Blog >> Task Scheduler

Investigating Task Scheduler

27/12/2021 Monday

Task scheduler is a component of Windows, which provides a service that allows the system to launch computer programs or scripts at preset times. It monitors the trigger condition chosen by the user and executes when it is met. The task triggers can be calendar-based or event-based, and their actions can include sending emails, starting an application, or displaying a message box. It runs as an ordinary executable program and its tasks can be manipulated manually.

Digital Forensics Value of Task Scheduler Artifacts

Task Scheduler allows for jobs to be scheduled over a network given the user possesses the right admin credentials. Attackers can use the component to aid and/or further their exploitation of a system. The artifacts that can be extracted can aid investigators to find proof of malicious payload execution and track the lateral movement of an intruder.

Location of Task Scheduler Artifacts

Task Scheduler artifacts are located at:

• OS → C:\Windows\System32\Tasks
or C:\Windows\Tasks


• Registry → HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tasks
and HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tree


• Event Logs → C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx

Structure of Task Scheduler Artifacts

The structure of the artifacts includes an XML, a Windows job file format, Windows event logs and Windows registry SOFTWARE hive.

Analyzing Task Scheduler Artifacts with ArtiFast Windows

This section will discuss how to use ArtiFast Windows to extract Task Scheduler artifacts from Windows machines and what kind of digital forensics insights we can gain from the artifacts.

After you have created your case and added evidence for investigation, at the Artifacts Selection phase, you can select Task Scheduler artifacts:

Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Task Scheduler artifacts in ArtiFast software.

Task Scheduler (Job) Artifact

The artifact contains information on the scheduled tasks from the system. The details you can view include:

• File Version - Version of the file used by the task.
• Command - Path to the file used by the task.
• Comment - Task comment.
• Creator - User who created the task.
• Error Retry Count - Error retry count.
• Error Retry Interval - Error retry interval.
• Exit Code - Exit code.
• Idle Deadline - Idle deadline.
• Idle Wait - Idle wait.
• Job UUID - Job unique universal ID.
• Last Run Time - Last date and time the task was run.
• Maximum Run Time - The maximum run time.
• Parameter - Parameter.
• Priority - Task priority.
• Product Version - The product version.
• Start Error - Start error.
• Status - Status of the task.
• Task Flags - Task Flags.
• Task Name - Task Name.
• Triggers - The events that must occur for the task to be performed.
• Working Directory - The executed files working directory.
• File Creation Date - File creation date and time.

Task Scheduler (XML) Artifact

The artifact contains information on the scheduled tasks from the system. The details you can view include:

• Registration Date - Date the task was registered.
• Task Name - Name of the task.
• Author - Name of the user who created the task.
• Description - Task description entered by the user.
• Triggers - Condition or event that triggers the execution of the task.
• Actions - Actions the task will perform.
• Principals - Principles.
• Settings - Settings.

Task Scheduler Artifact

The artifact contains information on the scheduled tasks from the SOFTWARE registry hive. The details you can view include:

• GUID - Universally unique identifier.
• Path - Path to the executable file.
• URI - URI.
• Description - Description of the task.
• Data - Data.
• Source - Source.
• Last Update or Registered Date - Last date the action was updated or when it was registered.
• Version - Version.
• Author - Author of the task.
• Security Descriptor - Security descriptor.
• Last Registered Date - Date and time the task was last registered.
• Launch Date - Date and time the task was launched.

Windows Task Scheduler Task (EVTX) Artifact

The artifact contains information on the user accounts in the system. The details you can view include:

• Computer - The computer name.
• Located At - Located at.
• Security User ID - Security user ID.
• Event Date - Date and time the event was recorded.
• Task Name - Name of the task associated with this event log.
• User Context - User context.
• Instance ID - Instance ID.
• Event Type - Type of the event.

For more information or suggestions please contact: ummulkulthum.wambai@forensafe.com