2023-03-20T05:53:00.4766991 SMBtotheCloud \Post-ESP-Reboot true <QueryList><Query Id="0" Path="Microsoft-Windows-User Device Registration/Admin"><Select Path="Microsoft-Windows-User Device Registration/Admin">*[System[Provider[@Name='Microsoft-Windows-User Device Registration'] and EventID=300]]</Select></Query></QueryList> S-1-5-18 HighestAvailable IgnoreNew false true true false false true false true true false false false true false PT72H 7 powershell.exe -executionpolicy bypass c:\temp\Post-ESP-Reboot.ps1