How to generate actions from events in Microsoft Vista

Microsoft has improved the eventtriggers.exe command-line tool, which now allows you to attach a task to pre-determined events. This tip explains how to use this action.

Microsoft Windows XP and 2003 brought a really nice feature called "event triggers." The idea was that you could use a command-line tool called "eventtriggers.exe" to instruct the Event Log service that if a particular kind of event occurred then the Event Log service would start the application of your choosing. Not many people seemed to discover it, but I wrote about it in a few magazine articles and suggested that you could build a pretty neat system for alerting you to problems in the network. There were three ingredients:

  • You'd need a cell phone that could receive text messages via email. For example, my cell carrier is Verizon Wireless, and you can send an SMS text message to any Verizon cell phone by sending e-mail to
  • You need a program that can send simple emails from the command line. There's a free one called "blat" at
  • You need XP or 2003, as they support event triggers.

I put this all together by suggesting that if there were particular events that you were concerned about—say, an account lockout happened—then you could use eventtriggers.exe to tell the Event Log service, "If an account lockout happens, run such-and-such blat command line to send me an alert on my phone as a text message." It worked pretty nicely but was, admittedly, cumbersome. So the new "Attach task to event…" option is a real blessing.

Be sure to configure the SMTP server to accept e-mails from this server, or you'll never get an alert via e-mail. All well-configured SMTP servers nowadays have strict rules restricting SMTP relaying and would probably reject the e-mail that the Event Log service tried to send to the SMTP server. And setting up random extra SMTP servers without all of those strict rules is a really bad idea, as it's one way that spammers send all of that junk but don't get caught.

To see this in action, open up the Application log and look at the events in it. If this is your first look into Vista's Event Viewer, look in the folder "Windows Logs"—it's probably already open, if not then open it—and notice that these logs bear the familiar names of Application, Security and System, as well as two new ones named "Setup" and "ForwardedEvents." Click the Application folder in the left-hand pane and in the right-hand pane (I always close the Action pane because I think you'd need a computer with a screen that isn't just in "landscape" mode, you'd need one in "panoramic mode" in order to make use of MMC 3.0's three panes) you'll see the events in that log.

Right-click any one of them and you'll see in the resulting context menu that you've got a new option, "Attach Task To This Event…;" click that, and you'll see a wizard page like the one in Figure 1.14.

Why a wizard? Well, as it turns out, Vista's Event Viewer offers you several options on how to respond. (They even simplified setting up my suggestion about e-mailing admins when an event occurs, as you'll see.) Click Next to see a figure like Figure 1.15.

First, as with eventtriggers.exe, you can specify any given application. Or you can send an email, or display a message on the server's desktop. I'll consider all three options in a moment, but for now, I'll click the radio button next to "Send an email" and then Next to see something like Figure 1.16.

Figure 1.14: Starting the Create Basic Task Wizard

Figure 1.15: Event viewer offers three kinds of responses

Figure 1.16: Setting up an email notification

This page looks very much as you'd expect, allowing you to punch in a from address, to address, subject and text. It even lets you add an attachment, which is a nice touch, and specify the name of the SMTP server to use to send the e-mail.

If I click Next, I get a summary screen like the one in Figure 1.17.

This is a nice summary of what's going to happen once I click Finish, although truthfully it's not necessary. An administrator can always modify or delete an event task, as you'd expect. Ah, but where you modify or delete that event task, that'll surprise you. When I click Finish, I get the message box in Figure 1.18.

Figure 1.17: Summarizing the trigger

Figure 1.18: Changes? Off to the task scheduler

This seems like a bad idea to me. Vista's user interface does a fairly decent job of providing what Microsoft has come to like calling "discoverability," which is their recently coined term for "a user interface that makes figuring out what you can do with a GUI program easier." So here you've created an event task in the Event Viewer; you'd think that you could modify or delete it in the Event Viewer. But no, instead Microsoft's got you going to the Task Scheduler to do that.
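Because event tasks end up in the Task Scheduler, they can also be created, reviewed and removed from the command line. The following is an added example, not part of the original excerpt: it attaches a task to the account-lockout event with schtasks.exe, then lists every event-triggered task on the machine with its action. The task name and script path are hypothetical; it assumes an elevated PowerShell 2.0 or later prompt on Vista or newer, where the Security log records an account lockout as event ID 4740.

```powershell
# Added example. $taskName and $action are hypothetical placeholders.
$taskName = 'Alert-AccountLockout'
$action   = 'C:\Scripts\Send-LockoutAlert.cmd'   # hypothetical wrapper around your mail command
# Security log event ID 4740 = "A user account was locked out" (Vista and later)
$query    = '*[System[(EventID=4740)]]'

# 1. Attach the task to the event: /SC ONEVENT with a channel (/EC) and an XPath filter (/MO)
schtasks.exe /Create /TN $taskName /TR $action /SC ONEVENT /EC Security /MO $query /RU SYSTEM /F

# 2. Review every event-triggered task, wherever it was created (wizard or command line)
$svc = New-Object -ComObject Schedule.Service
$svc.Connect()

function Get-EventTriggeredTask($folder) {
    foreach ($task in $folder.GetTasks(1)) {              # 1 = include hidden tasks
        foreach ($trigger in $task.Definition.Triggers) {
            if ($trigger.Type -ne 0) { continue }         # 0 = TASK_TRIGGER_EVENT
            $actions = foreach ($a in $task.Definition.Actions) {
                switch ($a.Type) {
                    0       { "exec: $($a.Path) $($a.Arguments)" }   # start a program
                    6       { "email: $($a.To) via $($a.Server)" }   # send an e-mail
                    7       { "message: $($a.Title)" }               # display a message
                    default { "other (type $($a.Type))" }
                }
            }
            New-Object psobject -Property @{
                Task         = $task.Path
                Actions      = ($actions -join '; ')
                Subscription = $trigger.Subscription      # the event query as stored XML
            }
        }
    }
    foreach ($sub in $folder.GetFolders(0)) { Get-EventTriggeredTask $sub }
}

Get-EventTriggeredTask $svc.GetFolder('\') | Format-List Task, Actions, Subscription

# 3. Optional cleanup: remove the task created in step 1
schtasks.exe /Delete /TN $taskName /F
```

Reviewing the Actions column periodically shows which programs and SMTP servers the machine will use in response to events, which is worth knowing given the relaying caveat above.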

Check out other excerpts from this chapter of Mark's book, Administering Windows Vista Security: The Big Surprises. also features excerpts from chapter eight, "Locking Up the Ports: Windows Firewall", of Mark Minasi's book, Mastering Windows Server 2003 Upgrade Edition for SP1 and R2.

This was last published in August 2007
