Create a scheduled task to trigger on a log event with a specific event ID

0

I have a manual routine (involving the Scheduled Task GUI) for creating a scheduled task that triggers on a given set of events from the event log. I would like to automate that process using PowerShell (alternatively using some other scripting tool) and I have found a small how-to with some examples, as well as the documentation for New-ScheduledTaskTrigger.

Unfortunately, the docs do not show any way of creating a task for some specific event ID. They only list one specific non-time-related trigger: -AtLogOn.

How would I register such a task? Could for instance Get-Eventlog be used? New-ScheduledTask mentions "trigger objects", but not how to create them, and the docs for Triggers are no longer updated and contain no PowerShell-relevant info. The docs for New-ScheduledTaskTrigger seem like exactly what I want:

The New-ScheduledTaskTrigger cmdlet creates and returns a new scheduled task trigger object.

But as I mentioned above, the docs don't mention anything about event IDs.

oligofren

Posted 2019-10-02T08:50:33.203

Reputation: 842

Similar question here https://superuser.com/questions/1481946/how-to-launch-a-bat-file-the-second-internet-disconects-windows-10/1481970#1481970 but with a different event ID.

– spikey_richie – 2019-10-02T08:53:02.897

@spikey_richie That's exactly what I don't want :-) As I wrote, I want to do this using PowerShell. My current routine involves manually creating the trigger using the GUI. The powershell tag is also a hint :-) – oligofren – 2019-10-02T08:55:36.997

Understood, thanks for updating the question. – spikey_richie – 2019-10-02T08:58:08.610

@spikey_richie Found a solution. It doesn't show how to programmatically build the trigger, but it's a workaround that achieves the same thing. – oligofren – 2019-10-02T09:26:02.550

Answers

1

I found a way, albeit not strictly using PowerShell, but rather a combination of XML and the schtasks command. The info was retrieved from this Microsoft blog: Trigger a PowerShell Script from a Windows Event.

For the users of the script

The intended users of the script can now just run this in a terminal:

schtasks /create /TN "My Super Duper Tasks\The task id 101" /XML my-task.xml

This assumes the script has been installed in a designated area, like C:\my-script.bat, otherwise Windows won't have anything to run.

For the author of the script

The following steps are of course only for the author of the script, not its intended users!

  1. Manually create a trigger like you normally would (example).
  2. Right click the trigger and export it to an XML file.
  3. Right click the trigger and delete it (it will be recreated from the XML later on).
  4. Remove the sections Principals and RegistrationInfo in the XML file, as they contain hard-coded information about user IDs that is not present on other computers. They will be recreated using schtasks.
  5. Run the schtasks command given above (for the users).

oligofren

Posted 2019-10-02T08:50:33.203

Reputation: 842
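
The event trigger the question asks about can also be built directly in PowerShell by creating the MSFT_TaskEventTrigger CIM object and setting its Subscription to an event-log query. This is an added example, not part of the original answer; the function name New-EventIdTrigger, the log name Application and the event IDs 101 and 102 are assumptions, while the task name and script path are the ones used in the answer.

```powershell
# Added example. Assumed values: log 'Application', event IDs 101 and 102.
function New-EventIdTrigger {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $LogName,
        [Parameter(Mandatory)] [ValidateRange(0, 65535)] [int[]] $EventId
    )
    # XPath filter matching any of the given IDs: (EventID=101 or EventID=102)
    $idFilter = ($EventId | ForEach-Object { "EventID=$_" }) -join ' or '
    # Escape the log name so it cannot break out of the XML attribute.
    $log = [System.Security.SecurityElement]::Escape($LogName)
    $query = "<QueryList><Query Id='0' Path='$log'>" +
             "<Select Path='$log'>*[System[($idFilter)]]</Select>" +
             "</Query></QueryList>"

    # New-ScheduledTaskTrigger has no event parameter set, so the
    # MSFT_TaskEventTrigger object is created client-side and filled in.
    $class = Get-CimClass -ClassName MSFT_TaskEventTrigger `
                          -Namespace Root/Microsoft/Windows/TaskScheduler
    $trigger = New-CimInstance -CimClass $class -ClientOnly
    $trigger.Enabled = $true
    $trigger.Subscription = $query
    return $trigger
}

$taskPath = '\My Super Duper Tasks\'
$taskName = 'The task id 101'

$trigger = New-EventIdTrigger -LogName 'Application' -EventId 101, 102
$action  = New-ScheduledTaskAction -Execute 'C:\my-script.bat'

# Run as the registering user, without elevation, instead of carrying over
# a Principals section exported from another machine.
$principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" `
                                        -LogonType Interactive -RunLevel Limited

Register-ScheduledTask -TaskPath $taskPath -TaskName $taskName `
                       -Trigger $trigger -Action $action -Principal $principal

# Read the registered subscription back to confirm what the task fires on.
(Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName).Triggers[0].Subscription
```

Because the task runs whatever is at C:\my-script.bat each time a matching event is logged, that file should sit in a location that only administrators can write to.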