Schedule Task search & delete

vk.khurava 2017-04-04 04:43:01 UTC #1

Is there any option we can search a schedule task by its action & if relevant found then delete it, please help.

steini44 2017-04-04 05:34:59 UTC #2

HI @vk.khurava

There is a scheduled task inspector in BigFix:

names of scheduled tasks

So you can play around with it (add a whose clause to it to filter on the name you want) and then use the DOS commando's (straight in BigFix or with batchfile) to delete the scheduled task:

schtasks /Delete /TN "name of scheduled task"

vk.khurava 2017-04-04 13:22:43 UTC #3

I have this method in place but the problem is , there are more than 10 task with the same name on across 17000 servers but different action so if i try to delete them with name all will be deleted, so is there any option we can find out task with action and then delete it.

JasonWalker 2017-04-04 14:17:38 UTC #4

You can look at xml of scheduled task to get the details and parse it using the XML inspectors. Here's an example I'm using

Here's a search for a scheduled task "My Task Name" with an action pointing to c:\Windows\myscript.cmd:

(not exists scheduled tasks "My Task Name" whose (exists (node values of child nodes of xpaths ("xmlns:t='http://schemas.microsoft.com/windows/2004/02/mit/task'", "/t:Task/t:Actions/t:Exec/t:Command") of xml document of xml of it) whose (it = "%22" & pathname of windows folder & "\myscript.cmd%22")))

vk.khurava 2017-04-04 17:05:00 UTC #5

Sorry but I didnt get it, you are referring to specific schedule task name & then its action, but in my case there are all schedule task on servers named as At, At1, At2 .... At100 then how can I write a deletion action for that specific one which containing my desired action.

And what it is xml of scheduled task how can I use it.

Is there any registry entry of scheduled task which we can search for such task name which containing my desired action & delete them.

JasonWalker 2017-04-04 17:24:22 UTC #6

There's no registry key for scheduled tasks. They're stored in files, but are inspectable with the 'scheduled tasks' inspector, which can also parse the XML definition of the scheduled task. I assure you, everything you need to find what you want is in my previous post. You will need to modify it to fit your environment, and find the scheduled task action you're looking for.

Since you don't care about the task name, take it out of the query -
(exists scheduled tasks whose (exists (node values of child nodes of xpaths ("xmlns:t='http://schemas.microsoft.com/windows/2004/02/mit/task'", "/t:Task/t:Actions/t:Exec/t:Command") of xml document of xml of it) whose (it = "the command I'm looking for")))

In the Fixlet Debugger, see what q: (concatenation of substrings separated by "%0d%0a" of it)of xmls of scheduled tasks gives you and it should make it a bit more clear.

vk.khurava 2017-04-11 16:17:16 UTC #7

I tried it but it giving me false answer on test server's fixlet debugger.

but after running this I am getting xml answers which containing whole list of sch. tasks. but still confused how can I run task removal by using these relevance code.

JasonWalker 2017-04-11 16:27:40 UTC #8

Yes, you'll need to customize the queries to match what you're looking for.

vk.khurava 2017-04-14 04:01:09 UTC #9

I really tried but dont come up with a solution, coz I am not good with relevance, if I work below -

I am getting true & false values but how I can delete those scheduled task from all servers which having my desired action/command in it.

This all is really confusing.

JasonWalker 2017-04-14 04:20:44 UTC #10

Ok so this is returning the true/false values correctly, right? You'd make a Fixlet and include this in the Relevance:

(exists scheduled tasks whose (exists (node values of child nodes of xpaths ("xmlns:t='http://schemas.microsoft.com/windows/2004/02/mit/task'", "/t:Task/t:Actions/t:Exec/t:Command") of xml document of xml of it) whose (it = "the command I'm looking for")))

That should make the fixlet Relevant for the systems where the task exists (you'd also want to include normal targetting relevance like windows of operating system for efficiency to prevent this from trying to evaluate on Linux hosts, etc.)

For the Action Script, you need to build the commands to delete the Scheduled Task. For that you need to retrieve the Task Names matching this condition:

(names of scheduled tasks whose (exists (node values of child nodes of xpaths ("xmlns:t='http://schemas.microsoft.com/windows/2004/02/mit/task'", "/t:Task/t:Actions/t:Exec/t:Command") of xml document of xml of it) whose (it = "the command I'm looking for")))

If you were certain that there is only one matching scheduled task, you could have a one-liner in the Action Script:

waithidden schtasks.exe /delete /TN {(names scheduled tasks whose (exists (node values of child nodes of xpaths ("xmlns:t='http://schemas.microsoft.com/windows/2004/02/mit/task'", "/t:Task/t:Actions/t:Exec/t:Command") of xml document of xml of it) whose (it = "the command I'm looking for")))} /F

However, there's a chance that there is more than one Scheduled Task on a system matching the condition (for example if the task was created twice, you may have an 'AT1', 'AT2', 'AT3', etc. all doing the same function). In that case, you need to loop through all of the matching tasks, building a batch file to delete each of them. Action Script doesn't have a loop operator, but it does have a way to iterate through the results by building a 'concatenation'. In this example, "%0d%0a" represents the Carriage Return / Line Feed pair of characters that mark the end of a line, so this will build a batch file, with one 'schtasks' command on each line

delete __appendfile
appendfile {concatenation "%0d%0a" of ("schtasks.exe /delete /TN " & it & " /F") of (names scheduled tasks whose (exists (node values of child nodes of xpaths ("xmlns:t='http://schemas.microsoft.com/windows/2004/02/mit/task'", "/t:Task/t:Actions/t:Exec/t:Command") of xml document of xml of it) whose (it = "the command I'm looking for")))}
delete RemoveTasks.cmd
move __appendfile RemoveTasks.cmd
waithidden cmd.exe /C RemoveTasks.cmd

vk.khurava 2017-04-14 09:18:25 UTC #11

Thank you so much Jason its a great help !

One more concern, when I am checking below relevance I am getting task name but its not taking full command line "C:\Program Files (x86)\BigFix Enterprise\BES Client__BESData\BES Support\changeservicestartmode.exe BESClient auto"

and

C:\Windows\system32\cmd.exe /c net start BESClient"

Q:(names of scheduled tasks whose (exists (node values of child nodes of xpaths ("xmlns:t='http://schemas.microsoft.com/windows/2004/02/mit/task'", "/t:Task/t:Actions/t:Exec/t:Command") of xml document of xml of it) whose (it = "C:\Program Files (x86)\BigFix Enterprise\BES Client__BESData\BES Support\changeservicestartmode.exe")))
A: At1
T: 87.405 ms

Q:(names of scheduled tasks whose (exists (node values of child nodes of xpaths ("xmlns:t='http://schemas.microsoft.com/windows/2004/02/mit/task'", "/t:Task/t:Actions/t:Exec/t:Command") of xml document of xml of it) whose (it = "C:\Program Files (x86)\BigFix Enterprise\BES Client__BESData\BES Support\changeservicestartmode.exe BESClient auto")))
T: 83.173 ms

Q: (names of scheduled tasks whose (exists (node values of child nodes of xpaths ("xmlns:t='http://schemas.microsoft.com/windows/2004/02/mit/task'", "/t:Task/t:Actions/t:Exec/t:Command") of xml document of xml of it) whose (it = "C:\Windows\system32\cmd.exe /c net start BESClient")))
T: 83.749 ms

Q: (names of scheduled tasks whose (exists (node values of child nodes of xpaths ("xmlns:t='http://schemas.microsoft.com/windows/2004/02/mit/task'", "/t:Task/t:Actions/t:Exec/t:Command") of xml document of xml of it) whose (it = "C:\Windows\system32\cmd.exe")))
A: At2
T: 82.219 ms

JasonWalker 2017-04-14 14:34:01 UTC #12

Print out the XML and see how the command line is presented. You could be hitting against a couple of cases.

If the command line has literal embedded quotes, you'd match those with percent-encode, where %22 is a doublequote character. So it'd be something like
whose (it="%22C:\Windows\system32\cmd.exe%22 /c net start BESClient")

Or the xml may split out the "Command" from the "Arguments", so you'd match something like "Command"="c:\windows\system32.cmd" AND "Arguments"="/c net start BESClient". (But I don't know whether the node name is "Arguments" or "Argument" or "Args" or whatever, but if you print out the XML it should be evident)

strawgate 2017-04-14 14:50:53 UTC #13

Just a note -- there are scheduled task inspectors that let you look at this stuff:

Q: (path of it, argument string of it) of (actions of definitions of scheduled tasks as exec task action)
A: cmd.exe, /c "echo n | gpupdate /target:user /force /wait:120"
A: C:\Windows\system32\msfeedssync.exe, sync
A: C:\Windows\system32\msfeedssync.exe, sync
A: C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe, -task
A: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe, /update SCHEDULEDTASK displaylevel=False
A: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe, /WatchService
A: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonx64\Microsoft Shared\Office16\OLicenseHeartbeat.exe, 
A: C:\Program Files\Microsoft Office\root\Office16\msoia.exe, scan upload mininterval:2880
A: C:\Program Files\Microsoft Office\root\Office16\msoia.exe, scan upload

So you could probably do something like:

names of scheduled tasks whose ((path of it = "C:\windows\system32\cmd.exe" and argument string of it = "/c net start BESClient") of (action of definition of it as exec task action))

Your relevance would just be:

exists scheduled tasks whose ((path of it = "C:\windows\system32\cmd.exe" and argument string of it = "/c net start BESClient") of (action of definition of it as exec task action))

And your action would just be

waithidden schtasks.exe /delete /TN {unique values of names of scheduled tasks whose ((path of it = "C:\windows\system32\cmd.exe" and argument string of it = "/c net start BESClient") of (action of definition of it as exec task action))} /F

Or you could take Jason's example that handles multiple instances!

vk.khurava 2017-04-18 09:09:45 UTC #14

Thank you so much @JasonWalker & @strawgate, I was able to run this but this task is getting completed successfully but scheduled task are still there.

When I am looking into log file, I am seeing this -

Command succeeded (Exit Code=1) waithidden schtasks.exe /delete /TN At2At4At6At8 /F

any idea please.

strawgate 2017-04-18 15:39:12 UTC #15

You may have to use the path to the task and wrap it in quotes.

path of <scheduled task>

My task for removing a cleanup SCCM scheduled task looks like this:

waithidden schtasks /delete /tn "Microsoft\Microsoft\Configuration Manager\Configuration Manager Client Retry Task" /f

vk.khurava 2017-04-18 15:41:49 UTC #16

I tried these -

waithidden schtasks.exe /delete /TN {unique values of names of scheduled tasks whose ((path of it = "C:\Windows\system32\cmd.exe" and argument string of it = "/c net start BESClient") of (action of definition of it as exec task action))} /F

waithidden schtasks.exe /delete /TN {unique values of names of scheduled tasks whose ((path of it = "C:\Program Files (x86)\BigFix Enterprise\BES Client__BESData\BES Support\changeservicestartmode.exe" and argument string of it = "BESClient auto") of (action of definition of it as exec task action))} /F

strawgate 2017-04-18 16:00:02 UTC #17

Yes,

The issue is that you are providing the name of the scheduled task. Every scheduled task has a path as well,

In this instance it's not enough to delete Proxy, we need to delete \Microsoft\Windows\Authchk\Proxy.

So for your relevance you want to do paths of scheduled tasks:

waithidden schtasks.exe /delete /TN {unique values of paths of scheduled tasks whose ((path of it = "C:\Program Files (x86)\BigFix Enterprise\BES Client__BESData\BES Support\changeservicestartmode.exe" and argument string of it = "BESClient auto") of (action of definition of it as exec task action))} /F

JasonWalker 2017-04-19 00:39:12 UTC #18

You're getting multiple results, the "at1at2at3" are three separate scheduled task names all run together. You need to go back and look at my post on "multiple tasks matching the query" and use the concatenation operator.

vk.khurava 2017-04-20 09:09:20 UTC #19

Ok I tried that too & below is the result -

Command failed (Relevance substitution failed) appendfile {concatenation "%0d%0a" of ("schtasks.exe /delete /TN " & it & " /F") of (names scheduled tasks whose (exists (node values of child nodes of xpaths ("xmlns:t='http://schemas.microsoft.com/windows/2004/02/mit/task'", "/t:Task/t:Actions/t:Exec/t:Command") of xml document of xml of it) whose (it = "%22C:\Program Files (x86)\BigFix Enterprise\BES Client__BESData\BES Support\changeservicestartmode.exe%22 BESClient auto")))}

This was the action -

appendfile {concatenation "%0d%0a" of ("schtasks.exe /delete /TN " & it & " /F") of (names scheduled tasks whose (exists (node values of child nodes of xpaths ("xmlns:t='http://schemas.microsoft.com/windows/2004/02/mit/task'", "/t:Task/t:Actions/t:Exec/t:Command") of xml document of xml of it) whose (it = "%22C:\Program Files (x86)\BigFix Enterprise\BES Client__BESData\BES Support\changeservicestartmode.exe%22 BESClient auto")))}
appendfile {concatenation "%0d%0a" of ("schtasks.exe /delete /TN " & it & " /F") of (names scheduled tasks whose (exists (node values of child nodes of xpaths ("xmlns:t='http://schemas.microsoft.com/windows/2004/02/mit/task'", "/t:Task/t:Actions/t:Exec/t:Command") of xml document of xml of it) whose (it = "%22C:\Windows\system32\cmd.exe%22 /c net start BESClient")))}
delete RemoveTasks.cmd
move __appendfile RemoveTasks.cmd
waithidden cmd.exe /C RemoveTasks.cmd

vk.khurava 2017-04-20 09:11:35 UTC #20

I tried your suggestion too but still throwing exit code 1 -
Command succeeded (Exit Code=1) waithidden schtasks.exe /delete /TN \At2\At4\At6\At8 /F