Created
January 26, 2023 12:31
-
-
Save Purp1eW0lf/84831280994f77861589285cdd160d77 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Make the schtask for the test | |
| schtasks /create /tn "Find_Me" /tr calc.exe /sc minute /mo 100 /k | |
| # Loop and parse \Taskcache\Tasks Registry location for scheduled tasks | |
| ## Parses Actions to show the underlying binary / commands for the schtask | |
| ## Could replace Actions with Trigggers on line 10, after ExpandedProperty | |
| (Get-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tasks\*").PSChildName | | |
| Foreach-Object { | |
| write-host "----Schtask ID is $_---" -ForegroundColor Magenta ; | |
| $hexstring = (Get-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tasks\$_" | Select -ExpandProperty Actions) -join ',' ; | |
| ($hexstring.Split(",",[System.StringSplitOptions]::RemoveEmptyEntries) | ?{$_ -gt '0'} | ForEach{[char][int]"$($_)"}) -join '' | |
| } | |
| # Then for the ID of interest under \Taskcache\Tree subkey | |
| # Example: $ID = "{8E350038-3475-413A-A1AE-20711DD11C95}" ; | |
| $ID = "{XYZ}" ; | |
| get-itemproperty -path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tree\*" | ? Id -Match "$ID" | fl *Name,Id,PsPath |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This might help: winreg-tasks-amd64.exe
Related blog and GitHub
Actions:
Triggers:
Timestamps: