32 lines
990 B
Markdown
32 lines
990 B
Markdown
|
# Windows Task Scheduler
|
||
|
|
|
||
|
|
## Files & Paths
|
||
|
|
|
||
|
|
By default, scheduled tasks are saved inside `C:\Windows\System32\Tasks\`
|
||
|
|
|
||
|
|
## Use Task Scheduler
|
||
|
|
|
||
|
|
There is a `Task Scheduler` GUI application, which uses the XML files inside
|
||
|
|
the (default) path mentioned above to display information about the scheduled
|
||
|
|
tasks.
|
||
|
|
|
||
|
|
**Malicious Findings**: Compare mismatches between modification dates of the
|
||
|
|
XML files and the displayed values inside the GUI app
|
||
|
|
|
||
|
|
There is also a Powershell Command-Let which works with the tasks.
|
||
|
|
|
||
|
|
List enabled, scheduled tasks via Get-ScheduledTask or use `schtasks.exe` to
|
||
|
|
get CSV output in the following way.
|
||
|
|
|
||
|
|
```sh
|
||
|
|
Get-ScheduledTask | Where-Object {$_.State -ne "Disabled"}
|
||
|
|
schtasks.exe /query /fo CSV | findstr /V Disabled
|
||
|
|
```
|
||
|
|
|
||
|
|
List scheduled tasks by creation date through `Get-ScheduledTask` in the
|
||
|
|
following way.
|
||
|
|
|
||
|
|
```sh
|
||
|
|
Get-ScheduledTask | Where-Object {$_.Date -ne $null -and $_.State -ne "Disabled"} | Sort-Object Date | Select Date,TaskName,Author,State,TaskPath | ft
|
||
|
|
```
|