# Windows Task Scheduler

## Files & Paths

By default, scheduled tasks are saved inside `C:\Windows\System32\Tasks\`

## Use Task Scheduler

There is a `Task Scheduler` GUI application, which uses the XML files inside
the (default) path mentioned above to display information about the scheduled
tasks.

**Malicious Findings**: Compare mismatches between modification dates of the
XML files and the displayed values inside the GUI app

There is also a Powershell Command-Let which works with the tasks.

List enabled, scheduled tasks via Get-ScheduledTask or use `schtasks.exe` to
get CSV output in the following way.

```sh
Get-ScheduledTask | Where-Object {$_.State -ne "Disabled"}
schtasks.exe /query /fo CSV | findstr /V Disabled
```

List scheduled tasks by creation date through `Get-ScheduledTask` in the
following way.

```sh
Get-ScheduledTask | Where-Object {$_.Date -ne $null -and $_.State -ne "Disabled"} | Sort-Object Date | Select Date,TaskName,Author,State,TaskPath | ft
```