none
Phantom Task running RRS feed

  • Question

  • Hi All

    In the past I have used task scheduler for some testing but have not used it for a very long time

    Suddenly the other day one started firing part of the exe process (which I wrote) sends and email to me

    I've obviously edited the task and set the date to a year n the future or whatever and the future has now arrived

    Now my issue is I canot find that task anywhere on my system but it must be there somewhere because it is being run

    Nothing in event viewer, nothing in Task Scheduler nothing in the registry

    It may have been associated with another a user account on my machine that I no longer use but I could not see it there either

    Any clues on how else to track it down ?

    Thanks

    Thursday, April 16, 2020 1:37 PM

All replies

  • Well this seems a task for process Monitor...

    if you know at least the hour at which it was scheduled you can fire up ProcMon and wait for the task to be started then you can examine the trace and see from what it was started.. from the registry or from the tasks folder..

    Or you can use Autoruns and inspect the tasks tab for al the users on the machine..

    one way or the other..

    HTH
    -mario

    Thursday, April 16, 2020 3:45 PM
  • Thanks Mario

    I have downloaded it

    I think it will next run on Tuesday around noon ish (thankfully)

    It will only takes around 1 sec to run ?

    What should I filter for to ensure I catch it ?

    Thanks

    Thursday, April 16, 2020 4:05 PM
  • I thought it was nearest in time the next run..

    While you are waiting use Autoruns to check the system and all the users..

    You know that with autoruns you can check the scheduled task for al the users defined on the System:

    So, start here while you are waiting.

    Then for process Monitor. I would execute without any filter.. when the task starts you should see services.exe starting a taskhost for the user under which the task will be run if it is not already in execution, and you will see a search in the registry and/or on the file system for the task.

    HTH
    -mario

    Friday, April 17, 2020 9:41 AM
  • In addition to the great suggestions from Mario, Sysmon ProcessCreate logging will provide you with the details . Also take a look in the Windows Security log. You may have Process create logging enabled already in which case you should see a 4688 event for this.

    MarkC(MSFT)

    Monday, April 27, 2020 2:44 PM