Watch

The Watch service is a monitoring service that waits for different types of events and executes actions when those events occur.

Each of the five event groups has its own configuration section.

Event group configuration sections
[Watch Insert] (1)

[Watch Remove] (2)

[Watch Session] (3)

[Watch Startup] (4)

[Watch Shutdown] (5)
1 A smart card has been inserted.
2 A smart card has been removed.
3 A Windows session event.
4 The service is starting.
5 The service is going down.

Each section has the same format.

ANY_SECTION

The settings described in this section, ANY_SECTION, are applicable for all sections described above.

Section syntax
[Watch ANY_SECTION]
01=-action {ACTION} -match {MATCH} (1) (2)
1 The action is the same as all other built-in actions, see Actions for more information.
2 The match is the same as all other built-in matching, see Match for more information.

This configuration section is a numbered section. This means that entries are read in order, starting from 1, until an entry is missing or not found.

Example 1. Ignored numbers

Any numbers after a missing or not found entry are ignored.

[Watch ANY_SECTION]
01=-action {ACTION1}
02=-action {ACTION2}
03=
04=-action {WILL-BE-IGNORED} (1)
1 As written in the example, number 4 is ignored.

Example 2. Specific actions for system and user service

Since Watch can run as both a system and a user service, you can specify that an action should only be executed for one of them.

[Watch ANY_SECTION]
01=-action {ACTION1} -match {MATCH} -user
02=-action {ACTION2} -match {MATCH} -system
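
Because a gap in the numbering silently drops every later entry, it is worth checking a configuration for entries that Watch will never read. The following is an added example, not code from the product: a small Python check that applies the numbered-section rule and the -user/-system split to a constructed sample. The action and match names are hypothetical, and the script assumes that an empty value counts as a missing entry (as in Example 1) and that an entry with neither flag applies to both services.

```python
import configparser

# Constructed sample config; action and match names are hypothetical placeholders.
SAMPLE = """\
[Watch Remove]
01=-action LockWorkstation -system
02=-action ClearCache -user
03=
04=-action WipeSession -match AnyToken

[Watch Session]
01=-action Audit -session SessionLock
03=-action Notify -session SessionUnlock
"""

def read_numbered(section):
    """Split a numbered section into (active, ignored) lists of (number, value)."""
    # Assumption: keys are decimal numbers, zero padding allowed ("01" == 1).
    entries = {int(k): v.strip() for k, v in section.items() if k.isdigit()}
    active, n = [], 1
    while entries.get(n):  # stop at the first missing or empty number
        active.append((n, entries.pop(n)))
        n += 1
    ignored = sorted((k, v) for k, v in entries.items() if v)
    return active, ignored

def lint_watch_config(text, service=None):
    """Report active and ignored entries for every [Watch *] section.

    service="user" or "system" drops entries flagged for the other service.
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    other = {"user": "-system", "system": "-user"}.get(service)
    report = {}
    for name in cp.sections():
        if not name.startswith("Watch "):
            continue
        active, ignored = read_numbered(cp[name])
        if other:
            active = [(n, v) for n, v in active if other not in v.split()]
        report[name] = {"active": active, "ignored": ignored}
    return report

if __name__ == "__main__":
    for name, r in lint_watch_config(SAMPLE).items():
        for n, v in r["ignored"]:
            print(f"[{name}] entry {n:02d} is never read: {v}")
```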

Matching

The matching above should cover all types of matching, but for convenience many matching criteria can be specified directly.

Options

-token <token-name>

Token value is the token name.

-model <token-model>

Model value is the token model.

-flags <token-flags>

Flags value is the token flags.

-signature

Only signature certificates are used.

-authenticate

Only authenticate certificates are used.

-empty

The token is empty, that is, it has no certificates.

-logon

Only the Windows logged-on credential is used.

-not-empty

The token is not empty, and at least one certificate is available.

-once <token|certificate>

Only runs the action once. If the action has already been executed, it will not run again until Watch is restarted. This is applicable for both the Watch service (system) and the background process (user).

token

Watch saves the action name and the token-serial-number to the local configuration to make sure this action is not run again.

certificate

Watch saves the action name and the certificate-thumbprint to the local configuration to make sure this action is not run again.

Insert, Remove

Some special handling is done to terminate a process started at an Insert event when the same token is removed:

[Watch Insert]
01=-action {ACTION1} -match {MATCH} -terminate

The matching above is for Insert and Remove events.

Session

Session events are only matched with a specific session event.

[Watch Session]
01=-action {ACTION} -session SessionLock

The list of session events:

-session ConsoleConnect
-session ConsoleDisconnect
-session License
-session RemoteConnect
-session RemoteDisconnect
-session SessionAbortEnd
-session SessionCreate
-session SessionEnd
-session SessionLogon
-session SessionLock
-session SessionLogoff
-session SessionQueryEnd
-session SessionRemoteControl
-session SessionTerminate
-session SessionUnlock

Only session events that Windows reports to the system or user service cause an event. That is, a user service will never get a ConsoleConnect event.

Normally, this component runs as both system and user service.

Startup, Shutdown

The startup and shutdown actions only have the matching criteria user and system:

[Watch Startup]
01=-action {ACTION}
02=-action {ACTION} -user
03=-action {ACTION} -system

[Watch Shutdown]
01=-action {ACTION}
02=-action {ACTION} -user
03=-action {ACTION} -system