<?php
// Removable-drive watcher.
//
// Opens a WMI connection to root\cimv2 on the local computer, subscribes to
// instance events for Win32_LogicalDisk, and prints one line each time a
// logical disk with DriveType 2 is created or deleted. Runs until the process
// is killed.
//
// Notes for anyone using this as a removable-media audit signal:
//  - "Within 1" is the WMI polling interval in seconds; a volume that appears
//    and disappears between two polls may produce no event.
//  - Only DriveType 2 ("Removable Disk" in Win32_LogicalDisk) is reported.
//    NOTE(review): external disks that enumerate as fixed disks (DriveType 3)
//    would not be reported by this filter; confirm coverage on target hosts.
//  - Output goes to stdout only and carries no timestamp or host name, so the
//    caller has to add those if the lines are kept as a record.
//  - COM errors (connection or query failure) are not caught here and will
//    terminate the script.

// "." addresses the local computer in the WMI moniker.
$strComputer = ".";
$wmi = new COM("winmgmts:\\\\" . $strComputer . "\\root\\cimv2");

// __InstanceOperationEvent is the common parent of the creation, deletion and
// modification events, so all three kinds arrive on this subscription.
$wmiEvent = $wmi->ExecNotificationQuery(
    "SELECT * FROM __InstanceOperationEvent Within 1 Where TargetInstance ISA 'Win32_LogicalDisk'"
);

// Endless event loop; there is no exit condition.
while (true) {
    // NextEvent is read without a timeout argument.
    // NOTE(review): presumably this blocks until the next event is delivered.
    $event = $wmiEvent->NextEvent;
    $disk = $event->TargetInstance;

    // Skip everything that is not a removable disk.
    if ($disk->DriveType != 2) {
        continue;
    }

    // The event's own class name tells creation from deletion; any other
    // class (e.g. a modification event) is silently dropped.
    $eventClass = $event->Path_->Class;
    if ($eventClass == "__InstanceCreationEvent") {
        echo "Drive " . $disk->DeviceId . " has been added.\n";
    } elseif ($eventClass == "__InstanceDeletionEvent") {
        echo "Drive " . $disk->DeviceId . " has been removed.\n";
    }
}
<?php //This function converts "20120201211425.631101-300" and rearranges it from // 2012 02 01 21 14 25 .631101-300 // Year M D H m s micro secs | -300 is offset (EST timezone in this case) function win_time($timestr) { return substr($timestr, 4, 2) . "/" . substr($timestr, 6, 2) . "/" . substr($timestr, 0, 4) . " " . substr($timestr, 8, 2) . ":" . substr($timestr, 10, 2) . ":" . substr($timestr, 12, 2) . " " . substr($timestr, -4); // OUTPUT: 02/01/2012 21:14:25 -300 (M/D/Y H:m:s TZ) } $strComputer = "."; $wmi = new COM("winmgmts:\\\\" . $strComputer . "\\root\\cimv2"); $wmiEvent = $wmi->ExecNotificationQuery("SELECT * FROM __InstanceOperationEvent " . " Within .1 WHERE TargetInstance ISA 'Win32_Process'", "WQL"); $get_user = new Variant("", VT_BSTR); $get_domain = new Variant("", VT_BSTR); echo "Monitoring Processes ...\n"; while (true) { $evt = $wmiEvent->NextEvent; switch ($evt->Path_->Class) { case "__InstanceCreationEvent": $error = $evt->TargetInstance->GetOwner($get_user); if ($error != 0) { echo "Could not get Owner Info - Error: " . $error; } else { $evtCreated = win_time($evt->TargetInstance->CreationDate); $evt->TargetInstance->GetOwner($get_user, $get_domain); echo "New Process Created : " . $evtCreated . "\n"; echo "New Process Name : " . $evt->TargetInstance->Name . "\n"; echo "Process Owner : " . $get_domain . "\\" . $get_user; echo "\n" . "New Process Path : " . $evt->TargetInstance->ExecutablePath . "\n"; echo "New Process ID : " . $evt->TargetInstance->ProcessId . "\n";