Posted on July 22, 2015 · Posted in Windows Server 2008 R2

Windows Event Triggers

Windows Server 2008 (Vista) introduced a feature that lets you attach a Windows Task Scheduler task to any event in the system logs. Using this feature, an administrator can have a specific script run or an e-mail alert sent in response to any Windows event. Let’s consider this feature in detail.

Running tasks when certain Windows events occur relies on the close integration of Task Scheduler and Event Viewer. You can assign a Scheduler task to any Windows event directly in the Event Viewer console. In response to an event, Task Scheduler can run a script or send an e-mail notification to an administrator (or any other user).

Suppose our task is to notify a security administrator when an Active Directory user account is locked out.

Tip. We have chosen this event for illustrative purposes. The feature has a much wider scope: notifications about stopped Windows services, running an app after an Exchange backup is over, notifications about changes in Active Directory security groups, changes in certain directories or files, etc.

The lockout of an AD user account is registered in the Security log on the domain controller. The Event ID of the lockout is 4740. Open Windows Event Viewer (eventvwr.msc) and find this event. Right-click it and select Attach Task To This Event.

Attach Task To Windows Event

The Create Basic Task Wizard starts and prompts you for the task name. The name is generated automatically (Security_Microsoft-Windows-Security-Auditing_4740), and it is fine for us.


In the next step, the event log type, the source and the Event ID are specified. (All fields are filled in automatically and cannot be edited in this step.)

Attach task to security event

Then you are prompted to select the type of response to the event. The following responses are available:

  • Start a program
  • Send an e-mail
  • Display a message

event action

We select the e-mail notification. Specify the sender, the recipient, the SMTP server address, the subject and the text of the e-mail.

email alert settings

In the last step of the wizard, you can review the trigger settings. As a result, a new task bound to event 4740 appears in Task Scheduler. Open the Task Scheduler console in Administrative Tools. The new task can be found in Task Scheduler Library -> Event Viewer Tasks.

monitoring event with task scheduler

Here you can also change the event trigger settings and run the task manually to test the response to the event.

trigger settings

Tip. If you have to attach one trigger to several Event IDs, specify them separated by commas.

The trigger is now active. When any AD account is locked out, a notification will be sent to the specified e-mail address.

email alert

Note. In Windows Server 2003 and earlier Windows versions, the same feature was implemented by the console utility eventtriggers.exe. This utility also made it possible to monitor events in the system logs and assign triggers to certain events. In our example, to assign a VBS or PowerShell script that sends an e-mail to the administrator mailbox to event 4740, the command can look like this:

eventtriggers /create /TR "Lock Account" /TK "C:\WINDOWS\system32\windowspowershell\v1.0\powershell.exe c:\script\SendEmailAlert.ps1" /L Security /EID 4740

This notification is not very informative: to view the event details you have to open Event Viewer. Let’s attach the data from the event log to the e-mail. The wevtutil utility can retrieve information about any event from the Windows logs. To get the most recent 4740 event from the Security log, run the following:

wevtutil qe Security /q:"*[System[(EventID=4740)]]" /f:text /rd:true /c:1

Create a script (query.cmd) consisting of two lines: the first one deletes the previous output file, and the second gets the most recent event from the log and saves it to that file:

del c:\script\query.txt
wevtutil qe Security /q:"*[System[(EventID=4740)]]" /f:text /rd:true /c:1 > c:\script\query.txt

Now open the settings of the trigger created earlier in Task Scheduler. On the Actions tab, add a new action that starts the script query.cmd. Then change the order of the actions: move the new action to the top of the list using the arrow buttons on the right (the script must be executed first).

actions order

Then edit the second action (sending an e-mail) and select c:\script\query.txt as an attachment to the message.

Note. In our example, the task has to run elevated to work properly. To do this, check Run with highest privileges in the task settings.

Run task with highest privileges

Let’s test the task again. Now the administrator receives an e-mail notification with an attachment that contains the account name, the lockout time and other useful information.

Extended email notification

Tip. Using Windows event triggers to alert the administrator about critical issues on servers is not a full-featured substitute for a monitoring system such as System Center Operations Manager or Zenoss. However, it is a simple built-in monitoring and notification tool for small businesses that requires no investment in implementation or staff training.

Binding Scheduler tasks to events in the system logs works in all Windows versions starting from Windows Server 2008 / Vista. This feature makes it possible to quickly alert the administrator about certain server issues so they can be resolved.

Note. In Windows Server 2012 R2, Task Scheduler no longer supports sending e-mail (the action is deprecated). For this purpose, it is better to use the PowerShell 3.0 Send-MailMessage cmdlet.
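
One possible body for a script such as c:\script\SendEmailAlert.ps1 that replaces both the deprecated e-mail action and the query.cmd attachment step. This is an added example, not code from the original article; it assumes PowerShell 3.0 or later, and the SMTP server, the addresses, the task name and the SYSTEM run-as account are placeholders.

```powershell
# Added example (not from the original article): e-mail the details of the newest 4740 event.
# Placeholders: SMTP server and addresses. -DryRun parses a constructed sample event
# and returns the result instead of reading the Security log and sending mail.
# Register (assumed task name and run-as account; script path as in the eventtriggers example):
#   schtasks /Create /TN "Lockout alert" /SC ONEVENT /EC Security /MO "*[System[(EventID=4740)]]" /RU SYSTEM /TR "powershell.exe -NoProfile -File c:\script\SendEmailAlert.ps1"
param(
    [string]$SmtpServer = 'smtp.example.local',
    [string]$From       = 'dc-alerts@example.local',
    [string]$To         = 'secadmin@example.local',
    [switch]$DryRun
)

function Get-LockoutDetails {
    # Map the named <Data> fields of a 4740 event to an object.
    param([Parameter(Mandatory = $true)][xml]$EventXml)
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreatedUtc   = $EventXml.Event.System.TimeCreated.SystemTime
        DomainController = $EventXml.Event.System.Computer
        LockedAccount    = $data['TargetUserName']
        CallerComputer   = $data['TargetDomainName']  # 4740 stores the caller computer name here
        ReportedBy       = $data['SubjectUserName']
    }
}

if ($DryRun) {
    # Constructed sample, trimmed to the fields used above.
    $sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4740</EventID><TimeCreated SystemTime="2015-07-22T09:15:02.000Z"/><Computer>DC01.example.local</Computer></System>
  <EventData>
    <Data Name="TargetUserName">jsmith</Data>
    <Data Name="TargetDomainName">WKS-042</Data>
    <Data Name="SubjectUserName">DC01$</Data>
  </EventData>
</Event>
'@
    return Get-LockoutDetails -EventXml $sample
}

# Newest lockout event; reading the Security log requires an elevated account.
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $evt) { Write-Warning 'No 4740 event in the Security log.'; return }

$details = Get-LockoutDetails -EventXml $evt.ToXml()
Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
    -Subject "Account locked out: $($details.LockedAccount)" `
    -Body ($details | Format-List | Out-String)
```

Like the wevtutil query with /c:1, the script reports the newest 4740 event, which is not necessarily the one that fired the task if several lockouts occur in quick succession.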
