Trace Tracking
I have been demonstrating how to use indication events with WMI using Register-CimIndicationEvent. This is a useful way to watch what is happening on a computer by monitoring instances of a specific WMI class.
$query = "Select * from __InstanceModificationEvent WITHIN 10 where TargetInstance ISA 'Win32_UserAccount'"
Register-CimIndicationEvent -Query $query -SourceIdentifier "LocalUserChange"
However, there are a few WMI classes that are specifically designed to track activity. Today, I want to look at the tracking classes you can use to monitor processes. These Win32 classes have "Process" in their name and end with "Trace".
PS C:\> Get-CimClass win32_Process*Trace | Select-Object CimClassName
CimClassName
------------
Win32_ProcessTrace
Win32_ProcessStartTrace
Win32_ProcessStopTrace
ProcessTrace
These classes have different properties than the Win32_Process class. You need to know them if you want to create a granular filter that watches for specific processes. There are several discovery techniques you can use.
Using the native Get-CimClass cmdlet is relatively straightforward.
(Get-CimClass Win32_ProcessTrace).CimClassProperties | Format-Table

Because it can be cumbersome to drill down to the properties, you can use the Get-CimClassProperty function from the PSScriptTools module.

One other way that still works in PowerShell 7 is to use the [WmiClass] type accelerator.
[WmiClass]"win32_ProcessTrace"

This retrieves the same information as Get-CimClass.
PS C:\> ([WmiClass]"win32_ProcessTrace").properties | Format-Table
Name Value Type IsLocal IsArray Origin Qualifiers
---- ----- ---- ------- ------- ------ ----------
ParentProcessID UInt32 True False Win32_ProcessTrace {CIMTYPE, read}
ProcessID UInt32 True False Win32_ProcessTrace {CIMTYPE, read}
ProcessName String True False Win32_ProcessTrace {CIMTYPE, read}
SECURITY_DESCRIPTOR UInt8 False True __Event {CIMTYPE}
SessionID UInt32 True False Win32_ProcessTrace {CIMTYPE, read}
Sid UInt8 True True Win32_ProcessTrace {CIMTYPE, read}
TIME_CREATED UInt64 False False __Event {CIMTYPE}
Use this class to track when a process starts or stops.
$paramHash = @{
Query = "Select * from win32_ProcessTrace within 5 where ProcessName='pwsh.exe'"
ComputerName = $env:computername
SourceIdentifier = 'PSTrace'
}
Register-CimIndicationEvent @paramHash
After starting a new PowerShell session, I get these events.
PS C:\> Get-Event | Tee -variable e
ComputerName :
RunspaceId : 6ccbc5f2-3846-47cb-a78e-55c579e922e5
EventIdentifier : 3
Sender : Microsoft.Management.Infrastructure.CimCmdlets.CimIndicationWatcher
SourceEventArgs : Microsoft.Management.Infrastructure.CimCmdlets.CimIndicationEventInstanceEventArgs
SourceArgs : {Microsoft.Management.Infrastructure.CimCmdlets.CimIndicationWatcher, }
SourceIdentifier : PSTrace
TimeGenerated : 9/15/2025 3:56:55 PM
MessageData :
ComputerName :
RunspaceId : 6ccbc5f2-3846-47cb-a78e-55c579e922e5
EventIdentifier : 4
Sender : Microsoft.Management.Infrastructure.CimCmdlets.CimIndicationWatcher
SourceEventArgs : Microsoft.Management.Infrastructure.CimCmdlets.CimIndicationEventInstanceEventArgs
SourceArgs : {Microsoft.Management.Infrastructure.CimCmdlets.CimIndicationWatcher, }
SourceIdentifier : PSTrace
TimeGenerated : 9/15/2025 3:57:26 PM
MessageData :
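The Get-Event output above shows only the envelope; the process details live in $Event.SourceEventArgs.NewEvent, which is a CimInstance of whichever concrete class fired (Win32_ProcessStartTrace or Win32_ProcessStopTrace). The following is an added example, not code from the original post, that subscribes to the parent Win32_ProcessTrace class with an -Action block and writes one CSV row per start or stop, including the owning account resolved from the Sid byte array and, for start events, the executable path and command line pulled from Win32_Process by ProcessID. The file path $env:TEMP\proctrace.csv and the column names are my own choices. Two assumptions worth stating: the trace classes come from the kernel trace provider, so you will normally need an elevated session to subscribe, and because Win32_ProcessTrace derives from __ExtrinsicEvent the WITHIN polling clause is not required (it only matters for the intrinsic __Instance*Event classes).

```powershell
# Added example (not from the original post). Subscribes to Win32_ProcessTrace
# and logs every process start/stop with the owning account.
# Assumes an elevated PowerShell session; output path is an arbitrary choice.

$params = @{
    Query            = "SELECT * FROM Win32_ProcessTrace"
    SourceIdentifier = 'ProcTrace'
    Action           = {
        $e = $Event.SourceEventArgs.NewEvent

        # The concrete class name tells you whether this was a start or a stop.
        $kind = switch ($e.CimClass.CimClassName) {
            'Win32_ProcessStartTrace' { 'Start' }
            'Win32_ProcessStopTrace'  { 'Stop' }
            default                   { $_ }
        }

        # Sid arrives as a byte array. Build a SecurityIdentifier from it and try
        # to translate it to DOMAIN\User; fall back to the S-1-5-... string when
        # the account cannot be resolved (deleted user, unreachable DC).
        $account = $null
        if ($e.Sid -and $e.Sid.Count -gt 0) {
            try {
                $sidObj = [System.Security.Principal.SecurityIdentifier]::new([byte[]]$e.Sid, 0)
                try   { $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $account = $sidObj.Value }
            }
            catch { $account = $null }
        }

        # ProcessName is only the image file name: no path, no command line, and a
        # renamed binary will not match a ProcessName filter. For start events, go
        # back to Win32_Process by PID for the path and command line. A short-lived
        # process may already be gone, in which case these stay empty.
        $detail = $null
        if ($kind -eq 'Start') {
            $detail = Get-CimInstance -ClassName Win32_Process `
                -Filter "ProcessId=$($e.ProcessID)" -ErrorAction SilentlyContinue
        }

        # TIME_CREATED is a FILETIME (100-ns ticks since 1601-01-01).
        $when = [datetime]::FromFileTime([long]$e.TIME_CREATED)

        [pscustomobject]@{
            Time        = $when.ToString('o')
            Event       = $kind
            Name        = $e.ProcessName
            PID         = $e.ProcessID
            ParentPID   = $e.ParentProcessID
            Session     = $e.SessionID
            Account     = $account
            Path        = $detail.ExecutablePath
            CommandLine = $detail.CommandLine
        } | Export-Csv -Path (Join-Path $env:TEMP 'proctrace.csv') -Append -NoTypeInformation
    }
}

Register-CimIndicationEvent @params

# Review what has been captured so far, then clean up when finished:
#   Import-Csv (Join-Path $env:TEMP 'proctrace.csv') | Format-Table -AutoSize
#   Unregister-Event -SourceIdentifier ProcTrace
```

Because the -Action block runs inside the event subscriber, the events never pile up in the Get-Event queue; each one is handled and discarded as it arrives. If you only care about one direction, subscribe to Win32_ProcessStartTrace or Win32_ProcessStopTrace directly instead of inspecting CimClassName. Keep in mind that the ProcessID of a stop event may already have been reused by a new process by the time you look it up, so correlate start and stop rows on PID plus Time rather than on PID alone.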