Last active
October 29, 2022 14:28
-
-
Save mattifestation/dfdd41e5020f4286e9b6486545abc359 to your computer and use it in GitHub Desktop.
Enables AMSI logging to the AMSI/Operational event log
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $AutoLoggerName = 'MyAMSILogger' | |
| $AutoLoggerGuid = "{$((New-Guid).Guid)}" | |
| New-AutologgerConfig -Name $AutoLoggerName -Guid $AutoLoggerGuid -Start Enabled | |
| Add-EtwTraceProvider -AutologgerName $AutoLoggerName -Guid '{2A576B87-09A7-520E-C21A-4942F0271D67}' -Level 0xff -MatchAnyKeyword ([UInt64] (0x8000000000000001 -band ([UInt64]::MaxValue))) -Property 0x41 |
It does indeed appear to be gone in Win10 20H2. That said, I was never able to get anything logged previously using this technique, though I'm really not certain why.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Unless I am getting something wrong AMSI/Operational seems to have dissapeared in newer Windows 10 versions