Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Conjoined Twins - IFTTT-style application actions using auditing and scheduled tasks under Windows

Conjoined Twins

IFTTT-style application actions using auditing and scheduled tasks under Windows

Conjoined Twins IFTTT-style application actions PowerShell script demo

How it works

The script audits a trigger application to make it raise an event when it's executed, then schedules a task to run an action command on that event. For example an automation script, or a batch file, or another app.

Advantages

  • Action is always conjoined with the trigger app, even when it starts from opening a file or from another script

  • No additional thing running in the background, polling every few seconds to see if your trigger app has started

  • Easily disable/enable in Task Scheduler

Limitations

  • You may not have permissions to audit some Windows executables

  • Slight lag after the trigger before the action runs

  • False positive when clicking properties on your trigger app the action is executed.

Usage

Run from gist:

PS:>iex ((new-object net.webclient).DownloadString('https://gist.github.com/akaleeroy/01ddea07dc51bb2b0509/raw/conjoinedtwins.ps1'))

The script first asks you for the trigger application - this is the one you want to bind the action to. You can type in a path or hit Enter and browse for it with a GUI dialog.

Then it asks you for the action - what you want to start together with the trigger application.

Finally you must enter a task name - so you can find it in Task Scheduler.

# Conjoined Twins
# IFTTT-style application actions using auditing and scheduled tasks under Windows
#TODO: Do something about Write-Host and Read-Host
#TODO: Write output for file selection and auditing setting
Function Get-FileName($initialDirectory, $Title) {
[void][System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
$OpenFileDialog = New-Object System.Windows.Forms.OpenFileDialog
$OpenFileDialog.Title = $Title
$OpenFileDialog.initialDirectory = $initialDirectory
$OpenFileDialog.filter = "Executable Files(*.exe;*.bat;*.cmd)|*.exe;*.bat;*.cmd|All files (*.*)|*.*"
$OpenFileDialog.ShowHelp = $true # Without ShowHelp set to true the dialog doesn't show up!
$OpenFileDialog.ShowDialog() | Out-Null
$OpenFileDialog.filename
} #end function Get-FileName
Function Audit-Executable($File) {
if($File) {
$AuditUser = "$env:UserName" # or "Everyone"
$AuditRules = "ExecuteFile"
$AuditType = "Success"
$AccessRule = New-Object System.Security.AccessControl.FileSystemAuditRule($AuditUser,$AuditRules,$AuditType)
$ACL = Get-Acl $File
$ACL.SetAuditRule($AccessRule)
$ACL | Set-Acl $File
# Show the new auditing settings to confirm
# Get-Acl -Audit $File | Select -Expand Audit
}
} #end function Audit-Executable
# Choose trigger application to watch
$triggerapp = Read-Host "Select trigger application to watch... `n[Press Enter to browse]"
if(!$triggerapp) {
$triggerapp = Get-FileName -initialDirectory "D:\Demo" -Title "Select trigger application to watch..."
}
if($triggerapp) { Write-Host "`n$triggerapp is the trigger`n" }
else { Exit }
# Audit ExecuteFile on trigger application executable
Audit-Executable($triggerapp)
# Craft XPath Query for scheduled task trigger
$triggerquery = "*[System[(EventID=4663)]] and *[EventData[Data[@Name='ObjectName'] and (Data='$triggerapp')]]"
# Choose action to run conjoined with trigger app
$action = Read-Host "Select action to run... `n[Press Enter to browse]"
if(!$action) {
$action = Get-FileName -initialDirectory $env:SystemRoot\system32 -Title "Select action to run..."
}
if($action) { Write-Host "`n$action is the action `n" }
if($triggerapp -and $action) {
# Ask user for task name. No description param in schtasks :(
$taskname = Read-Host -Prompt "Name the scheduled task"
# Register scheduled task, via http://serverfault.com/a/533660
schtasks /Create /TN $taskname /TR $action /SC ONEVENT /EC Security /MO $triggerquery
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.