Task Scheduler Operational Log
Windows | Persistence Mechanisms | Disk Image | SIEM / Log Aggregator

Location
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx

Description
Task Scheduler operational log capturing task lifecycle events: Event 106 (task registered), Event 140 (task updated), Event 141 (task deleted), Event 200/201 (task execution started/completed).
Forensic Value
Task Scheduler events complement the XML task definitions in C:\Windows\System32\Tasks by providing exact timestamps for when tasks were created, modified, and executed. Event 106 timestamps pinpoint when an attacker installed a scheduled task for persistence. Event 141 records task deletion, which exposes anti-forensic cleanup of a task after it has run, even when the XML definition under C:\Windows\System32\Tasks is already gone. Correlating Event 200/201 execution times with other artifact timelines confirms which tasks actually ran, and when.
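As an added example (not part of this artifact page or any of the listed tools), the following Python script reads an exported event list, rebuilds each task's lifecycle from the event IDs above, and flags tasks that were registered (106) and deleted (141) within a short window, noting whether a 200 execution sits between them. The column names TimeCreated, EventId and TaskName and the sample rows are constructed assumptions; map them to the columns your EvtxECmd or Export-Csv output actually uses.

```python
"""Rebuild per-task lifecycles from Task Scheduler Operational events (106/140/141/200/201)."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export. Column names are an assumption, not a real exporter schema.
SAMPLE_CSV = r"""TimeCreated,EventId,TaskName
2024-03-10T08:00:00,106,\Microsoft\Windows\Defrag\ScheduledDefrag
2024-03-10T14:12:03,106,\Updater
2024-03-10T14:12:05,200,\Updater
2024-03-10T14:12:09,201,\Updater
2024-03-10T14:15:40,141,\Updater
2024-03-11T02:00:00,200,\Microsoft\Windows\Defrag\ScheduledDefrag
2024-03-11T02:03:11,201,\Microsoft\Windows\Defrag\ScheduledDefrag
"""

# Event IDs documented for this log and the lifecycle stage each one records.
EVENT_NAMES = {106: "registered", 140: "updated", 141: "deleted", 200: "started", 201: "completed"}


def load_events(text):
    """Parse the CSV text into (timestamp, event_id, task_name) tuples, oldest first."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        eid = int(r["EventId"])
        if eid in EVENT_NAMES:  # ignore event IDs this example does not model
            rows.append((datetime.fromisoformat(r["TimeCreated"]), eid, r["TaskName"]))
    rows.sort()
    return rows


def build_timelines(events):
    """Group events by task path so each task's lifecycle can be read in order."""
    timelines = defaultdict(list)
    for ts, eid, task in events:
        timelines[task].append((ts, EVENT_NAMES[eid]))
    return dict(timelines)


def find_registered_then_deleted(timelines, max_hours=24):
    """Return (task, registered_at, deleted_at, executed) for tasks registered and
    deleted within max_hours: a short-lived task is worth an analyst's attention."""
    hits = []
    for task, tl in timelines.items():
        registered = [ts for ts, name in tl if name == "registered"]
        deleted = [ts for ts, name in tl if name == "deleted"]
        executed = any(name == "started" for _, name in tl)
        if registered and deleted and (deleted[-1] - registered[0]).total_seconds() <= max_hours * 3600:
            hits.append((task, registered[0], deleted[-1], executed))
    return hits


if __name__ == "__main__":
    for task, reg, dele, ran in find_registered_then_deleted(build_timelines(load_events(SAMPLE_CSV))):
        print(f"{task}: registered {reg}, deleted {dele}, executed={ran}")
```

Run against a real export, the `\Updater`-style hit lists the 106 and 141 timestamps you then pin to the other artifact timelines the page describes.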
Tools Required
KAPE
EvtxECmd (Eric Zimmerman)
Event Log Explorer
Chainsaw
Collection Commands
KAPE
kape.exe --tsource C: --tdest C:\output --target EventLogs
EvtxECmd
EvtxECmd.exe -f "C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx" --csv C:\output --csvf TaskScheduler.csv
PowerShell
Get-WinEvent -FilterHashtable @{LogName="Microsoft-Windows-TaskScheduler/Operational"; Id=106,141,200,201} | Export-Csv C:\output\task_scheduler_events.csv

Collection Constraints
- Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.
- Centralized log copies may normalize, truncate, or drop fields relative to the original on-host artifact. Preserve the local source when scope and access permit.
MITRE ATT&CK Techniques
T1053.005 (Scheduled Task/Job: Scheduled Task)
T1070.004 (Indicator Removal: File Deletion)