{
	"id": "16e1b2f5-e4b6-4b00-9fe5-7fc0026c670a",
	"created_at": "2026-04-06T00:07:31.685542Z",
	"updated_at": "2026-04-10T13:12:49.967243Z",
	"deleted_at": null,
	"sha1_hash": "b600a362ee03246bf4617262c4c7703cd6eae185",
	"title": "Register-WmiEvent (Microsoft.PowerShell.Management) - PowerShell",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 89796,
	"plain_text": "Register-WmiEvent (Microsoft.PowerShell.Management) -\r\nPowerShell\r\nBy sdwheeler\r\nArchived: 2026-04-05 13:11:01 UTC\r\nIn this article\r\n1. Syntax\r\n2. Description\r\n3. Examples\r\n4. Parameters\r\n5. Inputs\r\n6. Outputs\r\n7. Notes\r\nSubscribes to a Windows Management Instrumentation (WMI) event.\r\nSyntax\r\nclass (Default)\r\nRegister-WmiEvent\r\n [-Class] \u003cString\u003e\r\n [[-SourceIdentifier] \u003cString\u003e]\r\n [[-Action] \u003cScriptBlock\u003e]\r\n [-Namespace \u003cString\u003e]\r\n [-Credential \u003cPSCredential\u003e]\r\n [-ComputerName \u003cString\u003e]\r\n [-Timeout \u003cInt64\u003e]\r\n [-MessageData \u003cPSObject\u003e]\r\n [-SupportEvent]\r\n [-Forward]\r\n [-MaxTriggerCount \u003cInt32\u003e]\r\n [\u003cCommonParameters\u003e]\r\nquery\r\nRegister-WmiEvent\r\n [-Query] \u003cString\u003e\r\n [[-SourceIdentifier] \u003cString\u003e]\r\nhttps://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/register-wmievent?view=powershell-5.1\r\nPage 1 of 12\n\n[[-Action] \u003cScriptBlock\u003e]\r\n [-Namespace \u003cString\u003e]\r\n [-Credential \u003cPSCredential\u003e]\r\n [-ComputerName \u003cString\u003e]\r\n [-Timeout \u003cInt64\u003e]\r\n [-MessageData \u003cPSObject\u003e]\r\n [-SupportEvent]\r\n [-Forward]\r\n [-MaxTriggerCount \u003cInt32\u003e]\r\n [\u003cCommonParameters\u003e]\r\nDescription\r\nThe Register-WmiEvent cmdlet subscribes to Windows Management Instrumentation (WMI) events on the local\r\ncomputer or on a remote computer.\r\nWhen the subscribed WMI event is raised, it is added to the event queue in your local session even if the event\r\noccurs on a remote computer. To get events in the event queue, use the Get-Event cmdlet.\r\nYou can use the parameters of Register-WmiEvent to subscribe to events on remote computers and to specify the\r\nproperty values of the events that can help you identify the event in the queue. 
You can also use the Action\r\nparameter to specify actions to take when a subscribed event is raised.\r\nWhen you subscribe to an event, an event subscriber is added to your session. To get the event subscribers in the\r\nsession, use the Get-EventSubscriber cmdlet. To cancel the subscription, use the Unregister-Event cmdlet,\r\nwhich deletes the event subscriber from the session.\r\nNew Common Information Model (CIM) cmdlets, introduced in Windows PowerShell 3.0, perform the same tasks as\r\nthe WMI cmdlets. The CIM cmdlets comply with WS-Management (WSMan) standards and with the CIM\r\nstandard, which enables the cmdlets to use the same techniques to manage computers that run the Windows\r\noperating system and those that run other operating systems. Instead of using Register-WmiEvent, consider using\r\nthe Register-CimIndicationEvent cmdlet.\r\nExamples\r\nExample 1: Subscribe to events generated by a class\r\nThis command subscribes to the events generated by the Win32_ProcessStartTrace class. This class raises an\r\nevent whenever a process starts.\r\nRegister-WmiEvent -Class 'Win32_ProcessStartTrace' -SourceIdentifier \"ProcessStarted\"\r\nExample 2: Subscribe to creation events for a process\r\nThis command uses a query to subscribe to Win32_process instance creation events.\r\n$wmiParameters = @{\r\n Query = \"select * from __instancecreationevent within 5 where targetinstance isa 'Win32_Process'\"\r\n SourceIdentifier = \"WMIProcess\"\r\n MessageData = \"Test 01\"\r\n TimeOut = 500\r\n}\r\nRegister-WmiEvent @wmiParameters\r\nExample 3: Use an action to respond to an event\r\nThis example shows how to use an action to respond to an event. 
In this case, when a process starts, any Start-Process commands in the current session are written to an XML file.\r\n$action = {\r\n Get-History |\r\n Where-Object { $_.CommandLine -like \"*Start-Process*\" } |\r\n Export-CliXml \"commandHistory.clixml\"\r\n}\r\nRegister-WmiEvent -Class Win32_ProcessStartTrace -SourceIdentifier ProcessStarted -Action $action\r\nId Name State HasMoreData Location Command\r\n-- ---- ----- ----------- -------- -------\r\n1 ProcessStarted NotStarted False Get-History | where {...\r\nWhen you use the Action parameter, Register-WmiEvent returns a background job that represents the event\r\naction. You can use the Job cmdlets, such as Get-Job and Receive-Job , to manage the event job.\r\nFor more information, see about_Jobs.\r\nExample 4: Register for events on a remote computer\r\nThis example registers for events on the Server01 remote computer.\r\nRegister-WmiEvent -Class 'Win32_ProcessStartTrace' -SourceIdentifier \"Start\" -ComputerName Server01\r\nGet-Event -SourceIdentifier \"Start\"\r\nWMI returns the events to the local computer and stores them in the event queue in the current session. To retrieve\r\nthe events, run a local Get-Event command.\r\nParameters\r\n-Action\r\nSpecifies commands that handle the events. The commands in the Action parameter run when an event is raised\r\ninstead of sending the event to the event queue. Enclose the commands in braces ( {} ) to create a script block.\r\nThe value of Action can include the $Event , $EventSubscriber , $Sender , $EventArgs , and $args\r\nautomatic variables, which provide information about the event to the Action script block. For more information,\r\nsee about_Automatic_Variables.\r\nWhen you specify an action, Register-WmiEvent returns an event job object that represents that action. 
You can\r\nuse the cmdlets that contain the Job noun (the Job cmdlets) to manage the event job.\r\nParameter properties\r\nType: ScriptBlock\r\nDefault value: None\r\nSupports wildcards: False\r\nDontShow: False\r\nParameter sets\r\n(All)\r\nPosition: 101\r\nMandatory: False\r\nValue from pipeline: False\r\nValue from pipeline by property name: False\r\nValue from remaining arguments: False\r\n-Class\r\nSpecifies the event to which you are subscribing. Enter the WMI class that generates the events. A Class or Query\r\nparameter is required in every command.\r\nParameter properties\r\nType: String\r\nDefault value: None\r\nSupports wildcards: False\r\nDontShow: False\r\nParameter sets\r\nclass\r\nPosition: 0\r\nMandatory: True\r\nValue from pipeline: False\r\nValue from pipeline by property name: False\r\nValue from remaining arguments: False\r\n-ComputerName\r\nSpecifies the name of the computer on which the command runs. The default is the local computer.\r\nType the NetBIOS name, an IP address, or a fully qualified domain name of the computer. To specify the local\r\ncomputer, type the computer name, a dot ( . ), or localhost.\r\nThis parameter does not rely on Windows PowerShell remoting. You can use the ComputerName parameter even\r\nif your computer is not configured to run remote commands.\r\nParameter properties\r\nType: String\r\nDefault value: None\r\nSupports wildcards: False\r\nDontShow: False\r\nAliases: Cn\r\nParameter sets\r\n(All)\r\nPosition: Named\r\nMandatory: False\r\nValue from pipeline: False\r\nValue from pipeline by property name: False\r\nValue from remaining arguments: False\r\n-Credential\r\nSpecifies a user account that has permission to perform this action. 
The default is the current user.\r\nType a user name, such as User01 or Domain01\\User01, or enter a PSCredential object, such as one generated by\r\nthe Get-Credential cmdlet. If you type a user name, this cmdlet prompts you for a password.\r\nParameter properties\r\nType: PSCredential\r\nDefault value: None\r\nSupports wildcards: False\r\nDontShow: False\r\nParameter sets\r\n(All)\r\nPosition: Named\r\nMandatory: False\r\nValue from pipeline: False\r\nValue from pipeline by property name: False\r\nValue from remaining arguments: False\r\n-Forward\r\nIndicates that this cmdlet sends events for this subscription to the session on the local computer. Use this\r\nparameter when you are registering for events on a remote computer or in a remote session.\r\nParameter properties\r\nType: SwitchParameter\r\nDefault value: None\r\nSupports wildcards: False\r\nDontShow: False\r\nParameter sets\r\n(All)\r\nPosition: Named\r\nMandatory: False\r\nValue from pipeline: False\r\nValue from pipeline by property name: False\r\nValue from remaining arguments: False\r\n-MaxTriggerCount\r\nSpecifies the maximum trigger count.\r\nParameter properties\r\nType: Int32\r\nDefault value: None\r\nSupports wildcards: False\r\nDontShow: False\r\nParameter sets\r\n(All)\r\nPosition: Named\r\nMandatory: False\r\nValue from pipeline: False\r\nValue from pipeline by property name: False\r\nValue from remaining arguments: False\r\n-MessageData\r\nSpecifies any additional data to be associated with this event subscription. 
The value of this parameter appears in\r\nthe MessageData property of all events associated with this subscription.\r\nParameter properties\r\nType: PSObject\r\nDefault value: None\r\nSupports wildcards: False\r\nDontShow: False\r\nParameter sets\r\n(All)\r\nPosition: Named\r\nMandatory: False\r\nValue from pipeline: False\r\nValue from pipeline by property name: False\r\nValue from remaining arguments: False\r\n-Namespace\r\nSpecifies the namespace of the WMI class.\r\nParameter properties\r\nType: String\r\nDefault value: None\r\nSupports wildcards: False\r\nDontShow: False\r\nAliases: NS\r\nParameter sets\r\n(All)\r\nPosition: Named\r\nMandatory: False\r\nValue from pipeline: False\r\nValue from pipeline by property name: False\r\nValue from remaining arguments: False\r\n-Query\r\nSpecifies a query in WMI Query Language (WQL) that identifies the WMI event class, such as: select * from\r\n__InstanceDeletionEvent .\r\nParameter properties\r\nType: String\r\nDefault value: None\r\nSupports wildcards: False\r\nDontShow: False\r\nParameter sets\r\nquery\r\nPosition: 0\r\nMandatory: True\r\nValue from pipeline: False\r\nValue from pipeline by property name: False\r\nValue from remaining arguments: False\r\n-SourceIdentifier\r\nSpecifies a name that you select for the subscription. The name that you select must be unique in the current\r\nsession. 
The default value is the GUID that Windows PowerShell assigns.\r\nThe value of this parameter appears in the value of the SourceIdentifier property of the subscriber object and of\r\nall event objects associated with this subscription.\r\nParameter properties\r\nType: String\r\nDefault value: None\r\nSupports wildcards: False\r\nDontShow: False\r\nParameter sets\r\n(All)\r\nPosition: 100\r\nMandatory: False\r\nValue from pipeline: False\r\nValue from pipeline by property name: False\r\nValue from remaining arguments: False\r\n-SupportEvent\r\nIndicates that this cmdlet hides the event subscription. Use this parameter when the current subscription is part of\r\na more complex event registration mechanism and it should not be discovered independently.\r\nTo view or cancel a subscription that was created by using the SupportEvent parameter, specify the Force\r\nparameter of the Get-EventSubscriber and Unregister-Event cmdlets.\r\nParameter properties\r\nType: SwitchParameter\r\nDefault value: None\r\nSupports wildcards: False\r\nDontShow: False\r\nParameter sets\r\n(All)\r\nPosition: Named\r\nMandatory: False\r\nValue from pipeline: False\r\nValue from pipeline by property name: False\r\nValue from remaining arguments: False\r\n-Timeout\r\nSpecifies how long Windows PowerShell waits for this command to finish.\r\nThe default value, 0 (zero), means that there is no time-out, and it causes Windows PowerShell to wait\r\nindefinitely.\r\nParameter properties\r\nType: Int64\r\nDefault value: None\r\nSupports wildcards: False\r\nDontShow: False\r\nAliases: TimeoutMSec\r\nParameter sets\r\n(All)\r\nPosition: Named\r\nMandatory: False\r\nValue from pipeline: False\r\nValue from pipeline by property 
name: False\r\nValue from remaining arguments: False\r\nCommonParameters\r\nThis cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction,\r\n-InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction,\r\nand -WarningVariable. For more information, see about_CommonParameters.\r\nInputs\r\nNone\r\nYou cannot pipe objects to this cmdlet.\r\nOutputs\r\nNone\r\nThis cmdlet does not generate any output.\r\nNotes\r\nTo use this cmdlet in Windows Vista or a later version of the Windows operating system, start Windows\r\nPowerShell by using the Run as administrator option.\r\nEvents, event subscriptions, and the event queue exist only in the current session. If you close the current session,\r\nthe event queue is discarded and the event subscription is canceled.\r\nSource: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/register-wmievent?view=powershell-5.1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/register-wmievent?view=powershell-5.1"
	],
	"report_names": [
		"register-wmievent?view=powershell-5.1"
	],
	"threat_actors": [],
	"ts_created_at": 1775434051,
	"ts_updated_at": 1775826769,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b600a362ee03246bf4617262c4c7703cd6eae185.pdf",
		"text": "https://archive.orkl.eu/b600a362ee03246bf4617262c4c7703cd6eae185.txt",
		"img": "https://archive.orkl.eu/b600a362ee03246bf4617262c4c7703cd6eae185.jpg"
	}
}