hey,
I tried to create an analysis for Task Scheduler - to get the “RunAs” from each task.
I found this - Analysis for Task Scheduler
but it does not help me.
is there another solution for this?
thx a lot!!
You can pull the UserID from the XML definition of the task though that will only give you the SID, not the human readable account name.
Q: ((xpath ("xmlns:t='http://schemas.microsoft.com/windows/2004/02/mit/task'", "/t:Task/t:Principals/t:Principal/t:UserId") of it) of (xml documents of xmls of definitions of scheduled tasks whose (name of it = "MyTask"))) as text
A: S-1-5-21-1455835243-714552405-1575997552-501
T: 57.443 ms
I: plural string
3 Likes
first of all - thank you about the answer.
second - the final goal is to find all the users in entire the Domain - and after - change the password.
with your answer is not practical. is ton of work.
and again thank you so much about the answer, I appreciate it .
I just have to point out that three messages in, we still don’t know what problem you’re trying to solve. It might be helpful if you can explain what you’re trying to do, what approach you’re taking, and where you’re having difficulty.
At this point, I could think of three or four different problem statements, each will require an hour or two of my time to solve, and I don’t want to spend that time solving the wrong problem if it can be helped.
Please don’t consider this a complaint, I’m honestly doing my best to try to be helpful.
2 Likes
@JasonWalker Thanks for the response.
The main goal is to know where user service runs as a service and where it runs as a task.
After, I’ll have a list of every user service and I can change the password. For each user, I need to change the password in all places (tasks and services).
for example - I have this code (to analyze) :
(service name of it, display name of it, login account of it) of services
This code gives me all of the names of the services and who is running them. In a similar fashion, I need this for task scheduler.
Ok, based on the relevance from @SLB, we can cast the “SID String” result into a SID object - and the default property of a SID object is the account name, if Windows can resolve it.
This relevance should show all of the scheduled task names and the user under which it executes -
q: (name of it, sids ((xpath ("xmlns:t='http://schemas.microsoft.com/windows/2004/02/mit/task'", "/t:Task/t:Principals/t:Principal/t:UserId") of it) of (xml documents of xmls of definitions of it) as text)) of scheduled tasks
A: GoogleUpdateTaskMachineCore, NT AUTHORITY\SYSTEM
A: GoogleUpdateTaskMachineUA, NT AUTHORITY\SYSTEM
A: MicrosoftEdgeUpdateTaskMachineCore1d7f5299781d611, NT AUTHORITY\SYSTEM
A: MicrosoftEdgeUpdateTaskMachineUA, NT AUTHORITY\SYSTEM
A: OneDrive Reporting Task-S-1-5-21-180872656-3818583024-2697280795-1001, ENDPOINT-1\User1#
A: OneDrive Reporting Task-S-1-5-21-2394941984-4125370002-1414427154-1106, D\TestUser1
A: OneDrive Reporting Task-S-1-5-21-2394941984-4125370002-1414427154-500, D\Administrator
A: OneDrive Standalone Update Task-S-1-5-21-180872656-3818583024-2697280795-1001, ENDPOINT-1\User1#
A: OneDrive Standalone Update Task-S-1-5-21-2394941984-4125370002-1414427154-1106, D\TestUser1
A: OneDrive Standalone Update Task-S-1-5-21-2394941984-4125370002-1414427154-500, D\Administrator
A: Configuration Manager Health Evaluation, NT AUTHORITY\SYSTEM
A: Configuration Manager Idle Detection, NT AUTHORITY\SYSTEM
A: Configuration Manager Passport for Work Certificate Enrollment Task, NT AUTHORITY\SYSTEM
If we want to filter for only Domain accounts, you can put a whose() clause on the SID result, cast it as String and compare it with your domain name (or even your DOMAIN\username). Here, my test domain is named “D”
q: (name of it, sids ((xpath ("xmlns:t='http://schemas.microsoft.com/windows/2004/02/mit/task'", "/t:Task/t:Principals/t:Principal/t:UserId") of it) of (xml documents of xmls of definitions of it) as text) whose (it as string starts with "D\")) of scheduled tasks
A: OneDrive Reporting Task-S-1-5-21-2394941984-4125370002-1414427154-1106, D\TestUser1
A: OneDrive Reporting Task-S-1-5-21-2394941984-4125370002-1414427154-500, D\Administrator
A: OneDrive Standalone Update Task-S-1-5-21-2394941984-4125370002-1414427154-1106, D\TestUser1
A: OneDrive Standalone Update Task-S-1-5-21-2394941984-4125370002-1414427154-500, D\Administrator
2 Likes
Thank for the help.!
I thought you solved my problem
But what you send me does not work, so I made few changes.
And the code below gives me all the list I needed.
(name of it, sids ((xpath ("xmlns:t='http://schemas.microsoft.com/windows/2004/02/mit/task'", "/t:Task/t:Principals/t:Principal") of it) of (xml documents of xmls of definitions of it) as text) whose (it as string starts with "S-1-5-21-")) of scheduled tasks
But the problem - it is show me ‘SID’ instead of ‘User name account’ and I don’t succus to resolve it.
And thank again for the help.
Is it showing any user names?
Generally the “sid” property will return the account name if it can be resolved, or the sid component string if the account name cannot be resolved - like for an account that has been deleted.
No, its show only SIDs.
So, is not resolve the name at all.
if you run this code, its resolve?
P.S.
I created a task - called “test”.
and when I run this code: is good - but show me at most one line at the time
Q:(name of it, sids ((xpath ("xmlns:t='http://schemas.microsoft.com/windows/2004/02/mit/task'", "/t:Task/t:Principals/t:Principal/t:UserId") of it) of (xml documents of xmls of definitions of it) as text))of scheduled tasks whose (name of it = "test")
A:test, Domin\ori
But if I do this
(name of it, sids ((xpath ("xmlns:t='http://schemas.microsoft.com/windows/2004/02/mit/task'", "/t:Task/t:Principals/t:Principal") of it) of (xml documents of xmls of definitions of it) as text))of scheduled tasks
and delete the “/t:UserId” is gives me the full list but only with SID.