Developed by @jaredcatkinson, @mattifestation
An Event Filter (__EventFilter) is a WMI Query Language (WQL) query that specifies the type of object to look for (for more details on WQL, see Ravikanth Chaganti's free ebook). Event Consumers (__EventConsumer) are the action component of the Event Subscription: they tell the subscription what to do with an object that makes it past the filter. There are five default event consumers in Windows: ActiveScriptEventConsumer (runs arbitrary VBScript or JScript code), CommandLineEventConsumer (executes an arbitrary command), LogFileEventConsumer (writes to a specified flat log file), NtEventLogEventConsumer (creates a new event log), and SMTPEventConsumer (sends an email). Lastly, the Binding (__FilterToConsumerBinding) pairs a Filter with a Consumer.
Get-ActiveScriptEventConsumer -
Get-CommandLineEventConsumer -
Get-LogFileEventConsumer -
Get-NtEventLogEventConsumer -
Get-SmtpEventLogEventConsumer -
Get-WmiEventConsumer -
Get-WmiEventFilter -
Get-WmiEventSubscription -
New-ActiveScriptEventConsumer -
New-CommandLineEventConsumer -
New-LogFileEventConsumer -
New-NtEventLogEventConsumer -
New-SmtpEventConsumer -
New-WmiEventConsumer -
New-WmiEventFilter -
New-WmiEventSubscription -
New-CimSessionDcom -
Register-PermanentWmiEvent -
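
The filter, consumer and binding relationship described above can be audited with the built-in CIM cmdlets. The following is an added example, not part of this module: the function name `Get-WmiSubscriptionAudit` is hypothetical, and it assumes subscriptions are registered in the `root/subscription` namespace (pass another namespace to check it as well).

```powershell
# Added example (not module code): join each binding to its filter and consumer
# so the WQL trigger and the resulting action can be reviewed side by side.
function Get-WmiSubscriptionAudit {
    param(
        # Assumption: subscriptions live in root/subscription.
        [string]$Namespace = 'root/subscription'
    )

    # Index filters by their key property (Name).
    $filters = @{}
    Get-CimInstance -Namespace $Namespace -ClassName __EventFilter |
        ForEach-Object { $filters[$_.Name] = $_ }

    # Querying the abstract base class returns instances of every consumer subclass.
    $consumers = @{}
    Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer |
        ForEach-Object { $consumers["$($_.CimSystemProperties.ClassName)|$($_.Name)"] = $_ }

    # Each binding holds a reference to one filter and one consumer.
    Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding |
        ForEach-Object {
            $filterName    = $_.Filter.Name
            $consumerClass = $_.Consumer.CimSystemProperties.ClassName
            $consumerName  = $_.Consumer.Name
            $filter   = $filters[$filterName]
            $consumer = $consumers["$consumerClass|$consumerName"]

            # The action is stored in a different property for each consumer class.
            $action = switch ($consumerClass) {
                'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
                'ActiveScriptEventConsumer' { if ($consumer.ScriptFileName) { $consumer.ScriptFileName } else { $consumer.ScriptText } }
                'LogFileEventConsumer'      { $consumer.Filename }
                'NTEventLogEventConsumer'   { "$($consumer.SourceName) / EventID $($consumer.EventID)" }
                'SMTPEventConsumer'         { "$($consumer.SMTPServer) -> $($consumer.ToLine)" }
                default                     { $null }
            }

            [pscustomobject]@{
                FilterName    = $filterName
                Query         = $filter.Query
                ConsumerClass = $consumerClass
                ConsumerName  = $consumerName
                Action        = $action
                # Consumers that execute commands or scripts are reviewed first.
                ExecutesCode  = $consumerClass -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'
                # A binding whose filter or consumer no longer exists is worth a second look.
                Orphaned      = (-not $filter) -or (-not $consumer)
            }
        }
}

Get-WmiSubscriptionAudit | Sort-Object ExecutesCode -Descending | Format-List
```

Reading the `root/subscription` namespace typically requires an elevated session.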