Как мне кажется, нужно подписаться на системное событие SessionSwitch (https://docs.microsoft.com/en-us/dotnet/api/microsoft.win32.systemevents?redirectedfrom=MSDN&view=dotnet-plat-ext-6.0#events).
Вот такая строка работает в Powershell
Register-ObjectEvent -InputObject ([microsoft.win32.systemevents]) -EventName "SessionSwitch" -Action {"SessionSwitch detected.";Get-Process -Name powershell | Stop-Process -Force}
Add(MainForm,1220184,357,161)
{
Point(Handle)
link(onCreate,9836734:doExec,[])
}
Add(FormatStr,9241707,637,182)
{
DataCount=1
Mask="Register-ObjectEvent -InputObject ([microsoft.win32.systemevents]) -EventName "SessionSwitch" -Action {"Shutdown/Logoff detected.";Stop-Process -Id %1 -Force}\r\n"
Point(FString)
link(Str1,11443217:ProcessID,[])
}
Add(WinExec,9836734,406,175)
{
FileName="powershell"
Action="runas"
Point(ProcessID)
link(onExec,7769977:doDeferredEvent,[])
}
Add(FindWindow,15095067,518,175)
{
ClassName="ConsoleWindowClass"
SkipParam=1
link(onFind,3494617:doEvent1,[])
}
Add(DeferredEvent,7769977,462,175)
{
Delay=1000
link(onDeferredEvent,15095067:doFind,[])
}
Add(Hub,3494617,574,175)
{
OutCount=4
link(onEvent1,11443217:doWinInfo,[(599,181)(599,139)])
link(onEvent2,9241707:doString,[])
link(onEvent3,4107439:doSetText,[(627,195)(627,237)])
link(onEvent4,4107439:doPut,[(620,202)(620,244)])
}
Add(WinInfo,11443217,623,133)
{
Point(ProcessID)
link(Handle,1220184:Handle,[(629,103)(334,103)(334,205)(363,205)])
}
Add(ClipboardHook,4107439,637,231)
{
Point(Handle)
link(Text,9241707:FString,[])
}
Поиск
Друзья
Администрация