One day, I decided to experiment with Windows Event Viewer and Scheduled Tasks. I discovered that you can use Scheduled Tasks on Windows machines to execute certain actions based on specific Event IDs. In this case, I created a Scheduled Task that triggers when the 4624 Event ID occurs, and sends a notification to a specified Microsoft Teams channel. This allows for interesting automation flows and makes Microsoft Teams even more powerful.
Requirements
- Visual Studio Code or NotePad++
- Microsoft Teams
- Windows Server with Advanced Auditing Settings enabled
Sample files
You can download sample files from my GitHub page:
Create Microsoft Teams Group and Channels
The first step is to set up a Microsoft Teams Group and one channel for the RDP interactive notifications. Notifications are posted from different servers to this channel.
In this example, I’m using the Incoming Webhooks connector for posting information. To configure the channel connector, follow these steps.
Interactive Logons channel connectors
- Right-click the “Interactive Logons” channel and choose Connectors
- Locate the Incoming Webhooks connector and click Add twice
- Right-click the channel again and choose Connectors
- Click Configure
- Specify the name, upload the image and click Create
- Copy the URL
Sample PowerShell script for Teams
Copy the following script template from GitHub and add the Teams Webhook URL address. You need to modify line 9.
Send-InterActiveLogonDetails.ps1
Event Filter
Copy the following Event ID XPath filter. You can also get this query from GitHub.
Query Interactive Logons XPath query
Scheduled Task creation
- Open the Task Scheduler console, right-click, and choose Create New Task
- On the Create Task page, fill out the following information:
- Name: Send Interactive Logon Details
- Description: Send Interactive Logon Details
- User account: SYSTEM
- Configure for: Windows Server 2019
- Select the Triggers panel and choose New
- On the New Trigger window, choose New Event Filter...
- On the New Event Filter page, select XML and enable Edit query manually. Paste the Event Filter XPath query and click OK, then click OK again
- Select the Actions panel and choose New...
- On the New Action window, fill out the following fields:
- Program/Script: PowerShell.exe
- Add Arguments (Optional): -File "C:\MyScriptFolderLocation\Send-InterActiveLogonDetails.ps1" -TargetUserName $(TargetUserName) -TimeCreated $(TimeCreated)
- Right-click the Scheduled Task and choose Export
- Open the Send Interactive Logon Details.xml with Visual Studio Code or NotePad++
- Locate the Triggers XML node
- Add the ValueQueries section under the Subscription
- Save the XML file
- Delete the first version of the “Send Interactive Logon Details” Scheduled Task
- Right-click again in the Scheduled Task console and choose Import Task
- Locate the modified version of “Send Interactive Logon Details” Scheduled Task and click Open
- Click OK
- Right-click the task again and choose Run
- If everything is done correctly, you should see the following message in your Teams channel
- Disconnect and log on to your test server again; all the fields should now be filled with the correct data
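The task-creation and XML-editing steps above, as an added example that is not one of the author's sample files: a PowerShell snippet that registers the task directly from XML, so the Subscription and the ValueQueries section never have to be edited by hand. The script path is the one used in the post; filtering on LogonType 10 (RemoteInteractive, i.e. RDP) is an assumption, since the post's own XPath filter lives on GitHub and is not shown here.

```powershell
# Added example, not the author's sample file: registers the scheduled task from XML
# so the Subscription and ValueQueries never have to be edited by hand.
# Assumed values: the script path from the post and LogonType 10 (RemoteInteractive,
# i.e. RDP) as the "interactive logon" filter.
$TaskName   = 'Send Interactive Logon Details'
$ScriptPath = 'C:\MyScriptFolderLocation\Send-InterActiveLogonDetails.ps1'

# Event filter: Security log, Event ID 4624, logon type 10 only.
$Query = @'
<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4624] and EventData[Data[@Name='LogonType']='10']]</Select></Query></QueryList>
'@
# Task Scheduler stores the query XML-escaped inside <Subscription>.
$Subscription = [System.Security.SecurityElement]::Escape($Query)

# The backtick-escaped tokens in <Arguments> are left for Task Scheduler to expand
# at run time from the ValueQueries below; PowerShell must not expand them here.
$TaskXml = @"
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>$TaskName</Description></RegistrationInfo>
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>$Subscription</Subscription>
      <ValueQueries>
        <Value name="TargetUserName">Event/EventData/Data[@Name='TargetUserName']</Value>
        <Value name="TimeCreated">Event/System/TimeCreated/@SystemTime</Value>
      </ValueQueries>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Queue</MultipleInstancesPolicy>
    <ExecutionTimeLimit>PT5M</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>PowerShell.exe</Command>
      <Arguments>-File "$ScriptPath" -TargetUserName "`$(TargetUserName)" -TimeCreated "`$(TimeCreated)"</Arguments>
    </Exec>
  </Actions>
</Task>
"@

# -Force replaces an earlier hand-made version of the task (the post's delete/import steps).
Register-ScheduledTask -TaskName $TaskName -Xml $TaskXml -Force | Out-Null
```

Run this from an elevated PowerShell session; Export-ScheduledTask -TaskName 'Send Interactive Logon Details' then shows the registered XML for comparison with a manually exported copy.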
Summary
Event Viewer and Scheduled Tasks are powerful tools for managing and monitoring your Windows servers. By creating custom tasks based on specific Event IDs, you can automate your system management tasks and improve your response to system events.