Monitoring Subtree-Level Events

Microsoft® Windows® 2000 Scripting Guide


Because subtrees receive a great deal of activity, you typically would not want to monitor an entire subtree (such as HKEY_LOCAL_MACHINE). However, this can be useful if you want to generate statistical data about registry use. For example, you might notice a large amount of disk activity when configuring an application. To help pinpoint the cause of this, you can monitor a registry subtree to see whether the disk activity is the result of a large number of changes being made to the registry.

To monitor a subtree, subscribe to the RegistryTreeChangeEvent, specifying the particular subtree you are interested in monitoring. An event will be generated only when an actual modification takes place within the subtree. No event is fired when the subtree is accessed without being modified. (For example, you will not be notified anytime an application reads a registry entry.) The event does not include information about the change that took place; it simply provides notification that a change has occurred. You cannot use the event to determine who made the change or what change was made.

In scripts that monitor the registry, you will typically use the GetObjectText_ method to echo the fact that a change has been made. This is the only information about the change that is available to you. The output from the scripts used in this section of the chapter will look similar to this:

Received Registry Change Event
------------------------------
instance of RegistryTreeChangeEvent
{
        Hive = "HKEY_LOCAL_MACHINE";
        RootPath = "";
        TIME_CREATED = "126746045405872087";
};

The script in Listing 16.17 subscribes to the RegistryTreeChangeEvent for the HKEY_USERS subtree. You can modify the script to monitor a different subtree by changing HKEY_USERS to HKEY_LOCAL_MACHINE or any other registry subtree.

Scripting Steps

The script in Listing 16.17 monitors and reports on events in the HKEY_USERS subtree, displaying messages regarding each detected event. To carry out this task, the script must perform the following steps:

  1. Use the GetObject method to connect to the WMI service.
  2. Use the CreateObject method to create an event sink.
  3. Use ExecNotificationQuery to register for the event.
  4. Put the script in sleep mode while waiting on the event.
  5. Implement the event handler as a subroutine that uses the Echo method to display a message indicating that a registry change event was received.

Listing 16.17   Monitoring Events at the Subtree Level

strComputer = "."
' Connect to the root\default namespace, which hosts the WMI registry provider
Set wmiServices = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default")
' Create the event sink; handler subroutines use the SINK_ prefix
Set wmiSink = WScript.CreateObject("WbemScripting.SWbemSink", "SINK_")
' Register for change events anywhere in the HKEY_USERS subtree
wmiServices.ExecNotificationQueryAsync wmiSink, _
    "SELECT * FROM RegistryTreeChangeEvent WHERE Hive='HKEY_USERS'" _
        & " AND RootPath=''"
WScript.Echo "Listening for Registry Change Events ..." & vbCrLf
' Keep the script alive while it waits for events
Do While(1)
    WScript.Sleep 1000
Loop
' Runs each time an event is delivered to the sink
Sub SINK_OnObjectReady(wmiObject, wmiAsyncContext)
    WScript.Echo "Received Registry Change Event" & vbCrLf & _
        "------------------------------" & vbCrLf & _
            wmiObject.GetObjectText_()
End Sub
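The statistics use case described at the start of this section can be served by post-processing the script's captured output. The following is an added example, not part of the Scripting Guide: it parses GetObjectText_ output, converts TIME_CREATED (100-nanosecond intervals since January 1, 1601, UTC) to a timestamp, and counts changes per minute. The function names and the sample log are constructed for illustration, and it assumes the script's output was saved to a text file.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# TIME_CREATED counts 100-nanosecond intervals since 1601-01-01 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Only quoted property values, as in the output shown on this page, are handled.
INSTANCE_RE = re.compile(r"instance of (\w+)\s*\{(.*?)\};", re.S)
PROPERTY_RE = re.compile(r'(\w+)\s*=\s*"((?:[^"\\]|\\.)*)";')

# Constructed sample log: the first event is the output shown in this section;
# the other two are made-up events 20 and 90 seconds later.
SAMPLE_LOG = """Received Registry Change Event
------------------------------
instance of RegistryTreeChangeEvent
{
        Hive = "HKEY_LOCAL_MACHINE";
        RootPath = "";
        TIME_CREATED = "126746045405872087";
};
instance of RegistryTreeChangeEvent { Hive = "HKEY_LOCAL_MACHINE"; RootPath = ""; TIME_CREATED = "126746045605872087"; };
instance of RegistryTreeChangeEvent { Hive = "HKEY_LOCAL_MACHINE"; RootPath = ""; TIME_CREATED = "126746046305872087"; };
"""


def parse_events(text):
    """Return one dict per 'instance of ...' block in GetObjectText_ output."""
    events = []
    for cls, body in INSTANCE_RE.findall(text):
        # Backslashes are doubled inside MOF string values; undo that.
        props = {k: v.replace("\\\\", "\\") for k, v in PROPERTY_RE.findall(body)}
        props["class"] = cls
        ticks = int(props["TIME_CREATED"])
        props["when"] = EPOCH_1601 + timedelta(microseconds=ticks // 10)
        events.append(props)
    return events


def changes_per_minute(events):
    """Count events per (hive, UTC minute) bucket."""
    return Counter(
        (ev["Hive"], ev["when"].strftime("%Y-%m-%d %H:%M")) for ev in events
    )


if __name__ == "__main__":
    for (hive, minute), n in sorted(changes_per_minute(parse_events(SAMPLE_LOG)).items()):
        print(f"{minute} UTC  {hive}  {n} change(s)")
```

Because the event carries no detail about who made a change or what changed, the per-minute count is the most this data supports; attributing changes requires a different source, such as registry auditing.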



Microsoft Windows 2000 Scripting Guide(c) Automating System Administration 2003
Year: 2004
Pages: 635
