
jeudi 11 janvier 2018

Powershell - Trap Event in the registry



When a value in the registry is deleted, an event is produced.




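# Watches one user's Chrome policy key and removes the listed search/homepage
# policy values again every time something under that key changes.
#
# The user SID is redacted on the page and was repeated in every path (one copy
# was even a different length). It is now set once here; substitute the real SID.
$userSid = 'xxxxxxxxxxxxxxxxxxxxxxxxx'

# HKEY_USERS has no PowerShell drive by default, so map HKU: when it is missing.
if (-not (Test-Path -Path HKU:\))
{
       New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS
}

# WQL requires every backslash inside RootPath to be doubled.
# NOTE(review): the registry event classes are documented under root\default;
# if registration fails with an invalid-class error, pass -Namespace root\default - confirm.
$query = "Select * from RegistryTreeChangeEvent where Hive='HKEY_USERS' AND RootPath='$userSid\\Software\\Policies\\Google\\Chrome'"

# The -Action block does not reliably see script-scope variables, so the key
# path and value names are handed over through -MessageData.
$watch = @{
       Path  = "HKU:\$userSid\Software\Policies\Google\Chrome"
       Names = @(
              'DefaultSearchProviderNewTabURL',
              'DefaultSearchProviderName',
              'DefaultSearchProviderIconURL',
              'HomepageLocation',
              'DefaultSearchProviderSearchURL'
       )
}

Register-WmiEvent -SourceIdentifier "Start" -Query $query -MessageData $watch -Action {
       $watch = $Event.MessageData

       foreach ($name in $watch.Names)
       {
              # SilentlyContinue hides "value not present", which is the normal case,
              # but it equally hides access-denied failures: a value that keeps
              # coming back may mean the removal itself is failing.
              Remove-ItemProperty -Path $watch.Path -Name $name -ErrorAction SilentlyContinue
       }

       # This only reverts the values; whatever keeps writing them is not
       # identified or stopped by this script.
       Write-Host "Something Changed"
}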

C# Déclenchement d'un event au changement d'un Service Windows







Permet de capturer le changement d'un service Windows dès qu'il se produit



          try
            {
                var query = "SELECT * FROM __InstanceModificationEvent WITHIN 1 WHERE TargetInstance Isa "win32_Service" and TargetInstance.Name like 'SERVICENAME'";
                var scope = new ManagementScope(@"root\cimv2", null);
                scope.Connect();
                EventQuery qry = new EventQuery(query);
                w = new ManagementEventWatcher(scope, qry);
                LabelAbonnement = LabelName;
                w.EventArrived += EventArrived;
                w.Start();
            }
            catch (Exception)
            {

            }
       private void EventArrived(object sender, EventArrivedEventArgs e)
        {
            try
            {
                var targetInstance = (ManagementBaseObject)e.NewEvent["TargetInstance"];
                foreach (var p in targetInstance.Properties)
                {
                    LabelAbonnement.Invoke((MethodInvoker)(() => LabelAbonnement.TextValue = targetInstance.Properties["State"].Value.ToString()));
                }
            }
            catch (Exception)
            {
            }
        }