
I need to display a message to the user whenever the following Audit System event IDs occur: 1100, 1102, 1104, 1108, 4612, and 4719.

The title bar of the message window should say, as an example, "Event ID: 1100"

I also need to know how to trigger each of these events.

Here is what I've managed to accomplish so far: I am currently using Windows Task Scheduler. For Event ID 1102, I set up the following trigger:

On event - Log: Security, Source: Microsoft-Windows-Eventlog, EventID: 1102

Along with the following action to be run in powershell:

-executionpolicy bypass -windowstyle hidden -file C:\1102.ps1

And here is what my 1102.ps1 script looks like:

Add-Type -AssemblyName System.Windows.Forms
$lastEvt = Get-WinEvent -LogName 'Security' -MaxEvents 20 | ? { $_.Id -eq 1102 } | select -First 1
[System.Windows.Forms.MessageBox]::Show(($lastEvt.Message), 'Event ID: 1102')

By going into Event Viewer and clearing the Security log, I am able to make the desired message appear. However, I would like to be able to add a String argument to the end of my Task Scheduler action as opposed to typing out the string literal 'Event ID: 1102' in my .ps1 script. This will allow me to use the same script for any event ID.

On top of that, I have been unable to make the message appear for any other event (using the same trigger/action/script as detailed above but with the appropriate event IDs). For example, I made a system audit policy change (Event ID 4719) which was logged to the Security log in Event Viewer but for some reason did not display any message. As for the others, I have not yet figured out how to manually trigger them.

  • Why not something like `Add-Type -AssemblyName System.Windows.Forms; $lastEvt = Get-WinEvent -LogName 'Security' | select -First 1; Write-Host "Event ID: " $lastEvt.Id` –  Dec 17 '18 at 21:10
  • @Rthomas529 doesn't work, I get no message at all when I modify the script as you suggested. –  Dec 17 '18 at 22:00
  • @TeddyF have you tried the option "Run with the highest privilege"? – LT- Dec 18 '18 at 00:59
  • @LT- In conjunction with which solution? –  Dec 18 '18 at 15:24
  • @TeddyF in regard to this comment "On top of that, I have been unable to make the message appear for any other event (using the same trigger/action/script as detailed above but with the appropriate event IDs)." But regardless of any comment, you should always run your scheduled task with the highest privilege in order to work with the security events. – LT- Dec 18 '18 at 19:06
  • @LT- Ah, that option was not enabled but enabling didn't make a difference. Good to know that for the future though. –  Dec 18 '18 at 20:09
  • @TeddyF To this comment of yours "However, I would like to be able to add a String argument to the end of my Task Scheduler action as opposed to typing out the string literal 'Event ID: 1102' in my .ps1 script. This will allow me to use the same script for any event ID." you need to use the param option in your script. Here is an example: https://stackoverflow.com/questions/5592531/how-to-pass-an-argument-to-a-powershell-script – LT- Dec 19 '18 at 00:14
  • @TeddyF If your script is working for one type of event it should work for other events as well. You will have to figure out how to generate the event in order to test. For instance, to generate 1104 you can try setting the following options under security event properties: `Set Maximum log size to 100KB or less` and `Select Do not overwrite events`. This will fill up the logs and probably will generate 1104. – LT- Dec 19 '18 at 00:37
  • @TeddyF In order to generate 1100, you can try restarting "Windows Event Log" server (tested on windows 10). To generate 4719 try making changes to Local Audit Policy: https://www.ultimatewindowssecurity.com/securitylog/book/page.aspx?spid=chapter2 – LT- Dec 19 '18 at 00:38
  • @LT- I was able to generate a message for 1104 by following steps similar to what you suggested but a message does not generate for 4719 despite the event being logged in the Security log when I make a change to the system audit policy. Also, I am able to generate 1100 in the Event Log by stopping or restarting "Windows Event Log" as you suggested but no message displays, I assume because the script cannot run while the Windows Event Log service is down. –  Dec 19 '18 at 15:59

2 Answers


You can pass any event's properties to an event-based task. You'll need to export your task and then modify the exported XML by adding the needed parameters to the EventTrigger section:

<EventTrigger>
    <ValueQueries>
        <Value name="EventID">Event/System/EventID</Value>
    </ValueQueries>    
    ...
</EventTrigger>

Then import your task back, and now you can refer to this new value as a command line parameter $(<value_name>), e.g. cmd /k echo $(EventID)

You can read more about this here https://blogs.technet.microsoft.com/otto/2007/11/09/reference-the-event-that-triggered-your-task/

BTW you do not need to create a script to show a message because Task Scheduler can do this by itself, just choose task action "Display a message".

montonero
  • When I replace `'Event ID: 1102'` from my .ps1 script in the OP with `$(EventID)`, 'Error' is printed to the message window title bar (even after exporting the XML, modifying it, then importing it back in). Also, I'm unable to choose "display a message" as the action because that is a deprecated feature. –  Dec 18 '18 at 15:38
  • $(EventID) should be passed as a parameter to the script in task arguments. – montonero Dec 19 '18 at 07:03
  • I am passing 'Event ID: 1102' as a parameter like so: `-executionpolicy bypass -windowstyle hidden -file C:\1102.ps1 "Event ID: 1102"` and still seeing 'Error' in the title bar. –  Dec 19 '18 at 16:11
  • You should pass $(EventID) literally. And modify your script to use that parameter. – montonero Dec 20 '18 at 08:01
  • Now I am passing `-executionpolicy bypass -windowstyle hidden -file C:\1102.ps1 "$(EventID)"` to my script which I have modified like so: `[System.Windows.Forms.MessageBox]::Show(($lastEvt.Message), $(EventID))` and I am still getting 'Error' in the title bar. –  Dec 20 '18 at 14:06
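The ValueQueries mechanism from the answer above, carried through to a complete task definition, as an added example that is neither montonero's code nor the OP's task. It registers one task for all six event IDs from the question, exposes the triggering event's ID and record ID to the action as `$(EventID)` and `$(EventRecordID)`, and passes them as named parameters to a notifier script. The script path is a hypothetical one chosen under `C:\ProgramData`, and the script is assumed to accept `-EventID` and `-RecordId`; run this from an elevated PowerShell.

```powershell
# Added example: register an event-triggered task that hands the triggering
# event's fields to its action via Task Scheduler value queries.
# Assumptions: the script path is hypothetical, and the script accepts
# -EventID and -RecordId parameters.

$taskName   = 'Audit-Event-Notify'
# The task runs elevated, so keep the script somewhere standard users cannot
# write; a script in a user-writable folder would run anyone's code at that level.
$scriptPath = 'C:\ProgramData\AuditNotify\Notify-AuditEvent.ps1'
# Run as the current (administrative) user in the interactive session so the
# message box is visible, with highest privileges so the Security log is readable.
$userSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

# Subscription is the same XPath a custom Event Viewer view uses, XML-escaped.
# The backtick before $( stops PowerShell expanding it inside this here-string;
# Task Scheduler substitutes the value query results at run time.
$taskXml = @"
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;*[System[(EventID=1100 or EventID=1102 or EventID=1104 or EventID=1108 or EventID=4612 or EventID=4719)]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
      <ValueQueries>
        <Value name="EventID">Event/System/EventID</Value>
        <Value name="EventRecordID">Event/System/EventRecordID</Value>
      </ValueQueries>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>$userSid</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Queue</MultipleInstancesPolicy>
    <ExecutionTimeLimit>PT5M</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File "$scriptPath" -EventID `$(EventID) -RecordId `$(EventRecordID)</Arguments>
    </Exec>
  </Actions>
</Task>
"@

Register-ScheduledTask -TaskName $taskName -Xml $taskXml -Force | Out-Null
Write-Host "Registered task '$taskName'; inspect it with: Export-ScheduledTask -TaskName $taskName"
```

`MultipleInstancesPolicy` is set to `Queue` because several of these events tend to arrive together (a cleared log is immediately followed by 1102, a full log by 1104 and then possibly 4612), and the default of ignoring a new instance while one is running would silently drop all but the first message. `InteractiveToken` means the task only runs while that user is logged on, which is the only time a message box is useful anyway.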

I finally figured out how to do this...

My trigger from the OP remains the same but the Action should be modified like so:

-executionpolicy bypass -windowstyle hidden -file C:\1102.ps1 -eventID 1102

And the script itself will now look like this:

param([Int32]$eventID)
Add-Type -AssemblyName System.Windows.Forms
$lastEvt = Get-EventLog -Log Security -Newest 1000 | where { $_.EventID -eq $eventID } | Select -First 1
[System.Windows.Forms.MessageBox]::Show(($lastEvt.Message), 'Event ID: ' + $eventID)

This will display a message including the Event description with the Event ID in the title bar.
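A more robust version of that notifier, as an added example rather than the OP's script. Besides `-EventID` it accepts an optional `-RecordId` (the value an `EventRecordID` value query on the trigger would pass) so it reads back the exact event that fired the trigger instead of the newest one with that ID, which matters when many events are written at once and the newest N no longer include the one that triggered. It also puts a short description of each of the six event IDs from the question into the title bar, and still alerts when the event cannot be read back, for instance because the task lacks rights to the Security log. The parameter names are assumptions; the descriptions are the standard Windows event descriptions for those IDs.

```powershell
<#
  Notify-AuditEvent.ps1 -- added example, not the OP's script.
  Assumed to be invoked by a scheduled task as:
    -File Notify-AuditEvent.ps1 -EventID $(EventID) -RecordId $(EventRecordID)
#>
param(
    [Parameter(Mandatory = $true)][Int32]$EventID,
    [Int64]$RecordId = 0
)

Add-Type -AssemblyName System.Windows.Forms

# Log-integrity events from the question, with their standard descriptions.
$knownEvents = @{
    1100 = 'The event logging service has shut down'
    1102 = 'The audit log was cleared'
    1104 = 'The security log is now full'
    1108 = 'The event logging service encountered an error while processing an incoming event'
    4612 = 'Internal resources allocated for the queuing of audit messages have been exhausted'
    4719 = 'System audit policy was changed'
}

function Get-TriggeringEvent {
    param([Int32]$Id, [Int64]$Record)
    # Prefer the exact record that fired the trigger; fall back to the newest
    # event with that ID so the script still works when no record ID is passed.
    if ($Record -gt 0) {
        $xpath = "*[System[EventID=$Id and EventRecordID=$Record]]"
        $evt = Get-WinEvent -LogName 'Security' -FilterXPath $xpath -MaxEvents 1 -ErrorAction SilentlyContinue
        if ($evt) { return $evt }
    }
    return Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id } -MaxEvents 1 -ErrorAction SilentlyContinue
}

$evt = Get-TriggeringEvent -Id $EventID -Record $RecordId

$title = "Event ID: $EventID"
if ($knownEvents.ContainsKey($EventID)) { $title += " - $($knownEvents[$EventID])" }

if ($evt) {
    $body = "Time: $($evt.TimeCreated)`r`nRecord: $($evt.RecordId)`r`n`r`n$($evt.Message)"
} else {
    # The trigger fired, so the event exists; say why the detail is missing
    # rather than showing an empty box or failing silently.
    $body = "Event $EventID was logged but could not be read back from the Security log (check that the task runs with highest privileges)."
}

[void][System.Windows.Forms.MessageBox]::Show($body, $title, 'OK', 'Warning')
```

Event 1100 is the one case this cannot cover interactively: it is written as the Windows Event Log service shuts down, so the task cannot fire until the service is back, as the OP observed in the comments. For anything beyond a single workstation, these six IDs are better forwarded to a central collector or SIEM than shown in a message box, since a cleared or stopped log is exactly the situation in which a local alert can be lost.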