Scheduled Tasks
Introduction
Windows uses the Task Scheduler to execute various automated tasks, such as clean-up activities or update management. On Windows, these are called Scheduled Tasks, or Tasks, and each is defined with one or more triggers. A trigger is a condition that, when met, causes one or more actions to be executed. For example, a trigger can be set to a specific time and date, at startup, at log on, or on a Windows event. An action specifies which program or script to execute. A task has various other possible settings, grouped under the Conditions, Settings, and General tabs of the task's properties.
For us, three pieces of information are vital to obtain from a scheduled task to identify possible privilege escalation vectors:
As which user account (principal) does this task get executed?
What triggers are specified for the task?
What actions are executed when one or more of these triggers are met?
Viewing Scheduled Tasks
We can view scheduled tasks on Windows with the Get-ScheduledTask cmdlet or the command schtasks /query. We'll use the latter for this example to review all scheduled tasks on CLIENTWK220. We enter /fo with LIST as the argument to specify the output format as a list. Additionally, we add /v to display all properties of a task.
PS C:\Users\steve> schtasks /query /fo LIST /v
...
Folder: \Microsoft
HostName: CLIENTWK220
TaskName: \Microsoft\CacheCleanup
Next Run Time: 7/11/2022 2:47:21 AM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 7/11/2022 2:46:22 AM
Last Result: 0
Author: CLIENTWK220\daveadmin
Task To Run: C:\Users\steve\Pictures\BackendCacheCleanup.exe
Start In: C:\Users\steve\Pictures
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode
Run As User: daveadmin
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: One Time Only, Minute
Start Time: 7:37:21 AM
Start Date: 7/4/2022
...

In the example above, the task named \Microsoft\CacheCleanup stands out: it was created by the user daveadmin, and its specified action is to execute BackendCacheCleanup.exe from the Pictures directory in the home directory of the user steve.
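The following is an added example, not part of the original page: a PowerShell filter that pulls the principal, trigger and action out of schtasks records and marks tasks, like CacheCleanup above, whose program sits in a user profile belonging to an account other than the one the task runs as. The function name Get-TaskTriage, the Review flag and the second sample row are assumptions made for illustration; the field names are the schtasks verbose column headers shown above.

```powershell
# Added example (not from the original page). Get-TaskTriage and the Review
# flag are hypothetical names; the property names are schtasks /v columns.
function Get-TaskTriage {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [psobject] $Task)
    process {
        # Some builds repeat the CSV header row per task folder; skip those rows.
        if ($Task.TaskName -eq 'TaskName') { return }

        # Principal: strip any HOST\ or DOMAIN\ prefix from "Run As User".
        $runAs = ($Task.'Run As User' -split '\\')[-1]

        # Action: does the program live under <drive>:\Users\<name>\ ?
        $action = $Task.'Task To Run'
        $profileOwner = $null
        if ($action -match '^"?[A-Za-z]:\\Users\\([^\\]+)\\') { $profileOwner = $Matches[1] }

        [pscustomobject]@{
            TaskName = $Task.TaskName
            RunAs    = $runAs
            Trigger  = $Task.'Schedule Type'
            NextRun  = $Task.'Next Run Time'
            Action   = $action
            # Review when the program sits in the profile of an account other than the principal.
            Review   = [bool]($profileOwner -and ($profileOwner -ne $runAs))
        }
    }
}

# Constructed sample: the first row mirrors the CacheCleanup task above,
# the second row is made up for contrast.
$sample = @'
"TaskName","Next Run Time","Task To Run","Run As User","Schedule Type"
"\Microsoft\CacheCleanup","7/11/2022 2:47:21 AM","C:\Users\steve\Pictures\BackendCacheCleanup.exe","daveadmin","One Time Only, Minute"
"\Constructed\DiskReport","N/A","C:\Windows\System32\cmd.exe /c exit","SYSTEM","At system start up"
'@ | ConvertFrom-Csv

$sample | Get-TaskTriage | Format-List

# On a live host, feed it the real output instead:
# schtasks /query /fo CSV /v | ConvertFrom-Csv | Get-TaskTriage | Where-Object Review
```

With the constructed sample, only the CacheCleanup row comes back with Review set to True, because its program is in steve's profile while the task runs as daveadmin.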