How To Use PowerShell for Automated Event Response
This PowerShell tutorial explains how to automate and streamline processes based on system events. Watch the video to learn more.
April 11, 2024
PowerShell is valued by many for its ability to automate tasks. Among its many useful features, PowerShell can respond to systems events, allowing tasks to be automatically carried out when specific events occur.
In this video tutorial, PowerShell expert Brien Posey will discuss how PowerShell works within the Windows Event Viewer framework. You’ll learn how to set up tasks to respond to certain events.
The following transcript has been lightly edited for length and clarity.
Transcript:
Brien Posey: PowerShell can be especially useful for automating tasks. For example, you can configure a PowerShell script to run automatically in response to a system event. Let's look at how this works.
As you can see, I have the Windows Event Viewer on screen. Right now, I have the Application Log selected. If I just right-click on an event at random, you'll notice that there's an option to attach a task to the event. I'll go ahead and click on that menu option.
When I do, you can see that there's a wizard that pops up that allows us to associate a task with a particular system event.
So, let's look at how we might put PowerShell to work with regard to responding to an event.
I'm going to go ahead and cancel out of this. I'm going to open PowerShell. As you can see, I'm working in an elevated PowerShell window, hence the administrator prompt.
Writing Test Events to the Application Log
The first thing that I'm going to do is to create a custom event log source. I'm going to type:
New-EventLog -LogName Application -Source "Demo"
I'll press Enter. What this is going to do is create a new event log source for the application log called Demo.
What I want to do now is write a test event to the Application Log. The way that I'm going to do that is by typing:
Write-EventLog -LogName Application -Source "Demo" -EventID 100 -Message "This is a test event."
We'll just give this an event ID of 100.
I'll press Enter. We had no visible response, but let's check out our event log.
Here we are in the event log. Right now, I don't see anything but let's click Refresh.
Right here, you can see our Demo event. You can see that the source is set to Demo, and if you look at the event details, you can see this is a test event.
Now, just to be clear: With what we just did with regard to defining an event source and generating a test event, you don't have to do that to get PowerShell to respond to an event. You can run a PowerShell script in response to any Windows event. The reason why I did what I did was because I needed a predictable way of being able to generate events that wouldn't be disruptive to the system. So, by generating demo events, I'm able to test PowerShell’s ability to respond.
Building a Script To Execute
So, now that I've done that, let's go ahead and look at the PowerShell script that I've created.
Here's the script that's going to run in response to any events that occur. As you can see, this is a simple script. It only has two lines of code.
The first line is:
Write-Output "The PowerShell script has executed."
So, there's a message that's going to be displayed within the console, saying that the script has been executed. Now, in the real world, the console isn't always displayed. Even if the console is displayed, there might not be anybody around to see it. So, we also want to write an event to the event logs.
Here, we have the Write-EventLog command:
Write-EventLog -LogName Application -Source "Demo" -EventID 200 -Message "The PowerShell script has executed."
I'm using a different event ID this time – the Event ID I'm using is 200 – and the message this time is going to be, “The PowerShell script has executed.” In other words, Event ID 100 is going to be my trigger event and is going to take the place of some sort of system event that I want to respond to. Event ID 200 is going to be my confirmation that the PowerShell script has indeed been executed.
With that said, let me go ahead and close out of this.
Attaching a Task to an Event
What I want to do now is set up a response to an event. I'm just going to right-click on this Demo event that was just logged, and then I'm going to go to “Attach Task To This Event…” on the shortcut menu. This is going to bring up the Create Basic Task Wizard that you saw a moment ago.
The first thing that we have to do is to provide a name and a description. Since I'm only doing a demo, I'm not going to worry about providing a meaningful name. In the real world, you would, of course, want to do that. I'll go ahead and click Next.
The next thing that we have to do is to specify the event that we want to respond to. Here, you can see the log is the Application Log, the source is Demo, and the Event ID is 100. All of this is grayed out because rather than creating a task from scratch, I'm creating a task based on a specific event. All the event details are prepopulated for me, and I can't change that. I'm going to go ahead and click Next.
Now I'm taken to the Action screen. This is where I define what's going to happen whenever this event occurs. You can see that I have a few options: I can start a program, I can send an email message, and I can display a message. Sending an email message and displaying a message – both of those functions are deprecated. But we can certainly launch a program. I'm going to stick with the “Start a program” option and click Next.
Now I have to specify the program or script that I want to run. Rather than simply entering the name of my PowerShell script, what I need to do instead is enter PowerShell.exe.
Then I have to provide some arguments. So, I'll go down to the arguments field. The first argument that I'm going to provide is:
-ExecutionPolicy Bypass
This makes it so that if the machine has a restrictive execution policy, our PowerShell script is going to run anyway.
The next argument that I need to add is file, so I'll type, -File. Then I need to list the file that I want to run. In my case, it's going to be – and this has to be in quotes – "C:\Scripts\Demo.ps1".
-ExecutionPolicy Bypass -File "C:\Scripts\Demo.ps1"
I'll go ahead and click Next, and then I'll click Finish. We can see that Event Viewer has created the scheduled task. I'll click OK to clear the message.
Trigger the Event and Observe the Results
Now let's go ahead and trigger our Demo event once again. I'll go back to PowerShell, and I'm going to repeat the command that creates the Demo event:
Write-EventLog -LogName Application -Source "Demo" -EventID 100 -Message "This is a test event."
I'll press Enter. When I do, you can see that there was very briefly a PowerShell popup. That popup displayed a message. It cleared very quickly, so we didn't have time to read the message, but the script ran nonetheless.
Let me go ahead and minimize this, and let's look at the event log. Once again, I'm going to refresh the display.
Here we have Event 100. This is the event that just ran. This was our trigger event. And you can see the text, “This is a test event.” Then just above that, we have Event ID 200. That's the event that indicated that the PowerShell script has been executed. So, the trigger event was logged, and that kicked off our PowerShell script. The PowerShell script was what created this particular event right here.
So, that's how you configure a PowerShell script to run in response to an event that has been logged within the Windows Event Viewer.
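As an added example (not code from the video), the same wiring can be done entirely from an elevated Windows PowerShell 5.1 prompt instead of the Event Viewer wizard: the source, the two event IDs and the script path follow the video, while the task name and the SYSTEM principal are assumptions.

```powershell
# Added example: script the video's wizard steps with the ScheduledTasks module.
# Assumes Windows PowerShell 5.1 (the *-EventLog cmdlets are absent from PowerShell 7)
# and an elevated prompt. Source name, event IDs and script path follow the video.
$Source     = 'Demo'
$TriggerId  = 100
$ScriptPath = 'C:\Scripts\Demo.ps1'   # location used in the video
$TaskName   = 'Demo event response'   # assumed name

# 1. Event source: create it only once; a second New-EventLog for the same source throws.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}

# 2. The script the task runs: the video's two lines, written to disk.
#    Whoever can write this file runs as the task's account, so keep the folder admin-writable only.
New-Item -ItemType Directory -Path (Split-Path $ScriptPath) -Force | Out-Null
@"
Write-Output "The PowerShell script has executed."
Write-EventLog -LogName Application -Source "$Source" -EventID 200 -Message "The PowerShell script has executed."
"@ | Set-Content -Path $ScriptPath -Encoding ASCII

# 3. Event trigger: the wizard builds this XPath subscription for you; here it is explicit.
$Subscription = @"
<QueryList><Query Id="0" Path="Application"><Select Path="Application">*[System[Provider[@Name='$Source'] and EventID=$TriggerId]]</Select></Query></QueryList>
"@
$Class   = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$Trigger = New-CimInstance -CimClass $Class -ClientOnly
$Trigger.Subscription = $Subscription
$Trigger.Enabled      = $true

# 4. Action: powershell.exe with the same arguments typed into the wizard (plus -NoProfile).
$Action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""

# 5. Register under SYSTEM so the task still runs when nobody is logged on (assumed choice;
#    the wizard defaults to the interactive user).
$Principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger -Principal $Principal -Force | Out-Null

# 6. Fire the trigger event and confirm that event 200 follows event 100.
Write-EventLog -LogName Application -Source $Source -EventID $TriggerId -Message 'This is a test event.'
Start-Sleep -Seconds 5
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = $Source; Id = 100, 200 } -MaxEvents 2 |
    Select-Object TimeCreated, Id, Message
```

If step 6 shows only event 100, check the task's Last Run Result in Task Scheduler; a missing script file or a Write-EventLog permission problem is the usual cause.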
About the author
Brien Posey is a bestselling technology author, speaker, and 21x Microsoft MVP. In addition to his ongoing work in IT, Posey has trained as a commercial astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space.