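  function Register-ProcessStartKill {
    <#
    .SYNOPSIS
    Registers (or removes) a local WMI process-creation subscriber that stops processes
    started from a user profile directory.

    .DESCRIPTION
    Subscribes to Win32_Process creation events in the current session. For every new
    process whose CommandLine begins with an absolute path under <drive>:\Users\ the
    action stops the process, writes a Warning entry (event id 1) to the Application log
    under the source 'ProcessStarted' and appends a line to C:\temp\ProcessStarts.log.
    windiff.exe and oleview.exe are exempt. Any existing 'ProcessStarted' subscriber is
    removed before a new one is created.

    Operator caveats (all visible in the code below):
      - __InstanceCreationEvent is polled ("Within 2"), so a matched process can run for
        up to roughly two seconds before it is stopped. This is a reactive control, not a
        launch block.
      - Only a CommandLine that starts with "<drive>:\Users\" (optionally quoted) is
        examined; a process with an empty or differently formed CommandLine is permitted.
      - The log is written under C:\temp, which is commonly writable by every local user;
        prefer a location with a restrictive ACL if the log is relied upon as evidence.
      - Failures inside the event action are appended to the log rather than surfaced.
      - The subscription is temporary: it lasts only as long as the PowerShell session
        that created it. Register-WMIEvent is a Windows PowerShell cmdlet (not present in
        PowerShell 7).

    .PARAMETER unregister
    Remove the 'ProcessStarted' subscriber if present and return without creating a new one.

    .OUTPUTS
    None. Progress is reported through Write-Verbose.
    #>
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
      [switch]$unregister
    )

    $sourceId = 'ProcessStarted'
    $existing = Get-EventSubscriber -SourceIdentifier $sourceId -ErrorAction SilentlyContinue

    if ($null -ne $existing) {
      Write-Verbose "Unregistering existing '$sourceId'"
      Unregister-Event -SourceIdentifier $sourceId
      # Alternate method, for a permanent (root\Subscription) filter rather than a session one:
      # Get-WMIObject -Namespace root\Subscription -Class __EventFilter -filter "Query like '%Win32_Process%'" | % { $_.delete() }
      if ($unregister) {
        Write-Verbose "Event subscriber '$sourceId' was removed on $($env:COMPUTERNAME)"
        return
      }
    } elseif ($unregister) {
      Write-Verbose "Event subscriber '$sourceId' was not found on $($env:COMPUTERNAME)"
      return
    }

    # Honour -WhatIf/-Confirm (the function declares SupportsShouldProcess): everything
    # below changes machine state.
    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Register WMI subscriber '$sourceId'")) {
      return
    }

    Write-Verbose "Creating Windows Event Log source '$sourceId'"
    # -ErrorAction Ignore: the source already existing is the normal steady state.
    New-EventLog -LogName Application -Source $sourceId -ErrorAction Ignore

    $query = 'Select * From __InstanceCreationEvent Within 2 Where TargetInstance Isa "Win32_Process"'
    Write-Verbose "Creating WMI event subscriber with query $query on $($env:COMPUTERNAME)"
    # The -Action block runs in its own runspace and cannot see this function's variables,
    # so it uses literals only (no outer-scope names).
    Register-WMIEvent -Query $query -SourceIdentifier $sourceId -Action {
      # NOTE(review): the doubled backslash is preserved from the original; Windows path
      # normalization appears to collapse it to C:\temp -- confirm the directory created.
      $logFile = Join-Path (mkdir c:\\temp -Force) 'ProcessStarts.log'
      try {
        $instance = $EventArgs.NewEvent.TargetInstance
        $cmd = $instance.CommandLine
        # Candidate: absolute, optionally quoted path under <drive>:\Users\ (-match is case-insensitive).
        $fromProfile = $cmd -match '^["]*[A-Z]:\\Users\\'
        # Exemptions; the dots are escaped so the names match literally (an unescaped '.'
        # matches any character).
        $exempt = $cmd -match '(windiff\.exe|oleview\.exe)[",\ ]{0,2}$'
        if ($fromProfile -and -not $exempt) {
          Stop-Process -Id $instance.ProcessId -ErrorAction Stop -Force
          $action = "Stopping"
          $message = "ProcessStarted v1.0.1 $action $($instance.CommandLine) $($instance.ProcessId)"
          Write-EventLog -LogName Application -Source 'ProcessStarted' -EntryType Warning -EventID 1 -Message $message -ErrorAction Stop
        } else {
          $action = "Permitting"
        }
        "$action $($instance.CommandLine) $($instance.ProcessId)" | Out-File $logFile -Append
      } catch {
        # Best effort: the action has no caller to report to, so the failure goes to the log.
        $_ | Out-String | Out-File $logFile -Append
      }
    }

    $created = Get-EventSubscriber -SourceIdentifier $sourceId -ErrorAction SilentlyContinue |
      Select-Object -ExpandProperty SourceIdentifier
    Write-Verbose "Event subscriber $created was created on $($env:COMPUTERNAME)"
  }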
  44.  
  45. <#
  46. None of this works, due to some mystery with Register-WMIEvent remote execution: it creates a job that won't start!
  47. function Register-RemoteProcessStartKill {
  48. [CmdletBinding(SupportsShouldProcess=$true)] param(
  49. $ComputerName = $env:COMPUTERNAME,
  50. [switch]$unregister
  51. )
  52. $ComputerName = [Net.Dns]::GetHostEntry($ComputerName).HostName
  53. $unregister2 = (test-path variable:\unregister) -and $unregister
  54. $sb = [ScriptBlock]::Create('param($params);function Register-ProcessStartKill {' + (get-item Function:\Register-ProcessStartKill).definition + '};Register-ProcessStartKill @Params')
  55. invoke-command -ComputerName $ComputerName -ScriptBlock $sb -ArgumentList $PSBoundParameters -UseSSL -EnableNetworkAccess -Verbose
  56. }
  57. <#
  58. (get-item Function:\Register-ProcessStartKill).scriptblock.invoke($true)
  59. (get-item Function:\Register-ProcessStartKill).scriptblock.invoke()
  60. #>
  61. <#
  62. get-eventsubscriber
  63. Register-RemoteProcessStartKill -verbose
  64. get-eventsubscriber
  65. #>
  66. <#
  67. Register-RemoteProcessStartKill -unregister -verbose
  68. get-eventsubscriber
  69. #>