Task Scheduler Files

Task Scheduler Files are XML files that provide information regarding scheduled tasks on an endpoint. These files are created when a new task is scheduled on the endpoint. This artifact is similar to and replaces .job files on Windows XP, but provides more information.

Analysis Value

Command Line OptionsFirst ExecutedLast ExecutedExecution AccountEvidence of ExecutionFile PathSource Identification

Operating System Availability

Major Version	Support	Major Version	Support
Windows 11	✅	Server 2019	✅
Windows 10	✅	Server 2016	✅
Windows 8	✅	Server 2012	✅
Windows 7	✅	Server 2008	✅
Windows Vista	✅	Server 2003	❌
Windows XP	❌

Artifact Location(s)

• %SystemRoot%\System32\Tasks for tasks scheduled by 64-bit processes

• %SystemRoot%\SysWOW64\Tasks for tasks scheduled by 32-bit processes

Artifact Interpretation

XML Path	Interpretation
Task/Registration Info/Date	Date the task was scheduled
Task/Registration Info/Author	Author of the task. Can be local or remote.
Task/Triggers	Triggers for the scheduled task
Task/Actions	Action taken by the scheduled task
Task/Principals	Authentication used for the task during execution

Analysis Tips

Remote Scheduled Tasks

In the event that a scheduled task was remotely created (an excellent indicator of lateral movement), the Task/Registration Info/Author field will provide the originating endpoint.