Export (0) Print
Expand All

SELECT Statement for Event Queries

You can use a variety of SELECT statements to query for event information. The statements can be basic statements or they can be more restrictive to narrow the result set that is returned from the query.

The following example is a basic SELECT statement that is used to query for event information.

SELECT * FROM EventClass

When a consumer submits a query, it is a request to be notified of all occurrences of the event represented by EventClass. This request includes a request for notification about all of the event system and nonsystem properties. When an event provider submits a query, it registers support for generating notifications when an event represented by EventClass occurs.

Consumers can specify individual properties instead of the asterisk (*) in the SELECT statement.

The following example shows how to query for specific properties.

SELECT property_1, property_2, property_3 FROM MyEventClass

However, all of the properties of an embedded object are returned, even if the query specifies embedded object properties.

The following example shows two queries that return the same data.

SELECT targetInstance FROM __InstanceCreationEvent within 2
    WHERE targetinstance isa "Win32_Process"

SELECT targetInstance.Name FROM __InstanceCreationEvent within 2
    WHERE targetinstance isa "Win32_Process"

If a system property is not relevant for a specific query, it contains NULL. For example, the value of the __RELPATH system property is NULL for all event queries.

The following system properties contain NULL for event queries:

For more information, see WMI System Property Reference.

All event queries can include an optional WHERE clause, but WHERE clauses are primarily used by consumers to specify additional filtering. It is strongly recommended that consumers always specify a WHERE clause. The cost of a complex query is minimal compared to the cost of delivering and processing unneeded notifications.

The following example shows a query that requests notifications of all instance modification events that affect the hypothetical class EmailEvent.

SELECT * FROM EmailEvent

If events associated with EmailEvent occur frequently, the consumer is flooded with events. A better query requests events only when specific conditions use properties of the class specified, such as when the importance level is high.

The following example shows the query you can use if EmailImportance is a property of the class EmailEvent.

SELECT * FROM EmailEvent WHERE EmailImportance > 3

Note that WMI can reject a query for a number of reasons. For example, the query can be too complex or resource-intensive for evaluation. When this occurs, WMI returns specific error codes, such as WBEM_E_INVALID_QUERY.

Properties of embedded objects can be used in the WHERE clause.

The following example shows how to query for objects where the TargetInstance property of the __InstanceModificationEvent system class is an embedded Win32_LogicalDisk object and FreeSpace is a property of Win32_LogicalDisk.

SELECT * FROM __InstanceModificationEvent WITHIN 600
    WHERE TargetInstance ISA "Win32_LogicalDisk" 
    AND   TargetInstance.FreeSpace < 1000000


The Monitor creation event for specific process name VBScript sample on TechNet uses the SELECT statement to monitor WMI instance creation events for Win32_Process, filtering for a specific process name.



© 2015 Microsoft