Task Scheduler Files

Task Scheduler Files are XML files that provide information regarding scheduled tasks on an endpoint. These files are created when a new task is scheduled on the endpoint. This artifact is similar to and replaces .job files on Windows XP, but provides more information.

Analysis Value

Command Line Options First Executed Last Executed Execution Account Evidence of Execution File Path Source Identification

Operating System Availability

Major Version

Support

Major Version

Support

Windows 11

✅

Server 2019

✅

Windows 10

✅

Server 2016

✅

Windows 8

✅

Server 2012

✅

Windows 7

✅

Server 2008

✅

Windows Vista

✅

Server 2003

❌

Windows XP

❌

Artifact Location(s)

%SystemRoot%\System32\Tasks for tasks scheduled by 64-bit processes
%SystemRoot%\SysWOW64\Tasks for tasks scheduled by 32-bit processes

Artifact Interpretation

XML Path

Interpretation

Task/Registration Info/Date

Date the task was scheduled

Task/Registration Info/Author

Author of the task. Can be local or remote.

Task/Triggers

Triggers for the scheduled task

Task/Actions

Action taken by the scheduled task

Task/Principals

Authentication used for the task during execution

Analysis Tips

Remote Scheduled Tasks

In the event that a scheduled task was remotely created (an excellent indicator of lateral movement), the Task/Registration Info/Author field will provide the originating endpoint.

Last updated 1 year ago