You can create tasks that trigger on events, export the task to XML, and then edit the XML to include ValueQueries, which provide a way of passing data directly from the XML of the event details to a script. Each Value is given a name and an XPath into the event XML, and the action's arguments reference it as $(Name). The following example is a task that triggers when a USB device is connected. It passes the ID of the USB device and the timestamp of the actual event to a script that appends the data to a log and emails an alert out.
After importing the modified task XML you can make changes to the task without losing the ValueQueries. Task Scheduler doesn't provide a GUI method of managing them, so they are preserved as-is. To change them you would have to export the task again, modify the XML, and re-import it.
==============Exported Task Start======================
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2021-05-19T01:48:53.094776</Date>
    <Author>JOLETEC-ANDREW\Andrew Schott</Author>
    <URI>\Event Viewer Tasks\Event 2003</URI>
  </RegistrationInfo>
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Microsoft-Windows-DriverFrameworks-UserMode/Operational"&gt;&lt;Select Path="Microsoft-Windows-DriverFrameworks-UserMode/Operational"&gt;*[System[Provider[@Name='Microsoft-Windows-DriverFrameworks-UserMode'] and EventID=2003]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
      <ValueQueries>
        <Value name="InstanceId">Event/UserData/UMDFHostDeviceArrivalBegin/InstanceId</Value>
        <Value name="TimeCreated">Event/System/TimeCreated/@SystemTime</Value>
      </ValueQueries>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-21-2815328991-3959844506-1406902928-1001</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
      <Arguments>-Command "C:\PowerShellScript.ps1" '$(InstanceId)' '$(TimeCreated)'</Arguments>
    </Exec>
  </Actions>
</Task>
==============Exported Task End======================
==============PowerShell Script Start======================
# Prefix each piped string with the current date and time.
filter timestamp {"$(Get-Date -Format G): $_"}
# $args holds the InstanceId and TimeCreated values passed in by the task action.
$value = "$env:USERNAME - USB Connected - $args" | timestamp
# Append the entry to the log, then mail the alert with that same log attached.
$logPath = "C:\Users\Andrew Schott\Desktop\Alert.log"
Add-Content -Path $logPath -Value $value
Send-MailMessage -To 'andrew@joletec.com','dylan@joletec.com' -From 'alert@frankenmuthpd.com' -SmtpServer 'iis.joletec.com' -Subject 'FPD USB Alert' -Body $value -Attachments $logPath
==============PowerShell Script End======================
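The export, edit, and re-import cycle described above can be scripted with the ScheduledTasks cmdlets, so the ValueQueries can be changed without hand-editing the file. This is an added example, not part of the original article; the task name and folder are taken from the URI in the exported task, and it assumes the task has a single event trigger and that the script is run by a user allowed to modify the task.

```powershell
# Added example: task name/folder mirror the exported task's URI; adjust for your own task.
$taskName = 'Event 2003'
$taskPath = '\Event Viewer Tasks\'
$ns       = 'http://schemas.microsoft.com/windows/2004/02/mit/task'

# Value name -> XPath into the event XML, evaluated each time the trigger fires.
$valueQueries = [ordered]@{
    InstanceId  = 'Event/UserData/UMDFHostDeviceArrivalBegin/InstanceId'
    TimeCreated = 'Event/System/TimeCreated/@SystemTime'
}

# 1. Export the current definition and load it as an XML document.
[xml]$doc = Export-ScheduledTask -TaskName $taskName -TaskPath $taskPath
$nsm = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$nsm.AddNamespace('t', $ns)

$trigger = $doc.SelectSingleNode('/t:Task/t:Triggers/t:EventTrigger', $nsm)
if (-not $trigger) { throw "Task '$taskPath$taskName' has no EventTrigger." }

# 2. Drop any existing ValueQueries block so the script can be re-run safely.
$old = $trigger.SelectSingleNode('t:ValueQueries', $nsm)
if ($old) { [void]$trigger.RemoveChild($old) }

$vq = $doc.CreateElement('ValueQueries', $ns)
foreach ($name in $valueQueries.Keys) {
    $v = $doc.CreateElement('Value', $ns)
    $v.SetAttribute('name', $name)
    $v.InnerText = $valueQueries[$name]
    [void]$vq.AppendChild($v)
}
# ValueQueries is the last child of EventTrigger in the task schema.
[void]$trigger.AppendChild($vq)

# 3. Re-import the edited XML over the existing task.
Register-ScheduledTask -TaskName $taskName -TaskPath $taskPath -Xml $doc.OuterXml -Force | Out-Null

# 4. Read the task back and list the queries that were stored.
[xml]$check = Export-ScheduledTask -TaskName $taskName -TaskPath $taskPath
$check.Task.Triggers.EventTrigger.ValueQueries.Value | Select-Object name, '#text'
```

Step 4 is also a quick way to confirm that a later change made in the Task Scheduler GUI left the ValueQueries intact.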