Display event details in message when attaching a task to an event

3

1

When I try to safely remove hardware, Windows 10 tells me that a program is using the hardware, but doesn't tell me which program it is. I found that this information is recorded however in Event Viewer under System as Event 225 as such:

The application \Device\HarddiskVolume3\Program Files... with process id 4424 stopped the removal or ejection for the device USB....

This is pretty helpful information that I would like to see without going to event viewer every time. I have found that there is a button in Event Viewer which states Attach Task To This Event... When pressed, it offers the option to display a message every time this event is logged. I would like to have the task display the event details every time the event 225 gets logged. It seems like it could be possible, but I'm not a system level expert.

Is there an easy way to accomplish my goal? If not in the display message, is there a way to script a batch file to execute instead to tell me this information?

Yaroslav

Posted 2018-04-01T14:28:58.830

Reputation: 33

Answers

1

The "display a message" action is deprecated and might not actually do anything. Instead, you can use PowerShell! Save this as a .ps1 file somewhere on the computer, e.g. C:\evtmsg.ps1:

Add-Type -AssemblyName System.Windows.Forms
$lastEvt = Get-WinEvent -LogName 'System' -MaxEvents 20 | ? { $_.Id -eq 225 } | select -First 1
[System.Windows.Forms.MessageBox]::Show(($lastEvt.Message), 'Ejection Failed')

This script gets the most recent instance of event 225 from the System log and uses the Windows Forms library to display its message.

Use Event Viewer's Attach Task To This Event command on an instance of event 225. On the Action screen, choose "start a program," then specify powershell for the program/script to run. In the "add arguments" box, put this line, adjusted for where you saved the PowerShell script:

-executionpolicy bypass -windowstyle hidden -file C:\evtmsg.ps1

The change should take effect immediately after creating the task.

Ben N

Posted 2018-04-01T14:28:58.830

Reputation: 32 973
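An added example, not part of the answer above: a variant of the script that displays the exact event that fired the task instead of searching the 20 newest System records. It assumes the task's XML has been edited to add a `ValueQueries` entry (the name `eventRecordID` and the `-RecordId` parameter are choices made for this example) and that `-RecordId $(eventRecordID)` is appended to the action's arguments.

```powershell
# Added example. Save as C:\evtmsg.ps1 (the path used in the answer).
# Assumed task XML, inside <EventTrigger> after <Subscription>:
#   <ValueQueries>
#     <Value name="eventRecordID">Event/System/EventRecordID</Value>
#   </ValueQueries>
# Assumed action arguments:
#   -executionpolicy bypass -windowstyle hidden -file C:\evtmsg.ps1 -RecordId $(eventRecordID)
param(
    [Parameter(Mandatory)]
    [uint64]$RecordId   # record ID of the event that triggered the task
)

Add-Type -AssemblyName System.Windows.Forms

# The parameter is typed as an integer, so only digits can reach the XPath filter.
$xpath = "*[System[EventRecordID=$RecordId and EventID=225]]"
$evt = Get-WinEvent -LogName 'System' -FilterXPath $xpath -MaxEvents 1 `
                    -ErrorAction SilentlyContinue

if ($null -eq $evt) {
    # The record may have been overwritten or the log cleared since the trigger fired.
    $text = "Event record $RecordId was not found in the System log."
} else {
    $text = "{0:yyyy-MM-dd HH:mm:ss}`r`n`r`n{1}" -f $evt.TimeCreated, $evt.Message
}

[void][System.Windows.Forms.MessageBox]::Show($text, 'Ejection Failed')
```

The Task Scheduler GUI does not expose `ValueQueries`; export the task to XML, add the element, and import it again.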

0

Send email notification when specific Event ID is generated

I have a similar solution I wanted to share just in case someone can put it to use since it seems to help me out and scream at me only when I explicitly need it to based on specific Event IDs.

Scheduling

This solution uses a Task Scheduler job that has many different Triggers of the On an event type for when it is to execute. You specify the specific Event ID that's to "trigger" an execution.


PowerShell Script

Here's a PowerShell script that uses a Gmail account with a password to send an email which will include the detail of the applicable events in its body.

Note: You have to pass the Gmail account password as the first argument to the PowerShell script.

# The Gmail account password is passed as the first script argument
$EmailPassword=$args[0]
# Most recent Error entry in the System log
$event = get-eventlog -LogName System -EntryType Error -newest 1

$PCName = $env:COMPUTERNAME
$Username = "LocalMailBox"
# Every property of the event, rendered as text for the email body
$EmailBody = $event | format-list -property * | out-string
$EmailFrom = "$PCName <noreply@domain.notify>"
$EmailTo = "whatever@gmail.com"
$EmailSubject = "New Event Log [System]"
$SMTPServer = "smtp.gmail.com"
Write-host "Sending Email"
# Gmail SMTP submission on port 587 with TLS enabled
$SMTPClient = New-Object Net.Mail.SmtpClient($SmtpServer, 587)
$SMTPClient.EnableSsl = $true
$SMTPClient.Credentials = New-Object System.Net.NetworkCredential($Username, $EmailPassword)
$SMTPClient.Send($EmailFrom, $EmailTo, $EmailSubject, $EmailBody)
# Keep the process alive briefly after sending
Start-Sleep -s 10

From the Action tab you will create an Action defined as:

  • Action: Start a program
  • Program/script: Powershell
  • Add arguments (optional): -ExecutionPolicy Bypass -File "C:\Scripts\PSScript.ps1" "GmailPassword"
  • Start in (optional): C:\Windows\System32\WindowsPowerShell\v1.0

From the General tab of the scheduled task, be sure the Run whether user is logged on or not and the Run with highest privileges options are both selected.


The Email

With everything listed above set just as specified, this will ensure that when those specific System Event IDs which you defined "triggers" for are generated, an email will be sent, and hopefully with applicable detail as per the event that triggers each.

I only mention this as I have noticed that if two events that match the PowerShell logic of $event | format-list -property * | out-string are created quickly, the body of the email will contain the latest event's detail based on timing.

Remember that regardless of the Event ID body content, and even if it's not pertinent to the specific events you defined as triggers, it is certain that those defined triggers indeed triggered this email, so give it some attention when received.

Pimp Juice IT

Posted 2018-04-01T14:28:58.830

Reputation: 29 425

Thanks for the answer. While I was not quite looking for an email (since this is meant for my PC rather than a remote server), I have actually learned quite a bit from your answer. Especially that there is another side to Windows which allows me to customize it quite a bit! I think I'll have a bit of fun in the next while exploring this. – Yaroslav – 2018-04-02T10:06:55.133
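An added example, not code from either answer: a version of the email script that reads the SMTP credential from a DPAPI-protected file instead of taking the password from the task's "Add arguments" field, where it would be stored in the task definition and appear on the process command line. The file path, the `-Setup` switch and the addresses are placeholders chosen for this example.

```powershell
# Added example. Paths, switch name and addresses are assumptions.
param(
    [string]$CredentialPath = 'C:\Scripts\smtp-cred.xml',  # hypothetical path
    [switch]$Setup
)

if ($Setup) {
    # One-time, interactive step. Run it as the SAME account the scheduled task
    # runs under: Export-Clixml encrypts the password with DPAPI, so only that
    # user on this machine can decrypt it.
    Get-Credential -Message 'SMTP account' | Export-Clixml -Path $CredentialPath
    return
}

if (-not (Test-Path -LiteralPath $CredentialPath)) {
    throw "Credential file not found. Run this script once with -Setup."
}
$cred = Import-Clixml -Path $CredentialPath

# Same selection as the answer's script: newest Error (Level 2) in the System log.
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 2 } `
                    -MaxEvents 1 -ErrorAction Stop

$from    = "$env:COMPUTERNAME <noreply@domain.notify>"
$to      = 'whatever@gmail.com'
$subject = 'New Event Log [System]'
$body    = $evt | Format-List -Property * | Out-String

$client = New-Object Net.Mail.SmtpClient('smtp.gmail.com', 587)
$client.EnableSsl   = $true
$client.Credentials = $cred.GetNetworkCredential()
try {
    $client.Send($from, $to, $subject, $body)
} finally {
    $client.Dispose()
}
```

With this version the task's arguments become `-ExecutionPolicy Bypass -File "C:\Scripts\PSScript.ps1"` with no password on the line.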