Forwarding WMI Events and Data
For computers running on Windows Server 2003 operating system and later, event forwarding is not available for WMI events. For computers running on Windows Vista operating system and later, use the eventvwr command to run the Event Viewer and create event subscriptions. Applications written in C++ also use the Event Collector Service API.
Windows XP: A forwarding consumer is a WMI event consumer that permits local actions to be performed in response to WMI events raised on a remote computer. When a WMI event is raised on the sending computer, the forwarding consumer, MSFT_ForwardingConsumer instance, passes it to the receiving computer where it is raised again as a part of an MSFT_ForwardedEvent event. For more information, see Supporting Classes for the Forwarding Consumer. For more information about support and installation of this component on a specific operating system, see Operating System Availability of WMI Components.
Using the Forwarding Consumer
The remainder of this topic applies only to Windows XP.
The forwarding consumer works across computer boundaries using COM for remote communication. It uses Active Directory for authentication. Authentication is enabled by default. Authentication for computers in workgroups is not supported. It is possible to send unauthenticated events by setting the MSFT_ForwardingConsumer property Authenticate to FALSE on the sending computer, and setting the following registry key to 1 (one) on the receiving computer.
HKEY_LOCAL_MACHINE SOFTWARE Microsoft WBEM FWD AllowUnauthenticatedEvents
To set up a sending computer for event forwarding a permanent subscription is needed using an instance of MSFT_ForwardingConsumer. If the WMI event specified in the __EventFilter Query property is raised, the forwarding consumer forwards this event to the computer specified in the MSFT_ForwardingConsumer Target property. The Target property can contain one or more computers in a comma delimited list. The forwarding consumer searches through the list until it finds a computer that responds to a connection request. To save network resources, it does not attempt to connect to the remaining computers, regardless of the connection result—success or failure. If forwarding to multiple computers is necessary, you must create separate forwarding consumer instances for each receiving computer.
Starting with Windows Vista, the Wbemess.log file no longer exists. It is replaced by Event Tracing for Windows (ETW). For more information, see Tracing WMI Activity.
Windows Server 2003 and Windows XP: The most common errors received are WMIMSG_E_TARGETNOTLISTENING (0x80042113) and WBEM_E_ACCESS_DENIED (0x80041003). Errors can be traced using a subscription to MSFT_FCTraceEventBase, __EventDroppedEvents events, and the Wbemess.log file.
The following Managed Object Format (MOF) code example shows how to set up a sending computer and forward an event for each new process.
#pragma namespace ("\\\\.\\root\\subscription")
instance of __EventFilter as $myfilter
{
Name = "My filter for new process";
Query = "SELECT * FROM __InstanceCreationEvent
WITHIN 10 WHERE TargetInstance ISA 'win32_Process'";
QueryLanguage = "WQL";
EventNamespace = "root\\cimv2";
};
instance of MSFT_ForwardingConsumer as $myconsumer
{
Name = "My consumer for new process";
Authenticate = TRUE;
//Use IP, Netbios, or DNS name of receiving computer
Targets = {"w24-32"};
Encryption = TRUE;
};
instance of __FilterToConsumerBinding
{
Consumer=$myconsumer;
Filter=$myfilter;
};
To set up a receiving computer for capturing forwarded events, a permanent or temporary subscription is required using the class MSFT_ForwardedEvent.
The following MOF code example shows how to set up a receiving computer to wait for forwarded events.
#pragma namespace ("\\\\.\\root\\subscription")
instance of LogFileEventConsumer as $mylogconsumer
{
MaximumFileSize = 500000;
name = "New process log file";
Filename = "c:\\NewProcess.txt";
Text ="Computer = %machine%\r\n
Process = %event.targetinstance.caption%
Time = %time%\r\n
Page file usage = %event.targetinstance.pagefileusage%";
};
instance of __EventFilter as $myfilterforlogconsumer
{
Name = "New process filter";
Query = "SELECT * FROM MSFT_ForwardedEvent
WHERE event.targetinstance.pagefileusage > 500000";
QueryLanguage = "WQL";
EventNamespace = "root\\cimv2";
};
instance of __FilterToConsumerBinding
{
Consumer = $mylogconsumer;
Filter = $myfilterforlogconsumer;
};