I have some code that I was sure used to work which creates a permanent event handler. The code is:
# Create Event Filter
$EventFilter = ([WMICLASS]"\\.\root\subscription:__EventFilter").CreateInstance()
$EventFilter.QueryLanguage = "WQL"
$EventFilter.Query = "SELECT * FROM Win32_ProcessStartTrace"
$EVentFilter.EventNamespace = "root\cimv2"
$EventFilter.Name = "EF1"
$Result = $EventFilter.Put()
$Filter = $Result.Path # for later
CLS
#
# Create Logical Consumer
$InstanceConsumer = ([wmiclass]"\\.\root\subscription:LogFileEventConsumer").CreateInstance()
$InstanceConsumer.Name = "EC1"
$InstanceConsumer.FileName = "C:\Foo\ProcessLog.log"
$instanceConsumer.Text = "New process has been created: %ProcessName%"
$Result = $InstanceConsumer.Put()
$Consumer = $Result.Path # for later
NEW-ITEM C:\FOO\PROCESSLOG.LOG -ITEM FILE
#
# Bind event filter to consumer
$InstanceBinding = ([wmiclass]"\\.\root\subscription:__FilterToConsumerBinding").CreateInstance()
$InstanceBinding.Filter = $Filter # from earlier
$instanceBinding.Consumer = $Consumer # from earlier
$Result = $InstanceBinding.Put()
#
The code I am sure used to work - but now it just gives this error:
Exception calling "Put" with "0" argument(s): ""
At line:1 char:1
+ $Result = $EventFilter.Put()
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodExceptions
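The filter, consumer and binding created by a script like the one above are stored in the WMI repository under root\subscription and stay there until they are deleted, so it is worth being able to list and remove them. The following is an added example, not part of the original post; it reuses the names EF1 and EC1 from the post and assumes an elevated Windows PowerShell 5.1 session.

```powershell
# Added example: audit and clean up permanent WMI event subscription objects.
# Assumptions: Windows PowerShell 5.1 (Get-WmiObject is not in PowerShell 7),
# elevated session, and the instance names EF1 / EC1 used in the post.
$Namespace    = 'root\subscription'
$FilterName   = 'EF1'
$ConsumerName = 'EC1'

function Get-SubscriptionObject {
    # Return every filter, consumer and binding stored in the namespace.
    # __EventConsumer is the abstract base class, so querying it also returns
    # instances of derived classes such as LogFileEventConsumer.
    foreach ($Class in '__EventFilter', '__EventConsumer', '__FilterToConsumerBinding') {
        Get-WmiObject -Namespace $Namespace -Class $Class -ErrorAction SilentlyContinue
    }
}

# 1. Audit: show what is registered. Properties that a class does not have
#    (for example Query on a consumer) are simply left blank.
Get-SubscriptionObject |
    Select-Object __CLASS, Name, Query, FileName, Filter, Consumer |
    Format-List

# 2. Clean up in dependency order: binding, then consumer, then filter.
#    -WhatIf only reports what would be deleted; drop it to delete for real.

# The binding has no Name property; its Filter property is a reference string
# that ends in __EventFilter.Name="EF1", so match on that.
Get-WmiObject -Namespace $Namespace -Class __FilterToConsumerBinding |
    Where-Object { $_.Filter -like "*__EventFilter.Name=`"$FilterName`"*" } |
    Remove-WmiObject -WhatIf

Get-WmiObject -Namespace $Namespace -Class LogFileEventConsumer -Filter "Name='$ConsumerName'" |
    Remove-WmiObject -WhatIf

Get-WmiObject -Namespace $Namespace -Class __EventFilter -Filter "Name='$FilterName'" |
    Remove-WmiObject -WhatIf
```

The audit step on its own is a useful periodic check, since any entry in root\subscription that nobody can account for deserves a closer look.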