Scheduled tasks

(imported topic written by Kenz91)

Is there an easy way to collect the Scheduled tasks, schedule time, and the user account used to run it on Windows servers?

(imported comment written by cstoneba)

This seems to work, but I don’t see an easy way of pulling back the username

(names of it, next run times of it) of scheduled tasks

Run in QnA to see all inspectors for ‘scheduled tasks’

q: properties whose (it as string as lowercase contains "scheduled")

(imported comment written by NoahSalzman)

I created a task named “Test Task” in Windows 7 and was able to get the user account from it using the XML doc associated with the task. There is one weird bit in this example where I had to get rid of the XML namespace (XMLNS) attribute to make it work with the xpath inspector:

q: node values of child nodes of xpaths ("Task/Principals/Principal/UserId") of xml document of (concatenation "foo=" of substrings separated by "xmlns=" of xml of scheduled task whose (name of it is "Test Task"))

A: GANYMEDE\Noah Salzman

Edit: here is a better way to do it that works around the namespace issue

q: node values of child nodes of xpaths ("////") of xml document of xml of scheduled task whose (name of it is "Test Task")

A: GANYMEDE\Noah Salzman

(imported comment written by MattBoyd)

xpath <3

(imported comment written by NoahSalzman)

I dunno man… maybe it’s just lack of familiarity but the syntax seems sorta goofy. But yes, it’s better than "child nodes of child nodes… " over and over. :slight_smile:

(imported comment written by Kenz91)

Thanks for the suggestions. I ended up creating a task using the cmd line to run schtasks.exe and parsed the data into a text file then pulled that out with an analysis. It’s really a shame that the inspector doesn’t include the username property.

(imported comment written by NoahSalzman)

I’m a little confused? Isn’t that what I gave you? Are you saying “I want you to finish my homework and complete the solution with the time stamp added in.”? :slight_smile:

(imported comment written by MattBoyd)

Don’t have hate for the namespace, embrace it!

(names of it, node values of child nodes of xpaths ("xmlns:t='http://schemas.microsoft.com/windows/2004/02/mit/task'", "/t:Task/t:Principals/t:Principal/t:UserId") of xml documents of xmls of it) of scheduled tasks whose (name of it contains "Google")

Thanks to whoever implemented namespace-prefix mappings into the xpath inspector :slight_smile:

(imported comment written by NoahSalzman)

Ooo… nice, I was looking for an example for what you just did but was having trouble wading through all the C#, xslt, and vb garbage on the nets.

Kenz, here is the version that will answer your original question:

q: ((names of it, node values of child nodes of xpaths ("xmlns:t='http://schemas.microsoft.com/windows/2004/02/mit/task'", "/t:Task/t:Principals/t:Principal/t:UserId") of xml documents of xmls of it), (next run times of it)) of scheduled tasks

A: ( Test Task, GANYMEDE\Noah Salzman ), ( Thu, 21 Apr 2011 10:00:31 -0700 )

A: ( AitAgent, S-1-5-18 ), ( Thu, 21 Apr 2011 02:30:00 -0700 )

A: ( ProgramDataUpdater, S-1-5-18 ), ( Thu, 21 Apr 2011 00:30:00 -0700 )

(imported comment written by SystemAdmin)

Seems like a good candidate for an official Scheduled Tasks Analysis from IBM…

(imported comment written by MattBoyd)

Noah

Ooo… nice, I was looking for an example for what you just did but was having trouble wading through all the C#, xslt, and vb garbage on the nets.

Yeah, it’s hard to find good examples of advanced xpath stuff. This link gives a good explanation of what’s going on here with the default namespace: http://www.edankert.com/defaultnamespaces.html. The xpath inspector allows us to define our own namespace prefix mappings for such events. Yay!

jaspanitz

Seems like a good candidate for an official Scheduled Tasks Analysis from IBM…

That would be nice! It reminds me of this feature suggestion that you brought up: http://forum.bigfix.com/viewtopic.php?id=5405. I think this is a good example of where that would be useful.
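The default-namespace behaviour discussed in the posts above, reproduced outside BigFix as an added example (Python, not code from any participant in this thread): an unprefixed path finds nothing in task XML, while a prefix mapped to the task namespace returns the run-as account. The task names, the `EXAMPLE\svc-backup` account and the helper names are constructed for illustration; the `GroupId` fallback and SID-to-name mapping go slightly beyond what the thread covers.

```python
import xml.etree.ElementTree as ET

# Default namespace declared on the root <Task> element of Task Scheduler XML.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Well-known service SIDs that can appear in place of an account name.
WELL_KNOWN_SIDS = {"S-1-5-18": "SYSTEM", "S-1-5-19": "LOCAL SERVICE",
                   "S-1-5-20": "NETWORK SERVICE"}

def _task(principal_body):
    """Build a constructed, minimal task definition (sample data only)."""
    return (f'<Task version="1.2" xmlns="{NS["t"]}"><Principals>'
            f'<Principal id="Author">{principal_body}</Principal>'
            '</Principals></Task>')

# Constructed samples: task name -> task XML.
SAMPLE_TASKS = {
    "Nightly Backup": _task(r"<UserId>EXAMPLE\svc-backup</UserId>"),
    "Updater": _task("<UserId>S-1-5-18</UserId>"),
    "Group Task": _task("<GroupId>S-1-5-32-544</GroupId>"),
}

def unprefixed_user_ids(task_xml):
    """Path without a prefix: matches nothing, because every element
    inherits the default namespace from <Task>."""
    root = ET.fromstring(task_xml)
    return [e.text for e in root.findall("Principals/Principal/UserId")]

def run_as(task_xml):
    """Accounts the task runs as, using a prefix mapped to the namespace."""
    root = ET.fromstring(task_xml)
    accounts = []
    for principal in root.findall("t:Principals/t:Principal", NS):
        # Fall back to GroupId when the principal has no UserId.
        ident = (principal.findtext("t:UserId", namespaces=NS)
                 or principal.findtext("t:GroupId", namespaces=NS))
        if ident:
            accounts.append(WELL_KNOWN_SIDS.get(ident.strip(), ident.strip()))
    return accounts

def audit(tasks):
    """Return (task name, accounts) pairs, sorted by task name."""
    return [(name, run_as(xml)) for name, xml in sorted(tasks.items())]

if __name__ == "__main__":
    for name, accounts in audit(SAMPLE_TASKS):
        print(f"{name}: {', '.join(accounts) or '(no principal id)'}")
```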

(imported comment written by Kenz91)

Noah

I’m a little confused? Isn’t that what I gave you? Are you saying “I want you to finish my homework and complete the solution with the time stamp added in.”? :slight_smile:

Didn’t mean to upset you. I was just saying I used an alternative method before you posted what you did. When I didn’t see username as one of the properties of the scheduled tasks inspector I went with a less elegant solution.

(imported comment written by NoahSalzman)

:slight_smile:

(imported comment written by Kenz91)

Is there something similar that will pull the UserId for services?

(imported comment written by NoahSalzman)

You are probably looking for "login account of ".

q: properties whose (it as string contains "service" and it as string does not contain "firewall")

A: service key value name of : string

A: service pack major version of : integer

A: service pack minor version of : integer

A: service : service

A: services: service

A: win32 services: service

A: driver services: service

A: all services: service

A: running service : service

A: running services: service

A: win32 running services: service

A: driver running services: service

A: all running services: service

A: relay service: service

A: main gather service: service

A: service name of : string

A: display name of : string

A: state of : string

A: can interact with desktop of : boolean

A: win32 exit code of : integer

A: service specific exit code of : integer

A: checkpoint of : integer

A: login account of : string

A: start type of : string

A: image path of : string

A: file of : file

A: version of : version

A: win32 type of : boolean

A: driver type of : boolean

A: service group: security account

A: local service group: security account

A: network service group: security account

A: security descriptor of : security descriptor

A: service account logon of : boolean

(imported comment written by Kenz91)

Thanks Noah that’s what I was looking for.

(imported comment written by cstoneba)

It appears that “(names of it, node values of child nodes of xpaths ("xmlns:t='http://schemas.microsoft.com/windows/2004/02/mit/task'", "/t:Task/t:Principals/t:Principal/t:UserId") of xml documents of xmls of it) of scheduled tasks” doesn’t work on Win2003 systems, because I’m getting “,” as a result for those endpoints, but when I run “names of scheduled tasks” in fixlet debugger on one of them, I get results.

Has anyone found a workaround to get this to return the name and userid of scheduled tasks on Win2003 or WinXP?