I wanted to run a powershell script when a specific process started.
I knew you could create event triggered scheduled tasks, and have used this before based on a specific event id.. However this time the eventid is going to be the same for a lot of different process start events so needed to find a way to filter this. Turns out you can edit the filter manually in Task Scheduler and this allows you to fully edit the XPath queries of the event XML.
To enable this, you must first turn on Audit Process Tracking for Success, in Local Security Policy
Now in the scheduled tasks
Edit the event filter, the query is below. You can get the field and values from looking at the XML in the event viewer under eventdata
this is the line in the query below that will need to be updated for the specific process.
Edit the event filter, the query is below. You can get the field and values from looking at the XML in the event viewer under eventdata
this is the line in the query below that will need to be updated for the specific process.
<QueryList>
<Query Id="0" Path="System">
<Select Path="Security">
*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and Task = 13312 and (band(Keywords,9007199254740992)) and (EventID=4688)]]
and
*[EventData[Data[@Name='NewProcessName'] and (Data='C:\temp\process.exe')]]
</Select>
</Query>
</QueryList>
No comments:
Post a Comment