# Task Scheduler Files Task Scheduler Files are XML files that provide information regarding scheduled tasks on an endpoint. These files are created when a new task is scheduled on the endpoint. This artifact is similar to and replaces `.job` files on Windows XP, but provides more information. ## Analysis Value {% content-ref url="/pages/agskwSdYbi8RGqMN5CmF" %} [Command Line Options](/windows-forensics/artifacts-by-activity/execution/command-line-options.md) {% endcontent-ref %} {% content-ref url="/pages/NwFJ38aWYFJ7FKQuKQMQ" %} [First Executed](/windows-forensics/artifacts-by-activity/execution/first-executed.md) {% endcontent-ref %} {% content-ref url="/pages/6Pmka7uFtKElhrhDdFDv" %} [Last Executed](/windows-forensics/artifacts-by-activity/execution/last-executed.md) {% endcontent-ref %} {% content-ref url="/pages/7PsIbY4z0aa7D6FfSddw" %} [Execution Account](/windows-forensics/artifacts-by-activity/execution/execution-account.md) {% endcontent-ref %} {% content-ref url="/pages/vnDLfD9RBoVh5UOGGhiw" %} [Evidence of Execution](/windows-forensics/artifacts-by-activity/execution/evidence-of-execution.md) {% endcontent-ref %} {% content-ref url="/pages/V3cDcDJogcr4slquHEzB" %} [File Path](/windows-forensics/artifacts-by-activity/file-activity/file-path.md) {% endcontent-ref %} {% content-ref url="/pages/T5a0mfe6TprUne1T4K7M" %} [Source Identification](/windows-forensics/artifacts-by-activity/network-activity/source-identification.md) {% endcontent-ref %} ## Operating System Availability | Major Version | Support | Major Version | Support | | ------------- | ------- | ------------- | ------- | | Windows 11 | ✅ | Server 2019 | ✅ | | Windows 10 | ✅ | Server 2016 | ✅ | | Windows 8 | ✅ | Server 2012 | ✅ | | Windows 7 | ✅ | Server 2008 | ✅ | | Windows Vista | ✅ | Server 2003 | ❌ | | Windows XP | ❌ | | | ## Artifact Location(s) * `%SystemRoot%\System32\Tasks` for tasks scheduled by 64-bit processes * `%SystemRoot%\SysWOW64\Tasks` for tasks scheduled by 32-bit processes ## Artifact Interpretation | XML Path | Interpretation | | ------------------------------- | ------------------------------------------------- | | `Task/Registration Info/Date` | Date the task was scheduled | | `Task/Registration Info/Author` | Author of the task. Can be local or remote. | | `Task/Triggers` | Triggers for the scheduled task | | `Task/Actions` | Action taken by the scheduled task | | `Task/Principals` | Authentication used for the task during execution | ## Analysis Tips {% hint style="success" %} #### Remote Scheduled Tasks In the event that a scheduled task was remotely created (an excellent indicator of lateral movement), the `Task/Registration Info/Author` field will provide the originating endpoint. {% endhint %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/task-scheduler-files.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.