Using "within" in a WMI event query

What happens when we don't specify a "within" interval in a WQL notification query with an intrinsic event class name?

For example:

    SELECT * FROM __InstanceCreationEvent
    WHERE TargetInstance ISA 'Win32_NTLogEvent' AND
          TargetInstance.LogFile = 'System' AND
          TargetInstance.EventCode = '1007'

The WITHIN interval is required only if there isn't a real WMI event provider that supports that event class. The NTEventLog WMI provider is a real event provider, meaning that its events are not polled; they are pushed. So events come in as they happen, and the query above is valid without WITHIN.
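The difference shows up at registration time. The following is an added example, not code from the original post: it registers the query above without WITHIN, then shows the same kind of query against a class that has no event provider being rejected until a polling interval is supplied. It assumes an elevated Windows PowerShell 5.1 session (where Register-WmiEvent is available); the Demo.* source identifiers and the choice of Win32_Service as the polled class are assumptions made for illustration.

```powershell
# Added example. Assumes Windows PowerShell 5.1, elevated.
# The 'Demo.*' source identifiers are hypothetical names.

# 1) Pushed events: Win32_NTLogEvent is backed by a real event provider,
#    so the query from the post registers without a WITHIN clause.
$pushed = @"
SELECT * FROM __InstanceCreationEvent
WHERE TargetInstance ISA 'Win32_NTLogEvent' AND
      TargetInstance.LogFile = 'System' AND
      TargetInstance.EventCode = '1007'
"@
Register-WmiEvent -Query $pushed -SourceIdentifier 'Demo.SystemLog1007' -Action {
    # TargetInstance is the newly written Win32_NTLogEvent record.
    $e = $Event.SourceEventArgs.NewEvent.TargetInstance
    Write-Host ("{0} {1} {2}" -f $e.TimeGenerated, $e.SourceName, $e.Message)
} | Out-Null

# 2) Polled events: Win32_Service (chosen for this example) has no event
#    provider, so WMI must poll for new instances and needs an interval.
$noWithin = "SELECT * FROM __InstanceCreationEvent " +
            "WHERE TargetInstance ISA 'Win32_Service'"
try {
    Register-WmiEvent -Query $noWithin -SourceIdentifier 'Demo.NoWithin' -ErrorAction Stop
} catch {
    # Registration fails because no polling interval was given.
    Write-Host "Rejected without WITHIN: $($_.Exception.Message)"
}

# WITHIN goes between the event class and WHERE; the value is in seconds.
$withWithin = "SELECT * FROM __InstanceCreationEvent WITHIN 10 " +
              "WHERE TargetInstance ISA 'Win32_Service'"
Register-WmiEvent -Query $withWithin -SourceIdentifier 'Demo.NewService' -Action {
    $s = $Event.SourceEventArgs.NewEvent.TargetInstance
    Write-Host ("New service: {0} -> {1}" -f $s.Name, $s.PathName)
} | Out-Null

# List what is registered, then remove the demo subscriptions when done.
Get-EventSubscriber | Where-Object SourceIdentifier -like 'Demo.*' |
    Select-Object SourceIdentifier, SubscriptionId
# Get-EventSubscriber | Where-Object SourceIdentifier -like 'Demo.*' | Unregister-Event
```

With a polled query, an instance that is created and deleted between two polls is never reported, so the WITHIN value bounds both the delay and what can be missed.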

 

For a general overview of WMI eventing you could visit this page.

Kapil Mathur [MSFT]