File tree 1 file changed +66
-11
lines changed
src/PowerShell.Core.Instrumentation
1 file changed +66
-11
lines changed Original file line number Diff line number Diff line change 21842184 value="0x6017"
21852185 version="1"
21862186 />
2187- <event
2187+ <event
21882188 channel="C_ANALYTIC"
21892189 keywords="AmsiState"
21902190 level="win:Verbose"
21962196 value="0x4001"
21972197 version="1"
21982198 />
2199+ <event
2200+ channel="C_ANALYTIC"
2201+ keywords="WDACQuery"
2202+ level="win:Verbose"
2203+ message="$(string.PS_PROVIDER.event.E_A_WDACQuery.message)"
2204+ opcode="Method"
2205+ symbol="WDACQuery"
2206+ task="WDAC"
2207+ template="T_WDACQuery"
2208+ value="0x4002"
2209+ version="1"
2210+ />
2211+ </events>
21992212 </events>
22002213 <channels>
22012214 <!--There are two channels defined for Windows PowerShell instrumentation
24192432 symbol="T_ISEOperation"
24202433 value="120"
24212434 />
2422- <task
2435+ <task
24232436 message="$(string.PS_PROVIDER.task.T_AmsiState.message)"
24242437 name="Amsi"
24252438 symbol="T_Amsi"
24262439 value="130"
2440+ />
2441+ <task
2442+ message="$(string.PS_PROVIDER.task.T_WDACQuery.message)"
2443+ name="WDAC"
2444+ symbol="T_WDAC"
2445+ value="131"
24272446 />
24282447 </tasks>
24292448 <opcodes>
25852604 name="PSWorkflow"
25862605 symbol="K_PSWORKFLOW"
25872606 />
2588- <keyword
2607+ <keyword
25892608 mask="0x400"
25902609 message="$(string.PS_PROVIDER.keyword.K_AmsiState.message)"
25912610 name="AmsiState"
25922611 symbol="K_AmsiState"
2612+ />
2613+ <keyword
2614+ mask="0x800"
2615+ message="$(string.PS_PROVIDER.keyword.K_WDACQuery.message)"
2616+ name="WDACQuery"
2617+ symbol="K_WDACQuery"
25932618 />
25942619 </keywords>
25952620 <maps>
40484073 name="FileName"
40494074 />
40504075 </template>
4051- <template tid="T_AmsiState">
4052- <data
4053- inType="win:UnicodeString"
4054- name="Action"
4076+ <template tid="T_AmsiState">
4077+ <data
4078+ inType="win:UnicodeString"
4079+ name="Action"
4080+ />
4081+ <data
4082+ inType="win:UnicodeString"
4083+ name="AmsiContext"
4084+ />
4085+ </template>
4086+ <template tid="T_WDACQuery">
4087+ <data
4088+ inType="win:UnicodeString"
4089+ name="QueryName"
40554090 />
4056- <data
4057- inType="win:UnicodeString"
4058- name="AmsiContext"
4091+ <data
4092+ inType="win:UnicodeString"
4093+ name="FileName"
4094+ />
4095+ <data
4096+ inType="win:Int32"
4097+ name="QuerySuccess"
40594098 />
4060- </template>
4099+ <data
4100+ inType="win:Int32"
4101+ name="QuerySResult"
4102+ />
4103+ </template>
40614104 </templates>
40624105 </provider>
40634106 </events>
56755718 id="PS_PROVIDER.event.E_O_REMOTE_NAMEDPIPE_DISCONNECT.message"
56765719 value="Windows PowerShell IPC disconnect on process: %1 in AppDomain: %2 for User: %3."
56775720 />
5721+ <string
5722+ id="PS_PROVIDER.event.E_A_WDACQuery.message"
5723+ value="WDAC Query. %n %t Query: %1 %n %t File: %2 %n %t SuccessCode: %3 %n %t ResultCode: %4"
5724+ />
5725+ <string
5726+ id="PS_PROVIDER.keyword.K_WDACQuery.message"
5727+ value="WDAC Query"
5728+ />
5729+ <string
5730+ id="PS_PROVIDER.task.T_WDACQuery.message"
5731+ value="WDAC Query"
5732+ />
56785733 </stringTable>
56795734 </resources>
56805735 </localization>
You can’t perform that action at this time.
0 commit comments