Today's complex OSs, including Windows, perform many tasks at the same time and generate many events. System users trigger additional events. For instance, a user or an administrator might perform some system configuration changes, disconnect the power plug from the machine, or shut down the OS. Each of these actions triggers one or more events. From a management perspective, the ability to capture and audit these events has great potential value. For example, you might want to write a script that would notify you if someone makes a certain system configuration change. If you submit the appropriate Windows Management Instrumentation (WMI) Query Language (WQL) query, you can catch OS events.
Submitting Queries
To submit the WQL event queries that I present here, you can use any application that can consume WMI events. Microsoft .NET application developers can use the System.Management classes available from the Windows .NET Framework. Administrators with some scripting knowledge can use a simple WMI script. If you have no programming experience, you can use the wbemtest.exe tool that's included in any WMI-capable Windows version (Windows NT 4.0 and later). If your Windows infrastructure already has enterprise management software such as Microsoft Operations Manager (MOM) or HP OpenView in place, you can catch WMI events from this software as well. . . .
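As an added illustration (not code from the original article), the following PowerShell script submits a WQL event query and reports when a Windows service's configuration changes, the kind of notification script described above. The choice of Win32_Service, the watched properties, the 10-second polling interval, and the subscription name are assumptions made for this example.

```powershell
# Added example: subscribe to a WQL event query and report service configuration changes.
# WITHIN 10 asks WMI to poll for modified Win32_Service instances every 10 seconds.
$query = "SELECT * FROM __InstanceModificationEvent WITHIN 10 " +
         "WHERE TargetInstance ISA 'Win32_Service'"

$sourceId = 'ServiceConfigChange'                 # hypothetical subscription name
$watched  = 'StartMode', 'PathName', 'StartName'  # properties worth auditing (assumption)

# Clear a leftover subscription from an earlier run so registration does not fail.
Get-EventSubscriber -SourceIdentifier $sourceId -ErrorAction SilentlyContinue |
    Unregister-Event

Register-CimIndicationEvent -Namespace 'root\cimv2' -Query $query `
    -SourceIdentifier $sourceId

try {
    while ($true) {
        # Block until WMI delivers the next matching event.
        $evt = Wait-Event -SourceIdentifier $sourceId
        $new = $evt.SourceEventArgs.NewEvent.TargetInstance
        $old = $evt.SourceEventArgs.NewEvent.PreviousInstance

        # The query also fires on plain start/stop state changes, so report
        # only the events in which a watched configuration property differs.
        foreach ($prop in $watched) {
            if ($old.$prop -ne $new.$prop) {
                [pscustomobject]@{
                    Time     = $evt.TimeGenerated
                    Service  = $new.Name
                    Property = $prop
                    Before   = $old.$prop
                    After    = $new.$prop
                }
            }
        }
        Remove-Event -EventIdentifier $evt.EventIdentifier
    }
}
finally {
    # Runs on Ctrl+C as well, so the subscription does not linger in the session.
    Unregister-Event -SourceIdentifier $sourceId -ErrorAction SilentlyContinue
}
```

A change made and reverted between two polls is not reported, so the WITHIN interval is a trade-off between detection latency and polling load.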

