I am trying to track the occurrence of specified Security events. In order to accomplish this, I want a message to be displayed whenever these events are logged in the Windows Security log. Because displaying a message is a deprecated feature in Task Scheduler, I am using PowerShell commands to accomplish this like so:
Trigger
On event - Log: Security, Source: Microsoft-Windows-Eventlog, EventID: 1102
Action
-executionpolicy bypass -windowstyle hidden -file C:\1102.ps1
1102.ps1
Add-Type -AssemblyName System.Windows.Forms
$lastEvt = Get-WinEvent -LogName 'Security' -MaxEvents 20 | ? { $_.Id -eq 1102 } | select -First 1
[System.Windows.Forms.MessageBox]::Show(($lastEvt.Message), 'Event ID: 1102')
Event ID 1102 occurs whenever the audit log is cleared. To trigger this, I simply go into Event Viewer, right-click on the Security log, and click 'Clear Log...'. Shortly afterwards, a message displays as intended.
However, when I try to trigger Event ID 4719 by changing the system audit policy, no message displays despite the event being logged in the Security log. Both triggers are set up similarly in Task Scheduler, so it's unclear to me why this is working for one and not the other.
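A parameterised variant of the script above, as an added example that is not part of the original post: it asks the Security log for the requested event ID directly instead of filtering the newest 20 records, and it shows the event's provider name so that it can be compared with the Source configured in the task trigger. The file name `Show-SecurityEvent.ps1` and the `-EventId` parameter are assumptions made for this example.

```powershell
# Show-SecurityEvent.ps1: hypothetical file name; added example, not the poster's script.
# Assumed task arguments (path is a placeholder):
#   -executionpolicy bypass -windowstyle hidden -file C:\Show-SecurityEvent.ps1 -EventId 4719
# Reading the Security log requires an elevated session or a task run with highest privileges.
param(
    [Parameter(Mandatory)]
    [int]$EventId                      # for example 1102 or 4719
)

Add-Type -AssemblyName System.Windows.Forms

# Filter inside the query so the newest matching record is returned even when
# many unrelated Security events have been written since it was logged.
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $EventId } `
                    -MaxEvents 1 -ErrorAction SilentlyContinue

if ($null -eq $evt) {
    # The task fired but the query found nothing: report that instead of an empty box.
    $title = "Event ID: $EventId"
    $body  = "No event $EventId was found in the Security log."
}
else {
    # ProviderName is the value a trigger's Source field is matched against.
    $title = "Event ID: $($evt.Id)  Source: $($evt.ProviderName)"
    $body  = "Logged: $($evt.TimeCreated)`r`n`r`n$($evt.Message)"
}

[void][System.Windows.Forms.MessageBox]::Show($body, $title)
```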