Note: This tip requires PowerShell 2.0 or above.
If you are familiar with Windows Management Instrumentation (WMI), you know that several types of WMI queries are possible: data, event, and schema queries. In today's tip, we shall look at event queries. WMI events occur when a change happens in the WMI namespace being monitored. When an event that can be monitored by WMI occurs, an instance of the corresponding WMI event class is created, modified, or deleted. Starting with PowerShell 2.0, we can use the Register-WmiEvent cmdlet to subscribe to WMI events, and its -Class parameter to specify the WMI event class to subscribe to. For example, Win32_ProcessStartTrace and Win32_LocalTime are WMI event classes while Win32_Process is not.
As you see above, Register-WmiEvent returns an error when the WMI class is not an event class. In fact, not all WMI classes are WMI event classes. So, how do we know which WMI classes are event classes?
Get-WmiObject -Query "SELECT * FROM meta_class WHERE __This ISA '__Event'"
Simple! You can further filter this to show only Win32 WMI classes:
Get-WmiObject -Query "SELECT * FROM meta_class WHERE (__This ISA '__Event') AND (__Class like 'win32%')"
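The same meta_class query can be narrowed to a single class name and used as a guard before calling Register-WmiEvent, so that a non-event class is skipped instead of producing the error. The following is an added example, not part of the original tip; the function name Test-WmiEventClass and the Watch_ source identifiers are hypothetical, and subscribing to Win32_ProcessStartTrace assumes an elevated PowerShell session.

```powershell
# Added example: guard Register-WmiEvent with the meta_class check from this tip.
# Test-WmiEventClass and the "Watch_" identifiers are hypothetical names.
function Test-WmiEventClass {
    param(
        # Restrict the name to word characters so it cannot alter the WQL string.
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^\w+$')]
        [string]$Class,

        [string]$Namespace = 'root\cimv2'
    )

    # Same query as above, limited to one class name.
    $query = "SELECT * FROM meta_class WHERE (__This ISA '__Event') AND (__Class = '$Class')"
    $match = Get-WmiObject -Namespace $Namespace -Query $query

    # A class definition comes back only if the class derives from __Event.
    return [bool]$match
}

foreach ($class in 'Win32_ProcessStartTrace', 'Win32_Process') {
    if (Test-WmiEventClass -Class $class) {
        # Log each event as it arrives; these properties exist on Win32_ProcessStartTrace.
        Register-WmiEvent -Class $class -SourceIdentifier "Watch_$class" -Action {
            $e = $Event.SourceEventArgs.NewEvent
            Write-Host ("{0} started, PID {1}, parent PID {2}" -f `
                $e.ProcessName, $e.ProcessID, $e.ParentProcessID)
        } | Out-Null
        Write-Host "Subscribed to $class"
    }
    else {
        Write-Warning "$class is not a WMI event class; skipping Register-WmiEvent."
    }
}

# When finished, remove the subscriptions created above:
# Get-EventSubscriber | Where-Object { $_.SourceIdentifier -like 'Watch_*' } | Unregister-Event
```

Get-EventSubscriber lists the subscriptions registered in the current session, which is also a quick way to review what a session is listening to.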