I guess Sherry Kissinger (SMS Expert's MOF Master extraordinaire) and I are playing tag with these Remote Assistance edits! Sherry did an excellent job documenting how to inventory specific remote assistance events in her blog entry: MOF edit - Remote Assistance Requests Accepted, which was based loosely on my WQL Query edit using the View Provider example. This seems to be a hot topic lately as someone else also contacted me about the MOF edit who wanted to inventory other Remote Assistance events so I figured I'd share my results here to help out anyone else looking for this information. These edits are all based on performing simple WQL queries using the WMI View Provider.
The trick here was that there are limits to the number of WQL keywords that can be used in WQL queries using the View Provider. (Large numbers of WQL keywords used in a complex query can cause WMI to return the WBEM_E_QUOTA_VIOLATION error code as an HRESULT value; the limit of WQL keywords depends on how complex the query is.) So I couldn't add in a bunch of OR's in there for the various events generated by Remote Assistance processes. To get around this, I just queried for all events generated by Remote Assistance (SourceName = RemoteAssistance). This was great until I discovered that the actual Remote Assistance connections do not show up in the event log with Remote Assistance as the source! Turns out, the actual connections are generated by a .dll (I think) called safrslv so I had to create a separate class for connections. Don't ask me what safrslv is or why this is different, I just take what the MOF gives me and try to make it work.
Couple of event log examples here:
On the system being remoted into:
(Remote Assistance source events):
Event 5261 : User <user> has accepted a Solicited Remote Assistance session from <IP>
Event 5262 : A Solicited Remote Assistance session for user <user> from <IP> ended.
Event 5270 : A remote assistance ticket has been created with duration: <time> for user <user>
(safrslv source events):
Event 4 : Remote assistance of <user> ended.
Event 5 : Remote assistance of <user> started
On the system that did the remoting:
Event 5023 : Expert (local user: <user>) has opened the following ticket: <ticket GUID> to the remote computer on port 3389
On to the MOF edits finally:
These edits work with SMS 2003 as well as Configuration Manager 2007 and I've actually modified the edits to account for SMS 2003 in this posting (the #pragma namespace change lines aren't needed for Configuration Manager 2007 as the data classes are in a totally separate file (Configuration.mof) from the reporting classes (SMS_def.mof)). In case you want to download the actual MOF edit (in .txt format because I can't upload MOF files!) then right-click and select Save Target As... HERE.
//Remote Assistance Requests Data Class
//View Provider union class over Application log events whose source is 'Remote Assistance'
#pragma namespace("\\\\.\\root\\cimv2")
[Union,
 ViewSources{"Select * FROM Win32_NTLogEvent WHERE LogFile='Application' AND SourceName='Remote Assistance'"},
 ViewSpaces{"\\\\.\\root\\cimv2"},
 Dynamic, Provider("MS_VIEW_INSTANCE_PROVIDER")]
Class RARequests
{
    [PropertySources("LogFile"), Key] string LogFile;
    [PropertySources("EventCode")] UINT16 EventCode;
    [PropertySources("RecordNumber"), Key] UINT32 RecordNumber;
    [PropertySources("Message")] String Message;
    [PropertySources("TimeGenerated")] DateTime TimeGenerated;
};

//Remote Assistance Requests Reporting Class
//SMS 2003 only: switch to the SMS namespace (not needed for Configuration Manager 2007)
#pragma namespace("\\\\.\\root\\cimv2\\sms")
[SMS_Report(TRUE),
 SMS_Group_Name("Remote Assistance Requests"),
 SMS_Class_ID("MICROSOFT|RARequests|1.0")]
Class RARequests: SMS_Class_Template
{
    [SMS_Report(TRUE), Key] String LogFile;
    [SMS_Report(TRUE), SMS_Units("DecimalString")] UINT16 EventCode;
    [SMS_Report(TRUE), Key, SMS_Units("DecimalString")] UINT32 RecordNumber;
    [SMS_Report(TRUE)] String Message;
    [SMS_Report(TRUE)] DateTime TimeGenerated;
};
Which gives you the resulting view in Resource Explorer (after hardware inventory has run on a system with these events anyway):
[Image: Resource Explorer screen shot]

//Remote Assistance Connections Data Class
//View Provider union class over Application log events whose source is 'safrslv'
#pragma namespace("\\\\.\\root\\cimv2")
[Union,
 ViewSources{"Select * FROM Win32_NTLogEvent WHERE LogFile='Application' AND SourceName='safrslv'"},
 ViewSpaces{"\\\\.\\root\\cimv2"},
 Dynamic, Provider("MS_VIEW_INSTANCE_PROVIDER")]
Class RAConnections
{
    [PropertySources("LogFile"), Key] string LogFile;
    [PropertySources("EventCode")] UINT16 EventCode;
    [PropertySources("RecordNumber"), Key] UINT32 RecordNumber;
    [PropertySources("Message")] String Message;
    [PropertySources("TimeGenerated")] DateTime TimeGenerated;
};

//Remote Assistance Connections Reporting Class
//SMS 2003 only: switch to the SMS namespace (not needed for Configuration Manager 2007)
#pragma namespace("\\\\.\\root\\cimv2\\sms")
[SMS_Report(TRUE),
 SMS_Group_Name("Remote Assistance Connections"),
 SMS_Class_ID("MICROSOFT|RAConnections|1.0")]
Class RAConnections: SMS_Class_Template
{
    [SMS_Report(TRUE), Key] String LogFile;
    [SMS_Report(TRUE), SMS_Units("DecimalString")] UINT16 EventCode;
    [SMS_Report(TRUE), Key, SMS_Units("DecimalString")] UINT32 RecordNumber;
    [SMS_Report(TRUE)] String Message;
    [SMS_Report(TRUE)] DateTime TimeGenerated;
};
Which gives you the resulting view in Resource Explorer (after hardware inventory has run on a system with these events anyway):
[Image: Resource Explorer screen shot]
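Once RARequests rows are being inventoried, the 5261 (accepted) and 5262 (ended) events listed earlier can be paired into sessions for review. The sketch below is an added example, not part of the original MOF edit: it assumes the rows have been exported as dictionaries carrying the EventCode, Message and TimeGenerated properties, with TimeGenerated in WMI's DMTF string form, and the function names and sample rows are constructed for illustration.

```python
import re
from datetime import datetime

# Message templates as shown in the event examples on this page.
ACCEPTED = re.compile(r"User (?P<user>.+?) has accepted a Solicited Remote "
                      r"Assistance session from (?P<ip>\S+?)\.?$")
ENDED = re.compile(r"A Solicited Remote Assistance session for user "
                   r"(?P<user>.+?) from (?P<ip>\S+) ended")

def parse_dmtf(value):
    """WMI DMTF datetime (yyyymmddHHMMSS.mmmmmm+UUU) -> naive local datetime."""
    return datetime.strptime(value[:14], "%Y%m%d%H%M%S")

def pair_sessions(rows):
    """Pair 5261 with 5262 per (user, ip); return (sessions, anomalies)."""
    open_starts, sessions, anomalies = {}, [], []
    for row in sorted(rows, key=lambda r: parse_dmtf(r["TimeGenerated"])):
        when, msg = parse_dmtf(row["TimeGenerated"]), row["Message"].strip()
        if row["EventCode"] == 5261 and (m := ACCEPTED.search(msg)):
            key = (m["user"].lower(), m["ip"])
            if key in open_starts:  # earlier start was never closed
                anomalies.append((key, open_starts[key], "no end event"))
            open_starts[key] = when
        elif row["EventCode"] == 5262 and (m := ENDED.search(msg)):
            key = (m["user"].lower(), m["ip"])
            start = open_starts.pop(key, None)
            if start is None:
                anomalies.append((key, when, "end without start"))
            else:
                sessions.append({"user": key[0], "ip": key[1], "start": start,
                                 "seconds": int((when - start).total_seconds())})
    anomalies += [(k, s, "no end event") for k, s in open_starts.items()]
    return sessions, anomalies

# Constructed sample rows (not real inventory data), shaped like RARequests.
def row(code, hhmmss, message):
    return {"EventCode": code, "Message": message,
            "TimeGenerated": "20080314" + hhmmss + ".000000-300"}

SAMPLE_ROWS = [
    row(5270, "085900", "A remote assistance ticket has been created with duration: 1 for user CORP\\alice"),
    row(5261, "090000", "User CORP\\alice has accepted a Solicited Remote Assistance session from 192.0.2.10"),
    row(5262, "091230", "A Solicited Remote Assistance session for user CORP\\alice from 192.0.2.10 ended."),
    row(5261, "100000", "User CORP\\bob has accepted a Solicited Remote Assistance session from 192.0.2.77"),
]

if __name__ == "__main__":
    done, odd = pair_sessions(SAMPLE_ROWS)
    print(done, odd, sep="\n")
```

The DMTF UTC offset is ignored here, so pairing is only meaningful for rows from the same machine.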
