Windows OS Hub

March 13, 2024, PowerShell, Windows 10, Windows Server 2019

Run a Script (Program) When a Specific Program Opens/Closes in Windows

In this article, we will show how to track an event of launching a certain program (process) in Windows and perform an action (run a script, command, program, send an email, etc.). As an example, we will track the launch of the notepad.exe process. And when a user opens Notepad, Windows will automatically run a specific PowerShell script.

First of all, configure the process audit policy on Windows. You can configure audit policy on a stand-alone computer using the Local Group Policy Editor (gpedit.msc). If you want to configure a policy on computers and servers in your AD domain, use the Group Policy Management console (gpmc.msc).

  1. Go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy;
  2. Open Audit process tracking properties and enable it for Success events;
  3. Apply Group Policy settings by running: gpupdate /force

Now, when starting any process in Windows, an event with the EventID 4688 (A new process has been created) will appear in the Event Viewer -> Windows Logs -> Security. The event shows who has run the process (Account name), the name of the process (New Process Name), and the name of the parent process (Creator Process Name).


You can select app launch events from the Event Log by the specific process using PowerShell:

# List 4688 (process creation) events for notepad.exe with the time and the user
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4688 } |
    Select-Object TimeCreated,
        @{Name = 'NewProcessName'; Expression = { $_.Properties[5].Value }},
        @{Name = 'User'; Expression = { $_.Properties[1].Value }} |
    Where-Object { $_.NewProcessName -like '*notepad.exe*' }

As a result, we got the history of launching the program by users on this computer.
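
The same history query with the event ID filtered by the event log service and the fields read by name, as an added example (not code from the original article). The function name and the default values are assumptions; CommandLine is only filled in when command-line auditing is enabled.

```powershell
# Added example: query 4688 events with a server-side filter and named fields.
# Get-ProcessLaunchHistory and its defaults are hypothetical names chosen for illustration.
function Get-ProcessLaunchHistory {
    param([string]$ImageName = 'notepad.exe', [int]$MaxEvents = 500)

    try {
        # -FilterXPath is evaluated by the event log service; -MaxEvents caps how many 4688 events are read.
        $events = Get-WinEvent -LogName Security -FilterXPath '*[System[(EventID=4688)]]' `
                      -MaxEvents $MaxEvents -ErrorAction Stop
    } catch {
        # An empty result is reported as an error; anything else (access denied, for example) is re-thrown.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw
    }

    foreach ($e in $events) {
        # Build a name -> value table from <EventData> instead of indexing Properties[] by position.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Compare only the file name at the end of the image path.
        if ($data['NewProcessName'] -like "*\$ImageName") {
            [pscustomobject]@{
                TimeCreated    = $e.TimeCreated
                User           = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                NewProcessName = $data['NewProcessName']
                ParentProcess  = $data['ParentProcessName']
                CommandLine    = $data['CommandLine']
            }
        }
    }
}

# Reading the Security log requires an elevated session.
Get-ProcessLaunchHistory -ImageName 'notepad.exe' | Format-Table -AutoSize
```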


Then create a new task in the Task Scheduler that will run if an event with the EventID 4688 appears.

  1. Open the Task Scheduler (taskschd.msc) and create a new task -> Create Task;
  2. Provide the task name and specify that it must be run for all users (When running the task, use the following user account -> BUILTIN\Users). If you create a task using GPO, use this format: %LogonDomain%\%LogonUser%;
  3. On the Actions tab, set the action you want to perform. In this example, I will run a PowerShell script (call powershell.exe with the arguments: -ExecutionPolicy Bypass -file "C:\PS\ProcessRunEvent.ps1");
  4. Then bind the task to a Windows event. Go to the Triggers tab, select New -> On an event -> Custom -> New Event Filter;
  5. In the next window, specify the following event filter options:
    Event logs: Security
    Event ID: 4688
    Keywords: Audit Success
  6. Then go to the XML tab and enable the Edit query manually option. Edit the query by adding the following line to the filter: and *[EventData[Data[@Name='NewProcessName'] and (Data='C:\Windows\System32\notepad.exe')]]
  7. You will get the following XML query:
    <QueryList>
    <Query Id="0" Path="Security">
    <Select Path="Security">
    *[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and Task = 13312 and (band(Keywords,9007199254740992)) and (EventID=4688)]]
    and
    *[EventData[Data[@Name='NewProcessName'] and (Data='C:\Windows\System32\notepad.exe')]]
    </Select>
    </Query>
    </QueryList>
    


  8. Save the task.

Try running notepad.exe. Each time a user opens Notepad, your PowerShell script will run automatically.

For example, you can display a pop-up notification or send an email using PowerShell.


Sometimes you may want to run a script (a backup, for example) after a specific app is closed. To track a program exiting, use the event with Event ID 4689 (A process has exited).
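
The task-creation steps and the exit-tracking case above, scripted as an added example (not code from the original article). The function names and the task name are assumptions; the filter uses the stricter Data[@Name='...']='...' form so that only the named field is compared, switches to the ProcessName field that event 4689 uses for the image path, and XML-escapes characters such as & in the path.

```powershell
# Added example: register an event-triggered task for process start (4688) or exit (4689).
# Function names, the task name and the sample paths are assumptions for illustration.
function New-ProcessEventSubscription {
    param(
        [Parameter(Mandatory)][string]$ProcessPath,
        [ValidateSet('Start', 'Exit')][string]$On = 'Start'
    )
    # An apostrophe would end the XPath string literal early, so refuse such paths.
    if ($ProcessPath.Contains("'")) { throw "Unsupported apostrophe in path: $ProcessPath" }

    # 4688 stores the image path in NewProcessName, 4689 stores it in ProcessName.
    if ($On -eq 'Start') { $id = 4688; $field = 'NewProcessName' }
    else                 { $id = 4689; $field = 'ProcessName' }

    # The query is XML, so &, < and > in the path must be written as entities.
    $escaped = $ProcessPath.Replace('&', '&amp;').Replace('<', '&lt;').Replace('>', '&gt;')

    @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=$id)]] and *[EventData[Data[@Name='$field']='$escaped']]
    </Select>
  </Query>
</QueryList>
"@
}

function Register-ProcessEventTask {
    param([string]$TaskName, [string]$ProcessPath, [string]$On = 'Start', [string]$ScriptPath)

    # New-ScheduledTaskTrigger has no "on an event" option; create the trigger's CIM class directly.
    $class   = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
    $trigger = New-CimInstance -CimClass $class -ClientOnly
    $trigger.Enabled      = $true
    $trigger.Subscription = New-ProcessEventSubscription -ProcessPath $ProcessPath -On $On

    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $principal = New-ScheduledTaskPrincipal -GroupId 'BUILTIN\Users'
    Register-ScheduledTask -TaskName $TaskName -Trigger $trigger -Action $action -Principal $principal
}

# Run from an elevated session; the paths are the ones used in the article.
Register-ProcessEventTask -TaskName 'OnNotepadStart' -ProcessPath 'C:\Windows\System32\notepad.exe' `
    -ScriptPath 'C:\PS\ProcessRunEvent.ps1'
```

Because the task runs the script in every user's session with -ExecutionPolicy Bypass, keep the script folder writable by administrators only.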
6 comments

Blu June 18, 2022 - 8:22 pm

The program I’m trying to audit has spaces and a “&” in the path, which seems to lead to an error when setting up the trigger. Is there a solution for this?

Jibun no Kage November 16, 2023 - 1:24 am

Get-WinEvent as you present returns the following error…

Get-WinEvent -FilterHashtable @{
LogName = ‘Security’
ID = 4688
} | Select-Object TimeCreated,@{name=’NewProcessName’;expression={ $_.Properties[5].Value }}, @{name=’User’;expression={ $_.Properties[1].Value }}|where-object {$_.NewProcessName –like “*notepad.exe*”}

Jibun no Kage November 16, 2023 - 1:25 am

Here is the error…

S C:\WINDOWS\System32> Get-WinEvent -FilterHashtable @{
LogName = ‘Security’
ID = 4688
} | Select-Object TimeCreated,@{name=’NewProcessName’;expression={ $_.Properties[5].Value }}, @{name=’User’;expression={ $_.Properties[1].Value }}|where-object {$_.NewProcessName –like “*notepad.exe*”}
Get-WinEvent : No events were found that match the specified selection criteria.
At line:1 char:1
+ Get-WinEvent -FilterHashtable @{
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (:) [Get-WinEvent], Exception
+ FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand

admin November 20, 2023 - 8:12 am

This is actually not an error 🙂
Get-WinEvent : No events were found that match the specified selection criteria.

daniel cuomo December 5, 2024 - 10:20 pm

Hi! I was trying to make a task for when an app closes, but it doesn’t work; when it opens, it works great.

admin December 12, 2024 - 7:10 am

Check which event ID is generated when the app closes. Maybe it depends on the Windows version and the audit policy enabled. In my case it is 4689 on Windows 10.
Edit the XML event filter accordingly.
