SELECT Statement for Event Queries
You can use a variety of SELECT statements to query for event information. The statements can be basic statements or they can be more restrictive to narrow the result set that is returned from the query.
The following example is a basic SELECT statement that is used to query for event information.
When a consumer submits a query, it is a request to be notified of all occurrences of the event represented by EventClass. This request includes a request for notification about all of the event system and nonsystem properties. When an event provider submits a query, it registers support for generating notifications when an event represented by EventClass occurs.
Consumers can specify individual properties instead of the asterisk (*) in the SELECT statement.
The following example shows how to query for specific properties.
However, all of the properties of an embedded object are returned, even if the query specifies embedded object properties.
The following example shows two queries that return the same data.
SELECT targetInstance FROM __InstanceCreationEvent within 2 WHERE targetinstance isa "Win32_Process"
SELECT targetInstance.Name FROM __InstanceCreationEvent within 2 WHERE targetinstance isa "Win32_Process"
If a system property is not relevant for a specific query, it contains NULL. For example, the value of the __RELPATH system property is NULL for all event queries.
The following system properties contain NULL for event queries:
For more information, see WMI System Property Reference.
All event queries can include an optional WHERE clause, but WHERE clauses are primarily used by consumers to specify additional filtering. It is strongly recommended that consumers always specify a WHERE clause. The cost of a complex query is minimal compared to the cost of delivering and processing unneeded notifications.
The following example shows a query that requests notifications of all instance modification events that affect the hypothetical class EmailEvent.
If events associated with EmailEvent occur frequently, the consumer is flooded with events. A better query requests events only when specific conditions use properties of the class specified, such as when the importance level is high.
The following example shows the query you can use if EmailImportance is a property of the class EmailEvent.
Note that WMI can reject a query for a number of reasons. For example, the query can be too complex or resource-intensive for evaluation. When this occurs, WMI returns specific error codes, such as WBEM_E_INVALID_QUERY.
Properties of embedded objects can be used in the WHERE clause.
The following example shows how to query for objects where the TargetInstance property of the __InstanceModificationEvent system class is an embedded Win32_LogicalDisk object and FreeSpace is a property of Win32_LogicalDisk.
SELECT * FROM __InstanceModificationEvent WITHIN 600 WHERE TargetInstance ISA "Win32_LogicalDisk" AND TargetInstance.FreeSpace < 1000000
The Monitor creation event for specific process name VBScript sample on TechNet uses the SELECT statement to monitor WMI instance creation events for Win32_Process, filtering for a specific process name.