Conjoined Twins - IFTTT-style application actions using auditing and scheduled tasks under Windows

Conjoined Twins

IFTTT-style application actions using auditing and scheduled tasks under Windows


How it works

The script sets an audit rule on the trigger application's executable so that Windows raises a Security event when it is executed, then schedules a task that runs an action command on that event. The action can be an automation script, a batch file, or another app.

Advantages

  • Action is always conjoined with the trigger app, even when it starts from opening a file or from another script

  • No additional thing running in the background, polling every few seconds to see if your trigger app has started

  • Easily disable/enable in Task Scheduler

Limitations

  • You may not have permissions to audit some Windows executables

  • Slight lag after the trigger before the action runs

  • False positive: clicking Properties on your trigger app also executes the action.

Usage

Run from gist:

PS:>[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
PS:>iex ((new-object net.webclient).DownloadString('https://gist.github.com/akaleeroy/01ddea07dc51bb2b0509/raw/conjoinedtwins.ps1'))

The script first asks you for the trigger application - this is the one you want to bind the action to. You can type in a path or hit Enter and browse for it with a GUI dialog.

Then it asks you for the action - what you want to start together with the trigger application.

Finally you must enter a task name - so you can find it in Task Scheduler.

# Conjoined Twins
# IFTTT-style application actions using auditing and scheduled tasks under Windows

#TODO: Do something about Write-Host and Read-Host
#TODO: Write output for file selection and auditing setting

# Show a file-open dialog and return the selected path (empty if cancelled)
Function Get-FileName($initialDirectory, $Title) {
    Add-Type -AssemblyName System.Windows.Forms
    $OpenFileDialog = New-Object System.Windows.Forms.OpenFileDialog
    $OpenFileDialog.Title = $Title
    $OpenFileDialog.initialDirectory = $initialDirectory
    $OpenFileDialog.filter = "Executable Files(*.exe;*.bat;*.cmd)|*.exe;*.bat;*.cmd|All files (*.*)|*.*"
    $OpenFileDialog.ShowHelp = $true # Without ShowHelp set to true the dialog doesn't show up!
    $OpenFileDialog.ShowDialog() | Out-Null
    $OpenFileDialog.filename
} #end function Get-FileName

# Add a Success audit rule for ExecuteFile on $File for the current user
Function Audit-Executable($File) {
    if ($File) {
        $AuditUser = "$env:UserName" # or "Everyone"
        $AuditRules = "ExecuteFile"
        $AuditType = "Success"
        $AccessRule = New-Object System.Security.AccessControl.FileSystemAuditRule($AuditUser, $AuditRules, $AuditType)
        $ACL = Get-Acl $File
        $ACL.SetAuditRule($AccessRule)
        $ACL | Set-Acl $File
        # Show the new auditing settings to confirm
        # Get-Acl -Audit $File | Select -Expand Audit
    }
} #end function Audit-Executable

# Choose trigger application to watch
$triggerapp = Read-Host "Select trigger application to watch... `n[Press Enter to browse]"
if (!$triggerapp) {
    $triggerapp = Get-FileName -initialDirectory "D:\Demo" -Title "Select trigger application to watch..."
}
if ($triggerapp) { Write-Host "`n$triggerapp is the trigger`n" }
else { Exit }

# Audit ExecuteFile on trigger application executable
Audit-Executable -File $triggerapp

# Craft XPath Query for scheduled task trigger
# (event 4663 in the Security log whose ObjectName is the trigger executable)
$triggerquery = "*[System[(EventID=4663)]] and *[EventData[Data[@Name='ObjectName'] and (Data='$triggerapp')]]"

# Choose action to run conjoined with trigger app
$action = Read-Host "Select action to run... `n[Press Enter to browse]"
if (!$action) {
    $action = Get-FileName -initialDirectory $env:SystemRoot\system32 -Title "Select action to run..."
}
if ($action) { Write-Host "`n$action is the action `n" }

if ($triggerapp -and $action) {
    # Ask user for task name. No description param in schtasks :(
    $taskname = Read-Host -Prompt "Name the scheduled task"
    # Register scheduled task, via http://serverfault.com/a/533660
    schtasks /Create /TN $taskname /TR $action /SC ONEVENT /EC Security /MO $triggerquery
}
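
The task's trigger depends on event 4663 actually reaching the Security log, which Windows writes only when the File System audit subcategory is enabled in addition to the audit rule the script sets on the file. The check below is an added example, not part of the gist: the function name `Test-ConjoinedTwinsPrereqs` and the sample path are hypothetical, the English subcategory name is assumed, and it must run from an elevated prompt.

```powershell
# Added example (not from the gist): verify what the event-triggered task relies on.
function Test-ConjoinedTwinsPrereqs {
    param([Parameter(Mandatory)][string]$TriggerApp)

    # 1. Is the "File System" audit subcategory logging successes?
    #    Assumption: English subcategory name; localized systems use another string.
    $policy = auditpol /get /subcategory:"File System" /r |
        Where-Object { $_ } | ConvertFrom-Csv
    $policyOk = [bool]($policy.'Inclusion Setting' -match 'Success')

    # 2. Does the executable carry a Success audit rule covering ExecuteFile?
    #    Reading audit rules needs -Audit and an elevated session.
    $rules = (Get-Acl -Path $TriggerApp -Audit).Audit
    $ruleOk = [bool]($rules | Where-Object {
        ($_.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Success) -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ExecuteFile)
    })

    # 3. Has the Security log recorded a 4663 event for this path yet?
    #    Same event ID and ObjectName the script's trigger query targets,
    #    written as a single predicate for Get-WinEvent.
    $query = "*[System[(EventID=4663)] and EventData[Data[@Name='ObjectName']='$TriggerApp']]"
    $events = @(Get-WinEvent -LogName Security -FilterXPath $query -MaxEvents 5 `
                    -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        AuditPolicyEnabled = $policyOk   # if False: 4663 is never logged
        AuditRuleOnFile    = $ruleOk     # if False: Audit-Executable did not take effect
        MatchingEvents     = $events.Count
        LastEvent          = $events | Select-Object -First 1 -ExpandProperty TimeCreated
    }
}

# Constructed sample path; substitute the trigger application you chose.
Test-ConjoinedTwinsPrereqs -TriggerApp 'D:\Demo\trigger.exe'
```

If `AuditPolicyEnabled` is False, `auditpol /set /subcategory:"File System" /success:enable` turns the subcategory on; start the trigger application once afterwards and re-run the check.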


NORXND commented Jun 5, 2020

It's not working. Nothing happens
