Windows OS Hub
  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu

 Windows OS Hub / Windows 10 / Run a Script (Program) When a Specific Program Opens/Closes in Windows

February 27, 2023 PowerShellWindows 10Windows Server 2019

Run a Script (Program) When a Specific Program Opens/Closes in Windows

In this article, we will show how to track an event of launching a certain program (process) in Windows and perform an action (run a script, command, program, send an email, etc.). As an example, we will track the launch of the notepad.exe process. And when a user opens Notepad, Windows will automatically run a specific PowerShell script.

First of all, configure the process audit policy on Windows. You can configure audit policy on a stand-alone computer using the Local Group Policy Editor (gpedit.msc). If you want to configure a policy on computers and servers in your AD domain, use the Group Policy Management console (gpmc.msc).

  1. Go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy;
  2. Open Audit process tracking properties and enable it for Success events;Enable audit process tracking policy in Windows
  3. Apply Group Policy settings by running: gpupdate /force

Now, when starting any process in Windows, an event with the EventID 4688 (A new process has been created) will appear in the Event Viewer -> Windows Logs -> Security. The event shows who has run the process (Account name), the name of the process (New Process Name), and the name of the parent process (Creator Process Name).

EventID 4688 (A new process has been created)

You can select app launch events from the Event Log by the specific process using PowerShell:

Get-WinEvent -FilterHashtable @{
LogName = 'Security'
ID = 4688
} | Select-Object TimeCreated,@{name='NewProcessName';expression={ $_.Properties[5].Value }}, @{name='User';expression={ $_.Properties[1].Value }}|where-object {$_.NewProcessName –like “*notepad.exe*”}

As a result, we got the history of launching the program by users on this computer.

getting history of running processes from Event Viewer using PowerShell

Then create a new task in the Task Scheduler that will run if an event with the EventID 4688 appears.

  1. Open the Task Scheduler (taskschd.msc) and create a new task -> Create Task;
  2. Provide the task name and specify that it must be run for all users (When running the task, use the following user account -> BUILTIN\Users). If you create a task using GPO, use this format: %LogonDomain%\%LogonUser%;
  3. On the Actions tab, set the action you want to perform. In this example, I will run a PowerShell script (call powershell.exe with attributes: -ExecutionPolicy Bypass -file "C:\PS\ProcessRunEvent.ps1); run a PowerShell script using a scheduled task
  4. Then bind the task to a Windows event. Go to Triggers tab, select New -> On an event -> Custom -> New Event Filter;
  5. In the next window, specify the following event filter options:
    Event logs: Security
    Event ID: 4688
    Keywords: Audit Success
    audit security event 4688
  6. Then go to the XML tab and enable the Edit query manually option. Edit the query by adding the following line to the filter: and *[EventData[Data[@Name='NewProcessName'] and (Data='C:\Windows\System32\notepad.exe')]]
  7. You will get the following XML query:
    <QueryList>
    <Query Id="0" Path="Security">
    <Select Path="Security">
    *[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and Task = 13312 and (band(Keywords,9007199254740992)) and (EventID=4688)]]
    and
    *[EventData[Data[@Name='NewProcessName'] and (Data='C:\Windows\System32\notepad.exe')]]
    </Select>
    </Query>
    </QueryList>
    

    edit the XML event filter

  8. Save the task.

Try to run the notepad.exe. Each time a user opens the Notepad, your PowerShell script will automatically run.

For example, you can display a pop-up notification or send an email using PowerShell.

Running a PowerShell script when you launch a certain program in Windows

After closing the specific app, sometimes you may want to run a backup script, etc. If you want to track exiting a program, use the event with the Event ID 4689 — A process has exited.

Earlier we showed a PowerShell script to automatically restart a process if it stops. The solution tracking a run/stop event of a process is more elegant and doesn’t require a PowerShell script to monitor running Windows processes.

1 comment
4
Facebook Twitter Google + Pinterest
previous post
How to Rename an Active Directory Domain Name?
next post
Configuring NFS Server and Client on Linux CentOS/RHEL

Related Reading

Installing Language Pack in Windows 10/11 with PowerShell

September 15, 2023

Configure Email Forwarding for Mailbox on Exchange Server/Microsoft...

September 14, 2023

How to View and Change BIOS (UEFI) Settings...

September 13, 2023

How to Create UEFI Bootable USB Drive to...

September 11, 2023

Redirect HTTP to HTTPS in IIS (Windows Server)

September 7, 2023

Categories

  • Active Directory
  • Group Policies
  • Exchange Server
  • Microsoft 365
  • Azure
  • Windows 11
  • Windows 10
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • PowerShell
  • VMWare
  • Hyper-V
  • Linux
  • MS Office

Recent Posts

  • Installing Language Pack in Windows 10/11 with PowerShell

    September 15, 2023
  • Configure Email Forwarding for Mailbox on Exchange Server/Microsoft 365

    September 14, 2023
  • How to View and Change BIOS (UEFI) Settings with PowerShell

    September 13, 2023
  • How to Create UEFI Bootable USB Drive to Install Windows

    September 11, 2023
  • Redirect HTTP to HTTPS in IIS (Windows Server)

    September 7, 2023
  • Add an Additional Domain Controller to an Existing AD Domain

    September 6, 2023
  • How to Install an SSL Certificate on IIS (Windows Server)

    September 5, 2023
  • Managing Windows Firewall Rules with PowerShell

    August 31, 2023
  • Fixing ‘The Network Path Was Not Found’ 0x80070035 Error Code on Windows

    August 30, 2023
  • Disable Welcome Message for Microsoft 365 Groups

    August 28, 2023

Follow us

  • Facebook
  • Twitter
  • RSS
Popular Posts
  • Manage Windows Updates with PSWindowsUpdate PowerShell Module
  • Configuring Port Forwarding in Windows
  • Start Menu or Taskbar Search Not Working in Windows 10/11
  • Get-ADUser: Find Active Directory User Info with PowerShell
  • Adding Drivers into VMWare ESXi Installation Image
  • How to Hide Installed Programs in Windows 10 and 11
  • Configuring SFTP (SSH FTP) Server on Windows
Footer Logo

@2014 - 2023 - Windows OS Hub. All about operating systems for sysadmins


Back To Top