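// Try to register the event handler and start monitoring the item that is
// selected in the list. Does nothing unless exactly one row is selected.
private void btnStart_Click(object sender, EventArgs e)
{
    if (lstMonitoringItems.SelectedItems.Count != 1)
    {
        return;
    }

    // The lookup result used to be ignored, so a row with no matching
    // dictionary entry ended in a NullReferenceException below.
    MonitoringItem item;
    if (!MyEventViewer.MonitoringItems.TryGetValue(
            lstMonitoringItems.SelectedItems[0].Text, out item)
        || item == null)
    {
        return;
    }

    WmiEventReceivedHandler handler =
        new WmiEventReceivedHandler(MyEventViewer.HandleEvent);
    string failure = null;

    try
    {
        // Detach before attaching: a Start that failed earlier (or a second
        // click on Start) must not leave the handler subscribed twice, which
        // would deliver every event to HandleEvent more than once.
        item.WmiEventReceived -= handler;
        item.WmiEventReceived += handler;
        item.StartMonitoring();
    }
    catch (ManagementException ex)
    {
        failure = ex.Message ?? string.Empty;
    }
    catch (System.Runtime.InteropServices.COMException ex)
    {
        failure = ex.Message ?? string.Empty;
    }

    if (failure != null)
    {
        // Both exception types are reported the same way.
        item.State = MonitoringItemState.Incomplete;
        MessageBox.Show("Can not start monitoring for the following reason:"
            + Environment.NewLine + failure);
    }

    UpdateQueryListView();
}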
// Builds the form and seeds the item dictionary with three stopped samples.
public EventViewer()
{
    InitializeComponent();
    MonitoringItems = new Dictionary<string, MonitoringItem>();

    // "Within 1" asks WMI to poll for matching instance events every second.
    MonitoringItem[] samples =
    {
        // Sample1: creation of a Notepad.exe process.
        new MonitoringItem(
            @"Select * From __InstanceCreationEvent Within 1 "
            + @"Where TargetInstance Isa 'Win32_Process' "
            + @"And TargetInstance.Name = 'Notepad.exe'",
            "Sample1"),
        // Sample2: any instance operation on a Win32_Service.
        new MonitoringItem(
            @"Select * From __InstanceOperationEvent Within 1 "
            + @"Where TargetInstance Isa 'Win32_Service'",
            "Sample2"),
        // Sample3: deletion of a Win32_PrintJob.
        new MonitoringItem(
            @"Select * From __InstanceDeletionEvent Within 1 "
            + @"Where TargetInstance Isa 'Win32_PrintJob'",
            "Sample3")
    };

    // Mark every sample as stopped first, then register them in order.
    foreach (MonitoringItem sample in samples)
    {
        sample.State = MonitoringItemState.Stopped;
    }

    foreach (MonitoringItem sample in samples)
    {
        AddItemToDictionary(sample.Name, sample);
    }
}
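// Try to stop monitoring the selected item and unregister the event handler.
// Only acts when exactly one row is selected and that item is running.
private void btnStop_Click(object sender, EventArgs e)
{
    if (lstMonitoringItems.SelectedItems.Count != 1)
    {
        return;
    }

    // The lookup result used to be ignored; a row without a dictionary entry
    // then failed with a NullReferenceException on item.State.
    MonitoringItem item;
    if (!MyEventViewer.MonitoringItems.TryGetValue(
            lstMonitoringItems.SelectedItems[0].Text, out item)
        || item == null)
    {
        return;
    }

    if (item.State != MonitoringItemState.Running)
    {
        return;
    }

    try
    {
        // The handler is detached only after the stop succeeded, so a monitor
        // that could not be stopped keeps delivering its events.
        item.StopMonitoring();
        item.WmiEventReceived -= MyEventViewer.HandleEvent;
        UpdateQueryListView();
    }
    catch (Exception ex)
    {
        MessageBox.Show("Can not stop monitoring for the following reason:"
            + Environment.NewLine + ex.Message);
    }
}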
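// Edit an existing monitored item.
// Don't allow editing of active (running) items.
private void btnEdit_Click(object sender, EventArgs e)
{
    if (lstMonitoringItems.SelectedItems.Count != 1)
    {
        return;
    }

    // The lookup result used to be ignored; a row without a dictionary entry
    // then failed with a NullReferenceException on item.State.
    MonitoringItem item;
    if (!MyEventViewer.MonitoringItems.TryGetValue(
            lstMonitoringItems.SelectedItems[0].Text, out item)
        || item == null)
    {
        return;
    }

    if (item.State == MonitoringItemState.Running)
    {
        MessageBox.Show("You need to stop monitoring"
            + " before you can edit an item properties.");
        return;
    }

    // A form shown with ShowDialog() is not disposed when it closes, so the
    // editor is released explicitly once the dialog returns.
    // NOTE(review): assumes SimpleQueryEditor derives from Form - confirm.
    using (SimpleQueryEditor simpleEditor = new SimpleQueryEditor(false))
    {
        simpleEditor.Controls["txtName"].Text = item.Name;
        simpleEditor.Controls["txtQuery"].Text = item.WqlQuery.QueryString;
        simpleEditor.MyQueryManager = this;
        simpleEditor.ShowDialog();
    }
}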
// Creates the editor for a script action attached to the given item.
// item:    stored in Item.
// editing: stored in Editing; when set, the action name box is disabled.
public ScriptActionEditor(MonitoringItem item, bool editing)
{
    InitializeComponent();

    Item = item;

    // NOTE(review): the host is named without a directory. This line only
    // sets a label, but if the same value is later used to start the host,
    // resolution would depend on the process search order - confirm that the
    // launcher uses a fully qualified path.
    lblScriptHost.Text = "cscript.exe";

    Editing = editing;
    bool lockActionName = Editing;
    if (lockActionName)
    {
        txtActionName.Enabled = false;
    }
}
// Adds a row for the given item to lstMonitoringItems.
// The row's Name and Text are the item name, column 1 is the item state and
// column 2 is the WQL query string. The original header calls this an attempt
// to colorize rows by state; no colour is set here, only the text columns.
public void AddItemToListView(MonitoringItem monitoringItem)
{
    ListViewItem row = new ListViewItem(monitoringItem.Name);
    row.Name = monitoringItem.Name;

    // Index 0 is the row itself, so these become SubItems[1] and SubItems[2].
    row.SubItems.Add(monitoringItem.State.ToString());
    row.SubItems.Add(monitoringItem.WqlQuery.QueryString);

    lstMonitoringItems.Items.Add(row);
}
// Imports every checked saved item whose name is not already monitored, then
// refreshes the query list and closes this form.
private void btnImport_Click(object sender, EventArgs e)
{
    foreach (ListViewItem savedItem in lstSavedItems.CheckedItems)
    {
        string itemName = savedItem.Name;

        // Names that already exist are skipped without being overwritten.
        if (MyQueryManager.MyEventViewer.MonitoringItems.ContainsKey(itemName))
        {
            continue;
        }

        // Column 1 of a saved row holds the query text.
        // NOTE(review): the saved text goes to the MonitoringItem constructor
        // unchecked; whether a malformed query throws there, which would stop
        // the import part-way, is not visible here - confirm.
        string queryText = savedItem.SubItems[1].Text;
        MonitoringItem imported = new MonitoringItem(queryText, itemName);

        MyQueryManager.MyEventViewer.AddItemToDictionary(itemName, imported);
        MyQueryManager.AddItemToListView(imported);
    }

    MyQueryManager.UpdateQueryListView();
    Close();
}
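// Acts on the exit option chosen on the active page:
//   radioAdd   - create a monitoring item from Query and select it in the parent list
//   radioEdit  - open the query in a SimpleQueryEditor
//   radioClose - nothing further
// If no option is checked, nothing happens.
private void finishButton_Click(object sender, EventArgs e)
{
    string exitChoice = null;

    // Controls that are not radio buttons are skipped instead of raising an
    // InvalidCastException, as the typed foreach used to do.
    foreach (Control candidate in
        GetActivePage().Controls["groupExitOptions"].Controls)
    {
        RadioButton radio = candidate as RadioButton;
        if (radio != null && radio.Checked)
        {
            exitChoice = radio.Name;
        }
    }

    switch (exitChoice)
    {
        case "radioAdd":
            MonitoringItem item = new MonitoringItem(
                Query,
                NewItemName(GetActivePage().Controls["txtQueryName"].Text));
            MyParent.MyEventViewer.AddItemToDictionary(item.Name, item);
            MyParent.AddItemToListView(item);
            MyParent.UpdateQueryListView();
            MyParent.lstMonitoringItems.Items[item.Name].Selected = true;
            break;

        case "radioEdit":
            // A form shown with ShowDialog() is not disposed when it closes,
            // so the editor is released once the dialog returns.
            // NOTE(review): assumes SimpleQueryEditor derives from Form - confirm.
            using (SimpleQueryEditor simpleEditor = new SimpleQueryEditor(true))
            {
                simpleEditor.MyQueryManager = MyParent;
                simpleEditor.Controls["txtName"].Text =
                    GetActivePage().Controls["txtQueryName"].Text;
                simpleEditor.Controls["txtQuery"].Text = Query.QueryString;
                simpleEditor.ShowDialog();
            }
            break;

        case "radioClose":
            break;
    }
}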
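// Clicking btnRemove should do two things:
// 1. Remove the selected element from the monitoredItems dictionary
// 2. Remove the selected element from the ListView
private void btnRemove_Click(object sender, EventArgs e)
{
    if (lstMonitoringItems.SelectedItems.Count != 1)
    {
        MessageBox.Show("Please select the monitoring item"
            + " you want to delete");
        return;
    }

    ListViewItem selectedRow = lstMonitoringItems.SelectedItems[0];

    // The lookup result used to be ignored, which ended in a
    // NullReferenceException for a row with no dictionary entry. Such a row
    // is now simply removed from the list.
    MonitoringItem item;
    if (MyEventViewer.MonitoringItems.TryGetValue(selectedRow.Name, out item)
        && item != null)
    {
        item.StopMonitoring();
        MyEventViewer.MonitoringItems.Remove(item.Name);
    }

    // Select the item after the one that got deleted.
    // If the last item is deleted select the new last item in the list.
    int deletedIndex = selectedRow.Index;
    selectedRow.Remove();

    int remaining = lstMonitoringItems.Items.Count;
    if (remaining > deletedIndex)
    {
        lstMonitoringItems.Items[deletedIndex].Selected = true;
    }
    else if (remaining > 0)
    {
        // Was "> 1", which left nothing selected when the last of two rows
        // was deleted and a single row remained.
        lstMonitoringItems.Items[remaining - 1].Selected = true;
    }
}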
// Registers a monitoring item under the given name.
// name: key for the MonitoringItems collection.
// item: value stored under that key.
// This forwards straight to MonitoringItems.Add and does not check whether
// the name is already present.
public void AddItemToDictionary(string name, MonitoringItem item)
{
    MonitoringItems.Add(name, item);
}
// Creates the actions form for one monitoring item.
// item: stored in Item before the designer-generated controls are built.
public QueryActions(MonitoringItem item)
{
    // Item is assigned first, so it is already set while InitializeComponent runs.
    Item = item;

    InitializeComponent();
}
// Creates a script action for the given item.
// item:       passed on to the base constructor.
// scriptPath: stored in ScriptFileName exactly as supplied.
// NOTE(review): no check is made on scriptPath here. Where the script is run
// is not visible in this block; the path (existence, expected directory,
// write permissions on the file) would need to be verified there - confirm.
public ActiveScriptAction(MonitoringItem item, string scriptPath)
    : base(item)
{
    ScriptFileName = scriptPath;
}
// Creates a script action for the given item without setting a script file.
// item: passed on to the base constructor.
public ActiveScriptAction(MonitoringItem item)
    : base(item)
{
    // Nothing else to initialise.
}
// Creates the action for the given item.
// item: passed on to the base constructor; nothing else is initialised here.
public GetEventTextAction(MonitoringItem item)
    : base(item)
{
}
// Creates an action bound to a monitoring item.
// item: kept in mParent.
public EventAction(MonitoringItem item)
{
    mParent = item;
}
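// Attempt to save the query and exit.
// With AddFlag set, a new item is created, or an existing item with the same
// name is replaced after confirmation. Otherwise the query of the item named
// in txtName is updated.
private void btnSave_Click(object sender, EventArgs e)
{
    if (!AddFlag)
    {
        // Edit mode: the indexer throws if the name is not in the dictionary.
        MonitoringItem edited =
            MyQueryManager.MyEventViewer.MonitoringItems[txtName.Text];
        ApplyQueryText(edited, txtQuery.Text);
        MyQueryManager.UpdateQueryListView();
        Close();
        return;
    }

    if (txtName.Text.Length == 0 || txtQuery.Text.Length == 0)
    {
        MessageBox.Show(
            " You need to enter both monitoring item name and query text.");
        return;
    }

    MonitoringItem item;
    if (!MyQueryManager.MyEventViewer.MonitoringItems.TryGetValue(
            txtName.Text, out item))
    {
        // NOTE(review): whether the MonitoringItem constructor throws for a
        // malformed query is not visible here - confirm.
        item = new MonitoringItem(txtQuery.Text, txtName.Text);
        MyQueryManager.MyEventViewer.AddItemToDictionary(item.Name, item);
        MyQueryManager.AddItemToListView(item);
        MyQueryManager.lstMonitoringItems.Items[item.Name].Selected = true;
        MyQueryManager.UpdateQueryListView();
        Close();
        return;
    }

    DialogResult result = MessageBox.Show(
        "A monitoring item with the name " + txtName.Text
            + " already exists. Do you want to replace it?",
        "Item already exists",
        MessageBoxButtons.YesNoCancel);

    switch (result)
    {
        case DialogResult.Yes:
            // This assignment used to run without any exception handling,
            // although the edit path shows it can throw; both paths now go
            // through the same helper.
            // NOTE(review): the item's state is not checked, so this path can
            // change the query of an item that is still running - confirm
            // whether that is intended.
            ApplyQueryText(item, txtQuery.Text);
            MyQueryManager.lstMonitoringItems.Items[item.Name].Selected = true;
            MyQueryManager.UpdateQueryListView();
            Close();
            break;

        case DialogResult.No:
            Close();
            break;

        case DialogResult.Cancel:
            // Keep the dialog open.
            break;
    }
}

// Sets the item's WQL query text. If the assignment is rejected, the item is
// marked Incomplete and the reason is shown to the user.
private static void ApplyQueryText(MonitoringItem item, string queryText)
{
    string failure = null;

    try
    {
        item.WqlQuery.QueryString = queryText;
    }
    // It appears that trying to set WqlEventQuery.QueryString
    // can throw these exceptions:
    catch (ManagementException ex)
    {
        failure = ex.Message ?? string.Empty;
    }
    catch (FormatException ex)
    {
        failure = ex.Message ?? string.Empty;
    }
    catch (ArgumentException ex)
    {
        failure = ex.Message ?? string.Empty;
    }

    if (failure != null)
    {
        item.State = MonitoringItemState.Incomplete;
        MessageBox.Show("Can't save changes to the monitoring item "
            + Environment.NewLine + failure);
    }
}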