Kenz91
29 Posts

Pinned topic Scheduled tasks

2011-04-19T15:07:57Z
Is there an easy way to collect the Scheduled tasks, schedule time, and the user account used to run it on Windows servers?
  • cstoneba
    286 Posts

    Re: Scheduled tasks

    ‏2011-04-19T15:26:30Z  
    This seems to work, but I don't see an easy way of pulling back the username

    (names of it, next run times of it) of scheduled tasks

    Run in QnA to see all inspectors for 'scheduled tasks'
    q: properties whose (it as string as lowercase contains "scheduled")
  • NoahSalzman
    676 Posts

    Re: Scheduled tasks

    ‏2011-04-19T21:41:41Z  
    I created a task named "Test Task" in Windows 7 and was able to get the user account from it using the XML doc associated with the task. There is one weird bit in this example where I had to get rid of the XML namespace (XMLNS) attribute to make it work with the xpath inspector:

    q: node values of child nodes of xpaths ("Task/Principals/Principal/UserId") of xml document of (concatenation "foo=" of substrings separated by "xmlns=" of xml of scheduled task whose (name of it is "Test Task"))
    A: GANYMEDE\Noah Salzman

    Edit: here is a better way to do it that works around the namespace issue

    q: node values of child nodes of xpaths ("/*/*/*/*") of xml document of xml of scheduled task whose (name of it is "Test Task")
    A: GANYMEDE\Noah Salzman
  • MattBoyd
    227 Posts

    Re: Scheduled tasks

    ‏2011-04-20T01:49:20Z  
    xpath <3
  • NoahSalzman
    676 Posts

    Re: Scheduled tasks

    ‏2011-04-20T04:21:46Z  
    I dunno man... maybe it's just lack of familiarity but the syntax seems sorta goofy. But yes, it's better than "child nodes of child nodes... " over and over. :-)
  • Kenz91
    29 Posts

    Re: Scheduled tasks

    ‏2011-04-20T13:54:37Z  
    Thanks for the suggestions. I ended up creating a task using the cmd line to run schtasks.exe and parsed the data into a text file, then pulled that out with an analysis. It's really a shame that the inspector doesn't include the username property.
  • NoahSalzman
    676 Posts

    Re: Scheduled tasks

    ‏2011-04-20T16:15:43Z  
    I'm a little confused? Isn't that what I gave you? Are you saying "I want you to finish my homework and complete the solution with the time stamp added in."? :-)
  • MattBoyd
    227 Posts

    Re: Scheduled tasks

    ‏2011-04-20T22:59:31Z  
    Don't have hate for the namespace, embrace it!

    (names of it, node values of child nodes of xpaths ("xmlns:t='http://schemas.microsoft.com/windows/2004/02/mit/task'", "/t:Task/t:Principals/t:Principal/t:UserId") of xml documents of xmls of it) of scheduled tasks whose (name of it contains "Google")

    Thanks to whoever implemented namespace-prefix mappings into the xpath inspector :)
  • NoahSalzman
    676 Posts

    Re: Scheduled tasks

    ‏2011-04-20T23:28:56Z  
    Ooo... nice, I was looking for an example for what you just did but was having trouble wading through all the C#, xslt, and vb garbage on the nets.

    Kenz, here is the version that will answer your original question:

    q: ((names of it, node values of child nodes of xpaths ("xmlns:t='http://schemas.microsoft.com/windows/2004/02/mit/task'", "/t:Task/t:Principals/t:Principal/t:UserId") of xml documents of xmls of it), (next run times of it)) of scheduled tasks
    A: ( Test Task, GANYMEDE\Noah Salzman ), ( Thu, 21 Apr 2011 10:00:31 -0700 )
    A: ( AitAgent, S-1-5-18 ), ( Thu, 21 Apr 2011 02:30:00 -0700 )
    A: ( ProgramDataUpdater, S-1-5-18 ), ( Thu, 21 Apr 2011 00:30:00 -0700 )
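The namespace behaviour discussed in the posts above, as an added example outside BigFix (not code from the thread): the task XML declares a default namespace, so an unprefixed path matches nothing until a prefix is mapped to it. The sample task documents are constructed, and the `GroupId` fallback and the SID-to-name table are additions that go beyond what the thread covers.

```python
import xml.etree.ElementTree as ET

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
NS = {"t": TASK_NS}  # same prefix mapping as the relevance query above
WELL_KNOWN = {"S-1-5-18": "LocalSystem", "S-1-5-19": "LocalService",
              "S-1-5-20": "NetworkService"}

def make_task(principal_xml):
    """Build a constructed, minimal task document for the demo."""
    return (f'<Task version="1.2" xmlns="{TASK_NS}"><Principals>'
            f'<Principal id="Author">{principal_xml}</Principal>'
            '</Principals></Task>')

# Constructed sample data, not exported from a real host.
SAMPLE_TASKS = {
    "Test Task": make_task(r"<UserId>GANYMEDE\Noah Salzman</UserId>"),
    "AitAgent": make_task("<UserId>S-1-5-18</UserId>"),
    "Group Task": make_task("<GroupId>S-1-5-32-545</GroupId>"),
}

def find_unprefixed(task_xml):
    """Naive lookup that ignores the default namespace; matches nothing."""
    return ET.fromstring(task_xml).findall("Principals/Principal/UserId")

def principal_of(task_xml):
    """Return (kind, identity) for the task's principal, or (None, None)."""
    root = ET.fromstring(task_xml)
    # Some tasks run under a group and carry GroupId instead of UserId.
    for kind in ("UserId", "GroupId"):
        node = root.find(f"t:Principals/t:Principal/t:{kind}", NS)
        if node is not None and node.text:
            ident = node.text.strip()
            return kind, WELL_KNOWN.get(ident, ident)
    return None, None

def inventory(tasks):
    """Map task name -> (kind, identity), ordered by task name."""
    return {name: principal_of(xml) for name, xml in sorted(tasks.items())}

if __name__ == "__main__":
    for name, (kind, ident) in inventory(SAMPLE_TASKS).items():
        print(f"{name}: {kind}={ident}")
```
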
  • SystemAdmin
    2808 Posts

    Re: Scheduled tasks

    ‏2011-04-21T13:09:07Z  
    Seems like a good candidate for an official Scheduled Tasks Analysis from IBM.....
  • MattBoyd
    227 Posts

    Re: Scheduled tasks

    ‏2011-04-21T17:46:37Z  
    Noah
    Ooo... nice, I was looking for an example for what you just did but was having trouble wading through all the C#, xslt, and vb garbage on the nets.
    Yeah, it's hard to find good examples of advanced xpath stuff. This link gives a good explanation of what's going on here with the default namespace: http://www.edankert.com/defaultnamespaces.html. The xpath inspector allows us to define our own namespace prefix mappings for such events. Yay!

    jaspanitz
    Seems like a good candidate for an official Scheduled Tasks Analysis from IBM.....
    That would be nice! It reminds me of this feature suggestion that you brought up: http://forum.bigfix.com/viewtopic.php?id=5405. I think this is a good example of where that would be useful.
  • Kenz91
    29 Posts

    Re: Scheduled tasks

    ‏2011-04-22T15:31:40Z  
    Noah
    I'm a little confused? Isn't that what I gave you? Are you saying "I want you to finish my homework and complete the solution with the time stamp added in."? :-)
    Didn't mean to upset you. I was just saying I used an alternative method before you posted what you did. When I didn't see username as one of the properties of the scheduled tasks inspector I went with a less elegant solution.
  • NoahSalzman
    676 Posts

    Re: Scheduled tasks

    ‏2011-04-22T17:28:04Z  
    :-)
  • Kenz91
    29 Posts

    Re: Scheduled tasks

    ‏2011-04-26T15:39:22Z  
    Is there something similar that will pull the UserId for services?
  • NoahSalzman
    676 Posts

    Re: Scheduled tasks

    ‏2011-04-26T15:44:18Z  
    You are probably looking for "login account of <service>".
    q: properties whose (it as string contains "service" and it as string does not contain "firewall")
    A: service key value name of <active device>: string
    A: service pack major version of <operating system>: integer
    A: service pack minor version of <operating system>: integer
    A: service <string>: service
    A: services: service
    A: win32 services: service
    A: driver services: service
    A: all services: service
    A: running service <string>: service
    A: running services: service
    A: win32 running services: service
    A: driver running services: service
    A: all running services: service
    A: relay service: service
    A: main gather service: service
    A: service name of <service>: string
    A: display name of <service>: string
    A: state of <service>: string
    A: can interact with desktop of <service>: boolean
    A: win32 exit code of <service>: integer
    A: service specific exit code of <service>: integer
    A: checkpoint of <service>: integer
    A: login account of <service>: string
    A: start type of <service>: string
    A: image path of <service>: string
    A: file of <service>: file
    A: version of <service>: version
    A: win32 type of <service>: boolean
    A: driver type of <service>: boolean
    A: service group: security account
    A: local service group: security account
    A: network service group: security account
    A: security descriptor of <service>: security descriptor
    A: service account logon of <task principal>: boolean
  • Kenz91
    29 Posts

    Re: Scheduled tasks

    ‏2011-04-26T15:59:34Z  
    Thanks Noah that's what I was looking for.
  • cstoneba
    286 Posts

    Re: Scheduled tasks

    ‏2013-06-27T13:38:21Z  

    It appears that "(names of it, node values of child nodes of xpaths ("xmlns:t='http://schemas.microsoft.com/windows/2004/02/mit/task'", "/t:Task/t:Principals/t:Principal/t:UserId") of xml documents of xmls of it) of scheduled tasks" doesn't work on Win2003 systems, because I'm getting ",<none>" as a result for those endpoints, but when I run "names of scheduled tasks" in fixlet debugger on one of them, I get results.

    Has anyone found a workaround to get this to return the name and userid of scheduled tasks on Win2003 or WinXP?
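The schtasks.exe route Kenz91 described earlier in the thread does not rely on task XML (Windows XP and Server 2003 use Task Scheduler 1.0, which has no XML task definitions). The following is an added example, not code from the thread: the sample CSV is constructed and trimmed to a few columns, and the column names assume English-language `schtasks /query /fo csv /v` output.

```python
import csv
import io

# Constructed sample, trimmed to five columns. The header row appears twice
# because the output can repeat it, which a plain CSV load would treat as data.
SAMPLE_CSV = r'''"HostName","TaskName","Next Run Time","Status","Run As User"
"SRV01","\Test Task","4/21/2011 10:00:31 AM","Ready","GANYMEDE\Noah Salzman"
"HostName","TaskName","Next Run Time","Status","Run As User"
"SRV01","\Microsoft\Windows\AitAgent","4/21/2011 2:30:00 AM","Ready","SYSTEM"
"SRV01","\Disabled Job","N/A","Disabled","NT AUTHORITY\SYSTEM"
'''

def parse_schtasks_csv(text):
    """Return (task name, next run time, run-as account) per task row."""
    header = None
    records = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue              # blank separator lines
        if header is None:
            header = row          # first header defines the columns
            continue
        if row == header:
            continue              # repeated header, not a task
        rec = dict(zip(header, row))
        records.append((rec["TaskName"], rec["Next Run Time"],
                        rec["Run As User"]))
    return records

def runs_as_system(records):
    """Task names whose run-as account is SYSTEM, with or without a prefix."""
    return [name for name, _next_run, user in records
            if user.rsplit("\\", 1)[-1].upper() == "SYSTEM"]

if __name__ == "__main__":
    for name, next_run, user in parse_schtasks_csv(SAMPLE_CSV):
        print(f"{name}\t{next_run}\t{user}")
```
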