How to target an event by the process name as well as the ID?

Question

I have managed to create a scheduled task that will be triggered by an event ID. For example, I have a task that will run winver.exe whenever event ID 4688 is logged. So if I run notepad.exe from Run prompt, the winver.exe will run as well. But this means that any EXE that runs will trigger that task, which in turn runs winver.exe. This is too wide scope. I want to narrow this down so that only when the right kind of 4688 event - viz. cmd.exe or diskpart.exe - is logged, only then will the task be triggered.

Is there any easy way to do this? To target not only the event ID but also the predefined process name that logs that event ID?

Supplementary screenshot...

Answer 1

It appears that there is no easy (simple) way to do this. It is only possible by creating a custom event filter that will be used for the trigger, using XPath expressions. In other words, there are no GUI control elements on the Edit Event Filter dialog box that will help you select a specific data field, such as process name to trigger a task.

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
        *[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and Task = 13312 and (band(Keywords,9007199254740992)) and (EventID=4688)]]
        and
        *[EventData[Data[@Name='NewProcessName'] and (Data='C:\Windows\System32\cmd.exe')]]
</Select>
  </Query>
</QueryList>

This example triggers the task to perform an action (runs winver.exe in my case) only when event ID 4688 is logged, and the New Process Name field contains the string "C:\Windows\System32\cmd.exe".

If you want to do something similar, but you want other fields to trigger the task, then have a look at the event you want to target. Run eventvwr.msc from Run prompt and browse to Windows Logs, Security. Double click on an even or right click and then click Event Properties to open the properties dialog box. Then click on Details tab and choose XML View. This will help you figure out what other fields are possible to use as target. Use the same syntax as in the example above.

Supplementary screenshot...

Answer 2

is this query correct, based on below event [couldn't upload screenshot picture]: enter image description here * [System[Provider[@Name='Microsoft-Windows-NetworkProfile'] and EventID=10000] and [System[Data Name[@Name='donain.local']]

Log Name:      Microsoft-Windows-NetworkProfile/Operational
Source:        Microsoft-Windows-NetworkProfile
Date:          30/01/2024 11:22:17
Event ID:      10000
Task Category: None
Level:         Information
Keywords:      (35184372088832),(32)
User:          LOCAL SERVICE
Computer:      hostname.domain.local
Description:
Network Connected
    Name: domain.local
    Desc: domain.local
    Type: Managed
    State: Connected,IPV4 (Internet)
    Category: Domain Authenticated

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-NetworkProfile" Guid="{fbcfac3f-8459-419f-8e48-1f0b49cdb85e}" />
    <EventID>10000</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000200000000020</Keywords>
    <TimeCreated SystemTime="2024-01-30T11:22:17.7886211Z" />
    <EventRecordID>2958</EventRecordID>
    <Correlation />
    <Execution ProcessID="3060" ThreadID="10400" />
    <Channel>Microsoft-Windows-NetworkProfile/Operational</Channel>
    <Computer>hostname.domain.local</Computer>
    <Security UserID="S-1-5-19" />
  </System>
  <EventData>
    <Data Name="Name">domain.local</Data>
    **<Data Name="Description">domain.local</Data>**
    <Data Name="Guid">{87863f8a-97c6-47f3-918d-1503887f4e70}</Data>
    <Data Name="Type">1</Data>
    <Data Name="State">9</Data>
    <Data Name="Category">2</Data>
  </EventData>
</Event>