Skip to content

Instantly share code, notes, and snippets.

@svch0stz

svch0stz/defenderwatch.ps1

Last active November 18, 2022 01:03
Show Gist options
  • Star 18 You must be signed in to star a gist
  • Fork 7 You must be signed in to fork a gist
  • Save svch0stz/82b501087bae9f0e27c6a00ebf18daaf to your computer and use it in GitHub Desktop.
Save svch0stz/82b501087bae9f0e27c6a00ebf18daaf to your computer and use it in GitHub Desktop.
Download ZIP
WMI Watcher for Windows Defender RealtimeMonitoring
Raw
defenderwatch.ps1
$WMI = @{
Query = "SELECT * FROM __InstanceModificationEvent WITHIN 5 WHERE TargetInstance ISA 'MSFT_MpPreference' AND TargetInstance.DisableRealtimeMonitoring=True"
Action = {
#$Global:Data = $Event
Write-Host "Defender Configuration change - DisableRealtimeMonitoring:"$Event.SourceEventArgs.NewEvent.TargetInstance.DisableRealtimeMonitoring"(Old Value:"$Event.SourceEventArgs.NewEvent.PreviousInstance.DisableRealtimeMonitoring")"
}
Namespace = 'root\microsoft\windows\defender'
SourceIdentifier = "Defender.DisableRealtimeMonitoring"
}
$Null = Register-WMIEvent @WMI
#Uninstall: Unregister-Event Defender.DisableRealtimeMonitoring
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment