
WMI Event Watcher notification for Windows Defender

Introduction

In this post, I’m just playing with the Windows Management Instrumentation (WMI) Event Watcher task to watch for a few events. As per Microsoft, the WMI Event Watcher task detects changes in your system. It uses WQL (Windows Management Instrumentation Query Language) to describe the event(s) it is listening for. Microsoft says that we might use the task for scenarios such as the following:

  • When a file is added to a folder
  • When a server’s hard disk free space drops below a certain percentage
  • When a server’s free memory drops below a certain percentage
  • When an application is installed

WQL Query

To detect whether Microsoft Defender Antivirus real-time monitoring is disabled, i.e. whether DisableRealtimeMonitoring is True, the WQL query would be:

Query = "SELECT * FROM __InstanceModificationEvent WITHIN 5 WHERE TargetInstance ISA 'MSFT_MpPreference' AND TargetInstance.DisableRealtimeMonitoring=True"

Let me break down this query to make it clearer.

In the query, the WHERE clause checks for a TargetInstance whose type is MSFT_MpPreference. MSFT_MpPreference is a WMI class which has a DisableRealtimeMonitoring property of type boolean. By default it is False while Windows Defender real-time protection is turned on; we are looking for it becoming True.

The SELECT and FROM clauses show that we are selecting all (*) __InstanceModificationEvent instances. __InstanceModificationEvent is a WMI class that reports an instance modification event, generated when an instance changes in the namespace. Such an event also carries a PreviousInstance value, which lets us compare the PreviousInstance with the TargetInstance.

So we are selecting all WMI instance modification events in which the DisableRealtimeMonitoring property is TRUE. The WITHIN clause sets the polling interval: WMI checks for instance modification events matching our WHERE condition every 5 seconds and notifies us of any it finds.

If the DisableRealtimeMonitoring property becomes TRUE, i.e. if Defender real-time monitoring is turned off, the action we’ve created displays a NotifyIcon with a custom message to the user:

    Action = {
        # Build a tray balloon tip, reusing the icon of the current PowerShell process
        Add-Type -AssemblyName System.Windows.Forms
        $global:balmsg = New-Object System.Windows.Forms.NotifyIcon
        $path = (Get-Process -id $pid).Path
        $balmsg.Icon = [System.Drawing.Icon]::ExtractAssociatedIcon($path)
        $balmsg.BalloonTipIcon = [System.Windows.Forms.ToolTipIcon]::Warning
        $balmsg.BalloonTipText = 'MS Defender has been disabled remotely'
        $balmsg.BalloonTipTitle = "Alert from Administrator for $Env:USERNAME"
        $balmsg.Visible = $true
        $balmsg.ShowBalloonTip(20000)   # keep the balloon visible for up to 20 seconds
    }

Demo

When Defender is turned off remotely, a notification alert is displayed to the user as follows:

(Screenshot: Alert Defender)

The namespace has to be set to root\microsoft\windows\defender, and the WQL query and the action need to be placed together in a custom variable (a hashtable that is splatted into the cmdlet). In our case we have named it DefenderNotify and registered it as a WMI event with the command below:

Register-WMIEvent @DefenderNotify

The Register-WmiEvent cmdlet subscribes to the DefenderNotify WMI event and notifies us when DisableRealtimeMonitoring is set to TRUE.

To disable the WMI watcher task, run the command below:

Unregister-Event Defender.DisableRealtimeMonitoring
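Putting the pieces above together, here is an added example (not the post's own DefenderNotify.ps1) of the complete DefenderNotify hashtable: it sets the namespace, query, source identifier and action, and the action compares PreviousInstance with TargetInstance so it only fires on a real False-to-True transition and also appends a line to a log file. It assumes an elevated Windows PowerShell 5.1 session (Register-WmiEvent is not available in PowerShell 7) and the log path is a placeholder.

```powershell
# Added example: complete subscription for the DisableRealtimeMonitoring watcher.
# Assumes Windows PowerShell 5.1, run elevated; the log path below is a placeholder.
$DefenderNotify = @{
    Namespace        = 'root\Microsoft\Windows\Defender'
    Query            = "SELECT * FROM __InstanceModificationEvent WITHIN 5 WHERE TargetInstance ISA 'MSFT_MpPreference' AND TargetInstance.DisableRealtimeMonitoring=True"
    SourceIdentifier = 'Defender.DisableRealtimeMonitoring'
    Action           = {
        # $Event.SourceEventArgs.NewEvent is the __InstanceModificationEvent;
        # it carries the old and the new copy of the MSFT_MpPreference instance.
        $prev = $Event.SourceEventArgs.NewEvent.PreviousInstance
        $curr = $Event.SourceEventArgs.NewEvent.TargetInstance

        # Any change to MSFT_MpPreference while the property is already True also
        # matches the WHERE clause, so act only on the False -> True transition.
        if ($prev -and $prev.DisableRealtimeMonitoring -eq $false -and
            $curr.DisableRealtimeMonitoring -eq $true) {

            # Persist the change so it survives after the balloon disappears (placeholder path).
            $logDir = Join-Path $env:ProgramData 'DefenderNotify'
            New-Item -ItemType Directory -Path $logDir -Force | Out-Null
            $line = '{0:o} DisableRealtimeMonitoring {1} -> {2}' -f (Get-Date),
                    $prev.DisableRealtimeMonitoring, $curr.DisableRealtimeMonitoring
            Add-Content -Path (Join-Path $logDir 'events.log') -Value $line

            # Same balloon tip as in the post, shown to the interactive user.
            Add-Type -AssemblyName System.Windows.Forms
            $balmsg = New-Object System.Windows.Forms.NotifyIcon
            $balmsg.Icon = [System.Drawing.Icon]::ExtractAssociatedIcon((Get-Process -Id $PID).Path)
            $balmsg.BalloonTipIcon  = [System.Windows.Forms.ToolTipIcon]::Warning
            $balmsg.BalloonTipTitle = "Alert from Administrator for $env:USERNAME"
            $balmsg.BalloonTipText  = 'MS Defender real-time monitoring has been disabled'
            $balmsg.Visible = $true
            $balmsg.ShowBalloonTip(20000)
        }
    }
}

# Subscribe; the session must stay open for the action to run.
Register-WmiEvent @DefenderNotify

# To stop watching later:
# Unregister-Event -SourceIdentifier 'Defender.DisableRealtimeMonitoring'
```

Because the subscription lives in the session that created it, it disappears when that PowerShell process exits; a permanent WMI event subscription would be needed to keep watching across reboots.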

I have added it to a PowerShell script, DefenderNotify.ps1, which can be viewed here: https://github.com/ScarredMonk/DefenderNotify

References:

https://docs.microsoft.com/en-us/sql/integration-services/control-flow/wmi-event-watcher-task?view=sql-server-ver15

https://docs.microsoft.com/en-us/windows/win32/wmisdk/--instancemodificationevent

https://docs.microsoft.com/en-us/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)