Task Scheduler Files

Task Scheduler Files are XML files that provide information regarding scheduled tasks on an endpoint. These files are created when a new task is scheduled on the endpoint. This artifact is similar to and replaces .job files on Windows XP, but provides more information.

Analysis Value

pageCommand Line Options pageFirst Executed pageLast Executed pageExecution Account pageEvidence of Execution pageFile Path pageSource Identification

Operating System Availability

Major Version	Support	Major Version	Support
Windows 11	✅	Server 2019	✅
Windows 10	✅	Server 2016	✅
Windows 8	✅	Server 2012	✅
Windows 7	✅	Server 2008	✅
Windows Vista	✅	Server 2003	❌
Windows XP	❌

Major Version

Support

Major Version

Support

Windows 11

✅

Server 2019

✅

Windows 10

✅

Server 2016

✅

Windows 8

✅

Server 2012

✅

Windows 7

✅

Server 2008

✅

Windows Vista

✅

Server 2003

❌

Windows XP

❌

Artifact Location(s)

%SystemRoot%\System32\Tasks for tasks scheduled by 64-bit processes
%SystemRoot%\SysWOW64\Tasks for tasks scheduled by 32-bit processes

Artifact Interpretation

XML Path Interpretation

XML Path	Interpretation
`Task/Registration Info/Date`	Date the task was scheduled
`Task/Registration Info/Author`	Author of the task. Can be local or remote.
`Task/Triggers`	Triggers for the scheduled task
`Task/Actions`	Action taken by the scheduled task
`Task/Principals`	Authentication used for the task during execution

Task/Registration Info/Date

Date the task was scheduled

Task/Registration Info/Author

Author of the task. Can be local or remote.

Task/Triggers

Triggers for the scheduled task

Task/Actions

Action taken by the scheduled task

Task/Principals

Authentication used for the task during execution

Analysis Tips

Remote Scheduled Tasks

In the event that a scheduled task was remotely created (an excellent indicator of lateral movement), the Task/Registration Info/Author field will provide the originating endpoint.

Last updated 6 months ago