Run a script when a program is launched or closed in Windows

Publish Date: July 1, 2022


Scripts offer a great deal to system admins because they help us automate boring and repetitive tasks. There are various ways to run scripts in a Windows environment, but every admin has unique requirements when it comes to running them. Recently someone asked me how to run a script at the same time as a program is launched in Windows. The simplest way would be to modify your script so that it starts the program at the end; when the script is executed, your program is launched by the same script. But some admins might not like this idea.

In this article, you will learn how to run a script automatically when a program is launched (or closed).

Agenda

For the sake of this guide, I will use Docker Desktop as a business application and run a batch script to create a Docker directory inside the user’s %LocalAppData% directory (if it doesn’t already exist) and set custom permissions on that directory using icacls.

Background Information

You may already know that you can use group policy to enable Audit process tracking, which records the start and exit of Windows processes. Once this setting is enabled, Windows records process-start and process-end events in the Windows Security log with Event IDs 4688 and 4689 respectively. We will then create a scheduled task, define a trigger with a custom filter that names the process we are tracking (Docker Desktop in our example), and finally define an action that runs the batch script only when an event matches the criteria set in the custom filter.

Enabling audit process tracking

The first step is to enable audit process tracking using group policy. Open the group policy editor and navigate to the following path:

Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy

By the way, you could use either the local group policy editor (gpedit.msc) or the domain group policy management console (gpmc.msc) to enable the audit process tracking setting.

Enable audit process tracking using group policy editor

Viewing process tracking events

After enabling process tracking, open Event Viewer (eventvwr) and navigate to the Security log. Now click the Filter Current Log option in the Actions pane on the right and create a filter to list events with event IDs 4688 and 4689 (see the following screenshot for reference).

Filtering the process-start and process-end events

Now you will only see the process start and process end events. You could optionally click on Save Filter to Custom View option under the Actions pane to save the filtered view if you want.

Creating the scheduled task

Now comes the most important part where you need to create a new scheduled task. Launch the Task Scheduler (taskschd.msc) and follow these steps:

    1. Right click on the desired folder and select Create Task option.
    2. Under General tab, give it a descriptive name. Under Security options, click Change User or Group button and select BUILTIN\Users.

      Creating docker startup task - general settings
    3. Under Triggers tab, click on New to open a New Trigger window.
    4. Under Begin the Task field, select On an Event from dropdown.
    5. Under Settings, select the Custom radio button and then click on New Event Filter.
    6. Now define the event filter with options as shown in the following screenshot:
      Creating a new event filter to select process-start events only

      If you’re planning to launch your script when a certain program (Docker Desktop in our example) exits or terminates, type the 4689 event ID instead of 4688 in this step.

    7. Don’t click on OK button yet. After defining all the settings, go to XML tab.
    8. Enable the checkbox that says Edit query manually and click OK to confirm the warning popup that appears.
    9. Now edit the existing XML filter query. To do that, just paste the following code before the closing </Select> tag:
      and *[EventData[Data[@Name='NewProcessName'] and (Data='C:\Program Files\Docker\Docker\Docker Desktop.exe')]]

      Don’t forget to replace the path with that of your own application’s executable. At the end, make sure your event filter looks like what is shown in the screenshot:

      XML query to filter the process start events for a particular application (Docker Desktop) only

      This screenshot shows an XML query to filter the events based on the following criteria:

      • Event Log: Security
      • Event ID: 4688
      • Keywords: Audit Success
      • Process Name: Docker Desktop

      It’s up to you to modify these criteria to meet your own needs.

    10. Now click OK twice to return to the Create Task page.
    11. Under Actions tab, click New and select the script you want to execute when Docker Desktop is launched. I will select a batch script that sets a full-control permission for Authenticated Users on Docker directory. Here is the script:
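      @echo OFF
      rem Target folder; quoted wherever it is used because profile paths can contain spaces
      set "folderpath=%LOCALAPPDATA%\Docker"
      
      :START
      if not exist "%folderpath%" GOTO CREATE
      GOTO PERM
      
      :CREATE
      rem Stop if the folder cannot be created instead of looping forever
      mkdir "%folderpath%" || exit /b 1
      GOTO START
      
      :PERM
      rem Grant Full control to Authenticated Users, replacing earlier explicit grants;
      rem (OI)(CI) makes files and subfolders inherit the entry
      icacls "%folderpath%" /grant:r "Authenticated Users":(OI)(CI)F /t /c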

      Define the script to execute automatically when Docker Desktop process starts
    12. Finally, click OK to create the scheduled task.
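
As an added example (not part of the original article), the PowerShell below evaluates the filter clause from step 9, and two variants that bind the path to a named field, against constructed events. It rests on two facts about these events: on Windows 10 and Server 2016 or later, 4688 also carries a ParentProcessName field, and 4689 stores the exiting program's path in ProcessName rather than NewProcessName. The sample events, the cmd.exe child process and the function names are assumptions made for the illustration.

```powershell
# Added example: sample events are constructed and leave out the real
# event xmlns so the clauses run unchanged in .NET's XPath engine.
$exe = 'C:\Program Files\Docker\Docker\Docker Desktop.exe'

function New-SampleEvent {
    param([int]$Id, [System.Collections.IDictionary]$Data)
    $fields = foreach ($name in $Data.Keys) {
        $value = [System.Security.SecurityElement]::Escape($Data[$name])
        "<Data Name='$name'>$value</Data>"
    }
    [xml]"<Event><System><EventID>$Id</EventID></System><EventData>$(-join $fields)</EventData></Event>"
}

function Test-EventFilter {
    param([xml]$EventXml, [string]$XPath)
    # '*' is evaluated from the document node, so it selects the root <Event>
    $EventXml.SelectNodes($XPath).Count -gt 0
}

# Constructed events: a real start, a child process spawned by the app, an exit
$samples = [ordered]@{
    'Docker Desktop starts'   = New-SampleEvent 4688 ([ordered]@{
        NewProcessName = $exe; ParentProcessName = 'C:\Windows\explorer.exe' })
    'Child of Docker Desktop' = New-SampleEvent 4688 ([ordered]@{
        NewProcessName = 'C:\Windows\System32\cmd.exe'; ParentProcessName = $exe })
    'Docker Desktop exits'    = New-SampleEvent 4689 ([ordered]@{ ProcessName = $exe })
}

# The EventData clause only; the event ID test from step 6 stays in the task's query
$filters = [ordered]@{
    'Clause from step 9'          = "*[EventData[Data[@Name='NewProcessName'] and (Data='$exe')]]"
    'Start: value bound to field' = "*[EventData[Data[@Name='NewProcessName']='$exe']]"
    'Exit: 4689 uses ProcessName' = "*[EventData[Data[@Name='ProcessName']='$exe']]"
}

$results = foreach ($f in $filters.GetEnumerator()) {
    $row = [ordered]@{ Filter = $f.Key }
    foreach ($s in $samples.GetEnumerator()) {
        $row[$s.Key] = Test-EventFilter $s.Value $f.Value
    }
    [pscustomobject]$row
}
$results | Format-Table -AutoSize
```

The table has one row per clause and one column per sample event; a True under "Child of Docker Desktop" means the task would also fire for that process.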

Testing the scheduled task and script

Everything is now ready. Before launching Docker Desktop, I will make sure that the Docker directory in %LocalAppData% doesn’t already have an access control entry (ACE) for Authenticated Users in its access control list (ACL).

Viewing ACL of Docker folder before the script is run

Now let’s go ahead and run the Docker Desktop application. As soon as the process is created, the scheduled task will kick in and the batch script is executed. If you view the ACL of the Docker folder once again, you will notice that Authenticated Users is now listed with full control permission.

Viewing ACL of Docker folder after the script is run by scheduled task

That was all for this guide. You can use this idea to run a script that does something useful, like preparing an environment for your business application. In the same way, you could run a script to clean up temporary files or run a backup script when the business application is closed.


