Scheduled Tasks
Overview
Evidence: Scheduled Tasks
Description: Enumerate Scheduled Tasks
Category: System
Platform: windows
Short Name: schldpr
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
Windows Task Scheduler allows programs to be executed at specific times or in response to system events. Scheduled tasks are a common persistence mechanism used by both legitimate software and malware.
Tasks can be configured to run at logon, on schedule, or when specific events occur. The Task Scheduler maintains both legacy .job files (Windows XP) and modern XML-based tasks (Windows Vista+).
Data Collected
This collector gathers structured data about scheduled tasks.
Scheduled Tasks Data
| Field | Description | Example |
|---|---|---|
| Name | Task name or path | \Microsoft\Windows\MyTask |
| Enabled | Whether the task is enabled | TRUE |
| Status | Task status | Ready |
| CommandLine | Full command line | C:\Windows\System32\cmd.exe /c script.bat |
| Triggers | Trigger types (comma-separated) | 0,1,2 |
| LastRunTime | Last execution time | 2023-10-15T14:30:00 |
| Author | Task author | DOMAIN\Administrator |
| CreationTime | Task creation time | 2023-10-01T10:00:00 |
| AutorunsScheduledTasksRowID | Foreign key to the task entry | 1 |
Collection Method
This collector:
- Collects task files from:
  - Windows\System32\Tasks (Windows Vista+)
  - Windows\Tasks\*.job (Windows XP)
- Uses the Task Scheduler COM API to enumerate tasks:
  - ITaskScheduler interface for legacy tasks (v1)
  - ITaskService interface for modern tasks (v2)
- Extracts task actions (EXEC and COM_HANDLER types)
- Parses command lines and arguments
- Resolves CLSID references for COM handler tasks
- Collects file information for all executables
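As an added illustration of what the collection step above extracts from a modern (Vista+) task file, the following parser reads a Task Scheduler XML document and returns the fields listed in the data table: enabled flag, author, creation time, trigger types, and the EXEC and COM_HANDLER actions. This is example code written for this page, not the collector's own implementation; the task XML is a constructed sample, and the `Triggers` field is returned as element names rather than the numeric codes the collector reports.

```python
import xml.etree.ElementTree as ET

# Task Scheduler 2.0 XML namespace used by %SystemRoot%\System32\Tasks files.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample task (not a real task file). On disk these files are
# UTF-16 with a BOM; read them with open(path, encoding="utf-16").
SAMPLE_TASK_XML = r"""<Task version="1.2"
  xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2023-10-01T10:00:00</Date>
    <Author>DOMAIN\Administrator</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <CalendarTrigger><StartBoundary>2023-10-01T10:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Settings><Enabled>true</Enabled></Settings>
  <Actions>
    <Exec><Command>C:\Windows\System32\cmd.exe</Command>
      <Arguments>/c script.bat</Arguments></Exec>
    <ComHandler><ClassId>{00000000-0000-0000-0000-000000000000}</ClassId></ComHandler>
  </Actions>
</Task>"""


def parse_task(xml_text, name):
    """Return the fields this page lists for one task, parsed from its XML."""
    root = ET.fromstring(xml_text)

    def text(path):
        return root.findtext(path, default="", namespaces=NS).strip()

    # Trigger element names (LogonTrigger, CalendarTrigger, ...) minus the suffix.
    triggers = [el.tag.split("}")[-1].removesuffix("Trigger")
                for el in root.findall("t:Triggers/*", NS)]
    actions = []
    for ex in root.findall("t:Actions/t:Exec", NS):  # EXEC actions
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        actions.append({"Type": "EXEC", "CommandLine": f"{cmd} {args}".strip()})
    for ch in root.findall("t:Actions/t:ComHandler", NS):  # COM_HANDLER actions
        clsid = ch.findtext("t:ClassId", default="", namespaces=NS).strip()
        actions.append({"Type": "COM_HANDLER", "CLSID": clsid})
    return {"Name": name,
            "Enabled": text("t:Settings/t:Enabled").lower() == "true",
            "Author": text("t:RegistrationInfo/t:Author"),
            "CreationTime": text("t:RegistrationInfo/t:Date"),
            "Triggers": triggers, "Actions": actions}
```

A COM_HANDLER action carries only a CLSID; resolving it to the DLL that actually runs (as the collector does) requires a lookup in the registry's HKCR\CLSID hive, which is why the CLSID is kept verbatim here.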
Forensic Value
Scheduled task enumeration is critical for detecting persistence and automated malicious activity. Investigators use this data to identify malicious scheduled tasks, detect persistence mechanisms, track automated attack execution, identify lateral movement tools, detect data exfiltration schedules, verify legitimate administrative tasks, and correlate task execution with system events.