Retrieve Windows event information using powershell
An amazing site that has a lot of this information is located here: http://www.ravichaganti.com/blog/?p=1711
To display the WMI event classes that you can attach a script or program to, type the following command:
Get-WMIObject -Query "Select * from meta_class Where (__This ISA '__Event') AND (__Class like 'win32%')"
To look at one event class, save it into a variable (for example, we'll look at Win32_ProcessStartTrace):
$ProcessStart = Get-WMIObject -list -Class Win32_ProcessStartTrace
To display the properties that you can query on, type the command below:
$ProcessStart.Properties | Select-Object Name
The results should look like the following.
Name
----
ParentProcessID
ProcessID
ProcessName
SECURITY_DESCRIPTOR
SessionID
Sid
TIME_CREATED
Now that you know the event class and its property names, you can attach an action to the start of any specific process:
# Register-WmiEvent using -Query; the action runs each time a process named notepad.exe starts
Register-WmiEvent -Query "Select * from Win32_ProcessStartTrace WHERE ProcessName='notepad.exe'" `
    -Action { Write-Host $Event.SourceEventArgs.NewEvent.ProcessName " new process started" }
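The same mechanism can be turned into a small process-creation logger for all processes, which is the defender's usual use of Win32_ProcessStartTrace. This is an added example, not code from the original post; the log path and the subscriber name 'ProcStartLogger' are my own choices, it assumes an elevated Windows PowerShell session (Win32_ProcessStartTrace needs administrator rights, and Register-WmiEvent is not available in PowerShell 7), and it uses the TIME_CREATED, Sid and ParentProcessID properties listed above.

```powershell
# Added example: log every process start (name, pid, parent pid, user SID, time) to a file.
# Assumes an elevated Windows PowerShell session; Win32_ProcessStartTrace requires administrator rights.
$LogPath = Join-Path $env:TEMP 'process-start.log'   # assumed log location, change as needed

$Query = "SELECT * FROM Win32_ProcessStartTrace"

# -MessageData passes the log path into the action, where it is read back as $Event.MessageData
Register-WmiEvent -Query $Query -SourceIdentifier 'ProcStartLogger' -MessageData $LogPath -Action {
    $e = $Event.SourceEventArgs.NewEvent

    # TIME_CREATED is a 64-bit FILETIME (100 ns intervals since 1601-01-01 UTC); convert to local time
    $when = [DateTime]::FromFileTime($e.TIME_CREATED)

    # Sid arrives as a raw byte array; turn it into the familiar S-1-5-... string when present
    $sid = 'n/a'
    if ($e.Sid) {
        $sid = (New-Object System.Security.Principal.SecurityIdentifier($e.Sid, 0)).Value
    }

    $line = '{0:yyyy-MM-dd HH:mm:ss} pid={1} ppid={2} sid={3} name={4}' -f $when, $e.ProcessID, $e.ParentProcessID, $sid, $e.ProcessName
    Add-Content -Path $Event.MessageData -Value $line
} | Out-Null

# Check that the subscription is active, then review what has been captured so far
Get-EventSubscriber -SourceIdentifier 'ProcStartLogger'
Get-Content $LogPath -Tail 10

# Stop logging when done (the subscription only lives as long as this PowerShell session anyway)
Unregister-Event -SourceIdentifier 'ProcStartLogger'
```

Each line ties a new process to its parent and to the account that started it, which is enough to spot an unexpected child of an Office or browser process during an investigation.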