diff --git a/scripts/Windows/OS/User/Add.ps1 b/scripts/Windows/OS/User/Add.ps1 index db271138..f4b5a4dc 100644 --- a/scripts/Windows/OS/User/Add.ps1 +++ b/scripts/Windows/OS/User/Add.ps1 @@ -141,7 +141,17 @@ function Start-EventDrivenTask() { ) $identifier = "EventLog$EventID"; Write-EventLog -LogName Application -Source "Application" -EventId $EventID -Message "This event was created by $env:Username"; - Register-WmiEvent -Query "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' AND EventIdentifier=$EventID" -SourceIdentifier "$identifier"; + + $applicationLog = Get-EventLog -List | Where-Object { $_.Log -eq "Application" }; + + Register-ObjectEvent -InputObject $applicationLog -EventName EntryWritten -Action { + $entry = $event.SourceEventArgs.Entry; + + if ($entry.EventID -eq $EventID) { + New-Event -SourceIdentifier $identifier; + } + }; + Wait-Event -SourceIdentifier $identifier; } -args $EventID }