Task Scheduler Operational Log
The TaskScheduler/Operational event log channel provides detailed tracing of scheduled tasks on an endpoint.
| Windows (client) | Available | Windows Server | Available |
|---|---|---|---|
| Windows 11 | ✅ | Server 2019 | ✅ |
| Windows 10 | ✅ | Server 2016 | ✅ |
| Windows 8 | ✅ | Server 2012 | ✅ |
| Windows 7 | ✅ | Server 2008 | ✅ |
| Windows Vista | ❌ | Server 2003 | ❌ |
| Windows XP | ❌ | | |
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx
The following event IDs are useful to hunt for persistent implants on an endpoint:
| Event ID | Description | Key field |
|---|---|---|
| 106 | Scheduled Task Created | Origin account/user |
| 140 | Scheduled Task Updated | Origin account/user |
| 141 | Scheduled Task Deleted | Origin account/user |
| 200 | Scheduled Task Executed | Executable file path |
| 201 | Scheduled Task Execution Completed | Executable file path |
This activity is also logged in the Security channel with more granular information, as follows:
| Event ID | Description |
|---|---|
| 4698 | Scheduled Task Created |
| 4702 | Scheduled Task Updated |
| 4699 | Scheduled Task Deleted |
Logging for these events is disabled by default and must be enabled to provide these artifacts.
Scheduled task deletion is a rare event on Windows systems and provides an easy-to-query, high-fidelity indicator of suspicious activity. The following event IDs may be queried:

- Microsoft-Windows-TaskScheduler/Operational Event 141: Scheduled Task Deleted
- Security Event 4699: Scheduled Task Deleted
When applications are installed on a Windows system, they will sometimes create a scheduled task to run their update functionality, making the Task Scheduler Operational log a possible option for cross-validation of other application installation artifacts such as the Uninstall registry key.
In the event that tasks are remotely scheduled, as is commonly seen during lateral movement attempts, this activity may be identified by observing Type 3 (network) logons via Event ID 4624 ("An account was successfully logged on") in close proximity to task creation.
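The two hunts described above (task deletions as a high-fidelity indicator, and task creations preceded by a Type 3 logon) can be scripted over exported events. The following is an added example, not part of the original page: the records are constructed and simplified from evtx field names (TaskName, UserContext, LogonType, TargetUserName, IpAddress); the 60-second correlation window is an assumed tuning value.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from a real system), flattened from the
# Operational and Security channels into one list ordered by time.
OPS = "Microsoft-Windows-TaskScheduler/Operational"
EVENTS = [
    {"channel": "Security", "id": 4624, "time": "2024-03-10T09:00:02",
     "LogonType": "3", "TargetUserName": "svc_deploy", "IpAddress": "10.0.0.5"},
    {"channel": OPS, "id": 106, "time": "2024-03-10T09:00:05",
     "TaskName": "\\Updater", "UserContext": "CORP\\svc_deploy"},
    {"channel": OPS, "id": 200, "time": "2024-03-10T09:01:00",
     "TaskName": "\\Updater", "ActionName": "C:\\Windows\\Temp\\u.exe"},
    {"channel": OPS, "id": 141, "time": "2024-03-10T09:05:00",
     "TaskName": "\\Updater", "UserName": "CORP\\svc_deploy"},
    {"channel": "Security", "id": 4624, "time": "2024-03-10T11:00:00",
     "LogonType": "2", "TargetUserName": "alice", "IpAddress": "-"},
    {"channel": OPS, "id": 106, "time": "2024-03-10T11:00:30",
     "TaskName": "\\OneDrive Update", "UserContext": "CORP\\alice"},
]


def parse_time(stamp):
    return datetime.fromisoformat(stamp)


def task_deletions(events):
    """Event 141 (Operational) and 4699 (Security): rare, so every hit is worth review."""
    return [e for e in events if e["id"] in (141, 4699)]


def remote_task_creations(events, window=timedelta(seconds=60)):
    """Pair each task creation (106 / 4698) with a network (Type 3) logon
    that occurred within `window` before it, the pattern of remote scheduling."""
    logons = [e for e in events if e["id"] == 4624 and e.get("LogonType") == "3"]
    hits = []
    for created in (e for e in events if e["id"] in (106, 4698)):
        created_at = parse_time(created["time"])
        for logon in logons:
            gap = created_at - parse_time(logon["time"])
            if timedelta(0) <= gap <= window:
                hits.append((created["TaskName"], logon["TargetUserName"], logon["IpAddress"]))
    return hits


def task_lifecycle(events, task_name):
    """Ordered event IDs for one task; create -> run -> delete in minutes is a short-lived task."""
    return [e["id"] for e in events if e.get("TaskName") == task_name]
```

Running the three functions over the constructed records flags only the `\Updater` task: deleted, created seconds after a network logon from 10.0.0.5, and with a 106/200/141 lifecycle, while the interactive (Type 2) OneDrive task produces no hit.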