killchain-compendium/Forensics/Windows Task Scheduler.md

32 lines
990 B
Markdown
Raw Normal View History

2024-04-03 15:41:21 +02:00
# Windows Task Scheduler
## Files & Paths
By default, scheduled tasks are saved inside `C:\Windows\System32\Tasks\`
## Use Task Scheduler
There is a `Task Scheduler` GUI application, which uses the XML files inside
the (default) path mentioned above to display information about the scheduled
tasks.
**Malicious Findings**: Compare mismatches between modification dates of the
XML files and the displayed values inside the GUI app
There is also a Powershell Command-Let which works with the tasks.
List enabled, scheduled tasks via Get-ScheduledTask or use `schtasks.exe` to
get CSV output in the following way.
```sh
Get-ScheduledTask | Where-Object {$_.State -ne "Disabled"}
schtasks.exe /query /fo CSV | findstr /V Disabled
```
List scheduled tasks by creation date through `Get-ScheduledTask` in the
following way.
```sh
Get-ScheduledTask | Where-Object {$_.Date -ne $null -and $_.State -ne "Disabled"} | Sort-Object Date | Select Date,TaskName,Author,State,TaskPath | ft
```