Channel: Microsoft-Windows-TaskScheduler/Operational (channel not enabled by default).
Events: 100, 102, 103, 106, 107, 108, 110, 118, 119, 129, 140, 141, 200, 201.

Channel: Security (events not enabled by default).
Events: 4698, 4699, 4700, 4701, 4702.

Overview

Scheduled tasks automatically perform an operation on the system whenever the criteria associated with the task are met. A scheduled task can run at a defined time, repeatedly at set intervals, or when a specific event occurs, such as system boot.

A single scheduled task can be associated with one or multiple trigger(s) and one or multiple action(s). A single task can thus execute multiple distinct executables.

Refer to the registry Scheduled Tasks page for more information on the components that constitute scheduled tasks.

Scheduled Tasks Windows events

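Each entry below gives the channel, the conditions under which the events are logged, and the events themselves.

Channel: Microsoft-Windows-TaskScheduler/Operational.
Conditions: introduced in Windows 7 and Windows 2008; requires task history to be enabled (non-default).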
Event 106: User "<DOMAIN | WORKGROUP>\<USERNAME>" registered Task Scheduler task "\<TASK_NAME>".

Logged whenever a scheduled task is registered.

Information of interest:
- The registered task name.
- The domain and username of the user that registered the task.

Channel: Microsoft-Windows-TaskScheduler/Operational.
Conditions: introduced in Windows 7 and Windows 2008; requires task history to be enabled (non-default).
Event 140: User "<DOMAIN | WORKGROUP>\<USERNAME>" updated Task Scheduler task "<TASK_NAME>".

Logged whenever a scheduled task is updated.

Information of interest:
- The modified task name.
- The domain and username of the user that modified the task.

The properties modified are not logged.

Channel: Microsoft-Windows-TaskScheduler/Operational.
Conditions: introduced in Windows 7 and Windows 2008; requires task history to be enabled (non-default).
Event 107: Task triggered on scheduler.
Event 108: Task triggered on event.
Event 110: Task triggered by user.
Event 118: Task triggered by computer startup.
Event 119: Task triggered on logon.

Event payload for each event: Task Scheduler launched "<INSTANCE_GUID>" instance of task "<TASK_NAME>" due to [...].

Logged whenever a scheduled task is started due to the criteria associated with the event (schedule, event, system startup, logon, or manual trigger).

Information of interest:
- The launched task name.
- The execution instance GUID.
- The task execution reason.

Channel: Microsoft-Windows-TaskScheduler/Operational.
Conditions: introduced in Windows 7 and Windows 2008; requires task history to be enabled (non-default).
Event 100: Task Scheduler started "<INSTANCE_GUID>" instance of the "<TASK_NAME>" task for user "<EXECUTING_ACCOUNT>".

Logged whenever a scheduled task is executed.

Information of interest:
- The launched task name.
- The execution instance GUID and the account running the task.

Channel: Microsoft-Windows-TaskScheduler/Operational.
Conditions: introduced in Windows 7 and Windows 2008; requires task history to be enabled (non-default).
Event 129: Task Scheduler launch task "<TASK_NAME>", instance "<EXECUTABLE>" with process ID <PID>.

Logged whenever a scheduled task or a scheduled task’s action is executed.

Information of interest:
- The launched task name and the launched action’s executable full path.
- The execution instance GUID and associated process identifier (PID).

Channel: Microsoft-Windows-TaskScheduler/Operational.
Conditions: introduced in Windows 7 and Windows 2008; requires task history to be enabled (non-default).
Event 200: Task Scheduler launched action "<EXECUTABLE>" in instance "<INSTANCE_GUID>" of task "<TASK_NAME>".

Logged whenever a scheduled task’s action is executed. A single scheduled task can define one or multiple action(s).

Information of interest:
- The launched task name and the launched action’s executable full path.
- The execution instance GUID.

This event can be used to correlate a task name with its executable, or with one of its executables.

Channel: Microsoft-Windows-TaskScheduler/Operational.
Conditions: introduced in Windows 7 and Windows 2008; requires task history to be enabled (non-default).
Event 103: Task Scheduler failed to start instance "<INSTANCE_GUID>" instance of the "<TASK_NAME>" task for user "<EXECUTING_ACCOUNT>". Additional Data: Error Value: <ERROR_CODE>.

Information of interest:
- The launched task name.
- The execution instance GUID and the account running the task.
- The error code associated with the start failure.

Channel: Microsoft-Windows-TaskScheduler/Operational.
Conditions: introduced in Windows 7 and Windows 2008; requires task history to be enabled (non-default).
Event 201: Task Scheduler successfully completed task "<TASK_NAME>", instance "<INSTANCE_GUID>" , action "<EXECUTABLE>" with return code <INT>.

Logged whenever a scheduled task’s action finished its execution.

Information of interest:
- The launched task name and the finished action’s executable full path.
- The execution instance GUID.
- The execution return code.

Similarly to event 200, this event can be used to correlate a task name with its executable, or with one of its executables.

Channel: Microsoft-Windows-TaskScheduler/Operational.
Conditions: introduced in Windows 7 and Windows 2008; requires task history to be enabled (non-default).
Event 102: Task Scheduler successfully finished "<INSTANCE_GUID>" instance of the "<TASK_NAME>" task for user "<EXECUTING_ACCOUNT>".

Logged whenever a scheduled task action finished its execution.

Information of interest:
- The finished task name.
- The finished execution instance GUID and the account that ran the task.

Channel: Microsoft-Windows-TaskScheduler/Operational.
Conditions: introduced in Windows 7 and Windows 2008; requires task history to be enabled (non-default).
Event 141: User "<DOMAIN | WORKGROUP>\<USERNAME>" deleted Task Scheduler task "<TASK_NAME>".

Logged whenever a scheduled task is deleted.

Information of interest:
- The deleted task name.
- The domain and username of the user that deleted the task.

Channel: Security.
Conditions: "Audit: Force audit policy subcategory settings" to be enabled, and "Other Object Access Events" set to Success (, Failure).
Event 4698: A scheduled task was created.

Event 4699: A scheduled task was deleted.

Event 4700: A scheduled task was enabled.

Event 4701: A scheduled task was disabled.

Event 4702: A scheduled task was updated.

Logged whenever the operation associated with the event (creation, deletion, enabling, disabling, modification) is performed on a scheduled task.

Each event holds the same information of interest:
- Domain, username and Logon ID of the user that performed the action.
- The scheduled task full parameters: task name, registration timestamp, action(s) (including the associated command(s)), trigger(s), running user and privileges, etc.

Legacy:
(Only) event 602: Scheduled Task created.
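
Added example (not part of the original page): the execution events above share the instance GUID, so events 100, 200, 201 and 102 can be stitched into one record per run, mapping each task name to the executables it launched and their return codes. The regexes follow the message templates listed above; the sample messages, GUIDs, task names, accounts, paths and the function names `correlate` and `unfinished_actions` are constructed for illustration.

```python
import re
from collections import defaultdict

# Regexes built from the message templates listed on this page (English rendering).
PATTERNS = {
    100: re.compile(r'started "(?P<guid>[^"]+)" instance of the "(?P<task>[^"]+)" task for user "(?P<account>[^"]+)"'),
    200: re.compile(r'launched action "(?P<exe>[^"]+)" in instance "(?P<guid>[^"]+)" of task "(?P<task>[^"]+)"'),
    201: re.compile(r'completed task "(?P<task>[^"]+)"\s*, instance "(?P<guid>[^"]+)"\s*, action "(?P<exe>[^"]+)" with return code (?P<rc>-?\d+)'),
    102: re.compile(r'finished "(?P<guid>[^"]+)" instance of the "(?P<task>[^"]+)" task for user "(?P<account>[^"]+)"'),
}

def correlate(events):
    """Group (event_id, message) pairs into one record per execution instance GUID."""
    runs = defaultdict(lambda: {"task": None, "account": None, "actions": {}, "finished": False})
    for event_id, message in events:
        pattern = PATTERNS.get(event_id)
        m = pattern.search(message) if pattern else None
        if not m:
            continue  # unhandled event ID, or a message that does not match the template
        f = m.groupdict()
        run = runs[f["guid"]]
        run["task"] = f["task"]
        run["account"] = f.get("account", run["account"])
        if event_id == 200:
            run["actions"].setdefault(f["exe"], None)  # launched, no return code yet
        elif event_id == 201:
            run["actions"][f["exe"]] = int(f["rc"])
        elif event_id == 102:
            run["finished"] = True
    return dict(runs)

def unfinished_actions(runs):
    """Actions with an event 200 but no event 201: still running, killed, or a log gap."""
    return [(r["task"], exe) for r in runs.values() for exe, rc in r["actions"].items() if rc is None]

# Constructed sample messages (GUIDs, task names, accounts and paths are made up).
G1, G2 = "{aaaaaaaa-0000-0000-0000-000000000001}", "{aaaaaaaa-0000-0000-0000-000000000002}"
SAMPLE = [
    (100, rf'Task Scheduler started "{G1}" instance of the "\ExampleBackup" task for user "LAB\svc-backup".'),
    (200, rf'Task Scheduler launched action "C:\Tools\backup.exe" in instance "{G1}" of task "\ExampleBackup".'),
    (201, rf'Task Scheduler successfully completed task "\ExampleBackup", instance "{G1}" , action "C:\Tools\backup.exe" with return code 0.'),
    (102, rf'Task Scheduler successfully finished "{G1}" instance of the "\ExampleBackup" task for user "LAB\svc-backup".'),
    (100, rf'Task Scheduler started "{G2}" instance of the "\ExampleUpdater" task for user "NT AUTHORITY\SYSTEM".'),
    (200, rf'Task Scheduler launched action "C:\Windows\System32\cmd.exe" in instance "{G2}" of task "\ExampleUpdater".'),
]

if __name__ == "__main__":
    for guid, run in correlate(SAMPLE).items():
        print(guid, run)
```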
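
Added example (not part of the original page): extracting the information of interest from a Security event 4698, whose task definition is carried as an embedded XML document. The `EventData` field names (`SubjectUserName`, `SubjectDomainName`, `SubjectLogonId`, `TaskName`, `TaskContent`) are the ones this event uses in its XML form; the sample event, its values and the function name `parse_task_event` are constructed.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT = "{http://schemas.microsoft.com/win/2004/08/events/event}"
TASK = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

def parse_task_event(event_xml):
    """Return who acted on the task and what it runs, from one 4698/4702 event XML."""
    root = ET.fromstring(event_xml)
    data = {d.get("Name"): (d.text or "") for d in root.iter(EVT + "Data")}
    # TaskContent embeds the task definition as XML; drop its declaration before parsing.
    task = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", data.get("TaskContent", "")))
    actions = [" ".join(filter(None, (e.findtext(TASK + "Command"), e.findtext(TASK + "Arguments"))))
               for e in task.iter(TASK + "Exec")]
    trig = task.find(TASK + "Triggers")
    principal = task.find(f"{TASK}Principals/{TASK}Principal")
    return {
        "event_id": int(root.findtext(f"{EVT}System/{EVT}EventID")),
        "subject": data.get("SubjectDomainName", "") + "\\" + data.get("SubjectUserName", ""),
        "logon_id": data.get("SubjectLogonId"),
        "task_name": data.get("TaskName"),
        "actions": actions,
        "triggers": [t.tag.replace(TASK, "") for t in trig] if trig is not None else [],
        "run_as": principal.findtext(TASK + "UserId") if principal is not None else None,
        "run_level": principal.findtext(TASK + "RunLevel") if principal is not None else None,
    }

# Constructed sample: a task definition and the 4698 event that would carry it.
TASK_XML = r'''<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>LAB\alice</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\Tools\example.exe</Command><Arguments>/quiet</Arguments></Exec></Actions>
</Task>'''
SAMPLE_4698 = rf'''<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4698</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="SubjectDomainName">LAB</Data>
    <Data Name="SubjectLogonId">0x3e7a1</Data>
    <Data Name="TaskName">\ExampleTask</Data>
    <Data Name="TaskContent">{escape(TASK_XML)}</Data>
  </EventData>
</Event>'''

if __name__ == "__main__":
    print(parse_task_event(SAMPLE_4698))
```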
