Editing scheduled task via powershell

  • Question

  • Hello,

    Below I have a snip from one of our systems

    PS C:\WINDOWS\system32>  Get-ScheduledTask -Taskname cachetask |fl


    Actions            : {MSFT_TaskComHandlerAction}{MSFT_TaskExecAction}
    Author             : Microsoft
    Date               : 
    Description        : Wininet Cache Task
    Documentation      : 
    Principal          : MSFT_TaskPrincipal2
    SecurityDescriptor : D:P(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x001200a9;;;BU)(A;;0x001200a9;;;WD)(A;;0x001200a9;;;LW)
    Settings           : MSFT_TaskSettings3
    Source             : 
    State              : Running
    TaskName           : CacheTask
    TaskPath           : \Microsoft\Windows\Wininet\
    Triggers           : {MSFT_TaskLogonTrigger}
    URI                : \Microsoft\Windows\Wininet\CacheTask
    Version            : 
    PSComputerName     : 


    What I am looking to do here is remove the {MSFT_TaskExecAction}, as it is malicious code injected into the system. {MSFT_TaskExecAction} is a cmd that executes some nasty PowerShell code.

    Did some digging and I could not come up with a native way within PowerShell to edit these scheduled tasks.

    Thursday, February 8, 2018 10:01 PM

All replies

  • Removing that will not get rid of the malware.  Contact your AV vendor for a solution.  Removing it will only allow it to be reapplied on next logon or boot.

    This is how to remove an action from a task.  You will have to determine the exact ID on each task.

    $task = Get-ScheduledTask -TaskName cachetask
    # Keep every action except the one with this ID. MSFT_TaskExecAction has
    # no ClassId, so for an exec action match on Execute/Arguments instead.
    $keep = @($task.Actions | Where-Object { $_.ClassId -ne '{0358B920-0AC7-461F-98F4-58E32CD89148}' })
    # Actions is a fixed-size array with no Remove(); write the filtered list
    # back with Set-ScheduledTask, which replaces the task's whole action list.
    Set-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath -Action $keep


    ¯\_(ツ)_/¯

    Thursday, February 8, 2018 10:26 PM
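The procedure the reply above sketches, written out as an added example (this is my code, not the replier's or Microsoft's). It preserves the task definition as evidence before touching it, drops the injected MSFT_TaskExecAction by CIM class rather than by a hard-coded ID so the built-in COM handler action survives, refuses to leave the task with no actions, and finishes with a quick hunt across all other tasks for exec actions that launch PowerShell, since the reply notes the malware is likely to re-apply itself. It assumes an elevated session and uses the task name and path from the question; the evidence directory C:\IR\evidence and the regex used for the hunt are assumptions, not anything the thread states.

```powershell
# Added example, not code from the original thread. Run elevated.
$taskName    = 'CacheTask'
$taskPath    = '\Microsoft\Windows\Wininet\'
$evidenceDir = 'C:\IR\evidence'   # assumed location for the exported task XML

$task = Get-ScheduledTask -TaskName $taskName -TaskPath $taskPath

# 1. Export the full task definition first so the malicious command line is
#    kept as an indicator even after the action is removed.
New-Item -ItemType Directory -Path $evidenceDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
Export-ScheduledTask -TaskName $taskName -TaskPath $taskPath |
    Set-Content -Path (Join-Path $evidenceDir "$taskName-$stamp.xml") -Encoding Unicode

# 2. Split the actions by CIM class. The legitimate Wininet action is an
#    MSFT_TaskComHandlerAction (a CLSID, no command line); the injected one is
#    an MSFT_TaskExecAction (Execute + Arguments).
$execActions = @($task.Actions | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskExecAction' })
$keep        = @($task.Actions | Where-Object { $_.CimClass.CimClassName -ne 'MSFT_TaskExecAction' })

foreach ($a in $execActions) {
    Write-Warning ("Removing exec action from {0}{1}: {2} {3}" -f $taskPath, $taskName, $a.Execute, $a.Arguments)
}

if ($execActions.Count -eq 0) {
    Write-Host "No MSFT_TaskExecAction on $taskName; nothing to remove."
}
elseif ($keep.Count -eq 0) {
    # Only an empty action list would be left; that is a job for
    # Unregister-ScheduledTask, not Set-ScheduledTask.
    throw "Refusing to leave $taskName with zero actions."
}
else {
    # 3. -Action replaces the whole action list, so pass only what we keep.
    #    Triggers, principal and settings are left as they are.
    Set-ScheduledTask -TaskName $taskName -TaskPath $taskPath -Action $keep | Out-Null

    # 4. Verify what is left on the task.
    (Get-ScheduledTask -TaskName $taskName -TaskPath $taskPath).Actions |
        ForEach-Object { $_.CimClass.CimClassName }
}

# 5. Hunt: any other task with an exec action that launches PowerShell.
#    The pattern is an assumption; tune it to what the evidence XML shows.
Get-ScheduledTask | ForEach-Object {
    $t = $_
    $t.Actions |
        Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskExecAction' -and
                       $_.Execute -match 'powershell|pwsh' } |
        ForEach-Object {
            [pscustomobject]@{
                Task      = "$($t.TaskPath)$($t.TaskName)"
                Execute   = $_.Execute
                Arguments = $_.Arguments
            }
        }
} | Format-Table -AutoSize
```

Filtering on the CIM class rather than on the ClassId GUID is what keeps this safe to reuse: a COM-handler action has a ClassId and no Execute, an exec action has the reverse, so the test does not depend on knowing the handler CLSID for each task. The exported XML is the record of the injected command line for the AV vendor or incident ticket.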
  • Unregister-ScheduledTask

    Thursday, February 8, 2018 10:40 PM