Scheduled Tasks
Overview
Evidence: Scheduled Tasks
Description: Enumerate Scheduled Tasks
Category: System
Platform: windows
Short Name: schldpr
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
Windows Task Scheduler allows programs to be executed at specific times or in response to system events. Scheduled tasks are a common persistence mechanism used by both legitimate software and malware.
Tasks can be configured to run at logon, on schedule, or when specific events occur. The Task Scheduler maintains both legacy .job files (Windows XP) and modern XML-based tasks (Windows Vista+).
Data Collected
This collector gathers structured data about scheduled tasks.
Scheduled Tasks Data
| Field | Description | Example |
|---|---|---|
| Name | Task name or path | \Microsoft\Windows\MyTask |
| Enabled | Whether the task is enabled | TRUE |
| Status | Task status | Ready |
| CommandLine | Full command line | C:\Windows\System32\cmd.exe /c script.bat |
| Triggers | Trigger types (comma-separated) | 0,1,2 |
| LastRunTime | Last execution time | 2023-10-15T14:30:00 |
| Author | Task author | DOMAIN\Administrator |
| CreationTime | Task creation time | 2023-10-01T10:00:00 |
| AutorunsScheduledTasksRowID | Foreign key to the task entry | 1 |
Collection Method
This collector:
- Collects task files from:
  - Windows\System32\Tasks (Windows Vista+)
  - Windows\Tasks\*.job (Windows XP)
- Uses the Task Scheduler COM API to enumerate tasks:
  - ITaskScheduler interface for legacy tasks (v1)
  - ITaskService interface for modern tasks (v2)
- Extracts task actions (EXEC and COM_HANDLER types)
- Parses command lines and arguments
- Resolves CLSID references for COM handler tasks
- Collects file information for all executables
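The steps above (read the XML task definition, pull out EXEC and COM_HANDLER actions, rebuild the command line, resolve the CLSID, hash the executable) can be reproduced offline against files copied from Windows\System32\Tasks. The parser below is an added example written for this page, not the collector's own code. It assumes the Triggers column uses the TASK_TRIGGER_TYPE2 numbering from taskschd.h, and it takes the CLSID-to-DLL mapping as a parameter (on a live host that value comes from HKCR\CLSID\{clsid}\InprocServer32) so it also works against a disk image. The task XML, CLSID and DLL path in the sample are constructed placeholders.

```python
# Parse Windows Task Scheduler XML definitions (files under Windows\System32\Tasks)
# into records shaped like the collector's Scheduled Tasks table.
import hashlib
import os
import xml.etree.ElementTree as ET

# XML trigger element -> TASK_TRIGGER_TYPE2 value from taskschd.h.
# Assumption: the collector's comma-separated Triggers field uses these codes.
TRIGGER_CODES = {
    "EventTrigger": 0, "TimeTrigger": 1, "IdleTrigger": 6, "RegistrationTrigger": 7,
    "BootTrigger": 8, "LogonTrigger": 9, "SessionStateChangeTrigger": 11,
}
# A CalendarTrigger takes its type from the schedule child it carries.
CALENDAR_CODES = {"ScheduleByDay": 2, "ScheduleByWeek": 3,
                  "ScheduleByMonth": 4, "ScheduleByMonthDayOfWeek": 5}

def _local(tag):
    """Strip the task-schema namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def _find(elem, path):
    """Namespace-agnostic descendant lookup by local-name path, e.g. 'Settings/Enabled'."""
    for part in path.split("/"):
        elem = next((c for c in elem if _local(c.tag) == part), None)
        if elem is None:
            return None
    return elem

def _text(elem, path):
    node = _find(elem, path)
    return (node.text or "").strip() if node is not None else None

def _children(elem, path):
    node = _find(elem, path)
    return list(node) if node is not None else []

def trigger_codes(root):
    """Trigger type codes in document order, as the Triggers column lists them."""
    codes = []
    for trig in _children(root, "Triggers"):
        name = _local(trig.tag)
        if name == "CalendarTrigger":
            codes += [CALENDAR_CODES[_local(c.tag)] for c in trig if _local(c.tag) in CALENDAR_CODES]
        elif name in TRIGGER_CODES:
            codes.append(TRIGGER_CODES[name])
    return codes

def file_info(path):
    """Size and SHA-256 of the executable if it exists on this host, else None."""
    if not path or not os.path.isfile(path):
        return None
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return {"size": os.path.getsize(path), "sha256": digest.hexdigest()}

def parse_task(xml_data, fallback_name="", clsid_lookup=None):
    r"""One record per EXEC or COM_HANDLER action. xml_data may be str or bytes (files on
    disk are UTF-16 with a BOM: read them in binary mode and pass the bytes through).
    clsid_lookup maps '{CLSID}' to its InprocServer32 path (HKCR\CLSID\{clsid}\InprocServer32
    on a live host); passing it in keeps the parser usable against an offline image."""
    root = ET.fromstring(xml_data)
    clsid_lookup = {k.upper(): v for k, v in (clsid_lookup or {}).items()}
    common = {
        "Name": _text(root, "RegistrationInfo/URI") or fallback_name,
        "Enabled": (_text(root, "Settings/Enabled") or "true").lower() == "true",
        "Triggers": ",".join(str(c) for c in trigger_codes(root)),
        "Author": _text(root, "RegistrationInfo/Author"),
        "CreationTime": _text(root, "RegistrationInfo/Date"),
    }
    records = []
    for action in _children(root, "Actions"):
        kind = _local(action.tag)
        if kind == "Exec":
            exe = os.path.expandvars(_text(action, "Command") or "")  # e.g. %SystemRoot%
            args = _text(action, "Arguments") or ""
            rec = dict(common, ActionType="EXEC", Executable=exe,
                       CommandLine=(exe + " " + args).strip())
        elif kind == "ComHandler":
            clsid = (_text(action, "ClassId") or "").upper()
            dll = clsid_lookup.get(clsid)
            rec = dict(common, ActionType="COM_HANDLER", Executable=dll,
                       CommandLine=f"{clsid} -> {dll or '<unresolved CLSID>'}")
        else:
            continue  # SendEmail/ShowMessage actions are deprecated and not collected
        rec["FileInfo"] = file_info(rec["Executable"])
        records.append(rec)
    return records

# Constructed sample (not a task from any real system); CLSID and DLL path are placeholders.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2023-10-01T10:00:00</Date><Author>DOMAIN\Administrator</Author>
    <URI>\Microsoft\Windows\MyTask</URI></RegistrationInfo>
  <Triggers>
    <EventTrigger><Enabled>true</Enabled></EventTrigger>
    <TimeTrigger><StartBoundary>2023-10-15T14:30:00</StartBoundary></TimeTrigger>
    <CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger>
  </Triggers>
  <Settings><Enabled>true</Enabled></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Windows\System32\cmd.exe</Command><Arguments>/c script.bat</Arguments></Exec>
    <ComHandler><ClassId>{11111111-2222-3333-4444-555555555555}</ClassId></ComHandler>
  </Actions>
</Task>"""
SAMPLE_CLSID_MAP = {"{11111111-2222-3333-4444-555555555555}": r"C:\Windows\System32\placeholder_handler.dll"}
```

Calling `parse_task(SAMPLE_TASK_XML, clsid_lookup=SAMPLE_CLSID_MAP)` yields two records for the one task, one per action, with the Name, Enabled, CommandLine, Triggers ("0,1,2"), Author and CreationTime columns matching the table above; FileInfo is only populated when the executable exists on the machine running the parser, so on an analysis workstation it stays None and the hashes should come from the collected copy of the file instead.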
Forensic Value
Scheduled task enumeration is critical for detecting persistence and automated malicious activity. Investigators use this data to identify malicious scheduled tasks, detect persistence mechanisms, track automated attack execution, identify lateral movement tools, detect data exfiltration schedules, verify legitimate administrative tasks, and correlate task execution with system events.
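As an added illustration of the review the paragraph describes, the rules below run over records in the collector's column layout and return the reasons a task deserves a closer look. This is example code written for this page, not the collector's own scoring: the trusted directories, the script-host list, the "user-authored task under \Microsoft\" rule and the last-run-before-creation check are assumptions chosen for illustration, and the three records are constructed, not taken from any host.

```python
# Triage rules over Scheduled Tasks records. The directories, script-host list and
# rules below are assumptions for illustration, not the collector's own scoring.
import ntpath

# Directories where a task executable is normally expected to live.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Hosts whose real payload is whatever their arguments name, so the arguments need reading.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}

def triage_task(rec):
    """Return the reasons a record deserves analyst review; an empty list means none fired."""
    reasons = []
    exe = (rec.get("Executable") or "").lower()
    author = rec.get("Author") or ""
    if rec.get("ActionType") == "COM_HANDLER" and not exe:
        reasons.append("COM handler CLSID did not resolve to a DLL")
    if exe and not exe.startswith(TRUSTED_DIRS):
        reasons.append(f"executable outside system/program directories: {exe}")
    if ntpath.basename(exe) in SCRIPT_HOSTS:
        reasons.append(f"script host launch, inspect arguments: {rec.get('CommandLine')}")
    # Built-in tasks under \Microsoft\ carry a vendor or resource-string author ($(@...)),
    # not a DOMAIN\user account; the latter suggests a hand-placed task (heuristic).
    if (rec.get("Name") or "").lower().startswith("\\microsoft\\") \
            and "\\" in author and not author.startswith("$(@"):
        reasons.append("user-authored task placed under the \\Microsoft\\ folder")
    last, created = rec.get("LastRunTime"), rec.get("CreationTime")
    if last and created and last < created:  # ISO-8601 strings compare in time order
        reasons.append("last run precedes recorded creation time")
    return reasons

def triage_all(records):
    """Map task name -> reasons, keeping only records that fired at least one rule."""
    out = {}
    for rec in records:
        reasons = triage_task(rec)
        if reasons:
            out.setdefault(rec.get("Name"), []).extend(reasons)
    return out

# Constructed records in the collector's column layout (not from any real host).
SAMPLE_RECORDS = [
    {"Name": r"\Example\Updater", "Enabled": True, "Status": "Ready", "ActionType": "EXEC",
     "Executable": r"C:\Program Files\Example\updater.exe",
     "CommandLine": r"C:\Program Files\Example\updater.exe /silent", "Triggers": "2",
     "LastRunTime": "2023-10-15T14:30:00", "Author": "Example Corp",
     "CreationTime": "2023-10-01T10:00:00"},
    {"Name": r"\Microsoft\Windows\MyTask", "Enabled": True, "Status": "Ready", "ActionType": "EXEC",
     "Executable": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /c script.bat", "Triggers": "0,1,2",
     "LastRunTime": "2023-10-15T14:30:00", "Author": r"DOMAIN\Administrator",
     "CreationTime": "2023-10-01T10:00:00"},
    {"Name": r"\Vendor\Handler", "Enabled": True, "Status": "Ready", "ActionType": "COM_HANDLER",
     "Executable": None, "CommandLine": "{11111111-2222-3333-4444-555555555555} -> <unresolved CLSID>",
     "Triggers": "9", "LastRunTime": None, "Author": "Vendor", "CreationTime": "2023-09-30T08:00:00"},
]

if __name__ == "__main__":
    for name, why in triage_all(SAMPLE_RECORDS).items():
        print(name, "->", "; ".join(why))
```

The rules are deliberately narrow and cheap: they do not decide that a task is malicious, they order the analyst's queue. The benign updater produces no reasons, the task from the table above is flagged twice (a script host with arguments to read, and a DOMAIN\user author under the \Microsoft\ folder), and an unresolved COM handler is flagged because its DLL still has to be found before the task can be judged.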