Scheduled Tasks: On Event Triggers with variables

Surprisingly, I haven’t really had the need to grab variables from specific events within an eventlog directly until very recently – I normally utilize an event management platform or SIEM.

Imagine a scenario where you wish to trap something every time a specific event occurs on a specific server. Yes, there are many event management tools and platforms out there; but what if you are running in some special Tier 0 environment where such things are taboo. What if you do not have an event management platform?

There are many ways to achieve the desired results – at the most basic level, you could process something like this using a scheduled task.

There’s quite a number of methods by which a scheduled task may be triggered – chances are you already know most of them. Trigger by date, time, at log in, trigger based on event and many more.

Sure, I can trigger a scheduled task based on an event – but! How can I get data from the actual event to my script as a variable?

I didn’t find anything all that comprehensive out there so I thought I would put up this article that may hopefully help someone one day.

Scheduled Task – ValueQueries: Get Data as variables from an Event

It turns out that it isn’t possible to get data from events and store them as variables for processing by a script using the Scheduled Task GUI. You CAN do this by tweaking an exported schedule task’s XML file: At the most basic level, this involves exporting, modifying and re-importing a schedule task.

In order to clearly demonstrate this, let’s take a fictitious use case:

I want to run a script every time my CA issues a certificate. I want to feed in the certificate request number and Requester from each Windows Event into a powershell script that will email me. I will call that script cert.ps1. If you really want an example of a script like this, feel free to pop a comment on this post and I’ll have a think about it. The purpose of this post is just to demonstrate that parameters can be pushed to a script (not the script itself).

Trapping CA Event 52 – Certificate Issued

Separate to setting up a scheduled task, for my fictitious use-case, my CA must also have a loglevel of 4 configured and auditing must be enabled.

Eg; In the screenshot below, the LogLevel value of a CA called “UAT-Issuing-CA” Is 4:

Once configured, we need to be looking for Event 52 > Certification Authority within the Application Log of the CA.

The simple lab for this example consists of:

A Domain Controller
An Offline ADCS Root CA
An Issuing CA

For the purpose of this example, I will be working with events on the Issuing CA and we will simply be showing how to call a script with parameters from an event.

Here is an example Event 52:

Note that in this example, there are two pieces of information of interest under the EventData section; “RequestId” and “SubjectName”. We want to access these values when processing an Event 52

Create a schedule task based on event 52:
Log: Application;
Source: CertificationAuthority
Event ID 52.

NOTE: You could use the custom radio check box and define multiple if you feel like processing multiple events in a single task

Give the scheduled task a name, run it as System and choose whether it runs with highest privileges or not, perhaps you’d like to define the actions:

NOTE: On the settings tab, be sure to set the task so that multiple tasks can run in parallel; this is in the case where multiple certificates are issued at around the same time – without changing this setting, events may be missed:

From here we need to close this dialogue off and save the task. We then want to export the task:

Here’s an example default export of the scheduled task above:

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2022-12-6T18:28:31.4227522</Date>
    <Author>UAT\administrator</Author>
    <URI>\Certificate Processing</URI>
  </RegistrationInfo>
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription><QueryList><Query Id="0" Path="Application"><Select Path="Application">*[System[Provider[@Name='Microsoft-Windows-CertificationAuthority'] and EventID=52]]</Select></Query></QueryList></Subscription>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-file C:\scripts\cert.ps1 -requestID "$(RequestId)" -SubjectName "$(SubjectName)"</Arguments>
    </Exec>
  </Actions>
</Task>

In order to add the two values to the scheduled task for later processing, we must add in the <ValueQueries> Section and define our values that should be parsed through the scheduled task. See below:

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2022-12-06T18:28:31.4227522</Date>
    <Author>UAT\administrator</Author>
    <URI>\Certificate Processing</URI>
  </RegistrationInfo>
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription><QueryList><Query Id="0" Path="Application"><Select Path="Application">*[System[Provider[@Name='Microsoft-Windows-CertificationAuthority'] and EventID=52]]</Select></Query></QueryList></Subscription>
      <ValueQueries>
        <Value name="RequestId">Event/EventData/Data[@Name="RequestId"]</Value>
        <Value name="SubjectName">Event/EventData/Data[@Name="SubjectName"]</Value>
      </ValueQueries>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-file C:\scripts\cert.ps1 -requestID "$(RequestId)" -SubjectName "$(SubjectName)"</Arguments>
    </Exec>
  </Actions>
</Task>

Once the <ValueQueries> section has been created  within the exported XML file, the existing task must be deleted and the modified XML file needs to be imported as a scheduled task. The values will then be made available to the script, which has been declared in the arguments section. Be mindful that this is case sensitive.

I encourage you to experiment in your lab environment.

The sky is the limit

You could go crazy and tune this to only alert on certain conditions – you could even have it process multiple event ids – Maybe also trap Event 25 (when a certificate is revoked).

I hope this helps in some way.