Set-HKLMrunKey.ps1


<#PSScriptInfo
 
.VERSION 1.0.1
 
.GUID 166e9b28-f99e-4714-8a69-3d2bd87df331
 
.AUTHOR Sea Star Development
 
.COMPANYNAME Sea Star Development
 
.COPYRIGHT
 
.TAGS registry change Run key script
 
.LICENSEURI
 
.PROJECTURI
 
.ICONURI
 
.EXTERNALMODULEDEPENDENCIES
 
.REQUIREDSCRIPTS
 
.EXTERNALSCRIPTDEPENDENCIES
 
.RELEASENOTES
 
 
.PRIVATEDATA
 
#>


<#
 
.DESCRIPTION
 Issues a warning when the HKLM registry Run key is changed.
 
#>
 

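Param()


###############################################################################
# Set-HKLMrunKey watches the registry key
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run for changes. On each change
# it writes a Warning event to the Application event log and then shows a
# message box that times out after 10 seconds. Run once per session from
# $profile via ".\Set-HKLMrunKey".
#
# Coverage notes for anyone relying on this as a persistence alert:
#  - Only this one key is watched. RunOnce, the per-user Run keys and the
#    Wow6432Node (32-bit) view are separate keys and are not covered.
#  - The subscription lives in the current PowerShell session only; changes
#    made while no session has it registered are not reported.
#  - RegistryKeyChangeEvent reports that the key changed, not which value, so
#    the logged message carries a snapshot of the current values for triage.
###############################################################################

$hive = "HKEY_LOCAL_MACHINE"
# WQL treats the backslash as an escape character, so each path separator is
# doubled; PowerShell itself passes the string through unchanged.
$keyPath = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

# The action runs later, after this script has returned, so it does not rely on
# $hive/$keyPath and spells the key out itself.
$action = {
    $HKLM = 'The key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' +
       ' has been modified; check if the change is intentional.'
    $logType = 2    # WScript.Shell LogEvent type 2 = Warning

    # Best-effort snapshot of the key's values. A failure here must never stop
    # the warning itself from being logged, so it is caught and noted instead.
    $details = $HKLM
    try {
        $runKey = Get-Item -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction Stop
        $entries = foreach ($valueName in $runKey.GetValueNames()) {
            '{0} = {1}' -f $valueName, $runKey.GetValue($valueName)
        }
        $details = $HKLM + "`r`nCurrent values:`r`n" + ($entries -join "`r`n")
    } catch {
        $details = $HKLM + "`r`n(Current values could not be read: $($_.Exception.Message))"
    }

    $shell = New-Object -ComObject WScript.Shell
    # Log first: the event-log entry is the durable record, while Popup blocks
    # for up to 10 seconds and leaves nothing behind once it closes.
    $shell.LogEvent($logType, $details) | Out-Null
    # 10 = timeout in seconds, 48 = exclamation-mark icon.
    $shell.Popup($HKLM, 10, 'PS Automatic Event Monitor', 48) | Out-Null
}
$query = "SELECT * FROM RegistryKeyChangeEvent WHERE Hive = '$hive' AND KeyPath = '$keyPath'"

# Re-running the script in the same session would otherwise fail because the
# source identifier is already taken. -Force is required on both cmdlets
# because -SupportEvent hides the subscription from the default listing.
if (Get-EventSubscriber -SourceIdentifier HKLMRunKey -Force -ErrorAction SilentlyContinue) {
    Unregister-Event -SourceIdentifier HKLMRunKey -Force
}

Register-WmiEvent -Query $query -Namespace 'root\default' `
    -SourceIdentifier HKLMRunKey -SupportEvent -Action $action | Out-Null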