QuickPost – triggering actions after process starts in Windows

Just a quick post here while I remember to document some more stuff I’ve been using for a while – this time talking about how to capture a process start in Windows.

It was during my recent Teams wrangling that I started thinking about how I used to capture process launches in Windows, so I could launch a program or script at the same time an application started. Obviously if you’re used to using Ivanti/AppSense this is something they’ve had for a long time, which is very useful, and I understand it is possibly arriving soon in Citrix Workspace Environment Management too. In the meantime – if you’re short of tooling like Ivanti you can use this trick to get it working via the Task Scheduler.

Firstly, turn on detailed auditing for process events on your devices – the easiest way to do this is through Group Policy (either domain-based or local). Navigate to Computer Config | Windows Settings | Security Settings | Local policies | Audit policy and turn on Audit process tracking for Success.

What this does is turn on auditing so that every time a process starts, a 4688 event is logged into the Security log.

The Details tab of the event contains the information on the process and the process that spawned it.

Next, we need to set up a Scheduled Task on the machines where you wish to perform the process capture and response. You can either create the Scheduled Task manually, deploy it through Group Policy Preferences, or create it with a script; the choice is yours. I have shown the process through Group Policy, as you will probably want to deploy it to many machines, so GPP is the easiest way.

Use the New Scheduled Task (at least Windows 7) option to create the task, and create it in User Config | Preferences | Control Panel Settings | Scheduled Tasks, as we want it to execute in the user context. Set the options as below.

The Trigger tab is key, so pay careful attention on this tab. Click on New, set the task to begin On an event and switch to Custom in the Settings area. Then click on New Event Filter.

On the next dialog, set the options as highlighted below (note that if using the GPO method, there are three entries that start Microsoft-Windows-Security-Audit… – it is the third of these that you need to select). If using the manual method, you will need to select a Task Category of Process Creation as well.

Next, switch across to the XML tab and tick the box that says Edit query manually. Replace the contents of the field with the code below:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and Task = 13312 and (band(Keywords,9007199254740992)) and (EventID=4688)]]
      and
      *[EventData[Data[@Name='NewProcessName'] and (Data='C:\Windows\System32\regedit.exe')]]
    </Select>
  </Query>
</QueryList>

Note that this example uses regedit.exe as the process start to capture. Change this path to the full path of the executable you are trying to trigger on. Here’s what your event filter will look like.

Click OK twice, and now switch to the Actions tab. This is where you configure what you wish to be run at the same time the process starts. You can run anything – applications, scripts, etc. For this example I have simply chosen to run cmd.exe to prove that the trigger is working.

If you wish to run a PowerShell script, which admittedly is a very common response to put into place, make sure that you call the PowerShell executable directly with any scripts passed as a parameter – example below.

This is all you need to configure, so you can finalize the task. However, there seems to be a slight bug in the Task Scheduler GPP interface in that it sometimes puts a “(” at the end of the event ID. Before you deploy it, check the event ID that is configured under the Trigger tab and make sure it says 4688 and not 4688(

Now you can run Group Policy update to deliver the new Scheduled Task to all of your target machines. It should show in the local Task Scheduler interface once you have successfully pushed it out.

So now, assuming I have done everything correctly, I should be able to run the Registry Editor and see a command prompt appear as the process start is captured and responded to.
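The same setup done with a script, as an added example that is not from the original post: it checks the audit policy, dry-runs the event filter against the Security log, registers the task, and reads the stored query back. The task name OnRegeditStart is hypothetical, and the script assumes an elevated prompt on an English-language Windows build.

```powershell
# Added example - run elevated; assumes an English-language Windows build.
$TaskName = 'OnRegeditStart'                   # hypothetical task name
$Target   = 'C:\Windows\System32\regedit.exe'  # executable to trigger on (from the post)

# The post's event filter, with the target path substituted in.
$Query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and Task = 13312 and (band(Keywords,9007199254740992)) and (EventID=4688)]]
      and
      *[EventData[Data[@Name='NewProcessName'] and (Data='$Target')]]
    </Select>
  </Query>
</QueryList>
"@

# 1. Confirm success auditing for Process Creation is in effect.
$audit = auditpol /get /subcategory:"Process Creation" /r |
    Where-Object { $_ } | ConvertFrom-Csv
if ($audit.'Inclusion Setting' -notmatch 'Success') {
    Write-Warning 'Process Creation success auditing is off; no 4688 events will be logged.'
}

# 2. Dry-run the filter against the Security log (start the target once beforehand).
$hits = Get-WinEvent -FilterXml ([xml]$Query) -MaxEvents 3 -ErrorAction SilentlyContinue
if (-not $hits) { Write-Warning "No 4688 event for $Target matched the filter." }
foreach ($evt in $hits) {
    $data = ([xml]$evt.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Time       = $evt.TimeCreated
        NewProcess = ($data | Where-Object Name -eq 'NewProcessName').'#text'
        User       = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
    }
}

# 3. Register the task for the current user with an event trigger using the same query.
$class   = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $class -ClientOnly
$trigger.Enabled      = $true
$trigger.Subscription = $Query
$action  = New-ScheduledTaskAction -Execute 'cmd.exe'   # the post's proof-of-trigger action
Register-ScheduledTask -TaskName $TaskName -Trigger $trigger -Action $action

# 4. Read back the stored subscription to check the event ID survived intact.
(Get-ScheduledTask -TaskName $TaskName).Triggers[0].Subscription
```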

There you have it – a quick and dirty way of leveraging the Task Scheduler to take actions based around the launch of a specified process.
