If a docx file is created or modified within 30 seconds, the action runs:
$query = 'select * from __instanceOperationEvent WITHIN 30 WHERE ((__CLASS = "__instanceCreationEvent" OR __CLASS = "__InstanceModificationEvent") AND (TargetInstance ISA "CIM_DataFile") AND (TargetInstance.Extension = "docx"))'
Register-WmiEvent -Query $query -Action {Write-Host "defined action"}
If notepad is started, a custom action is performed:
$wu = "Select * from win32_ProcessStartTrace where processname = 'notepad.exe'"
Register-WmiEvent -Query $wu -Action {Write-Host "defined action"}
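The same two subscriptions with actions that read the event data, plus listing and cleanup, as an added example that is not part of the original post. It assumes Windows PowerShell 5.1 in an elevated session; the 'Demo.*' source identifiers, the log path and the Stop-DemoWatch function are hypothetical names.

```powershell
# Added example: names below (Demo.*, wmi-events.log, Stop-DemoWatch) are assumptions.
# Win32_ProcessStartTrace requires an elevated session.
$log = Join-Path $env:TEMP 'wmi-events.log'

# The two queries from the post, unchanged.
$docQuery  = 'select * from __instanceOperationEvent WITHIN 30 WHERE ((__CLASS = "__instanceCreationEvent" OR __CLASS = "__InstanceModificationEvent") AND (TargetInstance ISA "CIM_DataFile") AND (TargetInstance.Extension = "docx"))'
$procQuery = "Select * from win32_ProcessStartTrace where processname = 'notepad.exe'"

# File events: NewEvent.__CLASS tells creation from modification,
# NewEvent.TargetInstance is the CIM_DataFile that changed.
Register-WmiEvent -Query $docQuery -SourceIdentifier 'Demo.DocxChange' -MessageData $log -Action {
    $e    = $Event.SourceEventArgs.NewEvent
    $line = '{0:o} {1} {2}' -f $Event.TimeGenerated, $e.__CLASS, $e.TargetInstance.Name
    Add-Content -Path $Event.MessageData -Value $line
} | Out-Null

# Process events: the trace event carries the name, PID and parent PID directly.
Register-WmiEvent -Query $procQuery -SourceIdentifier 'Demo.NotepadStart' -MessageData $log -Action {
    $e    = $Event.SourceEventArgs.NewEvent
    $line = '{0:o} start {1} pid={2} ppid={3}' -f $Event.TimeGenerated,
            $e.ProcessName, $e.ProcessID, $e.ParentProcessID
    Add-Content -Path $Event.MessageData -Value $line
} | Out-Null

# Show what is registered in this session.
Get-EventSubscriber |
    Where-Object SourceIdentifier -like 'Demo.*' |
    Format-Table SubscriptionId, SourceIdentifier -AutoSize

# Call when finished: removes the subscriptions and their background event jobs.
function Stop-DemoWatch {
    Get-EventSubscriber | Where-Object SourceIdentifier -like 'Demo.*' | Unregister-Event
    Get-Job | Where-Object Name -like 'Demo.*' | Remove-Job -Force
}
```

Subscriptions created with Register-WmiEvent exist only for the lifetime of the PowerShell session that registered them.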