Scheduled Tasks

Windows, Persistence Mechanisms, Disk Image

Location

C:\Windows\System32\Tasks\

Description

XML-based scheduled task definitions containing the trigger schedule, action command line, run-as account, creation timestamp, and author.

Forensic Value

Scheduled tasks are among the most common persistence mechanisms. Each task XML contains the exact command line and arguments the task executes, the user context it runs under, and when it was created. Comparing task creation timestamps against the intrusion timeline isolates attacker-created tasks. Tasks running as SYSTEM with encoded PowerShell or unusual binary paths are high-confidence indicators.
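As an added example, not part of this reference page or of any tool it lists, the following Python script applies the indicators above to task XML definitions: it parses the fields named in the description, compares the creation timestamp to an intrusion window, and flags SYSTEM run-as context, encoded PowerShell, and binaries outside the usual system directories. The three task definitions, the task names, the intrusion window and the base64 filler are constructed for the example; the schema namespace and element names are the real ones used by files under C:\Windows\System32\Tasks\.

```python
"""Added triage example: parse Windows scheduled-task XML and flag the indicators
described under Forensic Value. Sample data below is constructed, not from a real host."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import Dict, List, Optional

# Namespace used by every task definition under C:\Windows\System32\Tasks\
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Principals that mean the task runs as SYSTEM (compared case-insensitively)
SYSTEM_PRINCIPALS = {"S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM", "LOCALSYSTEM"}
# Directories where task binaries normally live; anything else is an "unusual binary path"
EXPECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Minimal environment-variable expansion for the forms commonly seen in task XML
ENV = {"%systemroot%": "c:\\windows", "%windir%": "c:\\windows",
       "%programfiles%": "c:\\program files", "%programfiles(x86)%": "c:\\program files (x86)"}


def _text(root: ET.Element, path: str) -> Optional[str]:
    node = root.find(path, NS)
    return node.text.strip() if node is not None and node.text else None


def parse_task(xml_data) -> Dict[str, Optional[str]]:
    """Extract the fields the page calls out. Accepts str or bytes; on disk the files are
    UTF-16 with a BOM, so read them in binary mode and pass the bytes straight through."""
    root = ET.fromstring(xml_data)
    return {
        "author": _text(root, "t:RegistrationInfo/t:Author"),
        "created": _text(root, "t:RegistrationInfo/t:Date"),
        "user": _text(root, "t:Principals/t:Principal/t:UserId"),
        "command": _text(root, "t:Actions/t:Exec/t:Command"),
        "arguments": _text(root, "t:Actions/t:Exec/t:Arguments"),
    }


def parse_task_date(value: Optional[str]) -> Optional[datetime]:
    """Task Scheduler writes up to seven fractional-second digits; fromisoformat takes six.
    The result is a naive host-local datetime, so compare it to a window expressed the same way."""
    m = re.match(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?", value or "")
    if not m:
        return None
    base, frac = m.groups()
    return datetime.fromisoformat(base + ("." + frac[:6] if frac else ""))


def is_encoded_powershell(command: Optional[str], arguments: Optional[str]) -> bool:
    """powershell.exe accepts -EncodedCommand, any unambiguous prefix of it (-e, -en, -enc, ...) and -ec."""
    if "powershell" not in (command or "").lower():
        return False
    for tok in (arguments or "").split():
        if tok[0] in "-/" and len(tok) > 1:
            name = tok[1:].lower()
            if name == "ec" or "encodedcommand".startswith(name):
                return True
    return False


def is_unusual_path(command: Optional[str]) -> bool:
    path = (command or "").strip().strip('"').lower()
    for var, value in ENV.items():
        path = path.replace(var, value)
    # A bare name such as "cmd.exe" is resolved through PATH at run time; nothing to judge here
    return "\\" in path and not path.startswith(EXPECTED_PREFIXES)


def triage_task(task: Dict[str, Optional[str]], window_start: datetime, window_end: datetime) -> Dict:
    """Apply the page's indicators; two or more together are reported as high confidence."""
    findings: List[str] = []
    created = parse_task_date(task["created"])
    if created and window_start <= created <= window_end:
        findings.append("created inside intrusion window")
    if (task["user"] or "").upper() in SYSTEM_PRINCIPALS:
        findings.append("runs as SYSTEM")
    if is_encoded_powershell(task["command"], task["arguments"]):
        findings.append("encoded PowerShell command line")
    if is_unusual_path(task["command"]):
        findings.append("binary outside expected system directories")
    return {"author": task["author"], "command": task["command"],
            "findings": findings, "high_confidence": len(findings) >= 2}


def _task_xml(author: str, date: str, user: str, command: str, arguments: str) -> str:
    """Build a minimal constructed task definition in the real Task Scheduler schema."""
    return f"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>{author}</Author><Date>{date}</Date></RegistrationInfo>
  <Principals><Principal id="Author"><UserId>{user}</UserId></Principal></Principals>
  <Actions Context="Author"><Exec><Command>{command}</Command><Arguments>{arguments}</Arguments></Exec></Actions>
</Task>"""


# Constructed samples keyed by task path. The base64 blob is dummy filler, not a real payload.
SAMPLE_TASKS = {
    "Microsoft\\Windows\\Time Synchronization\\SynchronizeTime": _task_xml(
        "Microsoft Corporation", "2023-09-14T08:00:00", "S-1-5-18",
        "%windir%\\system32\\sc.exe", "start w32time task_started"),
    "Updater": _task_xml(
        "WORKSTATION\\admin", "2024-03-05T11:42:19.1234567", "S-1-5-18",
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "-NoP -W Hidden -enc QUFBQUFBQUFBQUFBQUFBQQ=="),
    "OneDriveSync": _task_xml(
        "WORKSTATION\\alice", "2024-03-06T02:15:00", "WORKSTATION\\alice",
        "C:\\Users\\Public\\Libraries\\update.exe", ""),
}


def triage_all(window_start: datetime = datetime(2024, 3, 5),
               window_end: datetime = datetime(2024, 3, 7)) -> Dict[str, Dict]:
    """Triage every sample against a (hypothetical) intrusion window from the incident timeline."""
    return {name: triage_task(parse_task(xml), window_start, window_end)
            for name, xml in SAMPLE_TASKS.items()}


if __name__ == "__main__":
    for name, r in triage_all().items():
        flag = "HIGH" if r["high_confidence"] else "low "
        print(f"[{flag}] {name}: {', '.join(r['findings']) or 'no indicators'}")
```

Against a real collection, replace SAMPLE_TASKS with the files gathered by KAPE (read each one in binary mode so the UTF-16 BOM is honoured) and set the window from the incident timeline; the Microsoft-authored task is reported at low confidence because running as SYSTEM alone is normal for built-in tasks, while the two tasks that combine an in-window creation time with encoded PowerShell or a user-writable binary path are the ones the page describes as high-confidence indicators.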

Tools Required

KAPE, Autoruns (Sysinternals), PowerShell

Collection Commands

KAPE

kape.exe --tsource C: --tdest C:\output --target ScheduledTasks

PowerShell

Get-ScheduledTask | Where-Object {$_.State -ne "Disabled"} | Select-Object TaskPath, TaskName, State, Author, Date, @{n='RunAs';e={$_.Principal.UserId}}, @{n='Action';e={($_.Actions | ForEach-Object {"$($_.Execute) $($_.Arguments)"}) -join '; '}} | Export-Csv C:\output\scheduled_tasks.csv -NoTypeInformation

Autoruns

autorunsc.exe -a t -ct -h -s -v -vt > C:\output\autoruns_tasks.csv

cmd

schtasks /query /fo CSV /v > C:\output\schtasks_output.csv

Collection Constraints

  • Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.

MITRE ATT&CK Techniques

T1053.005, T1053