Untitled

a guest
Dec 16th, 2017
    # Event filter: the WQL query that triggers the subscription.
    # [STARTUP], [NAME] and [COMMAND_LINE] are template placeholders.
    $filter = ([wmiclass]"\\\\.\\root\\subscription:__EventFilter").CreateInstance()
    $filter.QueryLanguage = "WQL"
    $filter.Query = "Select * from __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA [STARTUP]"
    $filter.Name = "[NAME]"
    $filter.EventNamespace = 'root\\cimv2'

    # Save the filter to the WMI repository and keep its object path.
    $result = $filter.Put()
    $filterPath = $result.Path

    # Event consumer: the command line executed when the filter matches.
    $consumer = ([wmiclass]"\\\\.\\root\\subscription:CommandLineEventConsumer").CreateInstance()
    $consumer.Name = '[NAME]'
    $consumer.CommandLineTemplate = '[COMMAND_LINE]'
    $consumer.ExecutablePath = ""
    $consumer.WorkingDirectory = "C:\\Windows\\System32"
    $result = $consumer.Put()
    $consumerPath = $result.Path

    # Binding: links the filter to the consumer, which makes the subscription active.
    $bind = ([wmiclass]"\\\\.\\root\\subscription:__FilterToConsumerBinding").CreateInstance()

    $bind.Filter = $filterPath
    $bind.Consumer = $consumerPath
    $result = $bind.Put()
    $bindPath = $result.Path
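
Added example, not part of the original paste: a defender-side inventory of the three objects this template creates (an `__EventFilter`, an event consumer and the `__FilterToConsumerBinding` linking them), listing every binding in `root\subscription` with its query and action. It assumes an elevated PowerShell session with the CimCmdlets module; the `$report` property names are chosen here for illustration.

```powershell
# Added example: list permanent WMI event subscriptions for review.
$ns = 'root/subscription'

# Index filters by name so each binding can be resolved to its WQL query.
$filters = @{}
Get-CimInstance -Namespace $ns -ClassName __EventFilter |
    ForEach-Object { $filters[$_.Name] = $_ }

# Index consumers by "class|name"; names are only unique within one class.
$consumers = @{}
Get-CimInstance -Namespace $ns -ClassName __EventConsumer |
    ForEach-Object { $consumers["$($_.CimSystemProperties.ClassName)|$($_.Name)"] = $_ }

# Consumer classes that run a command or script when the filter fires.
$codeExec = 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'

$report = foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding) {
    # Binding references carry only the key property (Name) and the class.
    $cClass = $b.Consumer.CimSystemProperties.ClassName
    $f = $filters[$b.Filter.Name]
    $c = $consumers["$cClass|$($b.Consumer.Name)"]

    $action = switch ($cClass) {
        'CommandLineEventConsumer'  { "$($c.ExecutablePath) $($c.CommandLineTemplate)".Trim() }
        'ActiveScriptEventConsumer' { if ($c.ScriptFileName) { $c.ScriptFileName } else { $c.ScriptText } }
        default                     { '' }
    }

    [pscustomobject]@{
        Filter         = $b.Filter.Name
        Query          = $f.Query
        EventNamespace = $f.EventNamespace
        ConsumerClass  = $cClass
        Consumer       = $b.Consumer.Name
        Action         = $action
        ExecutesCode   = $cClass -in $codeExec
    }
}

# Code-executing consumers first; compare the rest against a known-good baseline.
$report | Sort-Object ExecutesCode -Descending | Format-List
```

Where Sysmon is deployed, event IDs 19, 20 and 21 record the creation of the filter, the consumer and the binding respectively, which gives a timestamp for anything this inventory turns up.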