PowerShell Pipeline
Using the ScheduledTasks Module to Audit Tasks in PowerShell
Not only get regular tasks planned for later, but keep tabs on what you have running and when.
Scheduled tasks are a great way to automate things that need to happen at a specific time or to occur a more recurring time frame. Whether it is auditing things such as services or performing an operation in the middle of the night, scheduled tasks are the way to go! It's not just user created tasks, there are many system-created tasks that run in the background that are created by the OS or by an application that might check for an update for the application.
[Click on image for larger view.] Figure 1.
Usually we would look to the Task Scheduler UI to view the jobs as well as running and creating new ones or use the SchTasks.exe executable to perform the same type of actions via the command line.
[Click on image for larger view.] Figure 2.
These approaches work and get the job done, but today I am going to show you an alternative way using the PowerShell module for managing scheduled tasks called ScheduledTasks. This module is available in Windows 8 and Windows Server 2012 and above to use.
We can look at all of the available commands in the ScheduledTasks by running the following command:
Get-Command -Module ScheduledTasks
CommandType Name Version Source
----------- ---- ------- ------
Function Disable-ScheduledTask 1.0.0.0 ScheduledTasks
Function Enable-ScheduledTask 1.0.0.0 ScheduledTasks
Function Export-ScheduledTask 1.0.0.0 ScheduledTasks
Function Get-ClusteredScheduledTask 1.0.0.0 ScheduledTasks
Function Get-ScheduledTask 1.0.0.0 ScheduledTasks
Function Get-ScheduledTaskInfo 1.0.0.0 ScheduledTasks
Function New-ScheduledTask 1.0.0.0 ScheduledTasks
Function New-ScheduledTaskAction 1.0.0.0 ScheduledTasks
Function New-ScheduledTaskPrincipal 1.0.0.0 ScheduledTasks
Function New-ScheduledTaskSettingsSet 1.0.0.0 ScheduledTasks
Function New-ScheduledTaskTrigger 1.0.0.0 ScheduledTasks
Function Register-ClusteredScheduledTask 1.0.0.0 ScheduledTasks
Function Register-ScheduledTask 1.0.0.0 ScheduledTasks
Function Set-ClusteredScheduledTask 1.0.0.0 ScheduledTasks
Function Set-ScheduledTask 1.0.0.0 ScheduledTasks
Function Start-ScheduledTask 1.0.0.0 ScheduledTasks
Function Stop-ScheduledTask 1.0.0.0 ScheduledTasks
Function Unregister-ClusteredScheduledTask 1.0.0.0 ScheduledTasks
Function Unregister-ScheduledTask 1.0.0.0 ScheduledTasks
With 19 cmdlets here, we pretty much have everything that we need to not only view the scheduled tasks, but also to build them and start/stop them as well. Today I only care about knowing what scheduled tasks that I have an exploring those to see what kind of data I can find within them. PowerShell being an object oriented language means that when I run Get-ScheduledTask I will get back an actual object instead of text that I would have to parse through in order to get the information that I need presented in a useful way.
Before we do that, let's take a quick look at the command to see what we have available using Get-Help.
Get-Help Get-ScheduledTask
[Click on image for larger view.] Figure 3.
This supports remote systems using the –CimSession parmeter which means that you must first create the CimSession for each remote system prior to or you can just supply the computername and the CimSession will be built automatically and used with the command.
Using Get-ScheduledTask, we can begin to look at the object more closely and see what we are actually working with.
$Tasks = Get-ScheduledTask
$Tasks
[Click on image for larger view.] Figure 4.
The tasks are shown in a default table view but we can pick any task and display all of the properties of the object by piping the object to Select-Object and using the Property parameter to specify a * to force everything to be displayed.
PS C:\> $Tasks[0] | Select-Object -Property *
State : Ready
Actions : {MSFT_TaskExecAction}
Author : Dell, Inc.
Date : 2016-07-07T18:29:15.7909868-05:00
Description : Dell SupportAssistAgent Auto Update Task Scheduler
Documentation :
Principal : MSFT_TaskPrincipal2
SecurityDescriptor :
Settings : MSFT_TaskSettings3
Source :
TaskName : Dell SupportAssistAgent AutoUpdate
TaskPath : \
Triggers : {MSFT_TaskWeeklyTrigger}
URI : \Dell SupportAssistAgent AutoUpdate
Version :
PSComputerName :
CimClass : Root/Microsoft/Windows/TaskScheduler:MSFT_ScheduledTask
CimInstanceProperties : {Actions, Author, Date, Description...}
CimSystemProperties : Microsoft.Management.Infrastructure.CimSystemProperties
From here we can see some interesting properties such as the Author of the task (in this case it is Dell) as well as the state of the job. I am more interested in the Actions and Triggers properties but have to dive deeper into the object to determine what are in those properties. As you will see, each of these properties house another object with even more properties to view.
First off, we can take a look at the Triggers to see what start the task and when it will run again.
PS C:\> $Tasks[0].Triggers
Enabled : True
EndBoundary :
ExecutionTimeLimit :
Id :
Repetition : MSFT_TaskRepetitionPattern
StartBoundary : 2016-07-11T20:29:15
DaysOfWeek : 2
RandomDelay :
WeeksInterval : 1
PSComputerName :
PS C:\> $Tasks[0].Actions
Id :
Arguments : AutoUpdate
Execute : C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssist.exe
WorkingDirectory : C:\Program Files (x86)\Dell\SupportAssistAgent\bin
PSComputerName :
PS C:\> $Tasks[0].Triggers.Repetition
Duration Interval StopAtDurationEnd PSComputerName
-------- -------- ----------------- --------------
False
We can tell by the properties that this will run at 8:29:15PM every Monday (the 2 represents the second day of the week with Sunday being the first day of the week and being a 1). Also we see that the weeksInterval is a 1 meaning that this will one every week. The Repetition property is also another object and we also took a look in there just to see what was available.
Looking at the Actions property will show us what the task will do.
PS C:\> $Tasks[0].Actions
Id :
Arguments : AutoUpdate
Execute : C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssist.exe
WorkingDirectory : C:\Program Files (x86)\Dell\SupportAssistAgent\bin
PSComputerName :
Here we see that the taks will run an executable called SupportAssist.exe with an argument of AutoUpdate. This is great information to look at if you see a scheduled task that you are not familiar with and want to know what it is really doing.
Lastly, we want to see what the user context that this job will run under. We can determine this by looking at the Principal property of the scheduled task object.
PS C:\> $Tasks[0].Principal
DisplayName :
GroupId : Users
Id : Author
LogonType : Group
RunLevel : Highest
UserId :
ProcessTokenSidType : Default
RequiredPrivilege :
PSComputerName :
We can see that this scheduled task runs under the users group account (known by looking at the GroupID property) and runs with the highest privileges as shown by the RunLevel property. If this was run under a user account, the UserID property would have data in it instead and the LogonType property would have a different value such as Interactive.
Using this cmdlet, I can quickly find all scheduled tasks which are running under my user account that I may or may not be aware of.
PS C:\> Get-ScheduledTask | Where {
$_.Principal.UserID -eq 'proxb'
}
TaskPath TaskName State
-------- -------- -----
\ G2MUpdateTask-S-1-5-21-1622209... Ready
\ G2MUploadTask-S-1-5-21-1622209... Ready
\ OneDrive Standalone Update Tas... Ready
\ PCDDataUploadTask Ready
\ PCDoctorBackgroundMonitorTask Ready
\ SystemToolsDailyTest Ready
\ TechSmith Updater Ready
\ User_Feed_Synchronization-{A22... Ready
It is interesting to see all of these scheduled tasks which are the result of applications that I have installed which are set to run under my user account. This is just one example of the many things that you can do with these cmdlets to get better grasp on what your systems are running with scheduled tasks!