Windows OS Hub

July 22, 2015 Windows Server 2008 R2

Windows Event Triggers

Windows Server 2008 (Vista) introduced a feature that lets you attach a Task Scheduler task to any event in the system logs. Using this feature, an administrator can run a specific script or send an e-mail alert in response to any Windows event. Let’s consider this feature in detail.

Running tasks when certain Windows events occur is based on the close integration of Task Scheduler and Event Viewer. You can assign any Scheduler task to any Windows event directly in the Event Viewer console. As a response to an event, Task Scheduler can run a script or send an e-mail notification to an administrator (or any other user).

Suppose our task is to notify a security administrator about the lockout of an Active Directory user account.

Tip. We have chosen this event for illustrative purposes. In fact, this feature has a wide range of uses: notifications of Windows service stops, running an app after an Exchange backup is over, notifications of changes in Active Directory security groups, changes in certain directories or files, etc.

The lockout of an AD user account is registered in the Security log on the domain controller. The Event ID of the lockout is 4740. Open Windows Event Viewer (eventvwr.msc) and look for this event. Right-click it and select Attach Task To This Event.


The Create Basic Task Wizard starts and prompts for a task name. A name is generated automatically (Security_Microsoft-Windows-Security-Auditing_4740), and it is fine for us.


The next step shows the event log, the source and the Event ID. (All fields are filled in automatically and are not editable in this step.)


Then you are prompted to select the type of response to the event. The following responses are available:

  • Start a program
  • Send an e-mail
  • Display a message


We select an e-mail notification. Specify the sender, the recipient, the SMTP server address, and the subject and text of the e-mail.


In the last step of the wizard, you can view the trigger settings. As a result, a new task connected to event 4740 appears in Task Scheduler. Open the Task Scheduler console in Administrative Tools. The new task can be found in Task Scheduler Library -> Event Viewer Tasks.


Here you can also change the event trigger settings and run the task manually to test the response to the event.

Tip. If you have to attach one trigger to several Event IDs, specify them separated by commas.

The trigger becomes active. When any AD account is locked out, a notification e-mail will be sent to the specified address.


Note. In Windows Server 2003 and earlier Windows versions, the same feature was implemented by the console utility eventtriggers.exe. This utility also monitored events in the system logs and assigned triggers to certain events. In our example, to assign a VBS or PowerShell script that sends an e-mail to the administrator mailbox to event 4740, the command can look like this:

eventtriggers /create /TR "Lock Account" /TK "C:\WINDOWS\system32\windowspowershell\v1.0\powershell.exe c:\script\SendEmailAlert.ps1" /L Security /EID 4740

This notification is not very informative, and to view the event details you have to open Event Viewer. Let’s try to attach the data from the event log to the e-mail. The wevtutil utility can be used to obtain information about any event from the Windows logs. To get information about the last 4740 event from the Security log, run the following:

wevtutil qe Security /q:"*[System[(EventID=4740)]]" /f:text /rd:true /c:1

Make a script (query.cmd) consisting of two lines: the first one deletes the previous output file, and the second gets the last event from the log and saves it to that file:

del c:\script\query.txt
wevtutil qe Security /q:"*[System[(EventID=4740)]]" /f:text /rd:true /c:1 > c:\script\query.txt

Now you only have to open the settings of the trigger created earlier in Task Scheduler. In the Actions tab, add a new action that starts the script query.cmd. Then change the order of the actions: move the new action to the top of the list using the arrow buttons on the right (the script should be executed first).


Then edit the second action — sending an e-mail — by selecting c:\script\query.txt as an attachment to the letter.

Note. In our example, to make the task work properly, you have to run it elevated. To do this, check Run with highest privileges in the task settings.


Let’s test the task again. Now the administrator will receive an e-mail notification with an attachment that contains the account name, lockout time and other useful information.


Tip. Using Windows event triggers to alert the administrator about critical issues on the servers is not a full-featured substitute for a monitoring system like System Center Operations Manager or Zenoss. However, it is a simple built-in monitoring and notification tool for small businesses with no need to invest in implementing or training staff.

Binding Scheduler tasks to events in system logs works in all Windows versions from Windows Server 2008 / Vista. This feature lets you quickly alert the administrator to certain server issues so they can be solved.

Note. In Windows Server 2012 R2, Task Scheduler does not support sending e-mail (the action is deprecated).
For this purpose, it is better to use the PowerShell 3.0 Send-MailMessage cmdlet.
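
The following script is an added example, not part of the original article: it combines the event 4740 query shown above with Send-MailMessage so that a single "Start a program" action replaces the deprecated e-mail action. The SMTP server, both addresses and the task name are placeholders, and the field names read from the event are the standard EventData names of event 4740.

```powershell
# SendEmailAlert.ps1 - added example; run by the task bound to Security event 4740.
# Assumptions (not from the article): smtp.example.com and both addresses are placeholders.
$SmtpServer = 'smtp.example.com'
$From       = 'dc-alerts@example.com'
$To         = 'secadmin@example.com'

# Same XPath filter the article passes to wevtutil; newest matching event only.
$evt = Get-WinEvent -LogName Security -FilterXPath '*[System[(EventID=4740)]]' `
                    -MaxEvents 1 -ErrorAction Stop

# Read the named EventData fields from the event XML instead of parsing message text.
$xml  = [xml]$evt.ToXml()
$data = @{}
foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

# Strip control characters (CR/LF included) before a directory-supplied
# value is placed into a mail header such as the subject.
function Remove-ControlChars([string]$s) {
    return ($s -replace '[\x00-\x1F\x7F]', ' ').Trim()
}

$account = Remove-ControlChars $data['TargetUserName']
# In event 4740 the TargetDomainName field carries the caller computer name.
$caller  = Remove-ControlChars $data['TargetDomainName']

$body = @"
Account locked out : $account
Caller computer    : $caller
Domain controller  : $($evt.MachineName)
Time (local)       : $($evt.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss'))
Record ID          : $($evt.RecordId)
"@

Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
    -Subject "AD account lockout: $account" -Body $body

# Registering the trigger from an elevated prompt instead of the wizard
# (enter as one line; "Alert-4740" is a placeholder task name):
#   schtasks /Create /TN "Alert-4740" /SC ONEVENT /EC Security
#     /MO "*[System[(EventID=4740)]]" /RU SYSTEM /RL HIGHEST
#     /TR "powershell.exe -NoProfile -File c:\script\SendEmailAlert.ps1"
```

Like the wevtutil query, the script reports the newest 4740 event at the moment it runs, so two lockouts in quick succession can produce two messages about the same record; the Record ID in the body makes that visible. Because the task runs with highest privileges, c:\script and the script file should be writable by administrators only.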
