I need to setup a Windows Scheduled Task for an event from Active Directory.
The content(I don't know how it's called) of my event is something like:
Is there a way to read and use the values of account name and Event ID from this event in a batch file which will start when this event occurs ?
with schtasks you can trigger a batch file with /sc onevent :
SCHTASKS /Create /SC ONEVENT /mo */EventData/Data[@Name='SubjectUserName']='reduser' /EC Security /tn check_event /tr "c:\some.bat"
where /mo .. is an xpath for the elements you want to pass through your filter.In this case related to the user reduser (as this is a not hidden info in your screenshot)
wevtutil qe Security wevtutil qe security /q:*/EventData/Data[@Name='SubjectUserName']='reduser'
you'll list events in the Security related to the reduser and the last line will be the last event.And you can get additional filtering by adding the system time in xpath filer - the format is always YYYY-MM-DDThh:mm:ss.msZ - or with piping through findstr . To get the desired time format independently of the settings you can check this .
Though it's a little cumbersome to parse the xml line with pure batch and get the things you want - the line is too long and you might need two embedded for loops to parse the data. Here I've event log data with wevtutil to get a info about started process , so I suppose you can use it as a reference.
