Windows Task Scheduler

Task Scheduler is a system service that allows you to execute automated tasks on a Windows computer. Tasks can be created and managed through the Task Scheduler graphical user interface or the Task Scheduler API.

Task Scheduler is commonly used to perform routine tasks on a system; however, intruders can also use it maliciously to execute code as LocalSystem. On Windows Server 2008 R2 and newer operating systems, a task history is logged to the Windows Event Log. Besides allowing you to identify failing scheduled tasks, collecting and monitoring these events can also help you to detect compromised systems early on.

Enabling Tasks History

Follow these steps to enable logging of Task Scheduler events:

  1. Open Task Scheduler (taskschd.msc).

  2. In the Actions pane on the right-hand side, click Enable All Tasks History.

    Windows Task Scheduler History

Collecting Task Scheduler events from Windows Event Log

Task Scheduler events are logged to the Microsoft-Windows-TaskScheduler/Operational log. To verify that this log is enabled:

  1. Open Event Viewer (eventvwr.msc).

  2. Expand Applications and Services Logs > Microsoft > Windows > TaskScheduler.

  3. Right-click on Operational and select Enable Log.

On Windows Server 2012 R2 and newer operating systems, the Microsoft-Windows-TaskScheduler/Maintenance log is also available. This log contains events related to Task Scheduler maintenance tasks. For more information, see the Microsoft documentation on Automatic maintenance.

Event IDs

The following events are logged when a task is created or deleted and can help in intrusion detection.

Table 1. Task management events
Event ID Task Category

106

Task registered

140

Task registration updated

141

Task registration deleted

142

Task disabled

The following events identify the successful completion or failure of a task.

Table 2. Task monitoring events
Event ID Task Category

100

Task started

101

Task start failed

102

Task completed

103

Action start failed

111

Task terminated

129

Created task process

200

Action started

201

Action completed

202

Action failed

203

Action failed to start

See Task Monitoring and Control in the Microsoft documentation for a complete list of monitoring events.

Example 1. Windows Task Scheduler operational log collection

This configuration uses the im_msvistalog input module to collect events from the Microsoft-Windows-TaskScheduler/Operational log. It then converts log records to JSON format by calling the to_json() procedure of the xm_json module.

nxlog.conf
<Extension json>
    Module    xm_json
</Extension>

<Input task_scheduler>
    Module    im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Microsoft-Windows-TaskScheduler/Operational'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    Exec      to_json();
</Input>
Output sample
{
  "EventTime": "2022-02-27T11:08:08.367566+01:00",
  "Hostname": "SERVER-1.example.com",
  "Keywords": "9223372036854775808",
  "LevelValue": 4,
  "EventType": "INFO",
  "SeverityValue": 2,
  "Severity": "INFO",
  "EventID": 106,
  "SourceName": "Microsoft-Windows-TaskScheduler",
  "ProviderGuid": "{DE7B24EA-73C8-4A09-985D-5BDADCFA9017}",
  "Version": 0,
  "TaskValue": 106,
  "OpcodeValue": 0,
  "RecordNumber": 11316,
  "ExecutionProcessID": 784,
  "ExecutionThreadID": 1292,
  "Channel": "Microsoft-Windows-TaskScheduler/Operational",
  "Domain": "NT AUTHORITY",
  "AccountName": "SYSTEM",
  "UserID": "S-1-5-18",
  "AccountType": "User",
  "Message": "User \"SERVER-1\\jdoe\"  registered Task Scheduler task \"\\Malicious Task\"",
  "Category": "Task registered",
  "Opcode": "Info",
  "Level": "Information",
  "EventData.Name": "TaskRegisteredEvent",
  "TaskName": "\\Malicious Task",
  "UserContext": "SERVER-1\\jdoe",
  "EventReceivedTime": "2022-02-27T11:08:10.351190+01:00",
  "SourceModuleName": "task_scheduler",
  "SourceModuleType": "im_msvistalog"
}
Disclaimer

While we endeavor to keep the information in this topic up to date and correct, NXLog makes no representations or warranties of any kind, express or implied about the completeness, accuracy, reliability, suitability, or availability of the content represented here.

The accurateness of the content was tested and proved to be working in our lab environment at the time of the last revision with the following software versions:

Windows Server 2016 Standard
Windows Server 2012 R2 Standard
NXLog version 5.4.7431

Last revision: 27 February 2022