Simple WMI Trace Viewer in PowerShell

Run this script as local Administrator to start tracing WMI events. When you are done tracing hit ENTER to view the results. This does not display all WMI trace events, check the WMI Activity Trace event log in Windows Event viewer to view all events.

This uses Windows inbuilt trace logs but presents the data in a more useful format. Instead of Out-GridView you could use Export-Csv cmdlet to output data to disk.

This should work on Windows 7/8/10 and Server 2008+

The script can be downloaded here: https://1drv.ms/u/s!AiFhB4fT6aiTgdo_knyvL4C_7fHQiw

Example output after launching ConfigMgr Software Center:

The script is also available here:

$wmiLog = "Microsoft-Windows-WMI-Activity/Trace"
echo y | Wevtutil.exe sl $wmiLog /e:true
Read-Host -Prompt "Tracing WMI Started. Press [ENTER] to stop"
echo y | Wevtutil.exe sl $wmiLog /e:false
$events = Get-WinEvent -LogName $wmiLog -Oldest | Where-Object {$_.message.Contains("Operation = Start") -or $_.message.Contains("Operation = Provider") }

if ($events -eq $null)
{
    Write-Host "No WMI events in trace!"
    return
}

$table = New-Object System.Data.DataTable
[void]$table.Columns.Add("Computer")
[void]$table.Columns.Add("Namespace")
[void]$table.Columns.Add("Type")
[void]$table.Columns.Add("Query")
[void]$table.Columns.Add("UserName")
[void]$table.Columns.Add("Process")

ForEach ($event in $events)
{
    switch ($event.Properties.Count)
    {
        6 {
            $typeStart = $event.Properties[1].Value.IndexOf("::")+2
            $typeEnd = $event.Properties[1].Value.IndexOf(" ",$typeStart) 
            $type = $event.Properties[1].Value.Substring($typestart,$typeEnd-$typeStart)
            $query = $event.Properties[1].Value.Substring($event.Properties[1].Value.IndexOf(":",$typeEnd)+2)
            $process = Get-Process -Id ($event.Properties[2].Value) -ErrorAction SilentlyContinue
            if ($process -eq $null) 
            { 
                $process = "($($event.Properties[2].Value))"
            }
            else
            {
                $process = "$($process.Name) ($($process.Id))"
            }      

            [void]$table.Rows.Add(`
                $env:COMPUTERNAME,`
                "\\.\root\cimv2",`
                $type,`
                $query,`
                "N/A",
                $process)
        }
        8 {
            $typeStart = $event.Properties[3].Value.IndexOf("::")+2
            $typeEnd = $event.Properties[3].Value.IndexOf(" ",$typeStart) 
            $type = $event.Properties[3].Value.Substring($typestart,$typeEnd-$typeStart)
            $query = $event.Properties[3].Value.Substring($event.Properties[3].Value.IndexOf(":",$typeEnd)+2)
            $process = Get-Process -Id ($event.Properties[6].Value) -ErrorAction SilentlyContinue
            if ($process -eq $null) 
            { 
                $process = "($($event.Properties[6].Value))"
            }
            else
            {
                $process = "$($process.Name) ($($process.Id))"
            }

            [void]$table.Rows.Add(`
                $event.Properties[4].Value,`
                $event.Properties[7].Value,`
                $type,`
                $query,`
                $event.Properties[5].Value,
                $process)
        }
        default
        {
            Write-Error "Unexpected number of event properties."
            Write-Host $event
            Write-Host $event.Properties
        }
    }
}

$table | Out-GridView

About chentiangemalc

specializes in end-user computing technologies. disclaimer 1) use at your own risk. test any solution in your environment. if you do not understand the impact/consequences of what you're doing please stop, and ask advice from somebody who does. 2) views are my own at the time of posting and do not necessarily represent my current view or the view of my employer and family members/relatives. 3) over the years Microsoft/Citrix/VMWare have given me a few free shirts, pens, paper notebooks/etc. despite these gifts i will try to remain unbiased.

View all posts by chentiangemalc →