Windows 7 Aggregate DFD Collection

Microsoft.Windows.Client.Win7.Computer.DFD.Collection (Rule)

Knowledge Base article:

Summary

This rule collects the events that Windows 7 Disk Diagnostic logs when a SMART-capable drive reports an impending failure.

Causes

The hard drive is about to fail.

Resolutions

Back up the data on the hard drive and replace the drive immediately.

Element properties:

Target: Microsoft.Windows.Client.Win7.Aggregate.PhysicalDisk
Category: EventCollection
Enabled: True
Alert Generate: False
Remotable: True
Event Log: System

Member Modules:

ID                  | Module Type        | TypeId                                                    | RunAs
EventDS             | DataSource         | Microsoft.Windows.EventProvider                           | System.PrivilegedMonitoringAccount
Mapper              | ConditionDetection | Microsoft.Windows.Client.Win7.LinkedDataMapper            | Default
PublishToDiskChannel| WriteAction        | Microsoft.Windows.Client.Win7.Computer.PublishLinkedData  | Default

Source Code:

<Rule ID="Microsoft.Windows.Client.Win7.Computer.DFD.Collection" Enabled="onEssentialMonitoring" Target="Microsoft.Windows.Client.Win7.Aggregate.PhysicalDisk" DiscardLevel="100" ConfirmDelivery="true" Remotable="true" Priority="Normal">
  <Category>EventCollection</Category>
  <DataSources>
    <DataSource ID="EventDS" RunAs="System!System.PrivilegedMonitoringAccount" TypeID="Windows!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/PrincipalName$</ComputerName>
      <LogName>System</LogName>
      <Expression>
        <And>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery>PublisherName</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value>Microsoft-Windows-DiskDiagnostic</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery>EventDisplayNumber</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value>1</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery>EventData/DataItem/EventData/Data[@Name='HardwareID']/text()</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value>$Target/Property[Type="Microsoft.Windows.Client.Win7.Aggregate.PhysicalDisk"]/PNPDeviceID$</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
        </And>
      </Expression>
    </DataSource>
  </DataSources>
  <ConditionDetection TypeID="Microsoft.Windows.Client.Win7.LinkedDataMapper" ID="Mapper">
    <ManagedEntityId>$Target/Id$</ManagedEntityId>
    <RuleId>$MPElement$</RuleId>
  </ConditionDetection>
  <WriteActions>
    <WriteAction ID="PublishToDiskChannel" TypeID="Microsoft.Windows.Client.Win7.Computer.PublishLinkedData">
      <ChannelId>AD13D396-4ED3-4911-9B94-99AADA9DB51A</ChannelId>
    </WriteAction>
  </WriteActions>
</Rule>
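Added example (not part of the management pack or this page): the PowerShell below reproduces the rule's three-part filter on a Windows 7 host, so an operator can confirm locally whether the Disk Diagnostic SMART event the rule collects was actually logged for a specific disk. The function name and its $PnpDeviceId parameter are assumptions; pass the PNPDeviceID of the physical disk you want to check.

```powershell
# Reproduces the rule's event filter: System log, provider Microsoft-Windows-DiskDiagnostic,
# event ID 1, and EventData/Data[@Name='HardwareID'] equal to the disk's PNPDeviceID.
# Function name and parameter are assumptions made for this example.
function Get-DiskDiagnosticSmartEvent {
    param(
        [Parameter(Mandatory = $true)]
        [string]$PnpDeviceId
    )

    # First two conditions of the rule. The HardwareID match is applied afterwards,
    # because FilterHashtable cannot express a match on a named EventData field.
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DiskDiagnostic'
        Id           = 1
    } -ErrorAction SilentlyContinue

    if (-not $events) {
        Write-Verbose 'No Microsoft-Windows-DiskDiagnostic event 1 found in the System log.'
        return
    }

    foreach ($evt in $events) {
        # The event XML carries the same EventData/Data[@Name='HardwareID'] node
        # that the rule's XPathQuery walks.
        [xml]$x = $evt.ToXml()
        $hwId = ($x.Event.EventData.Data | Where-Object { $_.Name -eq 'HardwareID' }).'#text'

        # Third condition of the rule: HardwareID must equal the target disk's PNPDeviceID.
        if ($hwId -eq $PnpDeviceId) {
            [pscustomobject]@{
                TimeCreated = $evt.TimeCreated
                HardwareID  = $hwId
                Message     = $evt.Message
            }
        }
    }
}

# Example call with a constructed placeholder; replace with a real PNPDeviceID,
# e.g. the value shown by Get-WmiObject Win32_DiskDrive | Select-Object PNPDeviceID.
Get-DiskDiagnosticSmartEvent -PnpDeviceId 'IDE\DISK_PLACEHOLDER_DEVICE_ID' -Verbose
```

If the function returns nothing while the management pack shows a collected event, check that the PNPDeviceID you supplied matches the one the aggregate PhysicalDisk object discovered, since the rule matches the HardwareID string exactly.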