Delete what triggers eventID 10

Back in the old days of Vista SP1, Microsoft introduced a permanent WMI event that writes an entry to the logs whenever your processor reaches 99% usage. It’s a good idea, but unfortunately it’s logged as an error and caught by the administrative view filter.
eventID 10

The problem is that it’s a false positive that Microsoft reintroduced in Windows 7 SP1 😦
Microsoft still only gives us a workaround based on an old-fashioned VBScript.

So, here’s how to achieve the same thing as the VBScript by using PowerShell:

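# 
# Delete the eventID 10
#
# http://support.microsoft.com/kb/950375
#
# Run from an elevated prompt: root\subscription is only writable by administrators.

# obj1: the event filter itself
$obj1  = @(Get-WmiObject -Namespace "root\subscription"  -Query "Select * FROM __EventFilter WHERE Name='BVTFilter'" -ErrorAction SilentlyContinue)
# obj2: the consumer(s) associated with the filter through a __FilterToConsumerBinding
$obj2 = @(Get-WmiObject -Namespace "root\subscription"  -Query "Associators Of {__EventFilter.Name='BVTFilter'} WHERE AssocClass=__FilterToConsumerBinding" -ErrorAction SilentlyContinue)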
if ($obj2.Count -eq 0)
{
    Write-Warning -Message "obj2 not found"
} else {

    foreach ($obj in $obj2)
    {
        try 
        {
            $obj.delete()
        }
        catch
        {
            Write-Warning -Message "Failed to delete $obj"
            $_.Exception.ErrorCode 
            $_.CategoryInfo.Reason
            $_.Exception.Message
        }
    }
}

# obj3: the __FilterToConsumerBinding instance(s) that reference the filter
$obj3 = @(Get-WmiObject -Namespace "root\subscription"  -Query "References Of {__EventFilter.Name='BVTFilter'} WHERE ResultClass=__FilterToConsumerBinding" -ErrorAction SilentlyContinue)
if ($obj3.Count -eq 0)
{
    Write-Warning -Message "obj3 not found"
} else {
    foreach ($obj in $obj3)
    {
        try 
        {
            $obj.delete()
        }
        catch
        {
            Write-Warning -Message "Failed to delete $obj"
            $_.Exception.ErrorCode 
            $_.CategoryInfo.Reason
            $_.Exception.Message
        }
    }
}

# Finally delete the filter, once its consumer(s) and binding(s) are gone
if ($obj1.Count -eq 0)
{
    Write-Warning -Message "obj1 not found"
} else {
    $obj1[0].delete()    
}
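
Before deleting anything, it helps to record exactly which filter, consumer and binding the three queries above resolve to, and to confirm afterwards that nothing is left. The following is an added example, not part of the original script or of Microsoft's KB article; `Get-SubscriptionReport` is a hypothetical helper name, and it only reads from `root\subscription`.

```powershell
# Added example (not from the original post): read-only report of one
# permanent WMI event subscription, using the same WQL as the script above.
# Get-SubscriptionReport is a hypothetical helper name.
function Get-SubscriptionReport {
    param(
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^\w+$')]   # the name is spliced into WQL, so restrict it to word characters
        [string]$FilterName
    )

    $ns  = 'root\subscription'
    $ref = "{__EventFilter.Name='$FilterName'}"
    $queries = @{
        Filter   = "SELECT * FROM __EventFilter WHERE Name='$FilterName'"
        Consumer = "ASSOCIATORS OF $ref WHERE AssocClass=__FilterToConsumerBinding"
        Binding  = "REFERENCES OF $ref WHERE ResultClass=__FilterToConsumerBinding"
    }

    foreach ($part in 'Filter', 'Consumer', 'Binding') {
        # A missing filter makes the ASSOCIATORS/REFERENCES queries fail; treat that as "nothing found"
        try   { $found = @(Get-WmiObject -Namespace $ns -Query $queries[$part] -ErrorAction Stop) }
        catch { $found = @() }

        foreach ($o in $found) {
            New-Object PSObject -Property @{
                Part  = $part
                Class = $o.__CLASS      # e.g. the concrete consumer class
                Path  = $o.__RELPATH    # key path of the instance that would be deleted
                Query = $(if ($part -eq 'Filter') { $o.Query })   # WQL the filter listens for
            } | Select-Object Part, Class, Path, Query
        }
    }
}

# Before running the deletion script: record what is there.
$before = @(Get-SubscriptionReport -FilterName 'BVTFilter')
$before | Format-List

# After running the deletion script: the report should be empty.
$after = @(Get-SubscriptionReport -FilterName 'BVTFilter')
if ($after.Count -gt 0) {
    Write-Warning -Message "$($after.Count) part(s) of the BVTFilter subscription still present"
}
```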