Scheduled Tasks

Windows, Persistence Mechanisms, Disk Image

Location

C:\Windows\System32\Tasks\

Description

XML-based scheduled task definitions containing the trigger schedule, action command line, run-as account, creation timestamp, and author.

Forensic Value

Scheduled tasks are a top persistence mechanism. Each task XML contains the exact command line and arguments the task executes, the user context it runs under, and when it was created. Comparing task creation timestamps against the intrusion timeline isolates attacker-created tasks. Tasks running as SYSTEM with encoded PowerShell or unusual binary paths are high-confidence indicators.
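As an added worked example (not part of this reference card and not code from KAPE, Autoruns or any other listed tool), the following Python script parses task XML files exported from a disk image, pulls out the fields named in the description, and flags the indicators described above: creation inside the intrusion window, a SYSTEM run-as principal, encoded PowerShell arguments, and binaries launched from user-writable directories. The embedded task XML is constructed for the example (author, date, SID and commands are invented); the namespace URI is the real Task Scheduler schema. The window bounds, the list of suspicious directories and the LocalSystem spellings are the script's own assumptions, adjust them to the case.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample in the shape Task Scheduler writes under
# C:\Windows\System32\Tasks\<TaskName>; author, date, SID and commands are
# invented. Real files are UTF-16 with a BOM, so the sample is encoded the same way.
SAMPLE_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2024-03-14T02:17:45.1234567</Date><Author>WORKSTATION\\jdoe</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author">
    <Exec><Command>%SystemRoot%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Command>
          <Arguments>-NoP -W Hidden -enc ZQBjAGgAbwA=</Arguments></Exec>
    <Exec><Command>C:\\Users\\Public\\updater.exe</Command></Exec>
  </Actions>
</Task>
""".encode("utf-16")

SYSTEM_IDS = {"s-1-5-18", "system", "nt authority\\system", "localsystem"}  # LocalSystem spellings (assumed list)
SUSPICIOUS_DIRS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\", "\\perflogs\\", "\\$recycle.bin\\")
POWERSHELL_EXES = ("powershell.exe", "powershell", "pwsh.exe", "pwsh")


def decode_task_file(raw: bytes) -> str:
    """Decode a task file (normally UTF-16 with BOM) and drop the XML declaration."""
    text = raw.decode("utf-16") if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else raw.decode("utf-8-sig")
    return re.sub(r"^\s*<\?xml[^>]*\?>", "", text, count=1)


def parse_task(raw: bytes) -> dict:
    """Pull the fields listed in the description out of one task XML file."""
    root = ET.fromstring(decode_task_file(raw))
    ns = root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""

    def q(path):  # qualify each step of an element path with the document namespace
        return "/".join(f"{{{ns}}}{s}" if ns else s for s in path.split("/"))

    triggers = root.find(q("Triggers"))
    return {
        "created": (root.findtext(q("RegistrationInfo/Date")) or "").strip(),
        "author": (root.findtext(q("RegistrationInfo/Author")) or "").strip(),
        "user_id": (root.findtext(q("Principals/Principal/UserId")) or "").strip(),
        "run_level": (root.findtext(q("Principals/Principal/RunLevel")) or "").strip(),
        "triggers": [c.tag.split("}")[-1] for c in triggers] if triggers is not None else [],
        "actions": [{"command": (e.findtext(q("Command")) or "").strip(),
                     "arguments": (e.findtext(q("Arguments")) or "").strip()}
                    for e in root.iterfind(q("Actions/Exec"))],
    }


def is_encoded_powershell(command: str, arguments: str) -> bool:
    """PowerShell launched with -EncodedCommand or any prefix it accepts (-e, -ec, -enc, ...)."""
    exe = command.lower().strip('"').replace("/", "\\").rsplit("\\", 1)[-1]
    if exe not in POWERSHELL_EXES:
        return False
    for tok in arguments.split():
        opt = tok[1:].lower() if tok[0] in "-/" else ""
        if opt in ("e", "ec") or (len(opt) >= 2 and "encodedcommand".startswith(opt)):
            return True
    return False


def is_unusual_path(command: str) -> bool:
    """Binary launched from a user-writable or otherwise odd directory."""
    p = command.lower().strip('"').replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")
    return any(d in p for d in SUSPICIOUS_DIRS)


def parse_date(value: str):
    """RegistrationInfo/Date has 7 fractional digits and no offset; keep seconds only."""
    try:
        return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None


def triage_task(raw: bytes, window_start: str, window_end: str) -> dict:
    """Parse one task and attach the indicators described above; the window
    bounds are ISO timestamps (YYYY-MM-DDTHH:MM:SS) from the intrusion timeline."""
    task = parse_task(raw)
    found = set()
    created, start, end = (parse_date(v) for v in (task["created"], window_start, window_end))
    if created and start and end and start <= created <= end:
        found.add("created_in_intrusion_window")
    if task["user_id"].lower() in SYSTEM_IDS:
        found.add("runs_as_system")
    for action in task["actions"]:
        if is_encoded_powershell(action["command"], action["arguments"]):
            found.add("encoded_powershell")
        if is_unusual_path(action["command"]):
            found.add("unusual_binary_path")
    task["indicators"] = sorted(found)
    # SYSTEM context plus a suspicious payload is the high-confidence combination.
    task["high_confidence"] = "runs_as_system" in found and bool(found & {"encoded_powershell", "unusual_binary_path"})
    return task


if __name__ == "__main__":
    print(triage_task(SAMPLE_TASK_XML, "2024-03-13T00:00:00", "2024-03-15T00:00:00"))
```

To run this over a KAPE export, walk the copied Tasks tree with `pathlib.Path(...).rglob("*")`, pass each file's bytes to `triage_task`, and sort the results by the number of indicators. Two caveats worth keeping in mind when reading the output: the RegistrationInfo Date and Author elements are written by whatever client registered the task, so they can be absent or deliberately misleading, and the task file's own NTFS timestamps (and the matching entries under the Schedule\TaskCache registry keys) should be used to corroborate the creation time; and the script decodes the base64 argument nowhere, it only flags its presence, so the payload still has to be decoded and reviewed separately.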

Tools Required

KAPE, Autoruns (Sysinternals), PowerShell