Scheduled Tasks

Enumerate

schtasks

Scheduled tasks

schtasks /query

Scheduled tasks with status

schtasks /query /v

Detailed info

schtasks /query /v list /FO

Scheduled tasks

schtasks /query /v /tn <taskname> /fo LIST

Specific task

schtasks /query /s <System>

Scheduled tasks on specified remote host

schtasks /query /v /FO list | findstr /B "Task Name:" | sort

Find specific task and sort

schtasks /query /fo list /v | findstr /v "\\Microsoft"

Filter out key words like "Microsoft"

Get-ScheduledTask

List all scheduled

Get-ScheduledTask -TaskName <TaskName>

Specific scheduled task

Get-ScheduledTaskInfo

Last run time and result for all scheduled tasks

Get-ScheduledTaskInfo -TaskName <TaskName>

Last run time and result for specific scheduled task

Get-ScheduledTask -TaskPath <TaskPath>

Scheduled tasks in specific folder

Get-ScheduledTask | Where-Object {$_.State -eq 'Running'}

All currently running scheduled tasks

Get-ScheduledTask | ft TaskName,TaskPath,State

All scheduled tasks and only include those three fields

Get-CimInstance -ClassName Win32_ScheduledJob

Retrieves a list of AT-style scheduled jobs (not including tasks created via Task Scheduler)

WMIC:

WMIC is less effective for enumerating modern scheduled tasks and is primarily used for backward compatibility with older systems. Lists AT-style scheduled jobs on the local computer using WMIC:

wmic /node:"localhost" /namespace:"\\root\cimv2" path Win32_ScheduledJob get *

Filter out keyword "Microsoft*":

Get-ScheduledTask | where {$_.TaskPath -notlike "\\Microsoft\*"} | ft Taskname,TaskPath,State

Modify

schtasks /create /tn <TaskName> /tr <TaskRun> /sc <ScheduleType>

Creates a new scheduled task.

schtasks /create /xml <XMLFile> /tn <TaskName>

Creates a new scheduled task from an XML file.

schtasks /change /tn <TaskName> [options]

Changes properties of a scheduled task.

schtasks /delete /tn <TaskName>

Deletes a scheduled task.

schtasks /run /tn <TaskName>

Runs a scheduled task immediately.

schtasks /end /tn <TaskName>

Stops a currently running scheduled task.

New-ScheduledTask

Creates a scheduled task definition.

Register-ScheduledTask -TaskName <TaskName> -InputObject <ScheduledTask>

Registers a scheduled task with the Task Scheduler.

Set-ScheduledTask -TaskName <TaskName> [options]

Modifies settings of an existing scheduled task.

Unregister-ScheduledTask -TaskName <TaskName>

Unregisters (deletes) a scheduled task.

Start-ScheduledTask -TaskName <TaskName>

Starts a scheduled task immediately.

Stop-ScheduledTask -TaskName <TaskName>

Stops a currently running scheduled task.

Export-ScheduledTask -TaskName <TaskName>

Exports a scheduled task to an XML file.

Import-ScheduledTask -Xml <XMLContent> -TaskName <TaskName>

Creates a new scheduled task from an XML string or file.

Registry Locations

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache

Contains subkeys with detailed information about scheduled tasks, including:

hierarchical structure of task folders and tasks (Tree)

individual task definitions (Tasks)

tasks scheduled to run at system startup (Boot) or user logon (Logon).

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter

Stores information about tasks migrated from older versions of Windows.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SchedulingAgent

Used in older versions of Windows, contains information about tasks scheduled using the AT command.

PreviousModify NextProcesses

Last updated 1 year ago

Was this helpful?

Enumerate

schtasks

Scheduled tasks

schtasks /query

Scheduled tasks with status

schtasks /query /v

Detailed info

schtasks /query /v list /FO

Scheduled tasks

schtasks /query /v /tn <taskname> /fo LIST

Specific task

schtasks /query /s <System>

Scheduled tasks on specified remote host

schtasks /query /v /FO list | findstr /B "Task Name:" | sort

Find specific task and sort

schtasks /query /fo list /v | findstr /v "\\Microsoft"

Filter out key words like "Microsoft"

Get-ScheduledTask

List all scheduled

Get-ScheduledTask -TaskName <TaskName>

Specific scheduled task

Get-ScheduledTaskInfo

Last run time and result for all scheduled tasks

Get-ScheduledTaskInfo -TaskName <TaskName>

Last run time and result for specific scheduled task

Get-ScheduledTask -TaskPath <TaskPath>

Scheduled tasks in specific folder

Get-ScheduledTask | Where-Object {$_.State -eq 'Running'}

All currently running scheduled tasks

Get-ScheduledTask | ft TaskName,TaskPath,State

All scheduled tasks and only include those three fields

Get-CimInstance -ClassName Win32_ScheduledJob

Retrieves a list of AT-style scheduled jobs (not including tasks created via Task Scheduler)

WMIC:

WMIC is less effective for enumerating modern scheduled tasks and is primarily used for backward compatibility with older systems. Lists AT-style scheduled jobs on the local computer using WMIC:

wmic /node:"localhost" /namespace:"\\root\cimv2" path Win32_ScheduledJob get *

Filter out keyword "Microsoft*":

Get-ScheduledTask | where {$_.TaskPath -notlike "\\Microsoft\*"} | ft Taskname,TaskPath,State

Modify

schtasks /create /tn <TaskName> /tr <TaskRun> /sc <ScheduleType>

Creates a new scheduled task.

schtasks /create /xml <XMLFile> /tn <TaskName>

Creates a new scheduled task from an XML file.

schtasks /change /tn <TaskName> [options]

Changes properties of a scheduled task.

schtasks /delete /tn <TaskName>

Deletes a scheduled task.

schtasks /run /tn <TaskName>

Runs a scheduled task immediately.

schtasks /end /tn <TaskName>

Stops a currently running scheduled task.

New-ScheduledTask

Creates a scheduled task definition.

Register-ScheduledTask -TaskName <TaskName> -InputObject <ScheduledTask>

Registers a scheduled task with the Task Scheduler.

Set-ScheduledTask -TaskName <TaskName> [options]

Modifies settings of an existing scheduled task.

Unregister-ScheduledTask -TaskName <TaskName>

Unregisters (deletes) a scheduled task.

Start-ScheduledTask -TaskName <TaskName>

Starts a scheduled task immediately.

Stop-ScheduledTask -TaskName <TaskName>

Stops a currently running scheduled task.

Export-ScheduledTask -TaskName <TaskName>

Exports a scheduled task to an XML file.

Import-ScheduledTask -Xml <XMLContent> -TaskName <TaskName>

Creates a new scheduled task from an XML string or file.

Registry Locations

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache

Contains subkeys with detailed information about scheduled tasks, including:

hierarchical structure of task folders and tasks (Tree)

individual task definitions (Tasks)

tasks scheduled to run at system startup (Boot) or user logon (Logon).

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter

Stores information about tasks migrated from older versions of Windows.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SchedulingAgent

Used in older versions of Windows, contains information about tasks scheduled using the AT command.