WMI Event Subscriptions (OBJECTS.DATA)

windowsPersistence MechanismsDisk Image

Location

C:\Windows\System32\wbem\Repository\OBJECTS.DATA

Description

WMI repository containing permanent event subscriptions (EventFilter, EventConsumer, FilterToConsumerBinding) that execute arbitrary commands or scripts in response to system events.

Forensic Value

WMI event subscriptions are a stealthy persistence mechanism favored by advanced adversaries because they do not appear in traditional autoruns locations. Parsing OBJECTS.DATA reveals the trigger condition (e.g., system startup, user logon, interval timer) and the exact command or script payload. This persistence survives reboots and does not require files on disk if using ActiveScriptEventConsumer.

Tools Required

KAPEPyWMIPersistenceFinderAutoruns (Sysinternals)wmi-parser

Acquisition Methods

FTK Imager Full Disk Image

windows — physical

EnCase Forensic Full Disk Image

windows — physical

dd / dc3dd Raw Disk Image

windows — physical

Guymager Full Disk Image

windows — physical

FTK Imager Logical Image (AD1)

windows — logical