Windows uses Task Scheduler to run automated jobs, known as Scheduled Tasks, based on defined triggers (e.g., at startup, login, or a specific time). Each task has one or more actions—scripts or programs to execute—configured under its properties. For privilege escalation, the focus is on three key details:
User context: Does the task run as SYSTEM or an administrator?
Triggers: When does it run? Is the condition re-usable within the testing window?
Actions: What program or script runs?
# /fo LIST -> format as list, /v -> display all properties (verbose)
PS C:\Users\steve> schtasks /query /fo LIST /v
Folder: \Microsoft
HostName: CLIENTWK220
TaskName: \Microsoft\CacheCleanup
Next Run Time: 4/7/2025 12:09:21 AM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: 4/7/2025 12:08:22 AM
Last Result: 0
Author: CLIENTWK220\daveadmin
Task To Run: C:\Users\steve\Pictures\BackendCacheCleanup.exe
Start In: C:\Users\steve\Pictures
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode
Run As User: daveadmin
Delete Task If Not Rescheduled: Disabled
Stop Task If Runs X Hours and X Mins: Disabled
Schedule: Scheduling data is not available in this format.
Schedule Type: One Time Only, Minute
Start Time: 7:37:21 AM
Start Date: 7/4/2022
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: 0 Hour(s), 1 Minute(s)
Repeat: Until: Time: None
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
# alternative
> Get-ScheduledTask
# the task is executed every minute
PS C:\Users\steve> net user
User accounts for \\CLIENTWK220
-------------------------------------------------------------------------------
Administrator BackupAdmin dave
dave2
<SNIP>
PS C:\Users\steve> net LocalGroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
<SNIP>
dave2
>SNIP>
