How To Use PowerShell for Automated Event Response

This PowerShell tutorial explains how to automate and streamline processes based on system events. Watch the video to learn more.

Brien Posey

April 11, 2024

ITPro Today

PowerShell is valued by many for its powerful automation capabilities. One of its standout features is the ability to respond to system events, enabling automatic task execution when specific events occur.

In this video tutorial, PowerShell expert Brien Posey explains how to use PowerShell with the Windows Event Viewer framework. You will discover how to configure tasks that respond to designated events automatically.


The following transcript has been lightly edited for length and clarity.

Transcript:

Brien Posey: PowerShell can be useful for automating tasks. For example, you can configure a PowerShell script to run automatically in response to a system event. Let's look at how this works.

I have the Windows Event Viewer on screen. I have the Application Log selected. If I right-click on an event at random, you'll notice an option to attach a task to the event. I'll go ahead and click on that menu option.

When I do, a wizard popup allows us to associate a task with a particular system event.

So, let's look at how we might put PowerShell to work by responding to an event.

I'm going to go ahead and cancel out of this. I'm going to open PowerShell. I'm working in an elevated PowerShell window, hence the administrator prompt.


Writing Test Events to the Application Log

The first thing that I'm going to do is to create a custom event log source. I'm going to type:

New-EventLog -LogName Application -Source "Demo"

I'll press Enter. It will create a new event log source for the application log called Demo.

I will now write a test event to the Application Log. The way that I'm going to do that is by typing:

Write-EventLog -LogName Application -Source "Demo" -EventID 100 -Message "This is a test event."

We'll give this an event ID of 100.

I'll press Enter. We had no visible response, but let's check out our event log.

Here we are in the event log. Right now, I don't see anything but let's click Refresh.

We have our Demo event. The source is set to Demo, and if you look at the event details, this is a test event.

Now, just to be clear: With what we just did by defining an event source and generating a test event, you don't have to do that to get PowerShell to respond to an event. You can run a PowerShell script in response to any Windows event. The reason why I did what I did was because I needed a predictable way to generate events that wouldn't be disruptive to the system. So, by generating demo events, I can test PowerShell’s ability to respond.

Building a Script To Execute

So, now that I've done that, let's go ahead and look at the PowerShell script that I've created.


Here's the script that's going to run in response to any events that occur. As you can see, this is a simple script. It only has two lines of code.

The first line is:

Write-Output "The PowerShell script has executed."

So, there's a message that's going to be displayed within the console, saying that the script has been executed. Now, in the real world, the console isn't always displayed. Even if the console is shown, there might not be anybody around to see it. So, we also want to write an event to the event logs.

Here, we have the Write-EventLog command:

Write-EventLog -LogName Application -Source "Demo" -EventID 200 -Message "The PowerShell script has executed."

I'm using a different event ID this time – the Event ID I'm using is 200 – and the message will be, “The PowerShell script has executed.” In other words, Event ID 100 is going to be my trigger event and is going to take the place of some system event that I want to respond to. Event ID 200 will be my confirmation that the PowerShell script has indeed been executed.

With that said, let me go ahead and close out of this.

Attaching a Task to an Event

What I want to do now is set up a response to an event. I'm just going to right-click on this Demo event that was just logged in, and then I'm going to go to “Attach Task To This Event…” on the shortcut menu. This is going to bring up the Create Basic Task Wizard that you saw a moment ago.


The first thing that we have to do is to provide a name and a description. Since I'm only doing a demo, I won't worry about providing a meaningful name. In the real world, you would, of course, want to do that. I'll go ahead and click Next.

The next thing that we have to do is to specify the event that we want to respond to. Here, you can see the log is the Application Log, the source is Demo, and the Event ID is 100. All this is grayed out because rather than creating a task from scratch, I'm creating a task based on a specific event. All the event details are prepopulated for me, and I can't change that. I'm going to go ahead and click Next.

Now I'm taken to the Action screen. This is where I define what will happen whenever this event occurs. You can see that I have a few options: I can start a program, I can send an email message, and I can display a message. Sending an email message and displaying a message – both functions are deprecated. But we can certainly launch a program. I will stick with the “Start a program” option and click Next.

Now I have to specify the program or script I want to run. Rather than simply entering the name of my PowerShell script, I need to enter PowerShell.exe.

Then I have to provide some arguments. So, I'll go down to the arguments field. The first argument that I'm going to provide is:

-ExecutionPolicy Bypass

If the machine has a restrictive execution policy, our PowerShell script will run anyway.

The next argument I need to add is -File. Then I need to list the file that I want to run. In my case, it will be – and this has to be in quotes – “C:\Scripts\Demo.ps1”.

-ExecutionPolicy Bypass -File "C:\Scripts\Demo.ps1"

I'll go ahead and click Next, and then I'll click Finish. We can see that Event Viewer has created the scheduled task. I'll click OK to clear the message.

Trigger the Event and Observe the Results

Now let's go ahead and trigger our Demo event once again. I'll go back to PowerShell, and I'm going to repeat the command that creates the Demo event:

Write-EventLog -LogName Application -Source "Demo" -EventID 100 -Message "This is a test event."

I'll press Enter. When I do, you can see a brief PowerShell popup. That popup displayed a message. It cleared very quickly, so we didn't have time to read the message, but the script ran nonetheless.

Let me go ahead and minimize this, and let's look at the event log. Once again, I'm going to refresh the display.

Here we have Event 100. This is the event that just ran. This was our trigger event. And you can see the text, “This is a test event.” Then just above that, we have Event ID 200. That's the event that indicated that the PowerShell script has been executed. So, the trigger event was logged, and that kicked off our PowerShell script. The PowerShell script created this particular event right here.

So, that's how you configure a PowerShell script to run in response to an event logged within the Windows Event Viewer.
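
Added example, not part of the video or the original transcript: the wizard steps above done from an elevated PowerShell session, followed by a review of every event-triggered task on the machine and the command line it launches. The task name is hypothetical, the log, source, event ID and script path are the ones used in the demo, and -NoProfile is an addition to the arguments shown in the transcript.

```powershell
# Added example (not from the video). Run in an elevated session.
$taskName   = 'Demo Event 100 Response'   # hypothetical task name
$scriptPath = 'C:\Scripts\Demo.ps1'       # script path used in the transcript
$psExe      = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"

# New-ScheduledTaskTrigger has no event option, so build the event trigger
# from its CIM class and give it the filter for the demo's trigger event.
$class   = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $class -ClientOnly
$trigger.Enabled      = $true
$trigger.Subscription = @'
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[Provider[@Name='Demo'] and EventID=100]]</Select>
  </Query>
</QueryList>
'@

# Full path to powershell.exe instead of a bare name resolved at run time.
$action = New-ScheduledTaskAction -Execute $psExe -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`""
Register-ScheduledTask -TaskName $taskName -Trigger $trigger -Action $action | Out-Null

# Review: list every event-triggered task, what it runs, and whether its
# command line overrides the execution policy.
Get-ScheduledTask | Where-Object {
    $_.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskEventTrigger' }
} | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        [pscustomobject]@{
            Task      = $task.TaskPath + $task.TaskName
            Execute   = $a.Execute
            Arguments = $a.Arguments
            Bypass    = [bool]($a.Arguments -match '-e\w*\s+bypass')
        }
    }
} | Format-Table -AutoSize -Wrap
```

Writing event ID 100 from the Demo source fires the task as in the transcript; Unregister-ScheduledTask -TaskName 'Demo Event 100 Response' -Confirm:$false removes it afterwards.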

About the Author

Brien Posey

Brien Posey is a bestselling technology author, a speaker, and a 20X Microsoft MVP. In addition to his ongoing work in IT, Posey has spent the last several years training as a commercial astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space.

https://brienposey.com/
