Author: davehull
Subject: Could not get WMI permissions
Posted: 16 July 2014 at 9:00pm
The WMI check was added to look for malware using it as a persistence mechanism; there have been documented cases of this going back a couple years. I've got a set of PowerShell scripts I wrote to pull WMI Event Consumers and Event Filters from hosts (before Mark added it to Autoruns). They are available from https://github.com/davehull/Kansa/tree/master/Modules/ASEP if you want to compare notes with what Autoruns is returning; I would expect the same or similar results. You'll likely have to run as admin to get access.
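
For readers who want to see what such a check looks at, the following is an added example, not part of the original post and not taken from the Kansa modules or from Autoruns. It lists each permanent WMI event subscription with its filter query and consumer action, assuming PowerShell 3.0 or later (for `Get-CimInstance`) and the standard `root\subscription` namespace; the `Action` column name is this example's own.

```powershell
# Added example: inventory permanent WMI event subscriptions for review.
# Run elevated; non-admin accounts are normally denied access to this namespace.
$ns = 'root\subscription'

try {
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction Stop)
    # Querying the base class also returns CommandLineEventConsumer,
    # ActiveScriptEventConsumer and the other consumer subclasses.
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction Stop)
    $bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction Stop)
}
catch {
    Write-Warning "Could not query ${ns} (are you running as admin?): $($_.Exception.Message)"
    return
}

# Index filters by name and consumers by class|name so bindings can be resolved.
$filterByName = @{}
foreach ($f in $filters) { $filterByName[$f.Name] = $f }

$consumerByKey = @{}
foreach ($c in $consumers) {
    $consumerByKey["$($c.CimSystemProperties.ClassName)|$($c.Name)"] = $c
}

# A binding is what makes a filter/consumer pair active, so report per binding.
$report = foreach ($b in $bindings) {
    $class = $b.Consumer.CimSystemProperties.ClassName
    $f = $filterByName[$b.Filter.Name]
    $c = $consumerByKey["$class|$($b.Consumer.Name)"]

    # Pick whichever action property this consumer class carries.
    $action = @($c.CommandLineTemplate, $c.ExecutablePath,
                $c.ScriptFileName, $c.ScriptText) |
              Where-Object { $_ } | Select-Object -First 1

    [pscustomobject]@{
        FilterName     = $b.Filter.Name
        Query          = $f.Query
        EventNamespace = $f.EventNamespace
        ConsumerClass  = $class
        ConsumerName   = $b.Consumer.Name
        Action         = $action
    }
}

$report | Sort-Object ConsumerClass, ConsumerName | Format-List
```

An empty report with no warning means the namespace was readable and holds no bindings; a warning means the query itself was refused or failed.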