# PowerShell script to detect during ESP
# Author : Yutaro Tamai (https://sccm.jp)
# Reference : https://oofhours.com/2023/09/15/detecting-when-you-are-in-oobe/

$TypeDef = @"

using System;
using System.Text;
using System.Collections.Generic;
using System.Runtime.InteropServices;

namespace Api
{
 public class Kernel32
 {
   [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
   public static extern int OOBEComplete(ref int bIsOOBEComplete);
 }
}
"@
 
Add-Type -TypeDefinition $TypeDef -Language CSharp

$IsOOBEComplete = $false
$hr = [Api.Kernel32]::OOBEComplete([ref] $IsOOBEComplete)

$WWAHost = Get-Process -Name "WWAHost" -ErrorAction SilentlyContinue
$SecurityHealthSystray = Get-Process -Name "SecurityHealthSystray" -ErrorAction SilentlyContinue
$LastUsedUsername = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name LastUsedUsername

# Main
if ($IsOOBEComplete -eq 1) {
if ($LastUsedUsername.LastUsedUsername -ne "defaultuser0"){
if ($WWAHost.MainWindowHandle -eq 0) {
if ($SecurityHealthSystray -ne $null) {
Write-Output "ESP-Completed"}
}
}
}