Reference The Event That Triggered Your Task
Task Scheduler 2.0 (which shipped with Vista and Windows Server 2008) is a complete re-write of the built-in Windows Task Scheduler. Task Scheduler 2.0 is a fantastic automation tool that includes new powerful triggers like "from Event". From a task's perspective, I'm going to outline how to determine which event is responsible for triggering a task. This can be helpful when the task may want to branch depending on the type of event, or the task may want to report more information about the specific event content.
For example, suppose you want a task to notify you every time a Service is Stopped on your server. This would require a task to inspect the details of the specific Service Control Manager event in order to figure out the affected Service (by name) as well as the state change (was it stopped or started?). This is also a good example because the Service Start/Stopped events use the same EventID, so further event inspection of the event content is required.
Step 1: Create the Task
Create your task (either by selecting "Attach A Task To This Event..." from the Event Viewer, or manually selecting the "On an event" Trigger when building the Task inside the Task Scheduler.
Event Viewer Example:
Task Scheduler Example:
Step 2: Export the Task
From within Task Scheduler, export the newly created task (as an XML file)
Step 3: Modify the Task
Use Notepad (or your text editor of choice - keep in mind the text editor must honor unicode which notepad does) to add the Event parameters you which to pass along to your task. The event parameters below are the most useful for event identification. Notice the entire node <ValueQueries> and its children need to be added to the EventTrigger branch.
Step 4: Pass the Values to Your Action
The following example shows how the event values can be used the simple Message Box action.
Step 5: The Result
Now the following message box will fire every time the Event Trigger condition is met. Notice the 3 Event parameters that are displayed in the message box.
Step 6: Next Steps - Display The Whole Source Event
With the above parameters, the specific event can be tracked down for ever more information about the event. For example, the following WEVTUTIL.EXE utility can be used to display the specific event (substitute the variables $eventLog and $eventRecordID as needed):
wevtutil qe $eventLog /f:RenderedXML /e:EVENTS /q:"<QueryList><Query Id='0' Path='$eventLog'><Select Path='$eventLog'>*[System[(EventRecordID=$eventRecordID)]]</Select></Query></QueryList>"
Step 7: Next Steps - Find Other Event Parameters
Any Event Parameter can be passed to a task. Event parameters can be found by inspecting the specific Event's Properties using the Event Viewer.
Example Task:
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="https://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Date>2007-11-09T09:21:33.3102706</Date>
<Author>Otto Helweg</Author>
</RegistrationInfo>
<Triggers>
<EventTrigger>
<Enabled>true</Enabled>
<Subscription><QueryList><Query Id="0" Path="Application"><Select Path="Application">*</Select><Select Path="Security">*</Select><Select Path="System">*</Select></Query></QueryList></Subscription>
<ValueQueries>
<Value name="eventChannel">Event/System/Channel</Value>
<Value name="eventRecordID">Event/System/EventRecordID</Value>
<Value name="eventSeverity">Event/System/Level</Value>
</ValueQueries>
</EventTrigger>
</Triggers>
<Principals>
<Principal id="Author">
<UserId>SomeUser</UserId>
<LogonType>InteractiveToken</LogonType>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
<Settings>
<IdleSettings>
<Duration>PT10M</Duration>
<WaitTimeout>PT1H</WaitTimeout>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<MultipleInstancesPolicy>Queue</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>P3D</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<ShowMessage>
<Title>Event Parameters</Title>
<Body>Record ID = $(eventRecordID)
Log = $(eventChannel)
Severity = $(eventSeverity)</Body>
</ShowMessage>
</Actions>
</Task>