Catching Configuration Change Events
Microsoft implemented the configuration change provider as an event provider in Windows 2003 and XP. This provider and the Win32_SystemConfigurationChangeEvent event class indicate when the system's device list has been refreshed. Located in the root\cimv2 namespace, the Win32_SystemConfigurationChangeEvent event class is the only class supported by the configuration change provider and is documented at http://msdn.microsoft.com/library/en-us/wmisdk/wmi/win32_systemconfigurationchangeevent.asp. The Win32_SystemConfigurationChangeEvent event class is a subclass of the Win32_DeviceChangeEvent superclass, which is also the parent class of the Win32_VolumeChangeEvent class (which I discuss next).
To subscribe to the Win32_SystemConfigurationChangeEvent event class, you must submit the WQL event query that Figure 3 shows. You'll then receive a notification when you add, remove, or reconfigure a system device. For instance, if you use GenericEventAsyncConsumer.wsf to submit the query, then connect a USB device to your Windows 2003 or XP system, you'll get results similar to those that Figure 3 shows. The EventType property indicates the type of device change that has occurred (Configuration Changed=1, Device Arrival=2, Device Removal=3, Docking=4).
The EventType property doesn't indicate which device triggered the event. In addition, an EventType value of 1 (configuration changed) can refer to almost anything related to the system configuration, including IRQ settings, COM ports, or BIOS version. If you need more detailed information about the current hardware settings, you must write an application or a script that queries the Win32_Processor, Win32_PhysicalMemory, Win32_DMAChannel, and Win32_IRQResource classes; run the script before and after the changes; and compare the two sets of results.
Catching Volume Change Events
Available only in Windows 2003 and XP, the volume change event provider supports the Win32_VolumeChangeEvent event class available in the root\cimv2 namespace and documented at http://msdn.microsoft.com/library/en-us/wmisdk/wmi/win32_volumechangeevent.asp. Like the Win32_SystemConfigurationChangeEvent class, the Win32_VolumeChangeEvent class's parent class is the Win32_DeviceChangeEvent superclass and Win32_VolumeChangeEvent exposes the EventType property. (The EventType property is defined at the level of the Win32_DeviceChangeEvent class and is inherited by both Win32_SystemConfigurationChangeEvent and Win32_VolumeChangeEvent.)
Win32_VolumeChangeEvent represents events related to adding or removing drive letters or to mounting or dismounting drives on a computer. The event class doesn't support network drives. Web Figure 2 shows the query you submit to receive drive-change events. Web Figure 2 also shows the results you'd see if you changed the drive letter of a volume from E to Z. EventType 3 indicates that a drive is removed; EventType 2 means that a drive is added.
The WQL event queries that I discuss in this article are just a few examples of the thousands of queries that you can formulate with WMI. Managing a system isn't just gathering information about the manageable components; it's also keeping tabs on important events in the life cycle of a system or an application. Understanding enough about WMI to trigger a notification when something occurs in the system will pay dividends as you seek to increase the manageability of your enterprise Windows network.