@phbits
Created January 27, 2021 20:19
# Created for: https://github.com/phbits/WebsiteFailedLogins/issues/2
# NOTE - ExecutionPolicy set to Unrestricted should only be used for testing.
# NOTE - powershell.exe treats everything after -File as the script path plus the
#        script's own arguments, so -ExecutionPolicy must come BEFORE -File or it is
#        handed to Application-EventID10.ps1 as a parameter instead of to the host.
# The task runs as SYSTEM from C:\WebsiteFailedLogins\ with a relative script path,
# so keep that directory and the script writable by Administrators only.
$Action = New-ScheduledTaskAction -Execute 'C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe' `
    -Argument '-NoLogo -NoProfile -NonInteractive -WindowStyle Hidden -ExecutionPolicy Unrestricted -File .\Application-EventID10.ps1 -RecordID $(eventRecordID)' `
    -WorkingDirectory 'C:\WebsiteFailedLogins\'
# Run as LocalSystem; ServiceAccount is the required logon type for built-in service SIDs.
$Principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount
# -DisallowDemandStart: the task can only be launched by its trigger, not on demand.
$Settings = New-ScheduledTaskSettingsSet -DisallowDemandStart -Compatibility Win8 -Hidden -WakeToRun `
    -RunOnlyIfNetworkAvailable -AllowStartIfOnBatteries
$Settings.RunOnlyIfIdle = $FALSE
$Settings.ExecutionTimeLimit = 'PT5M'          # kill the script if it runs longer than 5 minutes
$Settings.StartWhenAvailable = $TRUE           # run a missed trigger as soon as possible
$Settings.StopIfGoingOnBatteries = $FALSE
$Settings.DisallowStartOnRemoteAppSession = $FALSE
$Settings.DisallowStartIfOnBatteries = $FALSE
# Create an event trigger: Application log, provider 'WebsiteFailedLogins', Event ID 10.
# New-ScheduledTaskTrigger has no event-trigger option, so the MSFT_TaskEventTrigger
# CIM class is instantiated directly.
$cimTriggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger `
    -Namespace Root/Microsoft/Windows/TaskScheduler:MSFT_TaskEventTrigger
$Trigger = New-CimInstance -CimClass $cimTriggerClass -ClientOnly
# Subscription is the same XPath/QueryList XML that Event Viewer custom views and
# Get-WinEvent -FilterXml use.
$Trigger.Subscription = "<QueryList><Query Id=`"0`" Path=`"Application`"><Select Path=`"Application`">*[System[Provider[@Name='WebsiteFailedLogins'] and (EventID=10)]]</Select></Query></QueryList>"
$Trigger.ExecutionTimeLimit = 'PT5M'
$Trigger.Enabled = $TRUE
# ValueQueries map an XPath into the triggering event to a named token; Task Scheduler
# substitutes $(eventRecordID) in the action arguments with the selected value so the
# script receives the RecordID of the event that fired it.
$cimNamedValueClass = Get-CimClass -ClassName MSFT_TaskNamedValue `
    -Namespace Root/Microsoft/Windows/TaskScheduler:MSFT_TaskNamedValue
$RecordIdQuery = New-CimInstance -CimClass $cimNamedValueClass -ClientOnly `
    -Property @{ Name = 'eventRecordID'; Value = 'Event/System/EventRecordID' }
$Trigger.ValueQueries = [CimInstance[]]@($RecordIdQuery)
Register-ScheduledTask -TaskName 'ApplicationEventID10' `
    -Description 'Run script on Application Event 10' `
    -TaskPath '\WebsiteFailedLogins\' `
    -Action $Action `
    -Trigger $Trigger `
    -Settings $Settings `
    -Principal $Principal
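Added verification steps, not part of the gist or the WebsiteFailedLogins project: they read the registered task back, prove the trigger's XPath filter actually selects events with Get-WinEvent (the Subscription XML is exactly the QueryList format -FilterXml takes), and confirm the value query path resolves on a real event so $(eventRecordID) will be populated. It assumes the task name and path used above; the Get-WinEvent step returns nothing until the 'WebsiteFailedLogins' provider has written at least one Event ID 10 to the Application log.

```powershell
# Added verification, not part of the original gist.
# Assumes the task was registered with the names used above.
$TaskPath = '\WebsiteFailedLogins\'
$TaskName = 'ApplicationEventID10'

# 1. Confirm the task exists, runs as SYSTEM, and carries an event trigger.
$Task = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction Stop
$Task.Principal | Select-Object UserId, LogonType, RunLevel
$Task.Actions   | Select-Object Execute, Arguments, WorkingDirectory
$Trigger = $Task.Triggers[0]
$Trigger.CimClass.CimClassName                 # expect MSFT_TaskEventTrigger
$Trigger.ValueQueries | Select-Object Name, Value

# 2. Run the trigger's own Subscription XML through Get-WinEvent. If this returns
#    the intended events, the task trigger will match the same ones; if it returns
#    nothing while events are present, the provider name or ID in the XPath is wrong.
$Recent = Get-WinEvent -FilterXml ([xml]$Trigger.Subscription) -MaxEvents 5 -ErrorAction SilentlyContinue
$Recent | Select-Object RecordId, TimeCreated, ProviderName, Id

# 3. Resolve the value-query path against a real event: this is the value
#    Task Scheduler substitutes for $(eventRecordID) in the action arguments.
if ($Recent) {
    $EventXml = [xml]$Recent[0].ToXml()
    $EventXml.Event.System.EventRecordID
}

# 4. After an event has fired the task, check that it launched and exited cleanly.
Get-ScheduledTaskInfo -TaskPath $TaskPath -TaskName $TaskName |
    Select-Object LastRunTime, LastTaskResult, NextRunTime
```

Because the task is registered with -DisallowDemandStart, Start-ScheduledTask cannot be used for a dry run; validating the filter with Get-WinEvent and then checking LastTaskResult (0 on success) after a genuine event is the practical test path.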