Why is Task Scheduler triggered by logging of one event but not the other?
I am trying to track the occurrence of specified Security events. In order to accomplish this, I want a message to be displayed whenever these events are logged in the Windows Security log. Because displaying a message is a deprecated feature in Task Scheduler, I am using PowerShell commands to accomplish this like so:
Trigger
On event - Log: Security, Source: Microsoft-Windows-Eventlog, EventID: 1102
Action
-executionpolicy bypass -windowstyle hidden -file C:\1102.ps1
1102.ps1
Add-Type -AssemblyName System.Windows.Forms
# newest of the last 20 Security records whose ID is 1102
$lastEvt = Get-WinEvent -LogName 'Security' -MaxEvents 20 | ? { $_.Id -eq 1102 } | select -First 1
[System.Windows.Forms.MessageBox]::Show(($lastEvt.Message), 'Event ID: 1102')
Event ID 1102 occurs whenever the audit log is cleared. To trigger this, I simply go into Event Viewer, right click on the Security log, and click 'Clear Log...'. Shortly afterwards, a message displays as intended.
However, when I try to trigger Event ID 4719 by changing the system audit policy, no message displays despite the event being logged in the Security log. Both triggers are set up similarly in Task Scheduler so it's unclear to me why this is working for one and not the other.
windows security powershell
asked Dec 18 '18 at 16:03
SoraPro
2 Answers
Don't use Task Scheduler for this. Use a permanent WmiEvent consumer / watcher. Use RegEx or to go after multiple events.
Example:
Add-Type -AssemblyName System.Windows.Forms
# -match with an anchored alternation accepts either ID; -eq against the string '1102|4719' never matches
$lastEvt = Get-WinEvent -LogName 'Security' -MaxEvents 20 | ? { $_.Id -match '^(1102|4719)$' } | select -First 1
# $_ is empty outside the pipeline, so take the ID from the selected event
[System.Windows.Forms.MessageBox]::Show(($lastEvt.Message), "Event ID: $($lastEvt.Id)")
This has been possible for multiple languages, so not a PS specific thing, but of course PS can be used for it.
Examples:
Powershell Centralized Log Monitor: monitors a collection of servers for specified log events, and sends email alerts when it encounters the monitored events.
https://gallery.technet.microsoft.com/scriptcenter/ed188912-1a20-4be9-ae4f-8ac46cf2aae4
https://learn-powershell.net/2013/08/02/powershell-and-events-wmi-temporary-event-subscriptions
http://irl33t.com/blog/2011/06/powershell-script-watch-eventlogs-ps1
https://www.codeguru.com/vb/vbnet30/article.php/c13315/How-to-Build-a-Simple-Event-Log-MontiorWatcher-Using-TCP-in-NET.htm
https://www.codeproject.com/Articles/4857/%2fArticles%2f4857%2fA-realtime-event-log-monitoring-tool
https://www.ravichaganti.com/blog/attaching-scripts-or-tasks-to-windows-event-log-entries-using-powershell-and-wmi
answered Dec 19 '18 at 0:40
postanote
Using Task Scheduler still to see what would happen with my current implementation, I modified the script as you suggested but doing so only prints "Event ID: " in the message's title bar. As for your suggestion to use a WmiEvent consumer / watcher, that is something I know nothing about. I'll see if I can figure it out with the links you've provided.
– SoraPro
Dec 19 '18 at 19:00
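A WMI event subscription of the kind this answer recommends, written here as an added example rather than postanote's own code: one query watches the Security log for both 1102 and 4719, and the handler reads the ID and source from the delivered record instead of from `$_`, which is where the empty "Event ID: " title in the comment above comes from. It assumes an elevated Windows PowerShell session; the source identifier and log file path are placeholders.

```powershell
# Added example: temporary WMI (CIM) event subscription for Security events 1102 and 4719.
# Run elevated: reading the Security log through Win32_NTLogEvent needs administrator rights.
# WMI polls the log every WITHIN seconds and delivers new records as __InstanceCreationEvent.
$query = @"
SELECT * FROM __InstanceCreationEvent WITHIN 5
WHERE TargetInstance ISA 'Win32_NTLogEvent'
  AND TargetInstance.Logfile = 'Security'
  AND (TargetInstance.EventCode = 1102 OR TargetInstance.EventCode = 4719)
"@

# Placeholder values (assumptions, not taken from the question or answer)
$sourceId = 'SecurityAuditWatch'
$logPath  = "$env:TEMP\SecurityAuditWatch.log"

Register-CimIndicationEvent -Query $query -SourceIdentifier $sourceId -MessageData @{ LogPath = $logPath } -Action {
    # The delivered TargetInstance is the new Win32_NTLogEvent record itself
    $rec = $Event.SourceEventArgs.NewEvent.TargetInstance

    # SourceName is the provider that wrote the record: Microsoft-Windows-Eventlog for 1102,
    # Microsoft-Windows-Security-Auditing for 4719. A Task Scheduler trigger keyed on the
    # 1102 source therefore never fires for 4719; matching on EventCode here avoids that.
    $line = '{0} Event ID: {1} Source: {2} Record: {3}' -f `
        (Get-Date -Format s), $rec.EventCode, $rec.SourceName, $rec.RecordNumber

    Add-Content -Path $Event.MessageData.LogPath -Value $line
    Write-Host $line
    if ($rec.Message) {
        # first line of the rendered message, e.g. "The audit log was cleared."
        Write-Host (($rec.Message -split "`r?`n")[0])
    }
}

# Confirm the subscription is live; it ends with the session or with
# Unregister-Event -SourceIdentifier $sourceId
Get-EventSubscriber -SourceIdentifier $sourceId
```

Because WMI polls at the WITHIN interval, delivery lags by up to that many seconds; the .NET System.Diagnostics.Eventing.Reader.EventLogWatcher class is the push-based alternative when that matters.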
Finally figured this one out...it turns out the Source for 4719 is Microsoft-Windows-Security-Auditing and not Microsoft-Windows-Eventlog.
answered Dec 21 '18 at 15:03
SoraPro
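The fix from this answer carried through as an added example (not the asker's own task definition): first ask the log which provider writes each ID rather than guessing the Source field, then register a single task whose event trigger names the right provider for each ID. It assumes an elevated session on Windows 8 / Server 2012 or later for the ScheduledTasks module; the task name and script path are placeholders.

```powershell
# Added example. Step 1: confirm the provider per event ID. 1102 is written by
# Microsoft-Windows-Eventlog, 4719 by Microsoft-Windows-Security-Auditing, which is
# why a trigger with Source = Microsoft-Windows-Eventlog never fires for 4719.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102, 4719 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object Id, ProviderName -Unique

# Step 2: one event trigger covering both IDs, each paired with its own provider.
# This is the same XPath form Event Viewer writes into a custom view.
$subscription = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(Provider[@Name='Microsoft-Windows-Eventlog'] and EventID=1102) or (Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4719)]]</Select>
  </Query>
</QueryList>
"@

# The ScheduledTasks module has no cmdlet for event triggers, so build the
# MSFT_TaskEventTrigger CIM instance client-side and set its Subscription.
$triggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger `
    -Namespace 'root/Microsoft/Windows/TaskScheduler'
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Subscription = $subscription
$trigger.Enabled      = $true

# Placeholders (assumptions, not taken from the question)
$taskName   = 'Alert-SecurityAuditEvents'
$scriptPath = 'C:\Scripts\Alert-SecurityAuditEvents.ps1'

$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-ExecutionPolicy Bypass -WindowStyle Hidden -File `"$scriptPath`""

# Run as the logged-on user, elevated: the Security log is readable only by
# administrators / Event Log Readers, and a MessageBox is only visible from an
# interactive session (a task running as SYSTEM in session 0 shows nothing).
$principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" `
    -LogonType Interactive -RunLevel Highest

Register-ScheduledTask -TaskName $taskName -Trigger $trigger -Action $action `
    -Principal $principal -Force | Out-Null

# Read the trigger back to verify the subscription was stored as written
(Get-ScheduledTask -TaskName $taskName).Triggers | Select-Object Enabled, Subscription
```

The script the action runs can then select the newest matching record with `Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102, 4719 } -MaxEvents 1` instead of hard-coding one ID per task.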