September 7, 2012

Run a script when windows resumes from suspend/sleep via WMI Event Consumer

Filed under: General, Scripting, WMI — fullparam @ 6:20 pm

You may want to achieve some power savings, but it turns out some services or programs misbehave.
One way around this issue is to run a script when the machine resumes. We can achieve this via two OS native methods:
Task Scheduler on Vista+
WMI Event consumer on Win2K+

I am going to only show my approach for the WMI Event, but I wanted to preempt the comments about task scheduler, yes – I am aware, but there are still two advantages to running it via WMI.
Works for all Windows flavors & it is embedding the script code within WMI, so no visibility to end users that they can modify or disable.
Both methods will run the script/code as SYSTEM, which can be a problem when your issues are related to GUI apps, such as Outlook/Exchange connectivity. This limitation does not exist with the excellent 1E NightWatchman that can run scripts as the logged in user. Without NightWatchman there is no way around programming WTSEnumerateSessions () -> WTSQueryUserToken() -> CreateEnvironmentBlock() -> CreateProcessAsUser() and actually compiling an executable that our script would have to call. Maybe I will post an actual example if some requests do come in.

The main obstacle I found with WMI scripts is the deployment. Likely you want to deploy this solution on a number of machines. The classical way would be to write a MOF file and compile that via mofcomp. I decided to actually create my instances via a VBS script. Note that no matter which approach, the Instances will have to be created while running in SYSTEM. Any consumers created as a regular user would only execute if that user is specifically logged in and is a local admin.

This script will restart a specified Service on your machine. As an example only I am restarting “Wireless Zero Configuration” or in short WZCSVC which exists on all XP machines.
Each time this service stops/starts it will write into the application event log as source EAPOL. This is how you can verify the process worked.

Interesting bits worth noting from the script:
The script will force to use the 64bit version of Wscript when available, even if this script is launched via 32bit process such as the SCCM client. I do this via the WMI method Win32_Process whilst forcing to connect to the 64 bit WMI.
The following code snippet is relevant: objCtx.Add “__ProviderArchitecture”, 64 ‘Load 64bit version of WMI if available. In fact I should create another blog post just on how to escape the bit-ness via WMI of a process.

Use of vbNewLine for the script text. This is needed as VBScript is line aware and I have to somehow add the new line command into WMI. Note that vbCrLf doesn’t work for this scenario.



  1. how to run any .exe file.instead of WZCSVC ?

    Comment by jacek ryś — November 22, 2014 @ 8:00 am

    • You can either have the launching VBS script run the EXE via WMI Win32_Process
      or you change the ActiveScriptEventConsumer into CommandLineEventConsumer

      Comment by fullparam — December 23, 2014 @ 2:30 pm

  2. Is there any way I can remove the script after running the install script? I am a VBS newbie.

    I hope you can help me.


    Comment by Dennis — December 23, 2014 @ 12:45 pm

    • The script itself that is posted here is the “installer script” afterwards this can be deleted.
      The actual script will live in the WMI namespace of the machine. The script text for this script is written here:

      Comment by fullparam — December 23, 2014 @ 2:25 pm

      • Thanks for the quick reply but I don’t know how to access the WMI namespace. Is there a Windows tool that can show a list of all scripts and helpe remove it or something?

        Comment by Dennis — December 23, 2014 @ 2:33 pm

      • Hi Dennis,

        I am afraid the WMI events are a bit of a black magic. There isn’t a very easy to use GUI tool out there however “WMI Admin tools” probably comes closest.
        This process is described here in more details: http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/19/using-the-wmi-admin-tools-to-check-on-permanent-events.aspx

        You can also use the built in wbemtest.exe to connect to the namespace and remove event consumers.

        Comment by fullparam — December 23, 2014 @ 2:47 pm

      • Thank you a lot for your help. I managed to remove the event listener by using wbemtest.exe.

        Merry Christmas and thanks again.

        Comment by Dennis — December 23, 2014 @ 3:43 pm

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: