The Watch service is a monitoring service that wait for different types of events and execute actions when those events occur.

The five event groups has their own configuration section.

Event group configuration sections
[Watch Insert] (1)

[Watch Remove] (2)

[Watch Session] (3)

[Watch Startup] (4)

[Watch Shutdown] (5)
1 A smart card has been inserted.
2 A smart card has been removed.
3 A Windows session event.
4 The service is starting.
5 The service is going down.

Each section has the same format.


The settings described in this section, ANY_SECTION, are applicable for all sections described above.

Section syntax
01=-action {ACTION} -match {MATCH} (1) (2)
1 The action is the same as all other built-in actions, see Actions for more information.
2 The match is the same as all other built-in matching, see Match for more information.

This configuration section is a numbered section. This means that all entries are read from 1 until entry is missing or not found.

Example 1. Ignored numbers

Any numbers after missing or not found is ignored.

01=-action {ACTION1}
02=-action {ACTION2}
04=-action {WILL-BE-IGNORED} (1)
1 As written in the example, number 4 is ignored.
Example 2. Specific actions for system and user service

Since Watch can run as both system and user service, you can specify that a specific action only should be executed for one of them.

01=-action {ACTION1} -match {MATCH} -user
02=-action {ACTION2} -match {MATCH} -system


The matching above should cover all types of matching, but for convenience is it possible to specify a lot of matching criteria direct.


-token <token-name>

Token value is the token name.

-model <token-model>

Model value is the token model.

-flags <token-flags>

Flags value is the token flags.


Only signature certificates are used.


Only authenticate certificates are used.


The token is empty. Thus, no certificates.


The token is not empty, and at least one certificate is available.

-once <token|certificate>

Only runs the action once. If the action is already executed, it will not run again until Watch is restarted. This is applicable for both the Watch service (system) and background process (user).


Watch saves the action name and the token-serial-number to the local configuration to make sure this action is not run again.


Watch saves the action name and the certificate-thumbprint to the local configuration to make sure this action is not run again.

Insert, Remove

Some special handling is done to terminate a process started at Insert event when the same token is removed:

[Watch Insert]
01=-action {ACTION1} -match {MATCH} -terminate

The matching above is for Insert and Remove events.


Session events are only matched with a specific session event.

[Watch Session]
01=-action {ACTION} -session SessionLock

The list of session events:

-session ConsoleConnect
-session ConsoleDisconnect
-session License
-session RemoteConnect
-session RemoteDisconnect
-session SessionLogon
-session SessionLogoff
-session SessionLock
-session SessionUnlock
-session SessionRemoteControl
-session SessionCreate
-session SessionTerminate

Only session events that Windows is reporting to the system or user service cause an event. That is, a user service will never get a ConsoleConnect event.

Normally, this component runs as both system and user service.

Startup, Shutdown

The startup and shutdown actions only have the matching criteria user and system:

[Watch Startup]
01=-action {ACTION}
02=-action {ACTION} -user
03=-action {ACTION} -system

[Watch Shutdown]
01=-action {ACTION}
02=-action {ACTION} -user
03=-action {ACTION} -system