set-AVDDeallocateOnLogoff.ps1
<#
.SYNOPSIS
Force-creates a scheduled task that fires upon logoff of any user.
The currently configured code (base64 encoded) for this script then deallocates the Azure VM it runs on to save cost.
To decode / recode base64, use https://www.base64encode.org/ and select UTF-16LE as encoding type.
.NOTES
filename: deallocate_autoscheduler.ps1
author: Jos Lieben / jos@lieben.nu
copyright: Lieben Consultancy, free to use/modify as long as headers are kept intact
site: https://www.lieben.nu
Created: 18/08/2022
#>
# Registers a scheduled task named LC_AUTODEALLOCATE that runs an encoded PowerShell
# command as SYSTEM each time Security event 4647 is written. -Force on the final call
# overwrites an existing task of the same name.

# Event triggers have no dedicated New-ScheduledTaskTrigger switch, so a client-side
# MSFT_TaskEventTrigger CIM instance is created and filled in by hand.
$eventTriggerClass = Get-CimClass -Namespace 'Root/Microsoft/Windows/TaskScheduler:MSFT_TaskEventTrigger' -ClassName 'MSFT_TaskEventTrigger'
$logoffTrigger = New-CimInstance -CimClass $eventTriggerClass -ClientOnly

# Subscribe to event 4647 (user-initiated logoff) from the Security log.
# NOTE(review): the task fires only if that event is actually logged, so logoff
# auditing presumably has to be enabled on the image - confirm.
# NOTE(review): the query does not filter on the account, so on a host with several
# concurrent sessions a single logoff triggers the action - confirm the intended hosts.
$logoffTrigger.Subscription = @'
<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4647]]</Select></Query></QueryList>
'@
$logoffTrigger.Enabled = $True

# "-ex bypass" abbreviates -ExecutionPolicy Bypass. The -EncodedCommand value is Base64
# over UTF-16LE text and is opaque in this file, while the task runs as SYSTEM at the
# highest run level: whoever can edit this script or the registered task decides what
# runs as SYSTEM. Review the decoded payload before deployment, and decode it locally
# rather than in a web tool, e.g.
#   [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('<payload>'))
# Encoded commands in SYSTEM tasks commonly match EDR/SIEM detections, so record the
# task name and expected payload hash with the monitoring team.
$encodedCommandLine = "-ex bypass -EncodedCommand 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"
$deallocateAction = New-ScheduledTaskAction -Execute "powershell.exe" -Argument $encodedCommandLine

# Splat the registration parameters; the task object returned by the cmdlet is discarded.
$registration = @{
    TaskName = "LC_AUTODEALLOCATE"
    Trigger  = $logoffTrigger
    User     = "SYSTEM"
    Action   = $deallocateAction
    RunLevel = 'Highest'
    Force    = $true
}
Register-ScheduledTask @registration | Out-Null