Monitor new Process on remote servers

Posted on 2009-05-13
Last Modified: 2012-08-14
Hi All,

I have a script below that should monitor when a notepad process is created. The script works fine on local and remote machines. However the problem I have is that the script tends to wait on command objEventSource.NextEvent().

This particular command is causing issues as the script waits on each machine in the loop to complete the task before moving on.

My objective is to trap the notepad process when it is initiated on any of the machines in the process.txt file. IE, I want the script to run across all machines when I push it out from a batch file using psexec.

Can anyone please help move past this huddle? or Suggest a better solution. I tried another approach by using vbscript to copy the file to the servers and was faced with this same problem and security issues. Please help

Run Remote Script
Dim objController, objRemoteScript, objFSO
Dim objTSIn, objTSOut, strComputer

'Create objects
Set objController = CreateObject("WshController")
Set objFSO = CreateObject("Scripting.FileSystemObject")

'Read computer names from file
Set objTSIn = objFSO.OpenTextFile("C:\computers.txt")

'Open output file for log
Set objTSOut = objFSO.CreateTextFile("C:\log.txt", True)

Do Until objTSIn.AtEndOfStream
    'Deploy script to remote computer

    strComputer = objTSIn.ReadLine
    objTSOut.WriteLine strComputer & ": Deploying at " & Now
    Set objRemoteScript = objController.CreateScript( _
        "C:\process.vbs", strComputer)
    WScript.ConnectObject objRemoteScript, "remote_"
    Do Until objRemoteScript.Status = 1
        WScript.Sleep 1000
    objTSOut.WriteLine strComputer & " Completed at " & Now
    Set objRemoteScript = Nothing


WScript.Echo "Deployment script complete."

Sub remote_Error
    Dim objError
    Set objError = objRemote.Error
    objTSOut.WriteLine strComputer & ": Error at " & Now
    objTSOut.WriteLine " Line: " & objError.Line & _
        ", Char: " & objError.Character & vbCrLf & _
            "Description: " & objError.Description
    WScript.Quit -1
End Sub
Get notepad Process


'Get computer name

Set WshNetwork = WScript.CreateObject("WScript.Network")

'Create a FileSystemObject

Set oFS = CreateObject("Scripting.FileSystemObject")

'Open a text file of computer names

'with one computer name per line

Set oTS = oFS.OpenTextFile("c:\process.txt")

'go through the text file

Do Until oTS.AtEndOfStream

 'get the next computer name

 'store it in variable strComputer

 strComputer = oTS.ReadLine

'strComputer = "."

Set objSWbemServices = GetObject("winmgmts:" &_

 "{impersonationLevel=impersonate}!" &_

 "\\" & strComputer & "\root\cimv2")

Set objEventSource = objSWbemServices.ExecNotificationQuery( _

 "SELECT * FROM __InstanceCreationEvent " &_

 "WITHIN 10 " &_

 "WHERE TargetInstance " &_

 "ISA 'Win32_Process' " &_

 "AND TargetInstance.Name = 'notepad.exe'")

'Echo Computer name

Set objEventObject = objEventSource.NextEvent()

Wscript.Echo "Computer Name: " &  strComputer

Set objEmail = CreateObject("CDO.Message")

objEmail.From = ""

objEmail.To = ""

objEmail.Subject = strComputer 

objEmail.Textbody = "Notepad initiated."

objEmail.Configuration.Fields.Item _

    ("") = 2

objEmail.Configuration.Fields.Item _

    ("") = _


objEmail.Configuration.Fields.Item _

    ("") = 25




'close the text file


'MsgBox "Done!"

Open in new window

Question by:neosteo
  • 2
  • 2
LVL 14

Accepted Solution

rejoinder earned 250 total points
ID: 24379236
Try this...
This script uses an event sink which monitors the processes.  This will not have any hang-ups as mentioned in the script above but will happily monitor endlessly.
Near the top of the script is a dictionary object so that you can monitor multiple files - why limit your script right?  In this case, the script will monitor notepad and calc.  Add more entries or take out the line, it is up to you.
My thinking is that you would copy the file onto each drive as described.  Then you would schedule the script to run at the system start up.  This way, the user would never see the script start and the script would catch any application you tell it to monitor right from the get go.

Dim ScanSpeed

Dim strComputer

Dim objDictionary

Set WshNetwork = WScript.CreateObject("WScript.Network")

strComputer = WshNetwork.ComputerName 

ScanSpeed = 5

Set objDictionary = CreateObject("scripting.dictionary")

objDictionary.Add "notepad.exe", "notepad.exe"

objDictionary.Add "calc.exe", "calc.exe"

Set ProcessSink = WScript.CreateObject("WbemScripting.SWbemSink", "ProcessSink_")

Set Process = GetObject("winMgmts:{(security)}\\" & strComputer & "\root\cimv2")

Process.ExecNotificationQueryAsync ProcessSink, "select * from __InstanceCreationEvent WITHIN " & ScanSpeed & " where targetinstance isa 'Win32_Process'"

Sub ProcessSink_OnObjectReady(objObject, objAsyncContext)

    strName = objObject.TargetInstance.Name

    strPath = objObject.TargetInstance.ExecutablePath

    if objDictionary.Exists(lcase(strName)) then

        Set objEmail = CreateObject("CDO.Message")

        objEmail.From = ""

        objEmail.To = ""

        objEmail.Subject = strComputer 

        objEmail.Textbody = strName & " initiated."

        objEmail.Configuration.Fields.Item ("") = 2

        objEmail.Configuration.Fields.Item ("") = "Testserver" 

        objEmail.Configuration.Fields.Item ("") = 25



    end if

End Sub

wscript.echo "Click OK to stop monitor."

Open in new window


Author Comment

ID: 24382989
Hi Rejoinder,

Thanks a lot for the script. Its much better than mine. What I am trying to do is run the script remotely? With the echo in their, the script is also waiting for the job to complete. I am pushing out the script using the command below. These are production servers which I can't afford to reboot for the startup script to kick off. I am trying to track a defrag application, I used notepad as an example because I can play with this process without launching the defragmentation tool.

I really need to run it without schedulling it. If you can help with this, It will be much appreciated.

for /f %i in (c:\computers.txt) do @echo %i: && xcopy c:\process.vbs \\%i\c$\ /i /y /r /q
for /f %i in (c:\computers.txt) do @echo %i: && xcopy c:\process.bat \\%i\c$\ /i /y /r /q

psexec.exe @computers.txt c:\process.bat

Author Comment

ID: 24383893
Hi Rejoinder

Thanks, I eventually used my script as the one stated above prompted for user input. However, I got an idea to create a scheduled task that will run it from the network. Thanks for your help.

LVL 14

Expert Comment

ID: 24386260
I hope everything works out then and thanks for the points.

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is an addendum to the following article: Acitve Directory based Outlook Signature ( The script is fine, and works in normal client-server domains…
When it comes to writing scripts for a Client/Server computing environment it is essential to consider some way of enabling the authentication functionality within a script. This sort of consideration mainly comes into the picture when we are dealin…
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.
Hi friends,  in this video  I'll show you how new windows 10 user can learn the using of windows 10. Thank you.

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now