Scheduled Tasks

Overview

Evidence: Scheduled Tasks
Description: Enumerate Scheduled Tasks
Category: Persistence
Platform: Windows
Short Name: schldpr
Is Parsed: Yes - Task configuration parsed with file information
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Windows Task Scheduler allows programs to be executed at specific times or in response to system events. Scheduled tasks are a common persistence mechanism used by both legitimate software and malware.

Tasks can be configured to run at logon, on schedule, or when specific events occur. The Task Scheduler maintains both legacy .job files (Windows XP) and modern XML-based tasks (Windows Vista+).

Data Collected

Scheduled Tasks Table

Field | Description | Example
Name | Task name or path | \Microsoft\Windows\MyTask
Enabled | Whether the task is enabled | TRUE
Status | Task status | Ready
CommandLine | Full command line | C:\Windows\System32\cmd.exe /c script.bat
Triggers | Trigger types (comma-separated) | 0,1,2
LastRunTime | Last execution time | 2023-10-15T14:30:00
Author | Task author | DOMAIN\Administrator
CreationTime | Task creation time | 2023-10-01T10:00:00

The table also carries the file information columns for the main executable.

Scheduled Tasks Arguments Table

Field | Description | Example
AutorunsScheduledTasksRowID | Foreign key to the task entry | 1

The table also carries the file information columns for each argument file path.

Collection Method

This collector:

  • Collects task files from:

    • Windows\System32\Tasks (Windows Vista+)

    • Windows\Tasks\*.job (Windows XP)

  • Uses Task Scheduler COM API to enumerate tasks:

    • ITaskScheduler interface for legacy tasks (v1)

    • ITaskService interface for modern tasks (v2)

  • Extracts task actions (EXEC and COM_HANDLER types)

  • Parses command lines and arguments

  • Resolves CLSID references for COM handler tasks

  • Collects file information for all executables

Usage

Scheduled task enumeration is critical for detecting persistence and automated malicious activity. Investigators use this data to identify malicious scheduled tasks, detect persistence mechanisms, track automated attack execution, identify lateral movement tools, detect data exfiltration schedules, verify legitimate administrative tasks, and correlate task execution with system events.

Known Limitations

  • Task state captured at collection time

  • Task history may be limited

  • Some tasks may be hidden

  • Group Policy tasks may not be editable

  • Disabled tasks still appear in enumeration

Notes

Attackers often create scheduled tasks with names similar to legitimate Windows tasks to avoid detection. Pay attention to task authors, creation times, unusual trigger patterns, and executables in non-standard locations.
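As an added example, not the collector's own code, the following Python parses the modern XML task format (Windows\System32\Tasks) into the fields of the Scheduled Tasks table above and then applies the triage heuristics from this section: executables and argument files outside standard locations, and Microsoft-style task paths whose author is not Microsoft. Assumptions: the numeric trigger codes follow the TASK_TRIGGER_TYPE2 enumeration of the Task Scheduler 2.0 API (whether the collector uses the same encoding is not stated on the page); CLSID resolution, which a live collector does against the registry, is replaced by a hypothetical lookup table; environment-variable expansion covers only a few names; the three task XML documents are constructed samples.

```python
"""Parse Windows Task Scheduler XML (Vista+) into the collector's row layout and triage it."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Trigger element -> TASK_TRIGGER_TYPE2 value from the Task Scheduler 2.0 API.
# Assumption: the collector's comma-separated Triggers column uses this encoding.
TRIGGER_CODES = {"EventTrigger": 0, "TimeTrigger": 1, "IdleTrigger": 6,
                 "RegistrationTrigger": 7, "BootTrigger": 8, "LogonTrigger": 9,
                 "SessionStateChangeTrigger": 11}
CALENDAR_CODES = {"ScheduleByDay": 2, "ScheduleByWeek": 3,
                  "ScheduleByMonth": 4, "ScheduleByMonthDayOfWeek": 5}

# Hypothetical CLSID table standing in for the HKCR\CLSID\{...}\InprocServer32 lookup
# a live collector performs; the GUID and path are constructed.
CLSID_TABLE = {"{11111111-2222-3333-4444-555555555555}": r"C:\Users\Public\handler.dll"}

# Minimal environment expansion (assumed default values, enough for the samples).
ENV = {"%systemroot%": r"C:\Windows", "%windir%": r"C:\Windows",
       "%programfiles%": r"C:\Program Files"}
STANDARD_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class TaskRow:
    name: str
    enabled: bool
    action_type: str            # EXEC or COM_HANDLER
    executable: str             # main executable, or the DLL a CLSID resolves to
    command_line: str
    triggers: str               # comma-separated trigger codes, e.g. "9,8"
    author: str
    creation_time: str
    argument_files: list = field(default_factory=list)


def expand(path):
    """Case-insensitive expansion of the few variables in ENV."""
    for var, value in ENV.items():
        path = re.sub(re.escape(var), lambda m, v=value: v, path, flags=re.IGNORECASE)
    return path


def _text(elem, path):
    node = elem.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def trigger_codes(root):
    """Map each <Triggers> child to its numeric code; CalendarTrigger depends on its schedule."""
    triggers = root.find("t:Triggers", NS)
    codes = []
    for trig in (list(triggers) if triggers is not None else []):
        tag = trig.tag.split("}")[-1]
        if tag == "CalendarTrigger":
            kinds = [c.tag.split("}")[-1] for c in trig]
            codes.append(next((CALENDAR_CODES[k] for k in kinds if k in CALENDAR_CODES), 1))
        else:
            codes.append(TRIGGER_CODES.get(tag, -1))
    return ",".join(str(c) for c in codes)


def parse_task(name, xml_text, clsid_table=CLSID_TABLE):
    """Task files on disk are UTF-16: read them with encoding='utf-16' before calling this."""
    root = ET.fromstring(xml_text)
    exec_node = root.find("t:Actions/t:Exec", NS)
    if exec_node is not None:                       # EXEC action
        action_type = "EXEC"
        executable = expand(_text(exec_node, "t:Command"))
        args = expand(_text(exec_node, "t:Arguments"))
    else:                                           # COM_HANDLER action
        action_type = "COM_HANDLER"
        clsid = _text(root, "t:Actions/t:ComHandler/t:ClassId")
        executable = clsid_table.get(clsid, f"<unresolved {clsid}>")
        args = _text(root, "t:Actions/t:ComHandler/t:Data")
    return TaskRow(
        name=name,
        enabled=_text(root, "t:Settings/t:Enabled").lower() != "false",
        action_type=action_type,
        executable=executable,
        command_line=f"{executable} {args}".strip(),
        triggers=trigger_codes(root),
        author=_text(root, "t:RegistrationInfo/t:Author"),
        creation_time=_text(root, "t:RegistrationInfo/t:Date"),
        argument_files=re.findall(r'[A-Za-z]:\\[^\s"]+', args),   # drive-letter paths in args
    )


def triage(row):
    """Heuristics from the Notes: non-standard paths and look-alike names with odd authors."""
    findings = []
    if not row.executable.lower().startswith(STANDARD_DIRS):
        findings.append(f"executable outside standard locations: {row.executable}")
    if row.name.lower().startswith("\\microsoft\\") and "microsoft" not in row.author.lower():
        findings.append(f"Microsoft task path but author is {row.author!r}")
    for path in row.argument_files:
        if not path.lower().startswith(STANDARD_DIRS):
            findings.append(f"argument file outside standard locations: {path}")
    return findings


# Constructed sample tasks (not real files); the XML declaration is omitted for str parsing.
SAMPLE_TASKS = {
    r"\Microsoft\Windows\TempCleanup\Daily": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo><Author>Microsoft Corporation</Author><Date>2023-10-01T10:00:00</Date></RegistrationInfo>
<Triggers><CalendarTrigger><StartBoundary>2023-10-01T10:00:00</StartBoundary>
<ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
<Settings><Enabled>true</Enabled></Settings>
<Actions><Exec><Command>%SystemRoot%\System32\cmd.exe</Command>
<Arguments>/c C:\Windows\Temp\cleanup.bat</Arguments></Exec></Actions></Task>""",
    r"\Microsoft\Windows\Servicing\HealthCheck": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo><Author>DOMAIN\Administrator</Author><Date>2023-10-14T02:13:00</Date></RegistrationInfo>
<Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger><BootTrigger/></Triggers>
<Settings><Enabled>true</Enabled></Settings>
<Actions><Exec><Command>C:\Users\Public\update.exe</Command>
<Arguments>-f C:\Users\Public\config.dat</Arguments></Exec></Actions></Task>""",
    r"\Custom\Sync": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo><Author>DOMAIN\user</Author><Date>2023-10-15T09:00:00</Date></RegistrationInfo>
<Triggers><EventTrigger><Subscription>constructed</Subscription></EventTrigger></Triggers>
<Settings><Enabled>true</Enabled></Settings>
<Actions><ComHandler><ClassId>{11111111-2222-3333-4444-555555555555}</ClassId></ComHandler></Actions></Task>""",
}

if __name__ == "__main__":
    for task_name, xml in SAMPLE_TASKS.items():
        row = parse_task(task_name, xml)
        print(row.name, row.action_type, row.triggers, row.command_line, triage(row))
```

The benign daily cleanup task produces no findings; the task that sits under \Microsoft\Windows\ but was authored by a domain account, runs from C:\Users\Public at logon and boot, and references a data file there, produces three; the COM handler task is flagged once after its CLSID resolves to a DLL outside the standard directories. On a real system the `CLSID_TABLE` lookup would be replaced by reading InprocServer32 from the registry, and the name and author heuristics would be extended with the host's own baseline.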
