In Windows Server 2008 (Vista) a new feature appeared that allowed to attach a Windows Scheduler task for any event in system logs. Using this feature, an administrator can assign a specific script or sending e-mail alerts to any Windows event. Let’s consider this feature in detail.
Running tasks when certain Windows events occur is based on the close integration of Task Scheduler and Event Viewer. You can assign any Scheduler task to any Windows event directly in Event Viewer console. As a response to an event, Task Scheduler can run a script or send an e-mail notification to an administrator (or any other user).
Suppose, our task is to notify a security administrator about the lockout of an Active Directory user account.
An event of the lockout of an AD user account is registered in the Security log on the domain controller. The Event ID of the lockout is 4740. Open Windows Event Viewer (Event Viewer — eventvwr.msc) and look for this event. Right-click it and select Attach Task To This Event.
Create Basic Task Wizard is launched. The Wizard prompts to specify the task name. It is generated automatically — Security_Microsoft-Windows-Security-Auditing_4740 and it is fine for us.
In the next step a type of the event log, a source and an Event ID are specified. (All fields are filled in automatically and are not editable in this step.)
Then you are prompted to select the type of response to the event. The following responses are available:
- Start a program
- Send an e-mail
- Display a message
We select an e-mail notification. Specify a sender, a recipient, an SMTP server address, a subject and a text of the email.
In the last step of the wizard, you can view the trigger settings. As a result, a new task connected to event 4740 appears in the Task Scheduler. Open Task Scheduler console in Administrative Tools. The new task can be found in Task Scheduler Library -> Event Viewer Tasks.
The trigger becomes active. When any AD account is locked out, a notification letter will be sent to the specified e-mail address.
This notification is not very informative, and to view an event details you have to open Event Viewer. Let’s try to attach the data from the event log to the e-mail. A utility wevtutil can be used to obtain information about any event from Windows logs. So, to get information about the last 4740 event from Security log, you have to run the following:
wevtutil qe Security /q:"*[System[(EventID=4740)]]" /f:text /rd:true /c:1
Make a script (query.cmd) consisting of two lines: the first one deletes the last log file, and the second gets the last event from the log and saves it to the log file:
wevtutil qe Security /q:"*[System[(EventID=4740)]]" /f:text /rd:true /c:1 > c:\script\query.txt
Now you only have to open the settings of the trigger created earlier in Task Scheduler. In Actions tab, add a new action — start script query.cmd. Then you need to change the order of the actions, move it to the top of the list using arrow buttons on the right. (the script should be executed first).
Then edit the second action — sending an e-mail — by selecting c:\script\query.txt as an attachment to the letter.
Let’s test the task again. Now the administrator will receive a notification with the attachment by e-mail, which contains the data on the account name, lockout time and other useful information.
Binding Scheduler tasks to events in system logs works in all Windows versions from Windows Server 2008 / Vista. This feature allows to quickly alert the administrator of certain server issues and solve them.