1

I am trying to find a task in Windows Task Scheduler on an image of a Windows 10 x64.

All I know about this task is that when it is triggered, it disables a service which I also know nothing about.

I have manually gone through Task Scheduler a few times but have not been able to find it.

Event Viewer and auditing were disabled before I started looking for the task, so even if it has run before it is likely unlogged.

Although I have found an option to filter audits in Event Viewer, I do not know about anything similar on Task Scheduler.

I am relatively new to cybersecurity so I apologize if this is an obvious question.

Is it possible to filter tasks by action in Task Scheduler?

If not, why is it not possible and is there any external code or program I could use to narrow down my search?

1
  • Without specifics, it's hard to help. Which service? Scheduled Tasks can be listed by executable, if you have some idea of the executable name or location. Take a look at Nirsoft's TaskSchedulerView for more search capability. nirsoft.net/utils/task_scheduler_view.html Commented Jul 13, 2020 at 18:08

2 Answers

2

If you are looking for something to list scheduled tasks, does the following PowerShell help you:

Get-ScheduledTask | ForEach-Object {[pscustomobject]@{
  Name = $_.TaskName;
  Path = $_.TaskPath;
  LastResult = $(($_ | Get-ScheduledTaskInfo).LastTaskResult);
  NextRun = $(($_ | Get-ScheduledTaskInfo).NextRunTime);
  Status = $_.State;
  Command = $_.Actions.execute;
  Arguments = $_.Actions.Arguments }
} | Out-GridView

You should be able to paste that into either a PowerShell or PowerShell ISE window running as Administrator and it will provide a GridView of the data that can be filtered using the GridView control.

1
  • Very helpful. Thanks for lending a hand! Commented Nov 24, 2020 at 8:18
0

Are you sure it is a scheduled task that's doing this? Your mention of cybersecurity in this context leads me to believe the service is being disabled maliciously.

Autoruns is a very useful utility which displays many load points in Windows, including scheduled tasks.

  • Use the filter field to help narrow down your search.
  • Use Options > Scan Options and check Check VirusTotal.com to check entries against VirusTotal (though, a simple script/executable which disables a service may not show up).
  • Remove the disk and attach it to another machine (or boot to another Windows OS on the same machine) and choose File > Analyze Offline System. This can reveal items whose presence may be hidden if a rootkit is present.
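As an added example (not part of either answer, and not the posters' code): the same filtering by action can be done offline against the task definition files of a mounted image, which are XML files under `Windows\System32\Tasks`. The regular expressions and the `sample_task` helper are assumptions made for illustration; the patterns are heuristics for common ways of stopping or disabling a service.

```python
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# XML namespace used by Task Scheduler task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Heuristic patterns (assumptions; extend as needed) for stopping or disabling a service.
SERVICE_TAMPERING = re.compile(
    r"\bsc(\.exe)?\b.*\b(config|stop|delete)\b"  # sc config <svc> start= disabled
    r"|\bnet1?(\.exe)?\s+stop\b"                 # net stop <svc>
    r"|\b(Set|Stop)-Service\b"                   # PowerShell cmdlets
    r"|\\Services\\[^\\\s]+.*\bStart\b"          # registry edit of a service's Start value
    r"|\bChangeStartMode\b",                     # WMI Win32_Service method
    re.IGNORECASE,
)

def task_actions(xml_bytes):
    """Return (command, arguments) for every Exec action in one task definition."""
    root = ET.fromstring(xml_bytes)  # bytes input lets the parser honour the UTF-16 BOM
    return [(e.findtext("t:Command", "", NS).strip(),
             e.findtext("t:Arguments", "", NS).strip())
            for e in root.iterfind("t:Actions/t:Exec", NS)]

def suspicious_actions(xml_bytes):
    """Keep only the actions whose command line matches a service-tampering pattern."""
    return [(c, a) for c, a in task_actions(xml_bytes)
            if SERVICE_TAMPERING.search(f"{c} {a}")]

def scan_tasks_dir(tasks_dir):
    """Walk a Tasks folder, e.g. <mounted image>/Windows/System32/Tasks, and yield hits."""
    for path in sorted(Path(tasks_dir).rglob("*")):
        if path.is_file():
            try:
                for cmd, args in suspicious_actions(path.read_bytes()):
                    yield str(path), cmd, args
            except ET.ParseError:
                yield str(path), "<unparseable task file>", ""

def sample_task(command, arguments):
    """Build a constructed task definition (not from the question's system) for testing."""
    xml = ('<?xml version="1.0" encoding="UTF-16"?>'
           '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
           f'<Actions Context="Author"><Exec><Command>{command}</Command>'
           f'<Arguments>{arguments}</Arguments></Exec></Actions></Task>')
    return xml.encode("utf-16")  # task files on disk are typically UTF-16 with a BOM

if __name__ == "__main__" and len(sys.argv) > 1:
    for hit in scan_tasks_dir(sys.argv[1]):
        print(" | ".join(hit))
```

Run it with the path to the image's Tasks folder as the only argument. Tasks that use a COM handler instead of an Exec action have no command line and are not reported by this filter.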
