WMI event filter query in PowerShell script

0
votes

I'm trying to add two different WMI events to an SCCM server with a PowerShell script that someone else wrote. I have to make the two event queries into one query and I'm not sure how best to do it. I've tried it a bunch of different ways so far. Here's the code:

Function WMI-InstanceFilter
{
# Function Started
LogTraceMessage "*** Function WMI-InstanceFilter Started ***"
Write-Verbose "*** Function WMI-InstanceFilter Started ***"

$PropertyHash = @{
    QueryLanguage = "WQL";
    Query = "";
    Name = "Name";
    EventNameSpace="root/sms/site_$($SiteCode)"
    }

$Script:InstanceFilter = New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $PropertyHash -Verbose -ErrorAction Stop

Here's the two event queries I need to somehow combine and put into the query line:

SELECT * FROM __InstanceOperationEvent Within 900 Where TargetInstance ISA 'SMS_Package' and TargetInstance.Name like 'drivers - %'"

SELECT * FROM __InstanceOperationEvent Within 300 Where TargetInstance ISA 'SMS_Package' and TargetInstance.Name like 'BIOS - %'"

What would be the best way to do this?

1
powershellwmiwql
You can combine the name queries like this: TargetInstance.Name LIKE 'drivers - %' OR TargetInstance.Name LIKE 'BIOS - %'. However, I don't think you can combine the timings, so you will need to choose a single duration for the WITHIN clause as it is now a single query. - boxdog

1 Answers

1
votes

You're dealing with WQL in your queries and you can only have a single WITHIN value - see https://docs.microsoft.com/en-gb/windows/desktop/WmiSdk/within-clause so you'll either have to pick 300 (seconds = 5 minutes) or 900 (seconds = 15 minutes) or a compromise value somewhere between them.

Your combined SELECT statement would look like this

SELECT * FROM __InstanceOperationEvent WITHIN 900 WHERE TargetInstance ISA 'SMS_Package' AND TargetInstance.Name LIKE 'drivers - %' OR TargetInstance.Name LIKE 'BIOS - %'

Change the WITHIN value to what you think best for your needs.

Do you need both drive & bios at the same time or could you use a parameter driven switch statement to swap between them?

Something like this

Function WMI-InstanceFilter {
[CmdletBinding()]
param (
  [ValidateSet('Bios', 'Drivers' )]
  [string]$InstanceType
)

# Function Started
LogTraceMessage "*** Function WMI-InstanceFilter Started ***"
Write-Verbose "*** Function WMI-InstanceFilter Started ***"

switch ($InstanceType) {
 'Bios' {
          $query = "SELECT * FROM __InstanceOperationEvent Within 900 Where TargetInstance ISA 'SMS_Package' and TargetInstance.Name like 'drivers - %'"
        }
  'Drivers' {
          $query = "SELECT * FROM __InstanceOperationEvent Within 300 Where TargetInstance ISA 'SMS_Package' and TargetInstance.Name like 'BIOS - %'"
        }
}

$PropertyHash = @{
    QueryLanguage = "WQL"
    Query = $query
    Name = "Name"
    EventNameSpace="root/sms/site_$($SiteCode)"
    }

$Script:InstanceFilter = New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $PropertyHash -Verbose -ErrorAction Stop
}