# Task Scheduler Operational Log

The `Microsoft-Windows-TaskScheduler/Operational` event log channel records the registration, triggering, launch and completion of scheduled tasks on an endpoint, making it a primary source for both persistence hunting and evidence of execution.

## Analysis Value

{% content-ref url="/pages/agskwSdYbi8RGqMN5CmF" %}
[Command Line Options](/windows-forensics/artifacts-by-activity/execution/command-line-options.md)
{% endcontent-ref %}

{% content-ref url="/pages/NwFJ38aWYFJ7FKQuKQMQ" %}
[First Executed](/windows-forensics/artifacts-by-activity/execution/first-executed.md)
{% endcontent-ref %}

{% content-ref url="/pages/6Pmka7uFtKElhrhDdFDv" %}
[Last Executed](/windows-forensics/artifacts-by-activity/execution/last-executed.md)
{% endcontent-ref %}

{% content-ref url="/pages/vnDLfD9RBoVh5UOGGhiw" %}
[Evidence of Execution](/windows-forensics/artifacts-by-activity/execution/evidence-of-execution.md)
{% endcontent-ref %}

{% content-ref url="/pages/RRVYscBDy6RJr6mTXYPa" %}
[Execution Timestamp](/windows-forensics/artifacts-by-activity/execution/execution-timestamp.md)
{% endcontent-ref %}

{% content-ref url="/pages/V3cDcDJogcr4slquHEzB" %}
[File Path](/windows-forensics/artifacts-by-activity/file-activity/file-path.md)
{% endcontent-ref %}

{% content-ref url="/pages/T5a0mfe6TprUne1T4K7M" %}
[Source Identification](/windows-forensics/artifacts-by-activity/network-activity/source-identification.md)
{% endcontent-ref %}

## Operating System Availability

| Major Version | Support | Major Version | Support |
| ------------- | ------- | ------------- | ------- |
| Windows 11    | ✅       | Server 2019   | ✅       |
| Windows 10    | ✅       | Server 2016   | ✅       |
| Windows 8     | ✅       | Server 2012   | ✅       |
| Windows 7     | ✅       | Server 2008   | ✅       |
| Windows Vista | ❌       | Server 2003   | ❌       |
| Windows XP    | ❌       |               |         |

## Artifact Location(s)

* `%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx`

## Artifact Interpretation

The following event IDs cover the lifecycle of a task and are the ones to query when hunting for persistent implants or reconstructing what a task actually ran:

| Event ID | Description                        | Information                                   |
| -------- | ---------------------------------- | --------------------------------------------- |
| 100      | Task Started                       | Task name, user, instance GUID                |
| 102      | Task Completed                     | Task name, user, instance GUID                |
| 106      | Scheduled Task Created             | Task name, origin account/user (`UserContext`) |
| 129      | Created Task Process               | Task name, executable path, process ID        |
| 140      | Scheduled Task Updated             | Task name, origin account/user                |
| 141      | Scheduled Task Deleted             | Task name, origin account/user                |
| 200      | Scheduled Task Action Started      | Executable file path (`ActionName`), instance GUID; arguments are not recorded |
| 201      | Scheduled Task Action Completed    | Executable file path, return code (`ResultCode`) |

The same lifecycle is also recorded in the Security channel with more granular information: these events carry the creator's logon ID (`SubjectLogonId`), and 4698 and 4702 embed the complete task definition XML, including the command, arguments, triggers and run-as principal, which the Operational events do not capture:

| Event ID | Description             |
| -------- | ----------------------- |
| 4698     | Scheduled Task Created  |
| 4702     | Scheduled Task Updated  |
| 4699     | Scheduled Task Deleted  |
| 4700     | Scheduled Task Enabled  |
| 4701     | Scheduled Task Disabled |

## Caveats

Neither source can be assumed to exist. On modern Windows 10 and 11 builds the Operational channel is disabled by default and must be enabled, and the Security events are only produced when the `Audit Other Object Access Events` subcategory (under Object Access) is enabled. Activity that predates enablement is not recoverable from either log, and the Operational channel has a small default size cap, so on hosts with many tasks older entries roll off quickly.
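The following is an added example, not part of the original page, that checks and enables both sources from an elevated PowerShell prompt and then registers and removes a throwaway task named `LogCheck` (an assumed name) to confirm that 106/141 and 4698/4699 now appear. The local `auditpol` change is overridden on the next Group Policy refresh in a domain, so deploy the audit setting through GPO for a fleet.

```powershell
# Added example (not from the original page): verify and enable the Operational
# channel and the Security audit subcategory that produces 4698/4699/4702.
$channel = 'Microsoft-Windows-TaskScheduler/Operational'

# Current state of the Operational channel (IsEnabled is typically False on Windows 10/11)
Get-WinEvent -ListLog $channel |
    Format-List LogName, IsEnabled, MaximumSizeInBytes, RecordCount, OldestRecordNumber

# Enable the channel and raise its cap to 100 MB so entries survive until collection
wevtutil set-log $channel /e:true /ms:104857600

# Security task events come from the "Other Object Access Events" subcategory
auditpol /get /subcategory:"Other Object Access Events"
auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable

# Confirmation: create and delete a throwaway task, then look for the resulting events.
# 'LogCheck' is an assumed task name used only for this check.
$action  = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument '/c echo logcheck'
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddHours(1)
Register-ScheduledTask -TaskName 'LogCheck' -Action $action -Trigger $trigger | Out-Null
Unregister-ScheduledTask -TaskName 'LogCheck' -Confirm:$false

Get-WinEvent -FilterHashtable @{ LogName = $channel;   Id = 106, 141  } -MaxEvents 2
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698, 4699 } -MaxEvents 2
```

If the last two queries return nothing, the corresponding source is still off; `Get-WinEvent` raises an error rather than returning an empty result when a filter matches no records.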

## Analysis Tips

### Deleted Scheduled Tasks

Scheduled task deletion is a rare event on Windows systems and provides an easy to query, high-fidelity indicator of suspicious activity, particularly when the deleted task was registered shortly beforehand and ran only once. The following event IDs may be queried:

* `Microsoft-Windows-TaskScheduler/Operational Event 141: Scheduled Task Deleted`
* `Security Event 4699: Scheduled Task Deleted`
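The following is an added example, not code from the original page, that serves both the event tables above and the deletion hunt: it normalises the create/update/delete and action events from both channels into one timeline, recovering the command line from the task XML embedded in 4698/4702, and then filters for the rare deletions. The `Get-EventField` helper and the `Get-TaskTimeline` function are names chosen for this example.

```powershell
# Added example (not from the original page): one timeline across both channels.
function Get-EventField {
    # Returns the text of <Data Name="$Name"> from an event's XML. The XPath ignores
    # namespaces, so it works for Security and TaskScheduler/Operational events alike.
    param([xml]$Xml, [string]$Name)
    $node = $Xml.SelectSingleNode("//*[local-name()='Data' and @Name='$Name']")
    if ($node) { $node.InnerText } else { $null }
}

function Get-TaskTimeline {
    param([datetime]$Since = (Get-Date).AddDays(-30))

    $filters = @(
        @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106, 140, 141, 200, 201; StartTime = $Since },
        @{ LogName = 'Security'; Id = 4698, 4699, 4702; StartTime = $Since }
    )
    foreach ($filter in $filters) {
        # Get-WinEvent errors when a filter matches nothing; treat that as "no events"
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            $x = [xml]$_.ToXml()
            $row = [pscustomobject]@{
                Time   = $_.TimeCreated
                Log    = $_.LogName
                Id     = $_.Id
                Task   = Get-EventField $x 'TaskName'
                User   = $null
                Action = $null
                Result = Get-EventField $x 'ResultCode'   # only 201 carries a return code
            }
            if ($_.LogName -eq 'Security') {
                $row.User = '{0}\{1}' -f (Get-EventField $x 'SubjectDomainName'), (Get-EventField $x 'SubjectUserName')
                # 4698 embeds the definition as TaskContent, 4702 as TaskContentNew;
                # the task XML gives command and arguments, which the Operational log lacks
                $content = Get-EventField $x 'TaskContent'
                if (-not $content) { $content = Get-EventField $x 'TaskContentNew' }
                if ($content) {
                    $task = [xml]$content
                    $row.Action = @($task.Task.Actions.Exec | ForEach-Object {
                        ("$($_.Command) $($_.Arguments)").Trim()
                    }) -join '; '
                }
            } else {
                $row.User   = Get-EventField $x 'UserContext'   # 106/140/141
                $row.Action = Get-EventField $x 'ActionName'    # 200/201: path only, no arguments
            }
            $row
        }
    }
}

# Usage: full timeline, then deletions only (Operational 141 and Security 4699)
$timeline = Get-TaskTimeline | Sort-Object Time
$timeline | Format-Table Time, Log, Id, Task, User, Action -AutoSize
$timeline | Where-Object { $_.Id -in 141, 4699 } | Format-Table Time, Log, Task, User -AutoSize
```

Pairing a 141 or 4699 with the preceding 106/4698 for the same task name gives the task's lifetime; a task that exists for minutes and is removed by the same account that created it is the pattern worth escalating. When working from an exported `.evtx` rather than a live host, replace `LogName` with `Path` in the filter hashtables.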

### Software Installation/Uninstallation

When applications are installed on a Windows system, they will sometimes create a scheduled task to run their update functionality, making the Task Scheduler Operational log a possible option for cross-validation of other application installation artifacts such as the `Uninstall` registry key.

### Lateral Movement through Remote Scheduled Task Installation

In the event that tasks are remotely scheduled, as is commonly seen during lateral movement attempts, this activity may be identified by observing Type 3 (network) logons via [EventID 4624: An account was successfully logged on](/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4624-successful-logon.md) events in close proximity to task creation. The 4624 event supplies the source IP address and workstation name of the originating host. Where Security auditing is enabled, the `SubjectLogonId` of the 4698 event equals the `TargetLogonId` of the 4624 event for the session that registered the task, which allows an exact join rather than a timing-based one.
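The following is an added example, not code from the original page, that implements both correlations described above: Security 4698 events are joined exactly to Type 3 logons on logon ID, and Operational 106 events, which carry no logon ID, fall back to any Type 3 logon within a configurable window. `Find-RemoteTaskCreation` and `Get-EventField` are names chosen for this example, and it assumes 4624 and 4698 auditing are enabled.

```powershell
# Added example (not from the original page): tie task creation back to the
# network logon that performed it.
function Get-EventField {
    param([xml]$Xml, [string]$Name)
    $node = $Xml.SelectSingleNode("//*[local-name()='Data' and @Name='$Name']")
    if ($node) { $node.InnerText } else { $null }
}

function Find-RemoteTaskCreation {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),
        [int]$WindowSeconds = 120   # proximity window for events that have no logon ID
    )
    # Index Type 3 (network) logons by logon ID
    $logons = @{}
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            if ((Get-EventField $x 'LogonType') -ne '3') { return }
            $id = Get-EventField $x 'TargetLogonId'
            if (-not $id) { return }
            $logons[$id] = [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = '{0}\{1}' -f (Get-EventField $x 'TargetDomainName'), (Get-EventField $x 'TargetUserName')
                SourceIp    = Get-EventField $x 'IpAddress'
                Workstation = Get-EventField $x 'WorkstationName'
            }
        }

    # Security 4698: SubjectLogonId is the TargetLogonId of the session that registered
    # the task, so the join is exact rather than time-based
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $id = Get-EventField $x 'SubjectLogonId'
            if ($id -and $logons.ContainsKey($id)) {
                $logon = $logons[$id]
                [pscustomobject]@{
                    TaskCreated = $_.TimeCreated
                    Source      = 'Security 4698'
                    Task        = Get-EventField $x 'TaskName'
                    Creator     = $logon.User
                    LogonTime   = $logon.Time
                    SourceIp    = $logon.SourceIp
                    Workstation = $logon.Workstation
                    Match       = 'LogonId'
                }
            }
        }

    # Operational 106 has no logon ID; fall back to any Type 3 logon inside the window
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $created = $_.TimeCreated
            foreach ($logon in $logons.Values) {
                if ([math]::Abs(($created - $logon.Time).TotalSeconds) -le $WindowSeconds) {
                    [pscustomobject]@{
                        TaskCreated = $created
                        Source      = 'Operational 106'
                        Task        = Get-EventField $x 'TaskName'
                        Creator     = Get-EventField $x 'UserContext'
                        LogonTime   = $logon.Time
                        SourceIp    = $logon.SourceIp
                        Workstation = $logon.Workstation
                        Match       = "within ${WindowSeconds}s"
                    }
                }
            }
        }
}

Find-RemoteTaskCreation | Sort-Object TaskCreated | Format-Table -AutoSize
```

Rows with `Match = LogonId` are conclusive; the time-window rows are leads that need the source IP and workstation checked against expected administrative hosts, since a busy file server will have many unrelated Type 3 logons inside any window.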


