#
Get-ScheduledTask
#
List scheduled tasks
...specifically that exclude Microsoft
or OneDrive
in the name, and also shows tasks that are not disabled:
Get-ScheduledTask | Where-Object {
$_.TaskPath -notlike "\Microsoft*" -and
$_.TaskName -notmatch "OneDrive" -and
$_.State -ne 'Disabled'
} | ForEach-Object {
$info = $_ | Get-ScheduledTaskInfo
$definition = $_.Actions | Select-Object -ExpandProperty Execute
[PSCustomObject]@{
TaskName = $_.TaskName
TaskPath = $_.TaskPath
State = $_.State
RunAs = $_.Principal.UserId
Action = $definition
LastRun = $info.LastRunTime
}
} | Format-Table -AutoSize
#
List specific task info
#
Get the task basic information
Get-ScheduledTask -TaskName "SampleTask"
#
Get details on a specific task name (to understand what it runs/does)
(Get-ScheduledTask -TaskName "NameOfTask").Actions | Format-List *
#
Show the detailed info (runtime state, last run, etc.)
Get-ScheduledTaskInfo -TaskName "SampleTask"
#
Dump everything (properties + nested objects)
Get-ScheduledTask -TaskName "SampleTask" | Format-List *
#
Export a task XML for analysis
Export-ScheduledTask -TaskName "NameOfTask" -TaskPath "\" > "C:\users\public\nameoftask.xml"
#
Stealing tickets with scheduled tasks
While not directly related to Get-ScheduledTask, I wanted to mention that the brilliant CCob gave me an idea (source: BloodHoundGang) for stealing tickets with a scheduled task sent to run klist.