# Scheduled Tasks ## Enumerate

Command	Description
`schtasks`	Scheduled tasks
`schtasks /query`	Scheduled tasks with status
`schtasks /query /v`	Detailed info
`schtasks /query /v list /FO`	Scheduled tasks
`schtasks /query /v /tn <taskname> /fo LIST`	Specific task
`schtasks /query /s <System>`	Scheduled tasks on specified remote host
`schtasks /query /v /FO list \| findstr /B "Task Name:" \| sort`	Find specific task and sort
`schtasks /query /fo list /v \| findstr /v "\\Microsoft"`	Filter out key words like "Microsoft"
`Get-ScheduledTask`	List all scheduled
`Get-ScheduledTask -TaskName <TaskName>`	Specific scheduled task
`Get-ScheduledTaskInfo`	Last run time and result for all scheduled tasks
`Get-ScheduledTaskInfo -TaskName <TaskName>`	Last run time and result for specific scheduled task
`Get-ScheduledTask -TaskPath <TaskPath>`	Scheduled tasks in specific folder
`Get-ScheduledTask \| Where-Object {$_.State -eq 'Running'}`	All currently running scheduled tasks
`Get-ScheduledTask \| ft TaskName,TaskPath,State`	All scheduled tasks and only include those three fields
`Get-CimInstance -ClassName Win32_ScheduledJob`	Retrieves a list of AT-style scheduled jobs (not including tasks created via Task Scheduler)

WMIC: WMIC is less effective for enumerating modern scheduled tasks and is primarily used for backward compatibility with older systems. Lists AT-style scheduled jobs on the local computer using WMIC: ```powershell wmic /node:"localhost" /namespace:"\\root\cimv2" path Win32_ScheduledJob get * ``` Filter out keyword "Microsoft\*": ```powershell Get-ScheduledTask | where {$_.TaskPath -notlike "\\Microsoft\*"} | ft Taskname,TaskPath,State ``` ## Modify

Command	Description
`schtasks /create /tn <TaskName> /tr <TaskRun> /sc <ScheduleType>`	Creates a new scheduled task.
`schtasks /create /xml <XMLFile> /tn <TaskName>`	Creates a new scheduled task from an XML file.
`schtasks /change /tn <TaskName> [options]`	Changes properties of a scheduled task.
`schtasks /delete /tn <TaskName>`	Deletes a scheduled task.
`schtasks /run /tn <TaskName>`	Runs a scheduled task immediately.
`schtasks /end /tn <TaskName>`	Stops a currently running scheduled task.
`New-ScheduledTask`	Creates a scheduled task definition.
`Register-ScheduledTask -TaskName <TaskName> -InputObject <ScheduledTask>`	Registers a scheduled task with the Task Scheduler.
`Set-ScheduledTask -TaskName <TaskName> [options]`	Modifies settings of an existing scheduled task.
`Unregister-ScheduledTask -TaskName <TaskName>`	Unregisters (deletes) a scheduled task.
`Start-ScheduledTask -TaskName <TaskName>`	Starts a scheduled task immediately.
`Stop-ScheduledTask -TaskName <TaskName>`	Stops a currently running scheduled task.
`Export-ScheduledTask -TaskName <TaskName>`	Exports a scheduled task to an XML file.
`Import-ScheduledTask -Xml <XMLContent> -TaskName <TaskName>`	Creates a new scheduled task from an XML string or file.

## Registry Locations HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache Contains subkeys with detailed information about scheduled tasks, including: hierarchical structure of task folders and tasks (Tree) individual task definitions (Tasks) tasks scheduled to run at system startup (Boot) or user logon (Logon). HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter Stores information about tasks migrated from older versions of Windows. HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\SchedulingAgent Used in older versions of Windows, contains information about tasks scheduled using the AT command. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.shellspells.net/windows/system-ops/scheduled-tasks.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.