May 01 2007

Automatically Responding to Events in Windows Vista

One of a systems administrator’s most important responsibilities is to improve the efficiency of information technology systems, and one of the best ways to improve efficiency is by using automation. Automatically responding to common problems with straightforward solutions may reduce help desk calls and allow the IT department to focus on other tasks.

Take a look through your help desk ticket logs. If you receive more than a handful of calls for a problem that is solved in a consistent, methodical way, you might be able to automate the response and eliminate those calls to the help desk. Windows Vista can automatically respond to any event being added to the event log by displaying a message to the user, sending an e-mail, or running a program or script. Therefore, if you can find an event that coincides with one of your common problems, you can use that event to trigger an automated response.

How to Create a Batch File to Automatically Respond to an Event

For example, Event ID 7 in the System event log with a source of “disk” indicates that a hard disk has a bad block. Typically, this can be fixed by running the CheckDisk utility the next time the computer is restarted. Combine this with the Shutdown command-line tool that can notify the user of the problem and restart the computer, and you can automatically repair disk problems before they cause data loss. The following batch file demonstrates how to do this:

REM Configure CheckDisk to attempt a disk repair after the computer is restarted.

REM ChkDsk asks for confirmation before scheduling a check of the in-use system volume; echo Y answers that prompt so the script can run unattended.

echo Y| ChkDsk C: /f /r

REM Shut down and restart the computer after five minutes (including a warning to the user).

Shutdown /g /t 300 /d p:1:1 /c "A disk error was detected. To help prevent data loss, your computer needs to be restarted so that repairs can be attempted. Please close all programs and restart your computer as soon as possible. Your computer will be automatically restarted in five minutes."

Figure 1: If you need to restart the computer as part of your automatic response, you can display a dialog box to the user with the Shutdown tool.

When the batch file is run, the Shutdown tool will immediately display the comment you provided in the script, as shown in figure 1.

Users will then receive a two-minute warning, as shown in figure 2. After the computer is restarted, Windows Vista will restart registered programs that the user left open, such as Microsoft Office 2007.

Figure 2: The Shutdown tool provides an additional two-minute warning to the user.

How to Respond to an Event

With the batch file written, you just need to schedule it to run when an event occurs by following these steps:

  1. Click Start, right-click Computer, and then click Manage. The Computer Management console appears.
  2. Expand System Tools and Event Viewer. Browse Event Viewer to find an example of the event you want to respond to. Right-click the event and then click Attach Task To This Event.
  3. The Create Basic Task Wizard appears. On the Create A Basic Task page, type a Name and Description, and then click Next.
  4. On the When An Event Is Logged page, click Next.
  5. On the Action page, click one of the following three options:
     - Start a program. Launches a program, script, or batch file. After clicking Next, specify the program to run, any arguments, and the working directory.
     - Send an e-mail. Sends an e-mail message, which is an excellent way for the systems administrator of a small organization to be notified of potential problems. After clicking Next, specify the message’s From, To, Subject, Text, an optional attachment, and the outgoing mail (SMTP) server.
     - Display a message. Displays a message to the currently logged-on user. After clicking Next, specify the title and message that will appear in a dialog box displayed to the user. The message will resemble figure 3.

     Figure 3: You can display a dialog box with a custom message to the user when an event occurs.
  6. On the Summary page, click Finish.

By default, the task will run with the privileges of the user account you used to create the task. That account must have privileges to run the task and any programs launched by it, because scheduled tasks cannot use User Account Control to prompt the user for elevated privileges. To specify a different account, open Task Scheduler, right-click the task in the Task Scheduler Library, and click Properties. On the General tab, click the Change User Or Group button to specify the account.
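The same event-triggered task can be created from an elevated command prompt with the built-in schtasks tool, which also sets the account the task runs as. This is an added example, not part of the original article; the task name and the script path C:\Scripts\RepairDisk.cmd are assumptions.

```batch
@echo off
setlocal
REM Added example: command-line equivalent of "Attach Task To This Event".
REM TASKNAME and SCRIPT are hypothetical; point SCRIPT at your own batch file.
set "TASKNAME=Repair disk after bad block"
set "SCRIPT=C:\Scripts\RepairDisk.cmd"

if not exist "%SCRIPT%" (
    echo %SCRIPT% not found; nothing was scheduled.
    exit /b 1
)

REM /SC ONEVENT with /EC (event channel) and /MO (XPath filter) creates the
REM trigger described in the article: System log, source "disk", Event ID 7.
REM /RU SYSTEM with /RL HIGHEST runs the task without a stored password and
REM with the rights ChkDsk and Shutdown need, since no UAC prompt can appear.
schtasks /Create /F /TN "%TASKNAME%" /TR "%SCRIPT%" ^
    /SC ONEVENT /EC System ^
    /MO "*[System[Provider[@Name='disk'] and (EventID=7)]]" ^
    /RU SYSTEM /RL HIGHEST
if errorlevel 1 (
    echo Task creation failed. Run this from an elevated command prompt.
    exit /b 1
)

REM Confirm the trigger, action and account that were actually registered.
schtasks /Query /TN "%TASKNAME%" /V /FO LIST

REM The script now runs as SYSTEM, so only administrators should be able to
REM write to it. Review the ACL on the file and on its folder.
icacls "%SCRIPT%"
for %%D in ("%SCRIPT%") do icacls "%%~dpD."
```

If the icacls output shows write or modify rights for standard users on the script or its folder, tighten those permissions before relying on the task.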

How to Configure Multiple Responses to an Event

The Create Basic Task Wizard is sufficient for responding to an event with a single action. However, you might want to respond with multiple actions. For example, if you saw an event indicating that Windows Firewall was disabled, you could display a message to the user that Windows Firewall must remain enabled, run a command that re-enables the firewall, and then send an e-mail notification to your internal systems administration list about the problem.

After creating a task, follow these steps to add additional actions:

  1. Click Start, click All Programs, click Accessories, click System Tools, and then click Task Scheduler.
  2. In the Task Scheduler, right-click the task in the Task Scheduler Library, and then click Properties.
  3. Click the Actions tab, and then click New.
  4. On the New Action dialog box, configure the additional response, and then click OK.
  5. On the Actions tab, use the up and down arrows to place the actions in sequence. Typically, you want the Display A Message action to occur first.
  6. Click OK to save the task.

Similarly, you can use the Triggers tab of the task properties dialog to configure the same task to run when any of several different events is added to the event log.
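For the Windows Firewall scenario above, the message and the repair can also be combined in one batch file used as a single Start A Program action, which makes it possible to verify that the repair worked. This is an added example, not part of the original article; the event source name FirewallGuard and event IDs 100 and 101 are made up, and the verification step assumes English-language netsh output.

```batch
@echo off
setlocal
REM Added example: one script that performs the responses in order.
REM "FirewallGuard" and event IDs 100/101 are hypothetical values.

REM 1. Tell logged-on users what is happening (dialog closes after 60 s).
REM    The script continues if msg.exe is not available on this edition.
msg * /TIME:60 "Windows Firewall must remain enabled. It is being turned back on."

REM 2. Re-enable the firewall for the domain, private and public profiles.
netsh advfirewall set allprofiles state on
if errorlevel 1 goto :failed

REM 3. Verify the result: fail if any profile still reports OFF.
netsh advfirewall show allprofiles state | findstr /I /R /C:"State  *OFF" >nul
if not errorlevel 1 goto :failed

REM 4. Record the outcome in the Application log so it can be audited.
eventcreate /L APPLICATION /T INFORMATION /SO FirewallGuard /ID 100 ^
    /D "Windows Firewall was found disabled and has been re-enabled." >nul
exit /b 0

:failed
REM The repair did not take effect; log an error for follow-up.
eventcreate /L APPLICATION /T ERROR /SO FirewallGuard /ID 101 ^
    /D "Windows Firewall could not be re-enabled automatically." >nul
exit /b 1
```

A second event-triggered task attached to the failure event can use the Send An E-mail action, so administrators are notified only when the automatic repair did not work.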


In larger organizations, event management systems, such as Microsoft Operations Manager, IBM Tivoli or BMC Event Manager, provide robust event management and response. However, having basic event response built into Windows Vista can be extremely useful in smaller organizations or for lab environments with specialized computer configurations.

If you manage internal applications, have a discussion with the developers and encourage them to add events to the application event log or a custom application-specific event log any time something occurs that might be an indication of a problem. By using the Windows event logs, you can automatically respond to events — something that’s not easy to do if the application records events in a text file.

Tony Northrup is a developer, security consultant and author with more than 10 years of professional experience developing applications for Microsoft Windows.