
Windows Events: send e-mail

Posted: 2022-Oct-12, 2:32 pm
by Simon_Weel
I've set up a task in Task Scheduler to act upon a series of events triggered by Windows Defender. When triggered, it executes a script to send me an e-mail that there's something going on with Defender. Works fine. Now I want the e-mail to be a bit more informative, like what is the event and what is the description for that event. This is fairly easy in PowerShell, but I don't master that - I'd rather use a cmd script. So I've been fiddling with wevtutil and I've got it to filter out the Event IDs triggering the script. But that lists the complete event. I could include the whole event text in the mail, but I'd rather keep it snappy. Only thing is, I don't know how.

So here's the line filtering out a bunch of events:

Code:

wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /count:1 /rd:true /format:text /q:"*[System[(EventID=1005 or EventID=1015 or EventID=1116 or EventID=1119 or EventID=1127 or EventID=2001 or EventID=2003 or EventID=2006 or EventID=2012 or EventID=3002 or EventID=5001 or EventID=5007 or EventID=5008 or EventID=5010 or EventID=5012 or EventID=5013)]]"
The result could be something like this:

Log Name: Microsoft-Windows-Windows Defender/Operational
Source: Microsoft-Windows-Windows Defender
Date: 2022-10-12T10:18:34.6960000Z
Event ID: 5001
Task: N/A
Level: Information
Opcode: Info
Keyword: N/A
User: S-1-5-18
User Name: NT AUTHORITY\SYSTEM
Computer: <computername>
Description:
Microsoft Defender Antivirus Real-time Protection scanning for malware and other potentially unwanted software was disabled.


I would like to have the Event ID (5001) and description (Microsoft Defender Antivirus Real-time Protection scanning for malware and other potentially unwanted software was disabled) added to the mail. Any ideas how to do that?

Re: Windows Events: send e-mail

Posted: 2022-Oct-13, 8:58 pm
by SimonLothar
This works for me:

Code:

@echo off
setlocal EnableDelayedExpansion
cls

rem Last 10 matching Defender events, newest first, as plain text
SET YOUR_COMMAND=wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /count:10 /rd:true /format:text /q:"*[System[(EventID=1005 or EventID=1015 or EventID=1116 or EventID=1119 or EventID=1127 or EventID=2001 or EventID=2003 or EventID=2006 or EventID=2012 or EventID=3002 or EventID=5001 or EventID=5007 or EventID=5008 or EventID=5010 or EventID=5012 or EventID=5013)]]"
SET IN_DESCRIPTION=0
rem "delims=" keeps each whole line, leading spaces included, so the
rem indented field names ("  Event ID:", "  Description:") can be matched
for /F "tokens=1 delims=" %%i in ('%YOUR_COMMAND%') do call :proc "%%i"
pause
goto :eof

:proc
set "work=%~1"
rem Inside ( ) blocks the line is echoed with delayed expansion, so a ")"
rem in the description text cannot terminate the block early
if /i "%WORK:~0,6%" EQU "EVENT[" (
 rem "Event[n]:" starts a new event: print it and leave description mode
 echo !work!
 SET IN_DESCRIPTION=0
 goto :finalization
) else (
 rem While in description mode every line belongs to the message text
 if %IN_DESCRIPTION% EQU 1 (
  echo !work!
  goto :finalization
 )
)
if /i "%WORK:~0,11%" EQU "  Event ID:" (
 echo !work!
 goto :finalization
)
rem Everything after "Description:" up to the next "Event[" is the message
if /i "%WORK:~0,14%" EQU "  Description:" (
 echo !work!
 SET IN_DESCRIPTION=1
 goto :finalization
)
:finalization
goto :eof

Re: Windows Events: send e-mail

Posted: 2022-Oct-14, 7:04 am
by SimonLothar
Or slightly more compact:

Code:

...
for /F "tokens=*" %%i in ('%YOUR_COMMAND%') do call :proc "%%i"
...
if /i "%WORK:~0,9%" EQU "Event ID:" (
...
if /i "%WORK:~0,12%" EQU "Description:" (
...
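
For comparison, the same selection and "Event ID + Description" extraction done with Get-WinEvent in PowerShell, the route the first post mentions as the easy one; this is an added example, not code from the thread, and the output file path is an assumed placeholder for whatever step the existing task already uses to send the mail.

```powershell
# Added example (not from the thread): Get-WinEvent returns Id and Message
# as fields, so nothing has to be parsed out of wevtutil's text output.
# Assumed: this runs as the Task Scheduler action; the mail itself is sent
# by the existing task, which is handed the body as a file (placeholder path).

$ids = @(1005, 1015, 1116, 1119, 1127, 2001, 2003, 2006,
         2012, 3002, 5001, 5007, 5008, 5010, 5012, 5013)

# Newest first, at most 10 events: the same as /rd:true /count:10
# SilentlyContinue: "no events found" is a normal outcome, not an error
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = $ids
} -MaxEvents 10 -ErrorAction SilentlyContinue

if (-not $events) {
    # Nothing to report, so produce no mail body at all
    return
}

# One short block per event; Message is the full description text
$lines = foreach ($e in $events) {
    "Event ID: $($e.Id)"
    "Date: $($e.TimeCreated.ToUniversalTime().ToString('o'))"
    "Description:"
    $e.Message
    ""
}
$body = $lines -join "`r`n"

# Placeholder path: the existing mail step reads the body from here
$body | Set-Content -Path (Join-Path $env:TEMP 'defender-alert.txt') -Encoding UTF8
```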