WMI: Kind request for WMI-QL Event Class Definition: SESSION_RECONNECTED, WORKSTATION_LOCKED, SCREENSAVER_INVOKED

Question

Would you please review the WMI-QL or share the correct MSDN section or WMI man page to lookout for these following WMI Event class QL definitions ?

Setup using Win7 laptop with WMI enabled and working for many WMI-QL for system info.

WMI EVENT-ID COMMAND EXPECTED RESPONSE

N/A / 4778  SESSION_RECONNECTED      ??
N/A / 4779  SESSION_DISCONNECTED     ??
N/A / 4800  WORKSTATION_LOCKED       ??
*   / 4801  WORKSTATION_UNLOCKED     ??
N/A / 4802  SCREENSAVER_INVOKED      ??
N/A / 4803  SCREENSAVER_DISMISSED    ??

==

I have already explored WMI Reference, however unable to Zero-In the correct class category.

==

Myself still not getting any response from WMIC command for the following commands, while remaining commands are giving positive response.

Following Seven Empty Response WMI-QL commands, each of which returned immediately always:

1. $ wmic -U Domain/username%password //nt-ip-addr "select * from Win32_NTLogEvent where EventCode = '4778'".
   $

2. $ wmic -U Domain/username%password //nt-ip-addr "select * from Win32_NTLogEvent where EventCode = '4779'" $

3. $ wmic -U Domain/username%password //nt-ip-addr "select * from Win32_NTLogEvent where EventCode = '4780'" $

4. $ wmic -U Domain/username%password //nt-ip-addr "select * from Win32_NTLogEvent where EventCode = '4800'" $

5. $ wmic -U Domain/username%password //nt-ip-addr "select * from Win32_NTLogEvent where EventCode = '4801'" $

6. $ wmic -U Domain/username%password //nt-ip-addr "select * from Win32_NTLogEvent where EventCode = '4802'" $

7. $ wmic -U Domain/username%password //nt-ip-addr "select * from Win32_NTLogEvent where EventCode = '4803'" $

The question points to: Whether we need to explicitly Subscribe/Register to any WMI Event class explicitly only for these above seven events ? or any other configuration settings are missing for these events ? Any tips/hints would be highly appreciated.

==

Thanks in advance.

Answer 1

Please refer to MSDN link: [Win32_NTLogEvent class] (http://msdn.microsoft.com/en-us/library/aa394226(v=vs.85).aspx#properties).

Like to get the "512 / 4608 STARTUP" query, you may run WMIC command: "select * from Win32_StartupCommand"

CLASS: Win32_StartupCommand

Caption|Command|Description|Location|Name|SettingID|User|UserSID

Sidebar|%ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun|Sidebar|HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Sidebar|(null)|NT AUTHORITY\LOCAL SERVICE|S-1-5-19

...

Similarly, to get the event code 4800, you may also run the exact WMIC command:

wmic -U Domain/username%password //nt-ip-addr "select * from Win32_NTLogEvent where EventCode = '4800'".

WMI/WMIC experts out there, please review/correct, if anything need to be modified.