Run a Script (Program) When a Specific Program Opens/Closes in Windows

In this article, we will show how to track an event of launching a certain program (process) in Windows and perform an action (run a script, command, program, send an email, etc.). As an example, we will track the launch of the notepad.exe process. And when a user opens Notepad, Windows will automatically run a specific PowerShell script.

First of all, configure the process audit policy on Windows. You can configure audit policy on a stand-alone computer using the Local Group Policy Editor (gpedit.msc). If you want to configure a policy on computers and servers in your AD domain, use the Group Policy Management console (gpmc.msc).

1. Go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy;
2. Open Audit process tracking properties and enable it for Success events;
3. Apply Group Policy settings by running: gpupdate /force

Now, when starting any process in Windows, an event with the EventID 4688 (A new process has been created) will appear in the Event Viewer -> Windows Logs -> Security. The event shows who has run the process (Account name), the name of the process (New Process Name), and the name of the parent process (Creator Process Name).

Then create a new task in the Task Scheduler that will run if an event with the EventID 4688 appears.

1. Open the Task Scheduler (taskschd.msc) and create a new task -> Create Task;
2. Provide the task name and specify that it must be run for all users (When running the task, use the following user account -> BUILTIN\Users). If you create a task using GPO, use this format: %LogonDomain%\%LogonUser%;
3. On the Actions tab, set the action you want to perform. In this example, I will run a PowerShell script (call powershell.exe with attributes: -ExecutionPolicy Bypass -file "C:\PS\ProcessRunEvent.ps1);
4. Then bind the task to a Windows event. Go to Triggers tab, select New -> On an event -> Custom -> New Event Filter;
5. In the next window, specify the following event filter options:
   Event logs: Security
   Event ID: 4688
   Keywords: Audit Success
   
6. Then go to the XML tab and enable the Edit query manually option. Edit the query by adding the following line to the filter: and *[EventData[Data[@Name='NewProcessName'] and (Data='C:\Windows\System32\notepad.exe')]]
7. You will get the following XML query:

   <QueryList>
   <Query Id="0" Path="Security">
   <Select Path="Security">
   *[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and Task = 13312 and (band(Keywords,9007199254740992)) and (EventID=4688)]]
   and
   *[EventData[Data[@Name='NewProcessName'] and (Data='C:\Windows\System32\notepad.exe')]]
   </Select>
   </Query>
   </QueryList>
   

   

8. Save the task.

Try to run the notepad.exe. Each time a user opens the Notepad, your PowerShell script will automatically run.