WQL - EVENT QUERY (CONTINUING)

INTRINSIC EVENTS

SELECT * FROM __InstanceXEvent WITHIN PollingInterval WHERE TargetInstance ISA WMIClassName AND TargetInstance.WMIClassPropertyName = Value

X is Creation, Modification or Deletion (or Operation, the parent class that matches all three). PollingInterval is in seconds: intrinsic events are produced by WMI polling the class, so a change that appears and disappears between two polls is missed, and a small interval on a large class (for example Win32_Process on a busy server) costs CPU. In a real query WMIClassName is a quoted string, e.g. 'Win32_Process'.

__INSTANCECREATIONEVENT

#Query for new process events
$query = "Select * from __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_Process'"
#Register WMI event
Register-WmiEvent -Query $query -Action { Write-Host "New Process Created. Do something useful here" }

__INSTANCEMODIFICATIONEVENT

#Query for processor load above 80% (a modified Win32_Processor instance)
$query = "Select * from __InstanceModificationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Processor' AND TargetInstance.LoadPercentage > 80"
#Register WMI event
Register-WmiEvent -Query $query -Action { Write-Host "Processor utilization is more than 80%. Do something useful here" }

__INSTANCEDELETIONEVENT

#Query for process termination events
$query = "Select * from __InstanceDeletionEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Process'"
#Register WMI event
Register-WmiEvent -Query $query -Action { Write-Host "A Process terminated. Do something useful here" }

Note: Register-WmiEvent creates a temporary subscription that lives only as long as the PowerShell session that created it. A subscription that survives reboots is built from __EventFilter, an event consumer class and __FilterToConsumerBinding in root\subscription; that permanent form is the one used for WMI persistence and is what defenders should audit.
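The three examples above only print a fixed string; in practice the -Action block reads the event payload. The following is an added example, not code from the original post: it subscribes to __InstanceCreationEvent, pulls the new Win32_Process out of TargetInstance, resolves the parent, applies a simple parent/child rule, then generates one event and tears the subscription down. The SourceIdentifier 'ProcWatch' and the two process-name lists are choices made for this example.

```powershell
# Added example (not from the original post): process-creation monitor that reads the
# event payload instead of printing a fixed string. Only standard cmdlets are used; the
# SourceIdentifier name and the rule lists below are assumptions made for the example.

# Intrinsic events are polled: WITHIN 2 means a process that lives for less than 2 s can be missed.
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 2 WHERE TargetInstance ISA 'Win32_Process'"

$action = {
    # TargetInstance is the Win32_Process snapshot taken when the poll noticed the new process.
    $proc = $Event.SourceEventArgs.NewEvent.TargetInstance

    # Resolve the parent so the record shows who spawned what (it may already be gone).
    $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)" -ErrorAction SilentlyContinue
    $parentName = if ($parent) { $parent.Name } else { '(already exited)' }

    # Example rule (an assumption for this demo): an Office or browser process launching a
    # shell or script host is worth a closer look.
    $officeLike = @('winword.exe', 'excel.exe', 'outlook.exe', 'powerpnt.exe', 'chrome.exe', 'msedge.exe')
    $shellLike  = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe')
    $tag = if (($officeLike -contains $parentName.ToLower()) -and ($shellLike -contains $proc.Name.ToLower())) { 'SUSPICIOUS' } else { 'info' }

    Write-Host ("[{0}] {1} pid={2} name={3} parent={4}({5}) cmd={6}" -f `
        (Get-Date -Format 'HH:mm:ss'), $tag, $proc.ProcessId, $proc.Name, $parentName, $proc.ParentProcessId, $proc.CommandLine)
}

Register-WmiEvent -Query $query -SourceIdentifier ProcWatch -Action $action | Out-Null

# Generate one event that outlives the polling interval, give the poller time to see it,
# then remove the subscription and the job that Register-WmiEvent -Action created.
Start-Process -FilePath cmd.exe -ArgumentList '/c ping -n 5 127.0.0.1 >nul' -WindowStyle Hidden
Start-Sleep -Seconds 6
Unregister-Event -SourceIdentifier ProcWatch
Remove-Job -Name ProcWatch -Force
```

Write-Host inside the action goes straight to the console; anything the action writes to the pipeline instead is collected by the job and read with Receive-Job. Unregister-Event stops the subscription but leaves that job behind, hence the explicit Remove-Job.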

EXTRINSIC EVENT

Note: We cannot use __InstanceDeletionEvent, __InstanceCreationEvent, __InstanceModificationEvent, or __InstanceOperationEvent for monitoring extrinsic events. Extrinsic events are raised by an event provider as they happen rather than by polling, so their queries have no WITHIN clause. The registry event classes below are documented in the root\default namespace, while Register-WmiEvent defaults to root\cimv2; if a query is rejected with an invalid-class error, pass -Namespace root\default. The registry provider also does not accept HKEY_CURRENT_USER as the Hive; address a user's hive through HKEY_USERS and the user's SID.

REGISTRY VALUE CHANGE EVENT

$query = "Select * from RegistryValueChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' AND KeyPath='Software\\Temp' AND ValueName='Name'"
Register-WmiEvent -Query $query -Action {
    # The event only says the value changed; read the key to find out what it is now.
    # Compare against $null rather than testing truthiness, so a value of 0 or "" is not
    # mistaken for a deletion.
    $value = (Get-Item HKLM:\SOFTWARE\Temp).GetValue("Name")
    if ($null -ne $value) {
        Write-Host $value
    } else {
        Write-Host "The registry value was deleted"
    }
}

Note: in WQL the backslash is an escape character, so key paths are written with doubled backslashes ('Software\\Temp'); PowerShell does not treat backslashes specially inside double-quoted strings, so the doubled form reaches WMI unchanged. The key named in KeyPath must exist when the subscription is registered.

REGISTRY KEY CHANGE EVENT

$query = "Select * from RegistryKeyChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' AND KeyPath='Software\\Temp'"
Register-WmiEvent -Query $query -Action { Write-host "Something changed" }

RegistryKeyChangeEvent covers changes to the values of the named key only; changes inside its subkeys are not reported. Use RegistryTreeChangeEvent for the key and everything below it.

REGISTRY TREE CHANGE EVENT

$query = "Select * from RegistryTreeChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' AND RootPath=''"
Register-WmiEvent -Query $query -Action { Write-host "Something changed" }

An empty RootPath watches the whole hive, which on a live machine fires constantly; for anything other than an experiment, narrow RootPath to the subtree of interest (for example the Run keys under Software\\Microsoft\\Windows\\CurrentVersion).
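The three registry examples above print a fixed string and watch a key that needs administrative rights. The following is an added example, not code from the original post: it registers all three registry event classes against one test key in the current user's hive (addressed through HKEY_USERS and the user's SID, since the provider does not accept HKEY_CURRENT_USER), reads the Hive/KeyPath/ValueName/RootPath fields from each event, exercises the subscriptions with a few registry writes, and cleans up. The key name WmiEventDemo, the value name Marker and the SourceIdentifier names are assumptions made for this example.

```powershell
# Added example (not from the original post): watch one registry subtree with the three
# extrinsic registry event classes and read each event's payload. Assumptions made here:
# the key name WmiEventDemo, the value name Marker and the SourceIdentifier names.

$sid     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$keyPath = "$sid\\Software\\WmiEventDemo"   # WQL form: backslashes doubled
$psPath  = "HKCU:\Software\WmiEventDemo"    # same key as seen from PowerShell

# The watched key must exist before the subscriptions are registered.
New-Item -Path $psPath -Force | Out-Null

$action = {
    $ev = $Event.SourceEventArgs.NewEvent
    # Every registry event carries Hive; the remaining fields depend on the class.
    $where = switch ($ev.__CLASS) {
        'RegistryValueChangeEvent' { "$($ev.Hive)\$($ev.KeyPath) value '$($ev.ValueName)'" }
        'RegistryKeyChangeEvent'   { "$($ev.Hive)\$($ev.KeyPath) (a value directly under this key)" }
        'RegistryTreeChangeEvent'  { "$($ev.Hive)\$($ev.RootPath) (somewhere in this subtree)" }
        default                    { $ev.__CLASS }
    }
    Write-Host ("[{0}] {1}: {2}" -f (Get-Date -Format 'HH:mm:ss'), $Event.SourceIdentifier, $where)
}

$queries = @{
    DemoValue = "SELECT * FROM RegistryValueChangeEvent WHERE Hive='HKEY_USERS' AND KeyPath='$keyPath' AND ValueName='Marker'"
    DemoKey   = "SELECT * FROM RegistryKeyChangeEvent WHERE Hive='HKEY_USERS' AND KeyPath='$keyPath'"
    DemoTree  = "SELECT * FROM RegistryTreeChangeEvent WHERE Hive='HKEY_USERS' AND RootPath='$keyPath'"
}

# The registry event classes are documented in root\default, so name the namespace explicitly.
foreach ($name in $queries.Keys) {
    Register-WmiEvent -Namespace 'root\default' -Query $queries[$name] -SourceIdentifier $name -Action $action | Out-Null
}

# Exercise the subscriptions. Changes to the Marker value are visible to all three
# subscriptions; changes inside the Child subkey are outside what RegistryKeyChangeEvent
# watches and are reported by the tree subscription.
Set-ItemProperty -Path $psPath -Name Marker -Value 1
New-Item -Path "$psPath\Child" -Force | Out-Null
Set-ItemProperty -Path "$psPath\Child" -Name X -Value 1
Remove-ItemProperty -Path $psPath -Name Marker
Start-Sleep -Seconds 3

# Tear down: the subscriptions would die with the session anyway, but clean up explicitly,
# including the jobs that Register-WmiEvent -Action created (they share the SourceIdentifier name).
foreach ($name in $queries.Keys) {
    Unregister-Event -SourceIdentifier $name
    Remove-Job -Name $name -Force -ErrorAction SilentlyContinue
}
Remove-Item -Path $psPath -Recurse -Force
```

The same three queries pointed at HKEY_LOCAL_MACHINE and a Run key are a cheap way to see autostart tampering as it happens; the trade-off is that the events tell you where a change occurred, not what was written, so the action still has to read the key itself.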
