Tech Community Live: Windows edition
Jun 05 2024, 07:30 AM - 11:30 AM (PDT)
Microsoft Tech Community

Create Task scheduler-run for event with specific Result Code

Copper Contributor

I would like to trigger the task only if the login attempt is against a disabled account. This includes the Result Code 0x12. How can I add this to the trigger? Any help would be much appreciated. Thanks.


Here is the event.



Here is the event details XML View:

- <Event xmlns="">
- <System>
  <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
  <TimeCreated SystemTime="2022-04-19T16:40:04.842900000Z" /> 
  <Correlation /> 
  <Execution ProcessID="528" ThreadID="106016" /> 
  <Security /> 
- <EventData>
  <Data Name="TargetUserName">XXXXXXXX</Data> 
  <Data Name="TargetDomainName">XXXXXXX</Data> 
  <Data Name="TargetSid">S-1-0-0</Data> 
  <Data Name="ServiceName">krbtgt/mie</Data> 
  <Data Name="ServiceSid">S-1-0-0</Data> 
  <Data Name="TicketOptions">0x40810010</Data> 
  <Data Name="Status">0x12</Data> 
  <Data Name="TicketEncryptionType">0xffffffff</Data> 
  <Data Name="PreAuthType">-</Data> 
  <Data Name="IpAddress">::ffff:</Data> 
  <Data Name="IpPort">50126</Data> 
  <Data Name="CertIssuerName" /> 
  <Data Name="CertSerialNumber" /> 
  <Data Name="CertThumbprint" /> 

Here is a task trigger that includes everything but the result code:

  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[band(Keywords,4503599627370496) and (EventID=4768)]]</Select>

Not sure where to put the Result Code 0x12

<Data Name="Status">0x12</Data>

0 Replies