Scheduled Task Trigger Analysis

I’m trying to find out the what’s triggering certain scheduled task to run, ie at 9am or on reboot. But I’m not getting anything in QnA:

I found and old post that directed me here: https://bigfix.me/relevance/details/2998562

I tried it and I can see that it’s not pulling back the triggers:

Is Bigfix not able to pull back this info? Any help would be appreciated.

Same here. But I can see it if I do xml of it

Started here…
properties whose (it as string as lowercase contains “scheduled”)

then ran
(names of it, xml of it) of scheduled tasks

Messy and hard to read

Yeah, that’s pretty messy. I was hoping that I could pull it from Bigfix. I’m going to use schtask to export the info to a file and us BigFix to read it from there. Thanks.

Here’s a similar case of parsing scheduled task XML if it helps

I’ve looked at the XML and it’s pretty messy. Like if you’re looking for the Start Time, it’s not as simple as “Start Time”. You have to go to Triggers then CalenderTriggers then Startboundray, etc. Yeah if found it easier to export using schtask as it’s more readable.

Fair enough. For what it’s worth (or anyone checking this From The Future) I did put together something I think works

q: (names of it, (node names of parent nodes of it, node name of it, node value of child node of it | "none") of child nodes of xpaths ("xmlns:t='http://schemas.microsoft.com/windows/2004/02/mit/task'", "/t:Task/t:Triggers/t:*") of xml document of xml of it) of scheduled tasks

A: G2MUpdateTask-S-1-5-21-474380057-1838352999-1581317240-10427, ( CalendarTrigger, StartBoundary, 2022-04-21T13:45:00 )
A: G2MUpdateTask-S-1-5-21-474380057-1838352999-1581317240-10427, ( CalendarTrigger, Repetition, none )
A: G2MUpdateTask-S-1-5-21-474380057-1838352999-1581317240-10427, ( CalendarTrigger, ScheduleByDay, none )
A: G2MUploadTask-S-1-5-21-474380057-1838352999-1581317240-10427, ( CalendarTrigger, StartBoundary, 2022-04-21T13:52:00 )

A: OneDrive Reporting Task-S-1-5-21-474380057-1838352999-1581317240-10427, ( TimeTrigger, StartBoundary, 2022-12-11T22:34:17 )
A: OneDrive Reporting Task-S-1-5-21-474380057-1838352999-1581317240-10427, ( TimeTrigger, Repetition, none )
A: OneDrive Standalone Update Task-S-1-5-21-3916983572-338088446-3343564012-1002, ( TimeTrigger, StartBoundary, 1992-05-01T07:00:00 )
A: OneDrive Standalone Update Task-S-1-5-21-3916983572-338088446-3343564012-1002, ( TimeTrigger, Repetition, none )
A: OneDrive Standalone Update Task-S-1-5-21-3916983572-338088446-3343564012-1002, ( TimeTrigger, RandomDelay, PT4H )

A: Start Thunderbolt application on switch user if service is up, ( SessionStateChangeTrigger, StateChange, ConsoleConnect )
A: Start Thunderbolt application when hardware is detected, ( EventTrigger, Subscription, <QueryList><Query Id="0" Path="System"><Select Path="System">*[System[Provider[@Name='nhi'] and EventID=1]]</Select></Query></QueryList> )
2 Likes