Task Scheduler Operational Log

windowsPersistence MechanismsDisk ImageSIEM / Log Aggregator

Location

C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx

Description

Task Scheduler operational log capturing task lifecycle events: Event 106 (task registered), Event 140 (task updated), Event 141 (task deleted), Event 200/201 (task execution started/completed).

Forensic Value

Task Scheduler events complement the XML task definitions in C:\Windows\System32\Tasks by providing exact timestamps for when tasks were created, modified, and executed. Event 106 timestamps pinpoint when an attacker installed a scheduled task for persistence. Event 141 detects anti-forensic deletion of tasks after execution. Correlating Event 200/201 execution times with other artifact timelines confirms which tasks actually ran.

Tools Required

KAPEEvtxECmd (Eric Zimmerman)Event Log ExplorerChainsaw

Acquisition Methods

FTK Imager Full Disk Image

windows — physical

EnCase Forensic Full Disk Image

windows — physical

dd / dc3dd Raw Disk Image

windows — physical

Guymager Full Disk Image

windows — physical

FTK Imager Logical Image (AD1)

windows — logical