Cmdlets Scripts
Invoke-IR edited this page Oct 18, 2014
NAME
New-Signature
SYNOPSIS
Creates a new WMI Event Subscription (Filter, Consumer, Binding)
SYNTAX
New-Signature [[-ComputerName] <String[]>] [-Name] <String>
[[-EventNamespace] <String>] [-Query] <String> [[-Type] <String>]
[-ScriptLocation] <String> [-CommandLineArgs] <String> [-Force]
[<CommonParameters>]
DESCRIPTION
The New-Signature cmdlet creates a new WMI Event Subscription and sets
its parameters. The cmdlet creates three separate WMI objects: an
__EventFilter, a Consumer (CommandLineEventConsumer or
LogFileEventConsumer), and a __FilterToConsumerBinding.
PARAMETERS
-ComputerName <String[]>
Creates new WMI Event Subscriptions on the specified computers. The
default is the local computer.
Type the NetBIOS name, an IP address, or a fully qualified domain
name of one or more computers.
This parameter does not rely on Windows PowerShell remoting. You
can use the ComputerName parameter of New-Signature as long as the
remote computer has its RPC Server running. Additionally,
PowerShell must be run with appropriate credentials for the remote
endpoint.
Required? false
Position? 1
Default value
Accept pipeline input? false
Accept wildcard characters?
-Name <String>
Specifies the Name of the Signature (WMI Event Subscription). The
same name will be used for the Filter, Consumer, and Binding.
Required? true
Position? 2
Default value
Accept pipeline input? false
Accept wildcard characters?
-EventNamespace <String>
Specify the WMI Namespace for the signature's class.
Required? false
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters?
-Query <String>
The WMI Query Language Query that will be used by the __EventFilter.
Required? true
Position? 4
Default value
Accept pipeline input? false
Accept wildcard characters?
-Type <String>
Type is used to specify what type of EventConsumer to use. The
options are the CommandLineEventConsumer and LogFileEventConsumer.
The default is CommandLineEventConsumer.
Required? false
Position? 5
Default value
Accept pipeline input? false
Accept wildcard characters?
-ScriptLocation <String>
Gives the location of the script that is executed by the
CommandLineEventConsumer. Because the Consumer runs in the
NT AUTHORITY\SYSTEM user context, the script must be accessible
(ReadAndExecute permission) to the remote host's Computer Account.
Required? true
Position? 6
Default value
Accept pipeline input? false
Accept wildcard characters?
-CommandLineArgs <String>
A space delimited list of arguments for the CommandLineEventConsumer.
Required? true
Position? 7
Default value
Accept pipeline input? false
Accept wildcard characters?
-Force [<SwitchParameter>]
Allows the cmdlet to overwrite a signature that already exists.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters?
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer and OutVariable. For more information, type,
"get-help about_commonparameters".
INPUTS
None
OUTPUTS
None
-------------------------- EXAMPLE 1 --------------------------
C:\PS>$ComputerName = 'localhost'
C:\PS>$ScriptLocation = '\\DC1\Uproot\Uproot.ps1'
C:\PS>$Name = 'SERVICE_CREATION'
C:\PS>$Query = "SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Service'"
C:\PS>$CommandLineArgs = "%TargetInstance.SystemName% 'SERVICE_CREATION' %TIME_CREATED% %TargetInstance.Name% %TargetInstance.PathName% %TargetInstance.DisplayName% %TargetInstance.State% %TargetInstance.StartMode% %TargetInstance.StartName% %TargetInstance.ServiceType%"
C:\PS>New-Signature -ComputerName $ComputerName -Name $Name -Query $Query `
    -ScriptLocation $ScriptLocation -CommandLineArgs $CommandLineArgs `
    -Verbose -Type "CommandLine"
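The three objects that New-Signature wraps can be created directly with Set-WmiInstance. The following is an added example, not Uproot's own code; it reuses the page's service-creation query but pairs it with a LogFileEventConsumer, so the subscription only records matching events to a file. The namespace, signature name and log path are assumptions.

```powershell
# Added example (not Uproot's own code): build the __EventFilter, consumer and
# __FilterToConsumerBinding that make up one permanent WMI event subscription.
$Namespace = 'root\subscription'                              # where permanent subscriptions live
$Name      = 'SERVICE_CREATION'                               # shared by filter, consumer and binding
$Query     = "SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Service'"
$LogPath   = 'C:\ProgramData\Uproot\service_creation.log'     # assumed path, create the folder first

# 1. __EventFilter: the WQL query that selects the events of interest.
#    EventNamespace is the namespace the query is evaluated in; Win32_Service lives in root\cimv2.
$Filter = Set-WmiInstance -Namespace $Namespace -Class __EventFilter -Arguments @{
    Name           = $Name
    EventNamespace = 'root\cimv2'
    QueryLanguage  = 'WQL'
    Query          = $Query
}

# 2. LogFileEventConsumer: the action taken when the filter fires. The Text
#    template uses the same %TargetInstance.<Property>% substitutions as the
#    CommandLineArgs in the page's example.
$Consumer = Set-WmiInstance -Namespace $Namespace -Class LogFileEventConsumer -Arguments @{
    Name     = $Name
    Filename = $LogPath
    Text     = '%TIME_CREATED% SERVICE_CREATION %TargetInstance.Name% %TargetInstance.PathName% %TargetInstance.StartName%'
}

# 3. __FilterToConsumerBinding: links the filter to the consumer. Passing the two
#    ManagementObjects sets the Filter and Consumer reference properties to their object paths.
$Binding = Set-WmiInstance -Namespace $Namespace -Class __FilterToConsumerBinding -Arguments @{
    Filter   = $Filter
    Consumer = $Consumer
}

# Verify the subscription exists, which is what Get-Signature -Name does.
Get-WmiObject -Namespace $Namespace -Class __FilterToConsumerBinding |
    Where-Object { $_.Filter -like "*Name=`"$Name`"" } |
    Select-Object Filter, Consumer
```

Creating these objects is itself an auditable event: Sysmon records the three classes as Event IDs 19 (WmiEventFilter), 20 (WmiEventConsumer) and 21 (WmiEventConsumerToFilter), and on current Windows versions the Microsoft-Windows-WMI-Activity/Operational log records new permanent consumer registrations as Event ID 5861. A host running Uproot should expect to see its own signatures there and treat any other subscription as something to review.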
RELATED LINKS
https://github.com/l00ps/Uproot/wiki/New-Signature
NAME
Get-Signature
SYNOPSIS
Gets the WMI Event Subscription Signatures that are running on the
local or remote computer
SYNTAX
Get-Signature [[-ComputerName] <String[]>] [-Type <String>]
[<CommonParameters>]
Get-Signature [[-ComputerName] <String[]>] [-Type <String>] -Name
<String> [<CommonParameters>]
DESCRIPTION
The Get-Signature cmdlet gets WMI Event Subscriptions on a local or
remote computer.
Without parameters, Get-Signature gets all of the WMI Event
Subscriptions on the local computer. You can also specify a
particular subscription by subscription name.
When a specific name is used, Get-Signature returns an array of the
__EventFilter, CommandLineEventConsumer, and __FilterToConsumerBinding
corresponding to the given name. When no name is specified, the
Get-Signature cmdlet returns all __FilterToConsumerBinding objects.
PARAMETERS
-ComputerName <String[]>
Gets the WMI Event Subscriptions running on the specified computers.
The default is the local computer.
Type the NetBIOS name, an IP address, or a fully qualified domain
name of one or more computers.
This parameter does not rely on Windows PowerShell remoting. You
can use the ComputerName parameter of Get-Signature as long as the
remote computer has its RPC Server running. Additionally,
PowerShell must be run with appropriate credentials for the remote
endpoint.
Required? false
Position? 1
Default value localhost
Accept pipeline input? true (ByValue)
Accept wildcard characters? false
-Type <String>
Specifies the type of consumer to get: CommandLine
(CommandLineEventConsumer) or LogFile (LogFileEventConsumer). The
default is CommandLine.
Required? false
Position? named
Default value CommandLine
Accept pipeline input? false
Accept wildcard characters? false
-Name <String>
Specifies the Name of the Signature to get.
Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer and OutVariable. For more information, see
about_CommonParameters
(http://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
None
OUTPUTS
System.Management.Automation.PSCustomObject
By default, Get-Signature returns an object of type
System.Management.Automation.PSCustomObject which contains objects that
are of the __FilterToConsumerBinding object type. If the -Name
Parameter is used then Get-Signature returns a PSCustomObject that
contains an array of __EventFilter, CommandLineEventConsumer, and
__FilterToConsumerBinding objects that correspond with the specified
name.
-------------------------- EXAMPLE 1 --------------------------
C:\PS>Get-Signature
-------------------------- EXAMPLE 2 --------------------------
C:\PS>Get-Signature -ComputerName HOST1
-------------------------- EXAMPLE 3 --------------------------
C:\PS>Get-Signature -ComputerName HOST1,HOST2 -Name "SIGNATURE1"
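Get-Signature returns the raw binding objects; to judge a subscription a reviewer also needs the filter's query and the consumer's action. The following added example (not Uproot's own code) dereferences each __FilterToConsumerBinding on one or more hosts into a flat report. Like Get-Signature it uses DCOM/RPC rather than PowerShell remoting; the function name and the host list are assumptions.

```powershell
# Added example (not Uproot's own code): resolve every permanent WMI event
# subscription to "which query" and "which action", plus who created it.
function Get-WmiSubscriptionReport {
    param(
        [string[]] $ComputerName = 'localhost',
        [string]   $Namespace    = 'root\subscription'
    )
    foreach ($Computer in $ComputerName) {
        $Bindings = Get-WmiObject -ComputerName $Computer -Namespace $Namespace -Class __FilterToConsumerBinding
        foreach ($Binding in $Bindings) {
            # Filter and Consumer are relative object paths such as
            # __EventFilter.Name="SERVICE_CREATION"; the [wmi] accelerator dereferences them.
            $Filter   = [wmi]"\\$Computer\${Namespace}:$($Binding.Filter)"
            $Consumer = [wmi]"\\$Computer\${Namespace}:$($Binding.Consumer)"

            # Summarise the action by consumer class. CommandLine and ActiveScript
            # consumers execute code, so show exactly what they would run.
            $Action = switch ($Consumer.__CLASS) {
                'CommandLineEventConsumer'  { "$($Consumer.ExecutablePath) $($Consumer.CommandLineTemplate)" }
                'ActiveScriptEventConsumer' { "$($Consumer.ScriptingEngine): $($Consumer.ScriptFileName)$($Consumer.ScriptText)" }
                'LogFileEventConsumer'      { "log -> $($Consumer.Filename)" }
                default                     { $Consumer.__CLASS }
            }

            # CreatorSID is stored as a byte array on the binding; turn it into S-1-5-... form.
            $Creator = if ($Binding.CreatorSID) {
                (New-Object System.Security.Principal.SecurityIdentifier($Binding.CreatorSID, 0)).Value
            } else { $null }

            [pscustomobject]@{
                ComputerName  = $Computer
                Name          = $Filter.Name
                ConsumerClass = $Consumer.__CLASS
                Query         = $Filter.Query
                Action        = $Action.Trim()
                CreatorSID    = $Creator
            }
        }
    }
}

# Usage: list every subscription on the assumed hosts, code-executing consumers first.
Get-WmiSubscriptionReport -ComputerName 'localhost' |
    Sort-Object ConsumerClass |
    Format-Table -AutoSize
```

Run against a fleet, the report lets you diff the set of subscriptions against the signatures Uproot is expected to have installed; any binding whose name, query or action is not in that list is worth investigating, since permanent subscriptions run as SYSTEM and survive reboots.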
RELATED LINKS
https://github.com/l00ps/Uproot/wiki/Get-Signature
NAME
Remove-Signature
SYNOPSIS
Removes a WMI Event Subscription.
SYNTAX
Remove-Signature [-InputObject <Object>] [-WhatIf] [-Confirm]
[<CommonParameters>]
Remove-Signature [-ComputerName <String[]>] [-Type <String>] -Name
<String> [-WhatIf] [-Confirm] [<CommonParameters>]
DESCRIPTION
The Remove-Signature cmdlet deletes WMI Event Subscriptions.
Subscriptions can be passed via the pipeline from Get-Signature, or
their name and type can be specified as arguments.
Remove-Signature removes the Filter, Consumer, and Binding for each
Signature.
PARAMETERS
-InputObject <Object>
An object created by Get-Signature that can be passed via the
pipeline to Remove-Signature for deletion.
Required? false
Position? named
Default value
Accept pipeline input? true (ByValue)
Accept wildcard characters? false
-ComputerName <String[]>
Removes WMI Event Subscriptions running on the specified computers.
The default is the local computer.
Type the NetBIOS name, and IP address, or a fully qualified domain
name of one or more computers.
This parameter does not rely on Windows PowerShell remoting. You
can use the ComputerName parameter of Remove-Signature as long as the
remote computer has its RPC Server running. Additionally,
PowerShell must be run with appropriate credentials for the remote
endpoint.
Required? false
Position? named
Default value localhost
Accept pipeline input? false
Accept wildcard characters? false
-Type <String>
The type of the consumer to be removed. Can be either CommandLine
(CommandLineEventConsumer) or LogFile (LogFileEventConsumer).
If an object is received via the pipeline, the Type parameter is not
used.
Required? false
Position? named
Default value CommandLine
Accept pipeline input? false
Accept wildcard characters? false
-Name <String>
Contains the name of the Signature that should be removed.
If an object is received via the pipeline, the Name parameter is not
used.
Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-WhatIf [<SwitchParameter>]
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Confirm [<SwitchParameter>]
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer and OutVariable. For more information, see
about_CommonParameters
(http://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
Signature Array (Consumer, Filter, Binding)
OUTPUTS
None
-------------------------- EXAMPLE 1 --------------------------
C:\PS>Get-Signature -ComputerName HOST1 -Name SIGNATURE | Remove-Signature
-------------------------- EXAMPLE 2 --------------------------
C:\PS>Remove-Signature -ComputerName HOST1 -Name SERVICE_SIGNATURE
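Remove-Signature deletes the binding, filter and consumer that share a name. The following added example (not Uproot's own code) does the same with Remove-WmiObject, deleting the binding first so that no binding is ever left pointing at an object that no longer exists, and honouring -WhatIf and -Confirm the way Remove-Signature does. The function name is an assumption; the parameters mirror the cmdlet's.

```powershell
# Added example (not Uproot's own code): remove one permanent WMI event
# subscription by name, binding first, then filter, then consumer.
function Remove-WmiSubscription {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $Name,
        [string] $ComputerName = 'localhost',
        [ValidateSet('CommandLine', 'LogFile')] [string] $Type = 'CommandLine'
    )
    $Namespace     = 'root\subscription'
    $ConsumerClass = "${Type}EventConsumer"          # CommandLineEventConsumer or LogFileEventConsumer

    # The name is interpolated into a WQL WHERE clause below, so refuse quote characters
    # rather than trying to escape them.
    if ($Name -match "['`"]") { throw "Signature name must not contain quotes: $Name" }

    # Bindings have no Name property; match on the Filter reference path instead.
    $Binding  = Get-WmiObject -ComputerName $ComputerName -Namespace $Namespace -Class __FilterToConsumerBinding |
                Where-Object { $_.Filter -like "*Name=`"$Name`"" }
    $Filter   = Get-WmiObject -ComputerName $ComputerName -Namespace $Namespace -Class __EventFilter -Filter "Name='$Name'"
    $Consumer = Get-WmiObject -ComputerName $ComputerName -Namespace $Namespace -Class $ConsumerClass -Filter "Name='$Name'"

    foreach ($Object in @($Binding, $Filter, $Consumer)) {
        if ($null -eq $Object) { continue }          # already gone, or never created
        $Target = "\\$ComputerName\${Namespace}:$($Object.__RELPATH)"
        if ($PSCmdlet.ShouldProcess($Target, 'Remove WMI object')) {
            Remove-WmiObject -InputObject $Object
        }
    }
}

# Usage: preview first, then remove for real.
Remove-WmiSubscription -ComputerName 'HOST1' -Name 'SERVICE_SIGNATURE' -WhatIf
Remove-WmiSubscription -ComputerName 'HOST1' -Name 'SERVICE_SIGNATURE' -Confirm
```

Deleting in this order matters when a removal is interrupted: a leftover filter or consumer with no binding is inert, whereas a leftover binding would keep firing until its referenced objects were also cleaned up. A final Get-WmiObject on __FilterToConsumerBinding, as in Get-Signature, confirms nothing is left behind.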
RELATED LINKS
https://github.com/l00ps/Uproot/wiki/New-Signature