A
A
Andrey Strelkov2021-02-11 12:03:09
Windows
Andrey Strelkov, 2021-02-11 12:03:09

Why doesn't the task scheduler catch events with ID 4647?

Good afternoon, I ran into one task scheduler problem, namely
, there is a task when logging in, logging out (rebooting, shutting down), blocking, unlocking computers (which are in the AD domain) in the database, update rows
In other words, you need to mark the current user status in the database, those. online, offline or away

A simple console application has been created that takes a certain number as an argument (which is the event identifier in the database).
Group policies have created tasks on each machine in the task scheduler that respond to the following events

  • 4800, 4802 (lock, screensaver)
  • 4801, 4803 (unlock, stop screensaver)
  • 7001 (input)


And here the problem arose, as such, I did not find the restart and shutdown events, but in theory, the exit always works before this action, it turns out you only need to respond to the exit event, googling found that there is an event 4647 (it really works just when the exit process is initialized, and does not guarantee that this really happened), but this is enough (of course, there is also 4634 - which exactly confirms the exit, but in the event viewer for some reason it works very often during normal work)

However, the nuance is that by creating a task in the scheduler on Security - Microsoft Windows Security Auditing - 4647

It does not work in any way, that is, I do an exit, reboot, shutdown
In the event viewer there are events for 4647, but the scheduler does not show up :/

What could be the matter?

Answer the question

In order to leave comments, you need to log in

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question