ManagementEventWatcher Class events not working for processes running on Windows Server 2012

  • Question

  • Hello.

    We have an application which runs on a Windows 7 PC and monitors processes running on a number of servers and sends emails if any of these processes stop running.  This application has always worked without any problems until recently, when we upgraded the servers that it monitors from Windows 2003 to 2012, and now it no longer works.

    The code that is doing the monitoring is:

    Public WQLoptions As ConnectionOptions
    Public WQLscope As ManagementScope
    Public WQLquery As WqlEventQuery
    Public WQLwatcher As ManagementEventWatcher

    ' Connect to the CIMV2 namespace on the monitored host
    WQLoptions = New ConnectionOptions()
    WQLoptions.Impersonation = ImpersonationLevel.Impersonate
    WQLoptions.Timeout = New TimeSpan(100)
    WQLscope = New ManagementScope("\\" + HostName + "\root\CIMV2", WQLoptions)
    WQLscope.Connect()

    ' Subscribe to process trace events for the monitored executable
    WQLquery = New WqlEventQuery("SELECT * FROM Win32_ProcessTrace WHERE ProcessName = '" + AppExe + "'")
    WQLwatcher = New ManagementEventWatcher(WQLscope, WQLquery)

    ' Block until the next matching event arrives
    eventObj = WQLwatcher.WaitForNextEvent()

    The problem I have is that the WaitForNextEvent method is not firing when a process starts/stops running. I have tried this with the application running on both Windows 7 and Windows 8.1 machines and had the same issue.

    I searched around and found a KB article which appears to be for this problem (https://support.microsoft.com/en-us/kb/3094199) and in it there is a hot-fix; however, I have tried installing the hot-fix on both the Windows PC the monitoring application runs on and the Windows 2012 server the processes being monitored run on, and in both cases I get the same error - "The update is not applicable to your computer" (I have checked and all the prerequisites for the hot-fix are installed).

    Does anyone have any suggestions as to how we can get either this hot-fix or the ManagementEventWatcher class events working?

    Thanks,

    Paul

    Thursday, March 10, 2016 5:31 PM

All replies

  • Have you checked if the program advances when the query does not contain the WHERE condition?

    Thursday, March 10, 2016 6:22 PM
  • I tried your suggestion and when I remove the where clause completely I do see events raised when processes stop running, although I do not see any events raised when processes start.

    One thing I noticed when I examined the ManagementBaseObject returned for the process stop events is that the ProcessName field is not the full application name, but for every process it had been truncated to 14 characters long.  

    I checked the same processes in Win32_Process class and the name there is not truncated, which looks wrong to me as the documentation for these classes states that you can use the name returned by one class to find the same process in the other (https://msdn.microsoft.com/en-us/library/windows/desktop/aa394377(v=vs.85).aspx).

    This has at least fixed half of our problem, in that if I modify the where clause and only use the first 14 characters of the application name then I do see process stop events being raised.   However, as I don't get any of the start events raised, our application is still not completely working as it never gets notified when a process starts up again.

    Do you have any suggestions as to how we can get the start events to work as well?

    Thanks,

    Paul


    Friday, March 11, 2016 1:13 PM
  • Hi Lotus Group,

    I suggest you try to use Win32_ProcessStartTrace instead of Win32_ProcessTrace. For more information about how to use Win32_ProcessStartTrace, the link below is for your reference.
    https://bsmadhu.wordpress.com/2012/06/28/monitor-process-startupshutdown-using-wmi-powershell/

    Note: This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software from the Internet.

    Best Regards,
    Li Wang



    Friday, March 18, 2016 7:28 AM
    Moderator
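
Added example, not code from the thread or from Microsoft: one way to subscribe to both Win32_ProcessStartTrace and Win32_ProcessStopTrace while tolerating the 14-character ProcessName truncation reported above, and escaping the name before it is placed in the WQL string. HostName and AppExe values, and the helper names WqlEscape, BuildQuery and OnTrace, are assumptions.

```vb
Imports System
Imports System.Management

Module ProcessTraceWatcher
    ' Hypothetical values: replace with the monitored host and executable.
    Private Const HostName As String = "SERVER01"
    Private Const AppExe As String = "LongServiceName.exe"

    ' Escape backslash and single quote so the name cannot break out of the WQL string literal.
    Function WqlEscape(value As String) As String
        Return value.Replace("\", "\\").Replace("'", "\'")
    End Function

    ' LIKE on the first 14 characters matches both a truncated and a full ProcessName.
    ' LIKE wildcards in the name (%, _, [) can only widen the match; OnTrace filters again.
    Function BuildQuery(traceClass As String, exeName As String) As WqlEventQuery
        Dim prefix As String = If(exeName.Length > 14, exeName.Substring(0, 14), exeName)
        Return New WqlEventQuery("SELECT * FROM " & traceClass &
                                 " WHERE ProcessName LIKE '" & WqlEscape(prefix) & "%'")
    End Function

    Sub OnTrace(sender As Object, e As EventArrivedEventArgs)
        Dim ev As ManagementBaseObject = e.NewEvent
        Dim name As String = CStr(ev("ProcessName"))
        ' Accept the full name or any truncated prefix of it; a truncated name can still
        ' be ambiguous, so confirm by ProcessID against Win32_Process where that matters.
        If Not AppExe.StartsWith(name, StringComparison.OrdinalIgnoreCase) Then Return
        Console.WriteLine("{0}: {1} pid={2}", ev.ClassPath.ClassName, name, ev("ProcessID"))
    End Sub

    Sub Main()
        Dim options As New ConnectionOptions()
        options.Impersonation = ImpersonationLevel.Impersonate
        Dim scope As New ManagementScope("\\" & HostName & "\root\CIMV2", options)
        scope.Connect()

        Dim startWatcher As New ManagementEventWatcher(scope, BuildQuery("Win32_ProcessStartTrace", AppExe))
        Dim stopWatcher As New ManagementEventWatcher(scope, BuildQuery("Win32_ProcessStopTrace", AppExe))
        AddHandler startWatcher.EventArrived, AddressOf OnTrace
        AddHandler stopWatcher.EventArrived, AddressOf OnTrace
        startWatcher.Start()   ' asynchronous delivery; WaitForNextEvent is not needed
        stopWatcher.Start()

        Console.ReadLine()     ' keep the process alive until Enter is pressed
        startWatcher.Stop()
        stopWatcher.Stop()
    End Sub
End Module
```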