Hi,
I have been struggling with a compiled MOF. What I'm trying to do is create an event filter which triggers when a FIDO key is removed from a machine. I am then trying to configure an event consumer to execute rundll32.exe user32.dll,LockWorkStation which will then lock the workstation whenever a FIDO key is removed.
Please see the MOF below:
// Permanent subscription objects live in root\subscription.
// Backslashes inside MOF string literals must be escaped.
#pragma namespace("\\\\.\\root\\subscription")

instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name = "Test Command Line Event Filter";
    // Adjacent string literals are concatenated by the MOF compiler.
    Query = "Select * From __InstanceDeletionEvent Within 2 "
            "Where TargetInstance Isa 'Win32_PNPEntity' "
            "And TargetInstance.Manufacturer LIKE 'FIDO' ";
    QueryLanguage = "WQL";
};

instance of CommandLineEventConsumer as $Consumer
{
    Name = "Test CommandLine Event Consumer";
    RunInteractively = false;
    CommandLineTemplate = "cmd /c "
                          "rundll32.exe user32.dll,LockWorkStation";
};

instance of __FilterToConsumerBinding
{
    Consumer = $Consumer;
    Filter = $EventFilter;
};
The MOF compiles fine and I can see 'cmd.exe' and 'rundll32.exe' are fired in Task Manager under SYSTEM, but the machine does not lock. It's almost like the user32.dll,LockWorkStation part of the MOF is not processed. I have tried many, many variations to try and get this working, from PowerShell to calling a .bat file (https://learn.microsoft.com/en-us/windows/win32/wmisdk/running-a-program-from-the-command-line-based-on-an-event), but nothing seems to have the desired outcome.
I have also tried to create an .exe file which runs the PowerShell script inline: Invoke-Command {rundll32.exe user32.dll,LockWorkStation}. When executing the .exe MANUALLY (i.e. double-clicking on the .exe) it locks my workstation with no issue. I have also tried to bake this into the MOF by using the 'ExecutablePath' property. I can see the .exe is executed under SYSTEM in Task Manager but again, my screen is not locked.
I have also tried to execute the .exe by following the guide at https://learn.microsoft.com/en-us/windows/win32/wmisdk/commandlineeventconsumer.
Below is the edited code:
instance of CommandLineEventConsumer as $Consumer
{
    Name = "Test CommandLine Event Consumer";
    RunInteractively = false;
    // Backslashes in MOF string literals must be doubled.
    ExecutablePath = "c:\\windows\\system32\\cmd.exe";
    // Adjacent literals are joined with no separator, so the space and
    // the /c switch are needed for cmd.exe to actually run the batch file.
    CommandLineTemplate = "C:\\windows\\system32\\cmd.exe /c "
                          "C:\\Scripts\\fido.bat";
};
With the above... I can just see cmd.exe executed twice under SYSTEM in Task Manager.
Basically at my wits' end trying to nail this one. Any help would be much appreciated.
Thank you!
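As an added example (not code from the original post): the post's WQL filter registered as a temporary subscription from a PowerShell process running on the logged-on user's interactive desktop, which is the only place the LockWorkStation API is documented to take effect. The P/Invoke wrapper and the 'FidoRemovedLock' source identifier are this example's own assumptions.

```powershell
# Temporary (process-lifetime) WMI subscription, intended to be started in
# the user's interactive session, e.g. from a logon task or profile script.
# Query text and class names are taken from the post above.
$query = "SELECT * FROM __InstanceDeletionEvent WITHIN 2 " +
         "WHERE TargetInstance ISA 'Win32_PnPEntity' " +
         "AND TargetInstance.Manufacturer LIKE 'FIDO'"

# Expose user32!LockWorkStation to PowerShell (assumed wrapper, not from the post).
Add-Type -Namespace Win32 -Name Desktop -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true)]
public static extern bool LockWorkStation();
'@

# Runs in this process, so it inherits the interactive session and desktop.
$action = {
    $dev = $Event.SourceEventArgs.NewEvent.TargetInstance
    Write-Host ("{0:s} FIDO device removed: {1}" -f (Get-Date), $dev.Name)
    if (-not [Win32.Desktop]::LockWorkStation()) {
        Write-Warning ("LockWorkStation failed, Win32 error {0}" -f
            [Runtime.InteropServices.Marshal]::GetLastWin32Error())
    }
}

Register-CimIndicationEvent -Namespace 'root\cimv2' -Query $query `
    -SourceIdentifier 'FidoRemovedLock' -Action $action

# Keep the process alive; the subscription is removed when it exits.
try { while ($true) { Start-Sleep -Seconds 5 } }
finally { Unregister-Event -SourceIdentifier 'FidoRemovedLock' }
```

Because this is a temporary subscription, nothing is written to root\subscription and it has to be re-registered at each logon.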