# Task Scheduler Files

Task Scheduler Files are XML files that provide information regarding scheduled tasks on an endpoint. These files are created when a new task is scheduled on the endpoint. This artifact is similar to and replaces `.job` files on Windows XP, but provides more information.

## Analysis Value

{% content-ref url="../../artifacts-by-activity/execution/command-line-options" %}
[command-line-options](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/command-line-options)
{% endcontent-ref %}

{% content-ref url="../../artifacts-by-activity/execution/first-executed" %}
[first-executed](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/first-executed)
{% endcontent-ref %}

{% content-ref url="../../artifacts-by-activity/execution/last-executed" %}
[last-executed](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/last-executed)
{% endcontent-ref %}

{% content-ref url="../../artifacts-by-activity/execution/execution-account" %}
[execution-account](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/execution-account)
{% endcontent-ref %}

{% content-ref url="../../artifacts-by-activity/execution/evidence-of-execution" %}
[evidence-of-execution](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/evidence-of-execution)
{% endcontent-ref %}

{% content-ref url="../../artifacts-by-activity/file-activity/file-path" %}
[file-path](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/file-path)
{% endcontent-ref %}

{% content-ref url="../../artifacts-by-activity/network-activity/source-identification" %}
[source-identification](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/network-activity/source-identification)
{% endcontent-ref %}

## Operating System Availability

| Major Version | Support | Major Version | Support |
| ------------- | ------- | ------------- | ------- |
| Windows 11    | ✅       | Server 2019   | ✅       |
| Windows 10    | ✅       | Server 2016   | ✅       |
| Windows 8     | ✅       | Server 2012   | ✅       |
| Windows 7     | ✅       | Server 2008   | ✅       |
| Windows Vista | ✅       | Server 2003   | ❌       |
| Windows XP    | ❌       |               |         |

## Artifact Location(s)

* `%SystemRoot%\System32\Tasks` for tasks scheduled by 64-bit processes
* `%SystemRoot%\SysWOW64\Tasks` for tasks scheduled by 32-bit processes

## Artifact Interpretation

| XML Path                        | Interpretation                                    |
| ------------------------------- | ------------------------------------------------- |
| `Task/Registration Info/Date`   | Date the task was scheduled                       |
| `Task/Registration Info/Author` | Author of the task. Can be local or remote.       |
| `Task/Triggers`                 | Triggers for the scheduled task                   |
| `Task/Actions`                  | Action taken by the scheduled task                |
| `Task/Principals`               | Authentication used for the task during execution |

## Analysis Tips

{% hint style="success" %}

#### Remote Scheduled Tasks

In the event that a scheduled task was remotely created (an excellent indicator of lateral movement), the `Task/Registration Info/Author` field will provide the originating endpoint.
{% endhint %}