
Investigating Task Scheduler

07/06/2021 Monday

Task Scheduler is a Windows component that provides a service for launching programs or scripts at preset times. It monitors the trigger condition chosen by the user and runs the task when that condition is met. Triggers can be calendar-based or event-based, and actions can include sending an email, starting an application, or displaying a message box. The service runs as an ordinary executable program, and its tasks can also be created and modified by hand.


Digital Forensics Value of Task Scheduler Artifacts


Task Scheduler lets jobs be scheduled on a remote machine over the network, provided the user holds suitable administrative credentials. Attackers can use the component to aid or extend their compromise of a system. The artifacts it leaves behind can help investigators find evidence that a malicious payload was executed and trace an intruder's lateral movement.


Location of Task Scheduler Artifacts


Task Scheduler artifacts are located at:


Structure of Task Scheduler Artifacts


The artifacts consist of an XML task definition, the Windows job file format, Windows event logs, and the Windows SOFTWARE registry hive.
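As an added example (not code from the original post or from ArtiFast), the following Python parses the registration, principal, trigger and action fields from a Task Scheduler XML definition and flags two combinations an investigator would want to look at first; the task XML and every value in it are constructed.

```python
import xml.etree.ElementTree as ET

# XML namespace of Task Scheduler 2.0 task definitions (C:\Windows\System32\Tasks\*).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample task definition; not taken from any real system.
SAMPLE_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2021-06-01T09:15:00</Date><Author>EXAMPLE\jdoe</Author></RegistrationInfo>
  <Triggers>
    <CalendarTrigger><StartBoundary>2021-06-01T09:15:00</StartBoundary></CalendarTrigger>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author">
    <Exec><Command>C:\Windows\System32\cmd.exe</Command><Arguments>/c C:\Users\Public\update.bat</Arguments></Exec>
  </Actions>
</Task>
"""


def parse_task(data: bytes) -> dict:
    """Pull the registration, principal, trigger and action fields from a task XML."""
    root = ET.fromstring(data)  # task files on disk are UTF-16; expat reads the BOM
    actions = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS)
        args = ex.findtext("t:Arguments", default="", namespaces=NS)
        actions.append((cmd + " " + args).strip())
    return {
        "author": root.findtext("t:RegistrationInfo/t:Author", namespaces=NS),
        "registered": root.findtext("t:RegistrationInfo/t:Date", namespaces=NS),
        "run_as": root.findtext("t:Principals/t:Principal/t:UserId", namespaces=NS),
        "run_level": root.findtext("t:Principals/t:Principal/t:RunLevel", namespaces=NS),
        # strip the namespace so trigger kinds read as CalendarTrigger, LogonTrigger, ...
        "triggers": [t.tag.split("}")[-1] for t in root.findall("t:Triggers/*", NS)],
        "actions": actions,
    }


def review_hints(task: dict) -> list:
    """Heuristic flags for triage (worth a closer look, not a verdict on their own)."""
    hints = []
    if task["run_as"] == "S-1-5-18":  # well-known SID of LocalSystem
        hints.append("runs as LocalSystem")
    for action in task["actions"]:
        if any(p in action.lower() for p in ("\\users\\", "\\temp\\", "\\programdata\\")):
            hints.append("action references a user-writable path: " + action)
    return hints
```

Call `parse_task(SAMPLE_TASK_XML.encode("utf-16"))` to run it on the constructed sample; on a real image, pass the raw bytes of a file from the Tasks directory instead.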


Analyzing Task Scheduler Artifacts with ArtiFast Windows


This section discusses how to use ArtiFast Windows to extract Task Scheduler artifacts from Windows machines and what digital forensics insights can be gained from them.

After you have created your case and added evidence for investigation, at the Artifacts Parser Selection Phase, you can select Task Scheduler artifacts:

Once the ArtiFast parser plugins have finished processing the artifacts, they can be reviewed in the “Artifact View” or “Timeline View”, with indexing, filtering, and searching capabilities. Below is a detailed description of the Task Scheduler artifacts in ArtiFast.


Task Scheduler (Job) Artifact

The artifact contains information on the scheduled tasks from the system. The details you can view include:


Task Scheduler (XML) Artifact

The artifact contains information on the scheduled tasks from the system. The details you can view include:


Task Scheduler Artifact

The artifact contains information on the scheduled tasks from the SOFTWARE registry hive. The details you can view include:


Windows Task Scheduler Task (EVTX) Artifact

The artifact contains information on the user accounts in the system. The details you can view include: