How to terminate processes from a wmi permanent event consumer

Question

I am trying to create a permanent wmi event consumer that will wait for a process to be created with a specific commandline parameter then terminate it.

So far I can get my event handler to fire when expected and write to a test log file. I can even access parameters from the WMI event by using the TargetEvent.TargetInstance. However when i try to call terminate on it, it fails.

I am also having trouble creating instances of objects like wscript.shell or wscript.network which fail to create an instance. I believe this might be because this script is not actually running in the windows script host.

So my question is how can I get the terminate method to work on my instance of Win32_Process or is there a way to call an external command (given I can't use wscript.shell object).

I got most of the details on how to create my mof file from here: http://www.codeproject.com/KB/system/PermEvtSubscriptionMOF.aspx?display=Print

My Setup Mof File is the following:

#pragma namespace("\\\\.\\root\\subscription")

instance of __EventFilter as $EventFilter
{
    Name  = "My Test Filter";
    EventNamespace = "Root\\Cimv2";
    Query = "Select * From __InstanceCreationEvent Within 2 " 
            "Where TargetInstance Isa \"Win32_Process\" "
            "And Targetinstance.Name = \"notepad.exe\" "
            "And Targetinstance.CommandLine LIKE \"%test.txt%\"";
    QueryLanguage = "WQL";
};

instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "MyTestConsumer";
    ScriptingEngine = "VBScript";
    ScriptText = 
    "On Error Resume Next\n"
    "'Set WshShell = WScript.CreateObject(\"WScript.Shell\")\n"
    "Set objFSO = CreateObject(\"Scripting.FileSystemObject\")\n"
    "Set objFile = objFSO.OpenTextFile(\"c:\\log.txt\", 8, True)\n"
    "objFile.WriteLine Time & \" \" & \" notepad started \" & TargetEvent.TargetInstance.Handle \n"    
    "objFile.Close\n"
    "TargetEvent.TargetInstance.Terminate()\n";

};

instance of __FilterToConsumerBinding
{
    Filter = $EventFilter;
    Consumer   = $Consumer;
};

My removal mof file is:

#pragma namespace("\\\\.\\root\\subscription")
#Pragma deleteInstance("__EventFilter.Name=\"My Test Filter\"",FAIL)
#Pragma deleteInstance("ActiveScriptEventConsumer.Name=\"MyTestConsumer\"",FAIL)

#pragma deleteinstance ("__FilterToConsumerBinding.Consumer="
    "\"\\\\\\\\.\\\\root\\\\subscription:ActiveScriptEventConsumer.Name=\\\"MyTestConsumer\\\"\","
    "Filter=\"\\\\\\\\.\\\\root\\\\subscription:__EventFilter.Name=\\\"My Test Filter\\\"\"", FAIL)

Answer 1

I have no idea what is the reason for this, but I have never managed to make it work either. At first glance it should - TargetEvent.TargetInstance.Name returns the process name, etc. But when calling a method, an error is written to wbemess.log:

Scripting engine says: Microsoft VBScript runtime error: Object doesn't support this property or method: 'TargetEvent.TargetInstance.Terminate' (Wed Apr 13 19:44:54 2011.15735734) : Dropping event destined for event consumer ActiveScriptEventConsumer="TestConsumer" in namespace //./root/subscription

Here is my workaround:

instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name  = "New Process Instance Filter";
    Query = "Select * From __InstanceCreationEvent Within 2" 
            "Where TargetInstance Isa \"Win32_Process\" "
            "And Targetinstance.Name = \"notepad.exe\" ";
    QueryLanguage = "WQL";
};

instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "TargetEventConsumer";
    ScriptingEngine = "VBScript";
    ScriptText = 
    "Set objWmi = GetObject(\"winmgmts:\")\n"
    "\n"
    "Set objProcess = objWmi.Get(\"Win32_Process.Handle='\" _\n"
    "    & TargetEvent.TargetInstance.Handle & \"'\")\n"
    "\n"
    "objProcess.Terminate\n";
};

instance of __FilterToConsumerBinding
{
    Consumer   = $Consumer;
    Filter = $EventFilter;
};

In the script I use SWbemServices.Get() to get the created process instance and then Terminate works. Just pass TargetEvent.TargetInstance.Handle to SWbemServices.Get().

You failed to use WshShell object because you attempted to create it with WScript.CreateObject and WScript is not available to the ActiveScriptConsumer VBScript engine. It should work if you use the VBScript CreateObject() function instead. Same with WshNetwork.