Watch
The Watch service is a monitoring service that waits for different types of events and executes actions when those events occur.
Each of the five event groups has its own configuration section.
[Watch Insert] (1)
[Watch Remove] (2)
[Watch Session] (3)
[Watch Startup] (4)
[Watch Shutdown] (5)
1 | A smart card has been inserted. |
2 | A smart card has been removed. |
3 | A Windows session event. |
4 | The service is starting. |
5 | The service is going down. |
Each section has the same format.
ANY_SECTION
The settings described in this section, ANY_SECTION, apply to all of the sections listed above.
[Watch ANY_SECTION]
01=-action {ACTION} -match {MATCH} (1) (2)
1 | The action is specified the same way as for all other built-in actions; see Actions for more information. |
2 | The match is specified the same way as for all other built-in matching; see Match for more information. |
This configuration section is a numbered section: entries are read starting at 1 and reading stops at the first number that is missing or has no value.
Any entries after that gap are ignored.
[Watch ANY_SECTION]
01=-action {ACTION1}
02=-action {ACTION2}
03=
04=-action {WILL-BE-IGNORED} (1)
1 | As shown in the example, number 4 is ignored because entry 03 is empty. |
Since Watch can run as both a system service and a user service, you can specify that a given action is only executed by one of them.
[Watch ANY_SECTION]
01=-action {ACTION1} -match {MATCH} -user
02=-action {ACTION2} -match {MATCH} -system
Matching
The -match option above should cover all types of matching, but for convenience a number of matching criteria can also be specified directly as options.
Options
- -token <token-name>: Match on the token name.
- -model <token-model>: Match on the token model.
- -flags <token-flags>: Match on the token flags.
- -signature: Only signature certificates are used.
- -authenticate: Only authentication certificates are used.
- -empty: The token is empty, that is, it holds no certificates.
- -logon: Only the credential the Windows user is logged on with is used.
- -not-empty: The token is not empty; at least one certificate is available.
- -once <token|certificate>: Runs the action only once. Once the action has been executed, it does not run again until Watch is restarted. This applies to both the Watch service (system) and the background process (user).
  - token: Watch saves the action name and the token serial number to the local configuration so that this action is not run again for that token.
  - certificate: Watch saves the action name and the certificate thumbprint to the local configuration so that this action is not run again for that certificate.
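The following Python program is an added example, not Watch's own code, that implements three rules from this page in one place: the numbered-section rule (reading stops at the first missing or empty number), the -user/-system restriction, and the -once token|certificate bookkeeping. The event dictionary keys (token_name, token_serial, cert_thumbprint, certificates), the WatchInstance class and the sample INI are assumptions made for the example; -match is carried through but not evaluated.

```python
"""Added example, not Watch's own code: parse a numbered [Watch ...] section and
decide which actions fire for an event in the system or the user instance.
The event dict keys and the sample INI below are assumptions."""
import configparser
import shlex

VALUE_OPTIONS = {"-action", "-match", "-once", "-token", "-model", "-flags", "-session"}
FLAG_OPTIONS = {"-user", "-system", "-signature", "-authenticate",
                "-empty", "-not-empty", "-logon", "-terminate"}

# Constructed sample: 04 is empty, so 05 is never read.
SAMPLE_INI = """\
[Watch Insert]
01=-action {ACTION1} -match {MATCH} -user
02=-action {ACTION2} -match {MATCH} -system -once token
03=-action {ACTION3} -not-empty
04=
05=-action {WILL-BE-IGNORED}
"""


def parse_entry(text):
    """Turn '-action {X} -match {Y} -user ...' into a dict keyed by option name."""
    tokens, entry, i = shlex.split(text), {}, 0
    while i < len(tokens):
        opt = tokens[i]
        if opt in VALUE_OPTIONS and i + 1 < len(tokens):
            entry[opt[1:]] = tokens[i + 1]
            i += 2
        elif opt in FLAG_OPTIONS:
            entry[opt[1:]] = True
            i += 1
        else:
            raise ValueError(f"bad or incomplete option {opt!r}")
    if "action" not in entry:
        raise ValueError("entry has no -action")
    if entry.get("once") not in (None, "token", "certificate"):
        raise ValueError("-once takes token or certificate")
    return entry


def read_numbered_section(ini_text, section):
    """Read 01, 02, ... from `section`; stop at the first missing or empty number."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    entries, n = [], 1
    while cfg.has_section(section):
        value = cfg[section].get(f"{n:02d}")
        if value is None or not value.strip():
            break  # missing or empty: every later number is ignored
        entries.append(parse_entry(value))
        n += 1
    return entries


class WatchInstance:
    """One running Watch instance (system service or user process). The -once
    bookkeeping lives in the instance, so it resets when the instance restarts."""

    def __init__(self, role, entries):
        self.role = role          # "system" or "user"
        self.entries = entries
        self._done = set()        # (action, kind, identifier) already executed

    def _once_key(self, entry, event):
        if entry.get("once") == "token":
            return (entry["action"], "token", event["token_serial"])
        if entry.get("once") == "certificate":
            return (entry["action"], "certificate", event["cert_thumbprint"])
        return None

    def actions_for(self, event):
        """Return the actions this instance runs for `event` (a constructed dict)."""
        fired = []
        for e in self.entries:
            if ("user" in e and self.role != "user") or ("system" in e and self.role != "system"):
                continue
            if "token" in e and e["token"] != event["token_name"]:
                continue
            if ("empty" in e and event["certificates"]) or ("not-empty" in e and not event["certificates"]):
                continue
            key = self._once_key(e, event)
            if key in self._done:
                continue  # already ran for this serial number / thumbprint
            if key is not None:
                self._done.add(key)
            fired.append(e["action"])
        return fired


def demo():
    """Insert the same card twice into the system instance, once into the user instance."""
    entries = read_numbered_section(SAMPLE_INI, "Watch Insert")
    event = {"token_name": "card-a", "token_serial": "0001",
             "cert_thumbprint": "aa", "certificates": ["aa"]}
    system, user = WatchInstance("system", entries), WatchInstance("user", entries)
    return ([e["action"] for e in entries],
            system.actions_for(event),  # ACTION2 (-system, -once) and ACTION3
            system.actions_for(event),  # ACTION3 only: ACTION2 already ran for serial 0001
            user.actions_for(event))    # ACTION1 (-user) and ACTION3


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Running the script prints the parsed action list (three entries; {WILL-BE-IGNORED} is never read) and the actions each instance fires. Note how the -once key is only recorded when the action actually fires, so an entry filtered out by -user or -system never consumes its one run in the other instance.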
Insert, Remove
Special handling is available to terminate a process started by an Insert event when the same token is removed:
[Watch Insert]
01=-action {ACTION1} -match {MATCH} -terminate
The -terminate option shown above applies to the Insert and Remove events.
Session
Session events are only matched against a specific session event.
[Watch Session]
01=-action {ACTION} -session SessionLock
The list of session events:
- -session ConsoleConnect
- -session ConsoleDisconnect
- -session License
- -session RemoteConnect
- -session RemoteDisconnect
- -session SessionAbortEnd
- -session SessionCreate
- -session SessionEnd
- -session SessionLogon
- -session SessionLock
- -session SessionLogoff
- -session SessionQueryEnd
- -session SessionRemoteControl
- -session SessionTerminate
- -session SessionUnlock
Only session events that Windows reports to the system or user service cause an event. For example, a user service will never receive a ConsoleConnect event.
Normally, this component runs as both a system service and a user service.