Windows OS Hub

November 10, 2021 | PowerShell, Windows 10, Windows Server 2019

Run a Script (Program) When a Specific Program Opens/Closes in Windows

In this article, we will show how to track the launch of a particular program (process) in Windows and perform an action when it happens (run a script, a command or a program, send an email, etc.). As an example, we will track the launch of the notepad.exe process: whenever a user opens Notepad, Windows will automatically run a specific PowerShell script.

First of all, configure the process audit policy on Windows. You can configure audit policy on a stand-alone computer using the Local Group Policy Editor (gpedit.msc). If you want to configure a policy on computers and servers in your AD domain, use the Group Policy Management console (gpmc.msc).

  1. Go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy;
  2. Open the Audit process tracking policy properties and enable it for Success events. If Advanced Audit Policy Configuration is used on the computer (Security Settings -> Advanced Audit Policy Configuration), enable the Process Creation subcategory under Detailed Tracking instead: the advanced subcategory settings override the legacy category setting;
  3. Apply the Group Policy settings by running: gpupdate /force
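As an added example (not part of the original article), the same audit settings can be applied and verified from an elevated PowerShell prompt with auditpol.exe, which works on the subcategory directly and is therefore unaffected by the legacy/advanced policy override. It assumes an English Windows, because auditpol subcategory names are localised; the registry value it sets is the one behind the GPO "Include command line in process creation events".

```powershell
# Added example, not from the original article: enable the audit settings from an elevated
# PowerShell prompt with auditpol.exe and verify the effective policy.
# Assumes an English Windows (auditpol subcategory names are localised).

# Success auditing for the Process Creation subcategory produces event 4688.
auditpol /set /subcategory:"Process Creation" /success:enable /failure:disable

# Process Termination produces event 4689, needed for "run something when the app closes".
auditpol /set /subcategory:"Process Termination" /success:enable

# Record the full command line in 4688 (the "Process Command Line" field is empty otherwise).
# This is the registry value behind the GPO "Include command line in process creation events".
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# Verify. auditpol shows the effective subcategory state, which is what the system acts on.
# If a domain GPO manages audit policy, the next policy refresh overwrites these local changes,
# so put the same settings in the GPO for domain-joined machines.
auditpol /get /subcategory:"Process Creation"
auditpol /get /subcategory:"Process Termination"
```

If the /get output still shows "No Auditing" after a gpupdate, the legacy "Audit process tracking" category is being ignored in favour of the advanced subcategory settings, and the subcategory is the one to enable.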

Now, whenever a process starts in Windows, an event with EventID 4688 (A new process has been created) is written to Event Viewer -> Windows Logs -> Security. The event shows who ran the process (Account Name), the full path of the executable (New Process Name) and the parent process (Creator Process Name). The Process Command Line field stays empty unless the policy Include command line in process creation events (Computer Configuration -> Administrative Templates -> System -> Audit Process Creation) is also enabled.

EventID 4688 (A new process has been created)

You can select app launch events from the Event Log by the specific process using PowerShell:

Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    ID = 4688
} | Select-Object TimeCreated,
    @{name='NewProcessName'; expression={ $_.Properties[5].Value }},
    @{name='User'; expression={ $_.Properties[1].Value }} |
    Where-Object { $_.NewProcessName -like "*notepad.exe*" }

The output is the history of this program's launches by users on this computer. Note that the filter on the process name is applied by Where-Object after every 4688 event has been read, so on a busy host the command can take a while.

getting history of running processes from Event Viewer using PowerShell
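As an added example that is not from the original article, the function below (the name Get-ProcessStartEvent is mine) reads the same 4688 events with an XPath filter applied on the log side. That is faster than post-filtering with Where-Object, and it is the same query form the scheduled-task event filter uses, so it lets you confirm that your path string actually matches real events before you bind a task to it. It must run from an elevated prompt, because the Security log is readable only by administrators and members of Event Log Readers.

```powershell
# Added example (not from the original article): query Security log 4688 events with
# the same XPath filter the scheduled-task trigger will use, so the filter can be
# validated before the task is created. Run elevated (the Security log needs admin rights).
function Get-ProcessStartEvent {
    param(
        # Full image path exactly as recorded in NewProcessName; XPath compares it literally.
        [string]$ProcessPath = 'C:\Windows\System32\notepad.exe',
        [int]$MaxEvents = 20
    )
    # The query is XML, so a path containing & or < must be escaped or the query is invalid.
    $escaped = [System.Security.SecurityElement]::Escape($ProcessPath)
    $xml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4688)]]
      and *[EventData[Data[@Name='NewProcessName']='$escaped']]
    </Select>
  </Query>
</QueryList>
"@
    Get-WinEvent -FilterXml $xml -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the fields by name from the event XML instead of by Properties[] index;
            # the positional layout differs between event IDs and is easy to get wrong.
            $e = [xml]$_.ToXml()
            $d = @{}
            foreach ($x in $e.Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
            [pscustomobject]@{
                Time          = $_.TimeCreated
                User          = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                NewProcess    = $d.NewProcessName
                ParentProcess = $d.ParentProcessName   # filled in on Windows 10 / Server 2016 and later
                CommandLine   = $d.CommandLine         # empty unless command-line auditing is enabled
            }
        }
}

Get-ProcessStartEvent | Format-Table -AutoSize
```

If the function returns nothing while the Where-Object version above does find events, the path string is not identical to what the event records (for example a different drive letter, directory or file-name case), and the scheduled-task trigger built from that string would never fire either.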

Then create a new task in the Task Scheduler that will run if an event with the EventID 4688 appears.

  1. Open the Task Scheduler (taskschd.msc) and create a new task -> Create Task;
  2. Provide the task name and specify that it must be run for all users (When running the task, use the following user account -> BUILTIN\Users). If you create a task using GPO, use this format: %LogonDomain%\%LogonUser%;
  3. On the Actions tab, set the action you want to perform. In this example, I will run a PowerShell script: start powershell.exe with the arguments -ExecutionPolicy Bypass -File "C:\PS\ProcessRunEvent.ps1"; run a PowerShell script using a scheduled task
  4. Then bind the task to a Windows event. Go to Triggers tab, select New -> On an event -> Custom -> New Event Filter;
  5. In the next window, specify the following event filter options:
    Event logs: Security
    Event ID: 4688
    Keywords: Audit Success
  6. Then go to the XML tab and enable the Edit query manually option. Edit the query by adding the following line to the filter: and *[EventData[Data[@Name='NewProcessName'] and (Data='C:\Windows\System32\notepad.exe')]]
    The value must be the full image path exactly as it appears in the event's New Process Name field: it is compared literally, not as a wildcard pattern, and a copy of the executable at another path will not match. Because the filter is XML, any & in the path must be written as &amp; (and < as &lt;), otherwise the trigger is rejected when you save it.
  7. You will get the following XML query:
    <QueryList>
    <Query Id="0" Path="Security">
    <Select Path="Security">
    *[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and Task = 13312 and (band(Keywords,9007199254740992)) and (EventID=4688)]]
    and
    *[EventData[Data[@Name='NewProcessName'] and (Data='C:\Windows\System32\notepad.exe')]]
    </Select>
    </Query>
    </QueryList>
    

    edit the XML event filter

  8. Save the task.

Now run notepad.exe. Each time a user opens Notepad, your PowerShell script will run automatically.

For example, you can display a pop-up notification or send an email using PowerShell.

Running a PowerShell script when you launch a certain program in Windows

You may also want to run something after a specific app closes, for example a backup script. To track a program exiting, use Event ID 4689 (A process has exited) instead. Note that in 4689 the image path is stored in the ProcessName field, not NewProcessName, so the XML filter must use Data[@Name='ProcessName'].
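Putting the whole procedure together as an added example (this is my code, not the article's): the function below, whose name I chose, builds the task XML that the GUI steps above produce and registers it with Register-ScheduledTask. It adds two things the GUI route does not give you: it XML-escapes the process path, so a path containing & works, and it uses ValueQueries so the event's own fields (which user started the process, and which image) are passed to the script as arguments. The same function covers the start (4688) and exit (4689) cases. The script location C:\PS\ProcessRunEvent.ps1, the task names and the receiving script are assumptions made for the example.

```powershell
# Added example (not from the original article): register the event-triggered task from
# PowerShell and pass the event's own data fields to the script via ValueQueries.
# Handles process start (4688) and process exit (4689). Run from an elevated prompt.
function Register-ProcessEventTask {
    param(
        [Parameter(Mandatory)][string]$TaskName,
        [Parameter(Mandatory)][string]$ProcessPath,
        [ValidateSet('Start', 'Exit')][string]$When = 'Start',
        [string]$ScriptPath = 'C:\PS\ProcessRunEvent.ps1'   # assumed location
    )
    # 4688 (start) records the image path in NewProcessName; 4689 (exit) in ProcessName.
    $eventId = if ($When -eq 'Start') { 4688 } else { 4689 }
    $field   = if ($When -eq 'Start') { 'NewProcessName' } else { 'ProcessName' }

    # XPath compares the path literally and the query is XML, so escape characters such as & first.
    $escapedPath = [System.Security.SecurityElement]::Escape($ProcessPath)
    $query = "<QueryList><Query Id='0' Path='Security'><Select Path='Security'>" +
             "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=$eventId)]]" +
             " and *[EventData[Data[@Name='$field']='$escapedPath']]</Select></Query></QueryList>"

    # Arguments for powershell.exe. The $(Name) tokens are filled in by Task Scheduler from
    # the ValueQueries below; the backticks stop PowerShell from expanding them here.
    $arguments = "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`" -EventId $eventId " +
                 "-User `"`$(Domain)\`$(User)`" -Process `"`$(Process)`""

    # Both strings become element text inside the task XML, so they are escaped once more.
    $subscription = [System.Security.SecurityElement]::Escape($query)
    $escapedArgs  = [System.Security.SecurityElement]::Escape($arguments)

    # S-1-5-32-545 is BUILTIN\Users: the task runs in the session of the logged-on user.
    # MultipleInstancesPolicy=Parallel gives every launch its own run (the default, IgnoreNew,
    # drops a launch that happens while the previous run is still going).
    $taskXml = @"
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>$subscription</Subscription>
      <ValueQueries>
        <Value name="Process">Event/EventData/Data[@Name='$field']</Value>
        <Value name="User">Event/EventData/Data[@Name='SubjectUserName']</Value>
        <Value name="Domain">Event/EventData/Data[@Name='SubjectDomainName']</Value>
      </ValueQueries>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <GroupId>S-1-5-32-545</GroupId>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <ExecutionTimeLimit>PT5M</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>$escapedArgs</Arguments>
    </Exec>
  </Actions>
</Task>
"@
    Register-ScheduledTask -TaskName $TaskName -Xml $taskXml -Force
}

# A minimal receiving script (constructed for this example) that logs one line per event
# to the user's temp directory; it is written to the assumed path used above.
$script = @'
param([int]$EventId, [string]$User, [string]$Process)
$what = if ($EventId -eq 4688) { 'started' } else { 'exited' }
Add-Content -Path (Join-Path $env:TEMP 'ProcessRunEvent.log') -Value "$(Get-Date -Format o) $User $what $Process"
'@
New-Item -ItemType Directory -Path 'C:\PS' -Force | Out-Null
Set-Content -Path 'C:\PS\ProcessRunEvent.ps1' -Value $script

Register-ProcessEventTask -TaskName 'Watch-Notepad'      -ProcessPath 'C:\Windows\System32\notepad.exe'
Register-ProcessEventTask -TaskName 'Watch-Notepad-Exit' -ProcessPath 'C:\Windows\System32\notepad.exe' -When Exit
```

Two points worth keeping in mind with this design. The trigger matches one exact path, so the values substituted into the command line come from a known process; if you change the filter to match more than one path, treat $(Process) and $(User) as untrusted input before handing them to other commands. And the task runs as whichever user is logged on, which is fine for a script the user could run anyway; if you ever change the principal to SYSTEM, keep the script in an administrator-owned directory, because whatever is at that path will then run with SYSTEM rights on every launch of the watched program.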

Earlier we showed a PowerShell script that automatically restarts a process when it stops. The event-based approach described here is more elegant: it reacts to the process start/exit events themselves and does not need a PowerShell script that keeps polling the list of running Windows processes.

1 comment

Blu June 18, 2022 - 8:22 pm

The program I'm trying to audit has spaces and a "&" in the path which seems to lead to an error when setting up the trigger. Is there a solution for this?
