This is a quick script that I put together a while back to help locate and track what systems had WMI event subscriptions configured.

I don’t want to completely rehash this topic as you can look at my previous blog post to catch up on all things permanent WMI subscriptions right here: https://learn-powershell.net/2013/08/14/powershell-and-events-permanent-wmi-event-subscriptions/ Feel free to give that a read and then head back over here to check out the script!

The basics of this script are performing WMI queries against the __EventFilter, __EventConsumer and __EventBinding WMI classes which are commonly located in the root/Subscription namespace.

Keep in mind that while I am using the root/Subscription namespace, these subscriptions can exist in other namespaces.

From there it is simply a matter of outputting everything as a single object which you can then dig deeper into by checking the Filter, Consumer and Binding properties.

You can download the script below and once you do, go ahead and dot source the script to load the Get-WMISubsciptionEvent function.

Get-WMIEventSubscription

Feel free to give it a download and let me know what you think!

Script Download

https://gallery.technet.microsoft.com/scriptcenter/List-all-WMI-Permanent-73e04ab4