I have a script that waits for a USB device to be plugged in and then logs the device's ID, and a script that reads blacklisted processes from a text file and, if any of those processes are created, logs the time the process was created and the full execution path. It works fine until I restart the OS: the binding is still in the WMI-Event helper, but for some reason it doesn't seem to be working. Any ideas? This is the script in action - http://youtu.be/9quIRznbBhA?hd=1
This is how I have my code:
# ProcessFilter.ps1 - creates the __EventFilter (the WQL query that selects the events)
$q = "select * from __InstanceCreationEvent within 2 where TargetInstance ISA 'Win32_Process' and TargetInstance.Name = 'calc.exe'"
New-WmiEventFilter -Name ProcessStarted -Query "$q"

# ProcessConsumer.ps1 - creates the LogFileEventConsumer that writes the log line
New-WmiEventConsumer -Name ProcessStarted -ConsumerType LogFile -Text "Time: %TargetInstance.CreationDate% Executable Path : %TargetInstance.ExecutablePath%" -FileName C:\temp\process.log

# Binding script - runs the two scripts above and binds the returned filter to the returned consumer
${ScriptPath} = Split-Path $MyInvocation.MyCommand.Path
New-WmiFilterToConsumerBinding `
    -Consumer (& "${ScriptPath}\ProcessConsumer.ps1") `
    -Filter (& "${ScriptPath}\ProcessFilter.ps1")
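A permanent WMI subscription only logs anything when all three pieces (filter, consumer and the binding between them) are present in the root\subscription namespace after the reboot, and when the event itself still fires. The following diagnostic script is an added example, not code from the post or from the WMI helper module it uses; it relies only on built-in cmdlets (Get-WmiObject, Register-WmiEvent, Wait-Event) and assumes the names 'ProcessStarted' and the LogFile consumer type used above. Run it in an elevated session after the restart to see which piece is missing.

```powershell
# Added diagnostic (not part of the original post). Checks whether the permanent
# subscription created by the posted scripts survived a reboot, and whether the
# underlying event still fires at all.
# Assumptions: filter and consumer are both named 'ProcessStarted' (as in the post),
# and the consumer is a LogFileEventConsumer.
param(
    [string]$FilterName   = 'ProcessStarted',
    [string]$ConsumerName = 'ProcessStarted',
    [int]$ProbeSeconds    = 30
)

$ns = 'root\subscription'

# 1. Filter: the WQL query that selects the events
$filter = Get-WmiObject -Namespace $ns -Class __EventFilter -Filter "Name='$FilterName'"
if ($filter) {
    "Filter '$FilterName' present. Query: $($filter.Query)"
} else {
    "Filter '$FilterName' NOT found in $ns"
}

# 2. Consumer: the action taken when the event fires
$consumer = Get-WmiObject -Namespace $ns -Class LogFileEventConsumer -Filter "Name='$ConsumerName'"
if ($consumer) {
    "Consumer '$ConsumerName' present. Log file: $($consumer.Filename)"
    # The consumer runs inside the WMI service, not in your shell, so the
    # directory it writes to has to exist on its own; warn if it does not.
    $dir = Split-Path -Path $consumer.Filename -Parent
    if (-not (Test-Path -Path $dir)) { "  Warning: log directory '$dir' does not exist" }
} else {
    "Consumer '$ConsumerName' NOT found in $ns"
}

# 3. Binding: links filter to consumer; without it the event is selected but never acted on.
#    The Filter property is a reference string such as __EventFilter.Name="ProcessStarted".
$bindings = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
    Where-Object { $_.Filter -like "*Name=`"$FilterName`"*" }
if ($bindings) {
    foreach ($b in $bindings) { "Binding present: $($b.Filter) -> $($b.Consumer)" }
} else {
    "No binding found for filter '$FilterName'"
}

# 4. Does the event fire at all? Register the same query as a temporary subscription
#    in this session and wait for one event. Start the watched process (calc.exe in the
#    post) in another window while this runs.
if ($filter) {
    $probe = 'ProcessStartedProbe'
    Register-WmiEvent -Query $filter.Query -SourceIdentifier $probe
    $ev = Wait-Event -SourceIdentifier $probe -Timeout $ProbeSeconds
    if ($ev) {
        $proc = $ev.SourceEventArgs.NewEvent.TargetInstance
        "Temporary subscription saw the event: $($proc.Name) ($($proc.ExecutablePath))"
        Remove-Event -SourceIdentifier $probe
    } else {
        "No event within $ProbeSeconds s (the query itself may be the problem, not the binding)"
    }
    Unregister-Event -SourceIdentifier $probe
}
```

Step 4 separates the two failure modes: if the temporary subscription receives the event but C:\temp\process.log stays empty, the problem is in the permanent filter/consumer/binding objects; if no event arrives at all, the query (or the process name it watches) is the thing to look at.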