Scheduled Tasks

Windows uses Task Scheduler to run automated jobs, known as Scheduled Tasks, based on defined triggers (e.g., at startup, login, or a specific time). Each task has one or more actions—scripts or programs to execute—configured under its properties. For privilege escalation, the focus is on three key details:

  1. User context: Does the task run as SYSTEM or an administrator?

  2. Triggers: When does it run? Is the condition re-usable within the testing window?

  3. Actions: What program or script runs?

# /fo LIST -> format as list, /v -> display all properties (verbose)
> schtasks /query /fo LIST /v

HostName:                             CLIENTWK220
TaskName:                             \Microsoft\CacheCleanup
Next Run Time:                        4/7/2025 12:09:21 AM
Status:                               Ready
Logon Mode:                           Interactive/Background
Author:                               CLIENTWK220\daveadmin
Task To Run:                          C:\Users\steve\Pictures\BackendCacheCleanup.exe
Start In:                             C:\Users\steve\Pictures
Scheduled Task State:                 Enabled
Run As User:                          daveadmin
Schedule Type:                        One Time Only, Minute
Start Time:                           7:37:21 AM
Start Date:                           7/4/2022
Repeat: Every:                        0 Hour(s), 1 Minute(s)

# Alternative
> Get-ScheduledTask

# Check the binary's permissions: (F) = full access, (I) = inherited from the parent folder
> icacls BackendCacheCleanup.exe
BackendCacheCleanup.exe NT AUTHORITY\SYSTEM:(I)(F)
                        BUILTIN\Administrators:(I)(F)
                        CLIENTWK220\steve:(I)(F)
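
The same check from the defender's side, as an added example that is not part of the original notes: it lists every scheduled-task executable that an identity outside a trusted set is allowed to modify, together with the account the task runs as. The `$trusted` list and the English-language account names are assumptions to adjust per environment.

```powershell
# Added example: audit scheduled tasks for action binaries with weak ACLs.
# Run from an elevated session so every task and ACL is readable.

# Assumption: only these identities should hold write access to task binaries.
# Names are for an English-language install.
$trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
           'NT SERVICE\TrustedInstaller'

# Rights that let a principal replace or alter the file or its ACL.
$risky = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

$findings = foreach ($task in Get-ScheduledTask) {
    # Only exec actions carry a program path; COM handler actions do not.
    foreach ($action in ($task.Actions | Where-Object { $_.Execute })) {
        # Normalise the path: strip quotes, expand %VARIABLES%.
        $path = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))

        # Bare names that rely on PATH lookup are skipped here.
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }

        $acl = Get-Acl -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $acl) { continue }

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($trusted -contains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band [int]$risky) -eq 0) { continue }

            [pscustomobject]@{
                TaskName  = $task.TaskPath + $task.TaskName
                RunAsUser = $task.Principal.UserId
                RunLevel  = $task.Principal.RunLevel
                Binary    = $path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

$findings | Sort-Object TaskName | Format-Table -AutoSize -Wrap
```

On the host shown above, the `CLIENTWK220\steve:(I)(F)` entry would be reported for `\Microsoft\CacheCleanup`; the fix is to move the binary to a directory only administrators can write to and remove the user's inherited full-control entry.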
