Reputation: 1051
WMI Querying Thread Events - No results
I`m investigating the WMI classes: Win32_Thread, Win32_ThreadTrace, Win32_ThreadStartTrace, Win32_ThreadStopTrace for possible usage.
The only one that returns any data is Win32_Thread. The rest do not return anything, no matter how I tried to execute it (as Administrator, with PowerShell, with ready to use tools, with code).
Is there any specific reason as to why this is happening? My OS is latest Win 10 Pro x64.
Example tool for testing: https://www.nirsoft.net/utils/simple_wmi_view.html
It would be really interesting and useful to see Win32_ThreadTrace working.
Any advice/help is much appreciated.
Upvotes: 0
Views: 343
Answers (1)
Reputation: 1051
After investigation it seems that @Mathias was correct and you need to "subscribe" for certain events, even though "some" websites state that you can manually query these...
In any case, and answer is here for anyone else that hits this in the future:
$query = "SELECT * FROM Win32_ThreadTrace"
Register-WmiEvent -Source Demo -Query $query -Action {
$global:myevent = $event
Write-Host 'ProcessID:' $event.SourceEventArgs.NewEvent.ProcessID
Write-Host 'ThreadID:' $event.SourceEventArgs.NewEvent.ThreadID
Write-Host 'TimeCreated:' $event.SourceEventArgs.NewEvent.TIME_CREATED }
Upvotes: 2
Related Questions
- Find suspended windows processes using WMI, why is "ExecutionState" always null?
- Running WMI query on Win32_ScheduledJob returns no results
- Process Start Event Using WMI - Not All Process Starts Being Detected
- C# WMI reading remote event log
- Unparsable Query when registering WMI event
- WMI query and event works in single class but not application?
- Why does my WMI InvokeMethod call return 0 (success) but fail to do anything remotely?
- WMI query returns nothing
- Using WMI to monitor event log
- Debugging (Tracing) WMI queries?