Windows Task Scheduler
Files & Paths
By default, scheduled tasks are saved inside C:\Windows\System32\Tasks\
Use Task Scheduler
There is a Task Scheduler GUI application, which uses the XML files inside the (default) path mentioned above to display information about the scheduled tasks.
Malicious Findings: Look for mismatches between the modification dates of the XML files and the values displayed in the GUI app.
There is also a PowerShell cmdlet that works with the tasks.
List enabled scheduled tasks via Get-ScheduledTask, or use schtasks.exe to get CSV output in the following way.
Get-ScheduledTask | Where-Object {$_.State -ne "Disabled"}
schtasks.exe /query /fo CSV | findstr /V Disabled
List scheduled tasks by creation date through Get-ScheduledTask in the following way.
Get-ScheduledTask | Where-Object {$_.Date -ne $null -and $_.State -ne "Disabled"} | Sort-Object Date | Select Date,TaskName,Author,State,TaskPath | ft
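The mismatch check described under Malicious Findings can be scripted. The following PowerShell is an added example, not part of the original notes: it compares each task's Date as reported by Get-ScheduledTask with the last-write time of its file under the default path. The 24-hour tolerance and the variable names are assumptions, and reading the task files requires an elevated session.

```powershell
# Added example: flag tasks whose XML file was written long after (or before)
# the creation date the task itself reports. A drift is a lead to review,
# since legitimate edits and updates also rewrite the file.
$TaskRoot   = 'C:\Windows\System32\Tasks'  # default task store named in the notes
$MaxDriftHr = 24                           # assumed tolerance, tune per environment

$findings = foreach ($task in Get-ScheduledTask) {
    # The task file sits at <root>\<TaskPath>\<TaskName> and has no extension.
    $relative = $task.TaskPath.TrimStart('\') + $task.TaskName
    $file     = Join-Path -Path $TaskRoot -ChildPath $relative

    if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
        # Registered task without a backing file in the default path.
        [pscustomobject]@{
            Task         = $task.TaskPath + $task.TaskName
            Author       = $task.Author
            Finding      = 'No XML file on disk'
            TaskDate     = $task.Date
            FileModified = $null
            DriftHours   = $null
        }
        continue
    }

    $modified = (Get-Item -LiteralPath $file -Force).LastWriteTime
    $created  = [datetime]::MinValue
    # Date is a string and is empty for many built-in tasks; skip those.
    if (-not [datetime]::TryParse($task.Date, [ref]$created)) { continue }

    $drift = [math]::Round(($modified - $created).TotalHours, 1)
    if ([math]::Abs($drift) -gt $MaxDriftHr) {
        [pscustomobject]@{
            Task         = $task.TaskPath + $task.TaskName
            Author       = $task.Author
            Finding      = 'File time differs from task date'
            TaskDate     = $created
            FileModified = $modified
            DriftHours   = $drift
        }
    }
}

# Largest drift first; tasks with no file have no drift value and sort last.
$findings | Sort-Object DriftHours -Descending | Format-Table -AutoSize
```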