Microsoft-Windows-TaskScheduler

148 events across 5 channels

Event ID	Title	Channel
100	Task Scheduler started ".	Operational
101	Task Scheduler failed to start ".	Operational
102	Task Scheduler successfully finished ".	Operational
103	Task Scheduler failed to start instance ".	Operational
104	Task Scheduler failed to log on ".	Operational
105	Task Scheduler failed to impersonate ".	Operational
106	User ".	Operational
107	Task Scheduler launched ".	Operational
108	Task Scheduler launched ".	Operational
109	Task Scheduler launched ".	Operational
110	Task Scheduler launched ".	Operational
111	Task Scheduler terminated ".	Operational
112	Task Scheduler could not start task ".	Operational
113	Task registered task ".	Operational
114	Task Scheduler could not launch task ".	Operational
115	Task Scheduler failed to roll back a transaction when updating or deleting a …	Operational
116	Task Scheduler validated the configuration for task ".	Operational
117	Task Scheduler launched ".	Operational
118	Task Scheduler launched ".	Operational
119	Task Scheduler launched ".	Operational
120	Task Scheduler launched ".	Operational
121	Task Scheduler launched ".	Operational
122	Task Scheduler launched ".	Operational
123	Task Scheduler launched ".	Operational
124	Task Scheduler launched ".	Operational
125	Task Scheduler launched ".	Operational
126	Task Scheduler failed to execute task ".	Operational
127	Task Scheduler failed to execute task ".	Operational
128	Task Scheduler did not launch task ".	Operational
129	Task Scheduler launch task ".	Operational
130	Task Scheduler failed to start task ".	Operational
131	Task Scheduler failed to start task ".	Operational
132	Task Scheduler task launching queue quota is approaching its preset limit of …	Operational
133	Task Scheduler failed to start task %1" in TaskEngine "%2" for user "%3".	Operational
134	Task Engine ".	Operational
135	Task Scheduler could not start task ".	Operational
140	User ".	Operational
141	User ".	Operational
142	User ".	Operational
145	Task Scheduler woke up the computer to run a task.	Operational
146	Task Scheduler failed to load task ".	Operational
147	Task Scheduler recovered sucessfully the image of task ".	Operational
148	Task Scheduler failed to recover the image of task ".	Operational
149	Task ".	Operational
150	Task Scheduler failed to subscribe for the event trigger for task ".	Operational
151	Task instantiation failed ".	Operational
152	Task ".	Operational
153	Task Scheduler did not launch task ".	Operational
155	Task Scheduler is currently waiting on completion of task ".	Operational
200	Task Scheduler launched action ".	Operational
201	Task Scheduler successfully completed task ".	Operational
202	Task Scheduler failed to complete task ".	Operational
203	Task Scheduler failed to launch action ".	Operational
204	Task Scheduler failed to retrieve the event triggering values for task ".	Operational
205	Task Scheduler failed to match the pattern of events for task ".	Operational
300	Task Scheduler started Task Engine ".	Operational
301	Task Scheduler is shutting down Task Engine ".	Operational
303	Task Scheduler is shutting down Task Engine ".	Operational
304	Task Scheduler sent ".	Operational
305	Task Scheduler did not send ".	Operational
306	For Task Scheduler Task Engine ".	Operational
307	Task Scheduler service failed to connect to the Task Engine ".	Operational
308	Task Scheduler connected to the Task Engine ".	Operational
309	Task Scheduler %1 tasks orphaned during Task Engine "%2" shutdown.	Operational
310	Task Scheduler started Task Engine ".	Operational
311	Task Scheduler failed to start Task Engine ".	Operational
312	Task Scheduler created the Win32 job object for Task Engine ".	Operational
313	Task Scheduler channel with Task Engine ".	Operational
314	Task Scheduler has no tasks running for Task Engine ".	Operational
315	Task Engine ".	Operational
316	Task Engine ".	Operational
317	Task Scheduler started Task Engine ".	Operational
318	Task Scheduler shutdown Task Engine ".	Operational
319	Task Engine ".	Operational
320	Task Engine ".	Operational
322	Task Scheduler did not launch task ".	Operational
323	Task Scheduler stopped instance ".	Operational
324	Task Scheduler queued instance ".	Operational
325	Task Scheduler queued instance ".	Operational
326	Task Scheduler did not launch task ".	Operational
327	Task Scheduler stopped instance ".	Operational
328	Task Scheduler stopped instance ".	Operational
329	Task Scheduler terminated ".	Operational
330	Task Scheduler stopped instance ".	Operational
331	Task Scheduler will continue to execute Instance ".	Operational
332	Task Scheduler did not launch task ".	Operational
333	Task Scheduler did not launch task ".	Operational
334	Task Scheduler did not launch task ".	Operational
400	Task Scheduler service has started.	Operational
401	Task Scheduler service failed to start due to an error in ".	System
402	Task Scheduler service is shutting down.	Operational
403	Task Scheduler service has encountered an error in ".	Operational
404	Task Scheduler service has encountered RPC initialization error in ".	System
405	Task Scheduler service has failed to initialize COM.	System
406	Task Scheduler service failed to initialize credentials store.	System
407	Task Scheduler service failed to initialize LSA.	System
408	Task Scheduler service failed to initialize idle state detection module.	System
409	Task Scheduler service failed to initialize time change notification.	System
410	Task Scheduler service failed to set a wakeup timer.	Operational
411	Task Scheduler service received a time system change notification.	Operational
412	Task Scheduler service failed to launch tasks triggered by computer startup.	System
413	Task Scheduler service failed to load tasks at service startup.	System
414	Task Scheduler service found a misconfiguration in the %1 definition.	System
500	Process ID %2 has registered idle task ID %1.	Diagnostic
501	Process ID %2 has completed idle task ID %1.	Diagnostic
502	Execution of idle task ID %1 has started.	Diagnostic
503	Execution of idle task ID %1 has ended.	Diagnostic
504	Idle task ID %1 has been notified that explicit processing has been requested.	Diagnostic
505	Idle task ID %1 has returned from its explicit processing notification.	Diagnostic
506	Explicit execution of all idle tasks has been requested.	Diagnostic
507	Explicit execution of all idle tasks has completed.	Diagnostic
508	Explicit execution of all idle tasks is in progress.	Diagnostic
509	Idle Task Power Notification Received: %1 (%2).	Diagnostic
510		Diagnostic
511		Diagnostic
512	Idle check point: State %1, Reason %2.	Diagnostic
700	Task Scheduler service started Task Compatibility module.	Operational
701	Task Scheduler service failed to start Task Compatibility module.	System
702	Task Scheduler failed to initialize the RPC server for starting the Task …	System
703	Task Scheduler failed to initialize Net Schedule API for starting the Task …	System
704	Task Scheduler failed to initialize LSA for starting the Task Compatibility …	System
705	Task Scheduler failed to start directory monitoring for the Task Compatibility …	System
706	Task Compatibility module failed to update task ".	Operational
707	Task Compatibility module failed to delete task ".	Operational
708	Task Compatibility module failed to set security descriptor ".	Operational
709	Task Compatibility module failed to update task ".	Operational
710	Task Compatibility module failed to upgrade existing tasks.	Operational
711	Task Compatibility module failed to upgrade NetSchedule account ".	Operational
712	Task Compatibility module failed to read existing store to upgrade tasks.	Operational
713	Task Compatibility module failed to load task ".	Operational
714	Task Compatibility module failed to register task ".	Operational
715	Task Compatibility module failed to delete LSA store for upgrade.	Operational
716	Task Compatibility module failed to upgrade existing scheduled tasks.	System
717	Task Compatibility module failed to determine if upgrade is needed.	Operational
718	Task scheduler was unable to upgrade the credential store from the Beta 2 …	System
719	To help optimize for performance, Task Scheduler has automatically disabled …	System
800	Maintenance state changed to %1 (Last Run: %2).	Maintenance
801	Maintenance launch operation failed.	Maintenance
802	Maintenance re-configuration failed.	Maintenance
803	Maintenance Scheduler engine task ".	Maintenance
804	Maintenance Scheduler has detected cyclic dependency for the following …	Maintenance
805	Maintenance Task ".	Maintenance
806	Maintenance task ".	Maintenance
807	Maintenance complete (launch type %1).	Maintenance
808	Maintenance Task ".	Maintenance
809	Maintenance Scheduler Group Policy Settings are not properly specified for ".	System
998	DEBUG!	Debug
999	DEBUG!	Debug

Event ID 100 — Task Scheduler started ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational
Level: 4
Samples: 1

Message

Task Scheduler started "%3" instance of the "%1" task for user "%2".

Fields

Name	Description
`Name`	—
`TaskName`	—
`UserContext`	—
`InstanceId`	—

Example Event

system:
  provider: Microsoft-Windows-TaskScheduler
  guid: DE7B24EA-73C8-4A09-985D-5BDADCFA9017
  event_source_name: ''
  event_id: 100
  version: 0
  level: 4
  task: 100
  opcode: 1
  keywords: 9223372036854775809
  time_created: '2023-11-06T02:00:01.374223+00:00'
  event_record_id: 1052
  correlation:
    ActivityID: 99F1DF4D-A460-47A9-93D3-3FF029F93E31
  execution:
    process_id: 1392
    thread_id: 18152
  channel: Microsoft-Windows-TaskScheduler/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Name: TaskStartEvent
  TaskName: \Microsoft\Windows\Customer Experience Improvement Program\Consolidator
  UserContext: NT AUTHORITY\SYSTEM
  InstanceId: 99F1DF4D-A460-47A9-93D3-3FF029F93E31
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 101 — Task Scheduler failed to start ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational
Level: 2
Samples: 1

Message

Task Scheduler failed to start "%1" task for user "%2". Additional Data: Error Value: %3.

Fields

Name	Description
`Name`	—
`TaskName`	—
`UserContext`	—
`ResultCode`	—

Example Event

system:
  provider: Microsoft-Windows-TaskScheduler
  guid: DE7B24EA-73C8-4A09-985D-5BDADCFA9017
  event_source_name: ''
  event_id: 101
  version: 0
  level: 2
  task: 101
  opcode: 101
  keywords: 9223372036854775809
  time_created: '2023-11-06T01:06:15.745482+00:00'
  event_record_id: 929
  correlation: {}
  execution:
    process_id: 1392
    thread_id: 16668
  channel: Microsoft-Windows-TaskScheduler/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Name: TaskStartFailedEvent
  TaskName: \Microsoft\Windows\UpdateOrchestrator\USO_UxBroker
  UserContext: NT AUTHORITY\SYSTEM
  ResultCode: 2147942402
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 102 — Task Scheduler successfully finished ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational
Level: 4
Samples: 1

Message

Task Scheduler successfully finished "%3" instance of the "%1" task for user "%2".

Fields

Name	Description
`Name`	—
`TaskName`	—
`UserContext`	—
`InstanceId`	—

Example Event

system:
  provider: Microsoft-Windows-TaskScheduler
  guid: DE7B24EA-73C8-4A09-985D-5BDADCFA9017
  event_source_name: ''
  event_id: 102
  version: 0
  level: 4
  task: 102
  opcode: 2
  keywords: 9223372036854775809
  time_created: '2023-11-06T02:00:01.421291+00:00'
  event_record_id: 1055
  correlation:
    ActivityID: 99F1DF4D-A460-47A9-93D3-3FF029F93E31
  execution:
    process_id: 1392
    thread_id: 18152
  channel: Microsoft-Windows-TaskScheduler/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Name: TaskSuccessEvent
  TaskName: \Microsoft\Windows\Customer Experience Improvement Program\Consolidator
  UserContext: NT AUTHORITY\SYSTEM
  InstanceId: 99F1DF4D-A460-47A9-93D3-3FF029F93E31
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 103 — Task Scheduler failed to start instance ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational
Level: 2
Samples: 1

Message

Task Scheduler failed to start instance "%2" of "%1"  task for user "%3" . Additional Data: Error Value: %4.

Fields

Name	Description
`Name`	—
`TaskName`	—
`InstanceId`	—
`UserContext`	—
`ResultCode`	—

Example Event

system:
  provider: Microsoft-Windows-TaskScheduler
  guid: DE7B24EA-73C8-4A09-985D-5BDADCFA9017
  event_source_name: ''
  event_id: 103
  version: 0
  level: 2
  task: 103
  opcode: 102
  keywords: 9223372036854775809
  time_created: '2022-04-07T17:15:16.721848+00:00'
  event_record_id: 605
  correlation:
    ActivityID: B0ED2490-E028-43FD-88A4-97F63AB32B71
  execution:
    process_id: 1528
    thread_id: 4560
  channel: Microsoft-Windows-TaskScheduler/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data:
  Name: TaskFailureEvent
  TaskName: \Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319
  InstanceId: B0ED2490-E028-43FD-88A4-97F63AB32B71
  UserContext: NT AUTHORITY\SYSTEM
  ResultCode: 2147946720
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 104 — Task Scheduler failed to log on ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler failed to log on "%1" . Failure occurred in "%2" . User Action: Ensure the credentials for the task are correctly specified. Additional Data: Error Value: %3.

Fields

Name	Description
`UserName`	—
`ErrorDescription`	—
`ResultCode`	—

Event ID 105 — Task Scheduler failed to impersonate ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler failed to impersonate "%1" . Additional Data: Error Value: %2.

Fields

Name	Description
`Context`	—
`ResultCode`	—

Event ID 106 — User ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational
Level: 4
Samples: 1

Message

User "%2"  registered Task Scheduler task "%1"

Fields

Name	Description
`Name`	—
`TaskName`	—
`UserContext`	—

Example Event

system:
  provider: Microsoft-Windows-TaskScheduler
  guid: DE7B24EA-73C8-4A09-985D-5BDADCFA9017
  event_source_name: ''
  event_id: 106
  version: 0
  level: 4
  task: 106
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T01:50:56.574711+00:00'
  event_record_id: 1046
  correlation: {}
  execution:
    process_id: 1392
    thread_id: 17484
  channel: Microsoft-Windows-TaskScheduler/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Name: TaskRegisteredEvent
  TaskName: \Mozilla\Firefox Background Update 308046B0AF4A39CB
  UserContext: WINDEV2310EVAL\User
message: ''

References

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd363640(v=ws.10)
Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 107 — Task Scheduler launched ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational
Level: 4
Samples: 1

Message

Task Scheduler launched "%2"  instance of task "%1" due to a time trigger condition.

Fields

Name	Description
`Name`	—
`TaskName`	—
`InstanceId`	—

Example Event

system:
  provider: Microsoft-Windows-TaskScheduler
  guid: DE7B24EA-73C8-4A09-985D-5BDADCFA9017
  event_source_name: ''
  event_id: 107
  version: 0
  level: 4
  task: 107
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T02:00:01.223731+00:00'
  event_record_id: 1050
  correlation:
    ActivityID: 99F1DF4D-A460-47A9-93D3-3FF029F93E31
  execution:
    process_id: 1392
    thread_id: 18152
  channel: Microsoft-Windows-TaskScheduler/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Name: TimeTriggerEvent
  TaskName: \Microsoft\Windows\Customer Experience Improvement Program\Consolidator
  InstanceId: 99F1DF4D-A460-47A9-93D3-3FF029F93E31
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 108 — Task Scheduler launched ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational
Level: 4
Samples: 1

Message

Task Scheduler launched "%2"  instance of task "%1"  according to an event trigger.

Fields

Name	Description
`Name`	—
`TaskName`	—
`InstanceId`	—

Example Event

system:
  provider: Microsoft-Windows-TaskScheduler
  guid: DE7B24EA-73C8-4A09-985D-5BDADCFA9017
  event_source_name: ''
  event_id: 108
  version: 0
  level: 4
  task: 108
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T00:51:19.199741+00:00'
  event_record_id: 873
  correlation:
    ActivityID: 42D4830B-24FF-4813-B67B-31D1A7EDFA95
  execution:
    process_id: 1392
    thread_id: 15980
  channel: Microsoft-Windows-TaskScheduler/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Name: EventTriggerEvent
  TaskName: \Avira_Security_Service_SCM_Watchdog
  InstanceId: 42D4830B-24FF-4813-B67B-31D1A7EDFA95
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 109 — Task Scheduler launched ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational
Level: 4
Samples: 1

Message

Task Scheduler launched "%2"  instance of task "%1"  according to a registration trigger.

Fields

Name	Description
`Name`	—
`TaskName`	—
`InstanceId`	—

Example Event

system:
  provider: Microsoft-Windows-TaskScheduler
  guid: DE7B24EA-73C8-4A09-985D-5BDADCFA9017
  event_source_name: ''
  event_id: 109
  version: 0
  level: 4
  task: 109
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-07T16:57:17.740121+00:00'
  event_record_id: 490
  correlation:
    ActivityID: D9A56AB9-DA1B-4E8C-ABB6-0297EE74232D
  execution:
    process_id: 1528
    thread_id: 932
  channel: Microsoft-Windows-TaskScheduler/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data:
  Name: RegistrationTriggerEvent
  TaskName: \CreateExplorerShellUnelevatedTask
  InstanceId: D9A56AB9-DA1B-4E8C-ABB6-0297EE74232D
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 110 — Task Scheduler launched ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational
Level: 4
Samples: 1

Message

Task Scheduler launched "%2"  instance of task "%1"  for user "%3" .

Fields

Name	Description
`Name`	—
`TaskName`	—
`InstanceId`	—
`UserContext`	—

Example Event

system:
  provider: Microsoft-Windows-TaskScheduler
  guid: DE7B24EA-73C8-4A09-985D-5BDADCFA9017
  event_source_name: ''
  event_id: 110
  version: 0
  level: 4
  task: 110
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T01:45:55.147729+00:00'
  event_record_id: 1035
  correlation:
    ActivityID: 3F188DA8-D0E4-4751-AE11-48AA36395E99
  execution:
    process_id: 1392
    thread_id: 14340
  channel: Microsoft-Windows-TaskScheduler/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Name: TaskRunEvent
  TaskName: \Microsoft\Windows\AppID\VerifiedPublisherCertStoreCheck
  InstanceId: 3F188DA8-D0E4-4751-AE11-48AA36395E99
  UserContext: LOCAL SERVICE
message: ''

References

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd363721(v=ws.10)
Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 111 — Task Scheduler terminated ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational
Level: 4
Samples: 1

Message

Task Scheduler terminated "%2"  instance of the "%1"  task.

Fields

Name	Description
`Name`	—
`TaskName`	—
`InstanceId`	—

Example Event

system:
  provider: Microsoft-Windows-TaskScheduler
  guid: DE7B24EA-73C8-4A09-985D-5BDADCFA9017
  event_source_name: ''
  event_id: 111
  version: 0
  level: 4
  task: 111
  opcode: 103
  keywords: 9223372036854775809
  time_created: '2022-04-07T17:04:28.075331+00:00'
  event_record_id: 584
  correlation:
    ActivityID: F3FE9E7B-2EAA-4ADC-A87D-F751736AF46C
  execution:
    process_id: 1528
    thread_id: 1832
  channel: Microsoft-Windows-TaskScheduler/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data:
  Name: TaskTerminationEvent
  TaskName: \Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan
  InstanceId: F3FE9E7B-2EAA-4ADC-A87D-F751736AF46C
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 112 — Task Scheduler could not start task ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler could not start task "%1"  because the network was unavailable. User Action: Ensure the computer is connected to the required network as specified in the task. If the task does not require network presence, remove the network condition from the task configuration.

Fields

Name	Description
`TaskName`	—

Event ID 113 — Task registered task ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task registered task "%1" , but not all specified triggers will start the task. User Action: Ensure all the task triggers are valid as configured. Additional Data: Error Value: %2.

Fields

Name	Description
`TaskName`	—
`ResultCode`	—

Event ID 114 — Task Scheduler could not launch task ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational
Level: 3
Samples: 1

Message

Task Scheduler could not launch task "%1"  as scheduled. Instance "%2"  is started now as required by the configuration option to start the task when available, if schedule is missed.

Fields

Name	Description
`Name`	—
`TaskName`	—
`InstanceId`	—

Example Event

system:
  provider: Microsoft-Windows-TaskScheduler
  guid: DE7B24EA-73C8-4A09-985D-5BDADCFA9017
  event_source_name: ''
  event_id: 114
  version: 0
  level: 3
  task: 114
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T01:13:11.834762+00:00'
  event_record_id: 957
  correlation:
    ActivityID: BDD12A1E-2CB7-4353-8C11-BD828F20ABC1
  execution:
    process_id: 1392
    thread_id: 14508
  channel: Microsoft-Windows-TaskScheduler/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Name: MissedTaskLaunched
  TaskName: \Microsoft\Windows\Speech\SpeechModelDownloadTask
  InstanceId: BDD12A1E-2CB7-4353-8C11-BD828F20ABC1
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 115 — Task Scheduler failed to roll back a transaction when updating or deleting a task.

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler failed to roll back a transaction when updating or deleting a task. Additional Data: Error Value: %1.

Fields

Name	Description
`ResultCode`	—

Event ID 116 — Task Scheduler validated the configuration for task ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler validated the configuration for task "%1" , but credentials could not be stored. User Action: Re-register the task ensuring the credentials are valid. Additional Data: Error Value: %2.

Fields

Name	Description
`TaskName`	—
`ResultCode`	—

Event ID 117 — Task Scheduler launched ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler launched "%2"  instance of task "%1"  due to an idle condition.

Fields

Name	Description
`TaskName`	—
`InstanceId`	—

Event ID 118 — Task Scheduler launched ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational
Level: 4
Samples: 1

Message

Task Scheduler launched "%2"  instance of task "%1"  due to system startup.

Fields

Name	Description
`Name`	—
`TaskName`	—
`InstanceId`	—

Example Event

system:
  provider: Microsoft-Windows-TaskScheduler
  guid: DE7B24EA-73C8-4A09-985D-5BDADCFA9017
  event_source_name: ''
  event_id: 118
  version: 0
  level: 4
  task: 118
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-07T17:33:13.191335+00:00'
  event_record_id: 608
  correlation:
    ActivityID: CEC1B472-A8F7-4346-930D-03F9473C9804
  execution:
    process_id: 1528
    thread_id: 1108
  channel: Microsoft-Windows-TaskScheduler/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data:
  Name: BootTrigger
  TaskName: \Microsoft\Windows\Autochk\Proxy
  InstanceId: CEC1B472-A8F7-4346-930D-03F9473C9804
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 119 — Task Scheduler launched ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational
Level: 4
Samples: 1

Message

Task Scheduler launched "%3"  instance of task "%1" due to user "%2"  logon.

Fields

Name	Description
`Name`	—
`TaskName`	—
`UserName`	—
`InstanceId`	—

Example Event

system:
  provider: Microsoft-Windows-TaskScheduler
  guid: DE7B24EA-73C8-4A09-985D-5BDADCFA9017
  event_source_name: ''
  event_id: 119
  version: 0
  level: 4
  task: 119
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T01:13:11.548668+00:00'
  event_record_id: 948
  correlation:
    ActivityID: 7883A91A-AE57-4AD3-B9A9-F6B93677D5B6
  execution:
    process_id: 1392
    thread_id: 14508
  channel: Microsoft-Windows-TaskScheduler/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Name: LogonTrigger
  TaskName: \Microsoft\Windows\Management\Provisioning\Logon
  UserName: WINDEV2310EVAL\User
  InstanceId: 7883A91A-AE57-4AD3-B9A9-F6B93677D5B6
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 120 — Task Scheduler launched ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler launched "%3"  instance of task "%1"  due to user "%2"  connecting to the console trigger.

Fields

Name	Description
`TaskName`	—
`UserName`	—
`InstanceId`	—

Event ID 121 — Task Scheduler launched ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler launched "%3"  instance of task "%1"  due to user "%2"  disconnecting from the console trigger.

Fields

Name	Description
`TaskName`	—
`UserName`	—
`InstanceId`	—

Event ID 122 — Task Scheduler launched ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler launched "%3"  instance of task "%1"  due to user "%2"  remotely connecting trigger.

Fields

Name	Description
`TaskName`	—
`UserName`	—
`InstanceId`	—

Event ID 123 — Task Scheduler launched ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler launched "%3"  instance of task "%1"  due to user "%2"  remotely disconnecting trigger.

Fields

Name	Description
`TaskName`	—
`UserName`	—
`InstanceId`	—

Event ID 124 — Task Scheduler launched ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler launched "%3"  instance of task "%1"  due to user "%2"  locking the computer trigger.

Fields

Name	Description
`TaskName`	—
`UserName`	—
`InstanceId`	—

Event ID 125 — Task Scheduler launched ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler launched "%3"  instance of task "%1"  due to user "%2"  unlocking the computer trigger.

Fields

Name	Description
`TaskName`	—
`UserName`	—
`InstanceId`	—

Event ID 126 — Task Scheduler failed to execute task ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler failed to execute task "%1" . Attempting to restart. Additional Data: Error Value: %2.

Fields

Name	Description
`TaskName`	—
`ResultCode`	—

Event ID 127 — Task Scheduler failed to execute task ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler failed to execute task "%1"  due to a shutdown race condition. Attempting to restart.

Fields

Name	Description
`TaskName`	—

Event ID 128 — Task Scheduler did not launch task ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler did not launch task "%1" , because current time exceeds the configured task end time. User Action: Extend the end time boundary for the task if required.

Fields

Name	Description
`TaskName`	—

Event ID 129 — Task Scheduler launch task ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational
Level: 4
Samples: 1

Message

Task Scheduler launch task "%1" , instance "%2"  with process ID %3.

Fields

Name	Description
`Name`	—
`TaskName`	—
`Path`	—
`ProcessID`	—
`Priority`	—

Example Event

system:
  provider: Microsoft-Windows-TaskScheduler
  guid: DE7B24EA-73C8-4A09-985D-5BDADCFA9017
  event_source_name: ''
  event_id: 129
  version: 0
  level: 4
  task: 129
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T02:00:01.371079+00:00'
  event_record_id: 1051
  correlation: {}
  execution:
    process_id: 1392
    thread_id: 18152
  channel: Microsoft-Windows-TaskScheduler/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Name: CreatedTaskProcess
  TaskName: \Microsoft\Windows\Customer Experience Improvement Program\Consolidator
  Path: '%SystemRoot%\System32\wsqmcons.exe'
  ProcessID: 16312
  Priority: 16384
message: ''

Sigma Rules

Scheduled Task Executed From A Suspicious Location
Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task
Scheduled Task Executed Uncommon LOLBIN
Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or where it is an unusual program to be run from a Scheduled Task

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 130 — Task Scheduler failed to start task ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler failed to start task "%1" due to the service being busy.

Fields

Name	Description
`TaskName`	—
`ResultCode`	—

Event ID 131 — Task Scheduler failed to start task ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler failed to start task "%1" because the number of tasks in the task queue exceeding the quota currently configured to %2. User Action: Reduce the number of running tasks or increase the configured queue quota.

Fields

Name	Description
`TaskName`	—
`CurrentQuota`	—

Event ID 132 — Task Scheduler task launching queue quota is approaching its preset limit of tasks currently configured to %1.

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler task launching queue quota is approaching its preset limit of tasks currently configured to %1. User Action: Reduce the number of running tasks or increase the configured queue quota.

Fields

Name	Description
`CurrentQuota`	—

Event ID 133 — Task Scheduler failed to start task %1" in TaskEngine "%2" for user "%3".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler failed to start task %1" in TaskEngine "%2"  for user "%3". User Action: Reduce the number of tasks running in the specified user context.

Fields

Name	Description
`TaskName`	—
`TaskEngineName`	—
`UserName`	—

Event ID 134 — Task Engine ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Engine "%1"  for user "%2" is approaching its preset limit of tasks. User Action: Reduce the number of tasks running in the specified user context.

Fields

Name	Description
`TaskEngineName`	—
`UserName`	—

Event ID 135 — Task Scheduler could not start task ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler could not start task "%1"  because the machine was not idle.

Fields

Name	Description
`TaskName`	—

Event ID 140 — User ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational
Level: 4
Samples: 1

Message

User "%2"  updated Task Scheduler task "%1"

Fields

Name	Description
`Name`	—
`TaskName`	—
`UserName`	—

Example Event

system:
  provider: Microsoft-Windows-TaskScheduler
  guid: DE7B24EA-73C8-4A09-985D-5BDADCFA9017
  event_source_name: ''
  event_id: 140
  version: 0
  level: 4
  task: 140
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T02:00:32.944571+00:00'
  event_record_id: 1057
  correlation: {}
  execution:
    process_id: 1392
    thread_id: 16536
  channel: Microsoft-Windows-TaskScheduler/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Name: TaskUpdated
  TaskName: \Microsoft\Windows\UpdateOrchestrator\Schedule Work
  UserName: WORKGROUP\WINDEV2310EVAL$
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 141 — User ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational
Level: 4
Samples: 1

Message

User "%2"  deleted Task Scheduler task "%1"

Fields

Name	Description
`Name`	—
`TaskName`	—
`UserName`	—

Example Event

system:
  provider: Microsoft-Windows-TaskScheduler
  guid: DE7B24EA-73C8-4A09-985D-5BDADCFA9017
  event_source_name: ''
  event_id: 141
  version: 0
  level: 4
  task: 141
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T01:01:44.133714+00:00'
  event_record_id: 911
  correlation: {}
  execution:
    process_id: 1392
    thread_id: 13064
  channel: Microsoft-Windows-TaskScheduler/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Name: TaskDeleted
  TaskName: \TVInstallRestore
  UserName: WINDEV2310EVAL\User
message: ''

Sigma Rules

Important Scheduled Task Deleted
Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities

References

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348535(v=ws.10)
Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 142 — User ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

User "%2"  disabled Task Scheduler task "%1"

Fields

Name	Description
`TaskName`	—
`UserName`	—

Event ID 145 — Task Scheduler woke up the computer to run a task.

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler woke up the computer to run a task.

Event ID 146 — Task Scheduler failed to load task ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler failed to load task "%1" at service startup. Additional Data: Error Value: %2.

Fields

Name	Description
`TaskName`	—
`ResultCode`	—

Event ID 147 — Task Scheduler recovered sucessfully the image of task ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler recovered sucessfully the image of task "%1" after a corruption occured during OS upgrade.

Fields

Name	Description
`TaskName`	—

Event ID 148 — Task Scheduler failed to recover the image of task ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler failed to recover the image of task "%1" after a corruption occured during OS upgrade. Additional Data: Error Value: 0x%2.

Fields

Name	Description
`TaskName`	—
`ResultCode`	—

Event ID 149 — Task ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task "%1" is using a combination of properties that is incompatible with the scheduling engine.

Fields

Name	Description
`TaskName`	—

Event ID 150 — Task Scheduler failed to subscribe for the event trigger for task ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler failed to subscribe for the event trigger for task "%1". Additional Data: Error Value: %2.

Fields

Name	Description
`TaskName`	—
`ResultCode`	—

Event ID 151 — Task instantiation failed ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task instantiation failed "%1". Check point: %2. Error Value: %3.

Fields

Name	Description
`TaskName`	—
`LogPoint`	—
`ResultCode`	—

Event ID 152 — Task ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task "%1" was re-directed to legacy scheduling engine.

Fields

Name	Description
`TaskName`	—

Event ID 153 — Task Scheduler did not launch task ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler did not launch task "%1" as it missed its schedule. Consider using the configuration option to start the task when available, if schedule is missed.

Fields

Name	Description
`TaskName`	—

Event ID 155 — Task Scheduler is currently waiting on completion of task ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler is currently waiting on completion of task "%1".

Fields

Name	Description
`TaskPath`	—

Event ID 200 — Task Scheduler launched action ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational
Level: 4
Samples: 1

Message

Task Scheduler launched action "%2" in instance "%3" of task "%1".

Fields

Name	Description
`Name`	—
`TaskName`	—
`ActionName`	—
`TaskInstanceId`	—
`EnginePID`	—

Example Event

system:
  provider: Microsoft-Windows-TaskScheduler
  guid: DE7B24EA-73C8-4A09-985D-5BDADCFA9017
  event_source_name: ''
  event_id: 200
  version: 1
  level: 4
  task: 200
  opcode: 1
  keywords: 9223372036854775808
  time_created: '2023-11-06T02:00:01.374228+00:00'
  event_record_id: 1053
  correlation:
    ActivityID: 99F1DF4D-A460-47A9-93D3-3FF029F93E31
  execution:
    process_id: 1392
    thread_id: 18152
  channel: Microsoft-Windows-TaskScheduler/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Name: ActionStart
  TaskName: \Microsoft\Windows\Customer Experience Improvement Program\Consolidator
  ActionName: '%SystemRoot%\System32\wsqmcons.exe'
  TaskInstanceId: 99F1DF4D-A460-47A9-93D3-3FF029F93E31
  EnginePID: 16312
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 201 — Task Scheduler successfully completed task ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational
Level: 4
Samples: 1

Message

Task Scheduler successfully completed task "%1" , instance "%3" , action "%2" .

Fields

Name	Description
`Name`	—
`TaskName`	—
`TaskInstanceId`	—
`ActionName`	—
`ResultCode`	—
`EnginePID`	—

Example Event

system:
  provider: Microsoft-Windows-TaskScheduler
  guid: DE7B24EA-73C8-4A09-985D-5BDADCFA9017
  event_source_name: ''
  event_id: 201
  version: 2
  level: 4
  task: 201
  opcode: 2
  keywords: 9223372036854775808
  time_created: '2023-11-06T02:00:01.421064+00:00'
  event_record_id: 1054
  correlation:
    ActivityID: 99F1DF4D-A460-47A9-93D3-3FF029F93E31
  execution:
    process_id: 1392
    thread_id: 18152
  channel: Microsoft-Windows-TaskScheduler/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Name: ActionSuccess
  TaskName: \Microsoft\Windows\Customer Experience Improvement Program\Consolidator
  TaskInstanceId: 99F1DF4D-A460-47A9-93D3-3FF029F93E31
  ActionName: '%SystemRoot%\System32\wsqmcons.exe'
  ResultCode: 0
  EnginePID: 16312
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 202 — Task Scheduler failed to complete task ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational
Level: 2
Samples: 1

Message

Task Scheduler failed to complete task "%1" , instance "%2" , action "%3" . Additional Data: Error Value: %4.

Fields

Name	Description
`Name`	—
`TaskName`	—
`TaskInstanceId`	—
`ActionName`	—
`ResultCode`	—
`EnginePID`	—

Example Event

system:
  provider: Microsoft-Windows-TaskScheduler
  guid: DE7B24EA-73C8-4A09-985D-5BDADCFA9017
  event_source_name: ''
  event_id: 202
  version: 1
  level: 2
  task: 202
  opcode: 102
  keywords: 9223372036854775808
  time_created: '2022-04-07T17:15:16.721847+00:00'
  event_record_id: 604
  correlation:
    ActivityID: B0ED2490-E028-43FD-88A4-97F63AB32B71
  execution:
    process_id: 1528
    thread_id: 4560
  channel: Microsoft-Windows-TaskScheduler/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data:
  Name: ActionFailure
  TaskName: \Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319
  TaskInstanceId: B0ED2490-E028-43FD-88A4-97F63AB32B71
  ActionName: ''
  ResultCode: 2147946720
  EnginePID: 3796
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 203 — Task Scheduler failed to launch action ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational
Level: 2
Samples: 1

Message

Task Scheduler failed to launch action "%3" in instance "%2" of task "%1". Additional Data: Error Value: %4.

Fields

Name	Description
`Name`	—
`TaskName`	—
`TaskInstanceId`	—
`ActionName`	—
`ResultCode`	—

Example Event

system:
  provider: Microsoft-Windows-TaskScheduler
  guid: DE7B24EA-73C8-4A09-985D-5BDADCFA9017
  event_source_name: ''
  event_id: 203
  version: 0
  level: 2
  task: 203
  opcode: 101
  keywords: 9223372036854775808
  time_created: '2023-11-06T01:06:15.745198+00:00'
  event_record_id: 928
  correlation:
    ActivityID: 0EBFF706-5D1E-403C-8FEB-AA1502A28BF9
  execution:
    process_id: 1392
    thread_id: 16668
  channel: Microsoft-Windows-TaskScheduler/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Name: ActionLaunchFailure
  TaskName: \Microsoft\Windows\UpdateOrchestrator\USO_UxBroker
  TaskInstanceId: 0EBFF706-5D1E-403C-8FEB-AA1502A28BF9
  ActionName: '%systemroot%\system32\MusNotification.exe'
  ResultCode: 2147942402
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 204 — Task Scheduler failed to retrieve the event triggering values for task ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler failed to retrieve the event triggering values for task "%1" . The event will be ignored. Additional Data: Error Value: %2.

Fields

Name	Description
`TaskName`	—
`ResultCode`	—

Event ID 205 — Task Scheduler failed to match the pattern of events for task ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler failed to match the pattern of events for task "%1" . The events will be ignored. Additional Data: Error Value: %2.

Fields

Name	Description
`TaskName`	—
`ResultCode`	—

Event ID 300 — Task Scheduler started Task Engine ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler started Task Engine "%1"  with process ID %2.

Fields

Name	Description
`TaskEngineName`	—
`ProcessID`	—

Event ID 301 — Task Scheduler is shutting down Task Engine ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler is shutting down Task Engine "%1"

Fields

Name	Description
`TaskEngineName`	—

Event ID 303 — Task Scheduler is shutting down Task Engine ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler is shutting down Task Engine "%1"  due to an error in "%2" .  Additional Data: Error Value: %3.

Fields

Name	Description
`TaskEngineName`	—
`ErrorDescription`	—
`ResultCode`	—

Event ID 304 — Task Scheduler sent ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler sent "%1"  task to Task Engine "%2" . The task instance Id is "%3" .

Fields

Name	Description
`TaskName`	—
`TaskEngineName`	—
`TaskInstanceId`	—

Event ID 305 — Task Scheduler did not send ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler did not send "%1"  task to Task Engine "%2" . Additional Data: Error Value: %3.

Fields

Name	Description
`TaskName`	—
`TaskEngineName`	—
`ResultCode`	—

Event ID 306 — For Task Scheduler Task Engine ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

For Task Scheduler Task Engine "%1" , the thread pool failed to process the message. Additional Data: Error Value: %2.

Fields

Name	Description
`TaskEngineName`	—
`ResultCode`	—

Event ID 307 — Task Scheduler service failed to connect to the Task Engine ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler service failed to connect to the Task Engine "%1"  process. Additional Data: Error Value: %2.

Fields

Name	Description
`TaskEngineName`	—
`ResultCode`	—

Event ID 308 — Task Scheduler connected to the Task Engine ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler connected to the Task Engine "%1"  process.

Fields

Name	Description
`TaskEngineName`	—

Event ID 309 — Task Scheduler %1 tasks orphaned during Task Engine "%2" shutdown.

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler %1 tasks orphaned during Task Engine "%2"  shutdown. User Action: Find the process run by this task in the Task Manager and kill it manually.

Fields

Name	Description
`TaskCount`	—
`TaskEngineName`	—

Event ID 310 — Task Scheduler started Task Engine ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler started Task Engine "%1"  process. Command="%2" , ProcessID=%3, ThreadID=%4

Fields

Name	Description
`TaskEngineName`	—
`Command`	—
`ProcessID`	—
`ThreadID`	—

Event ID 311 — Task Scheduler failed to start Task Engine ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler failed to start Task Engine "%1"  process due to an error occurring in "%3" . Command="%2" . Additional Data: Error Value: %4.

Fields

Name	Description
`TaskEngineName`	—
`Command`	—
`ErrorDescription`	—
`ResultCode`	—

Event ID 312 — Task Scheduler created the Win32 job object for Task Engine ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler created the Win32 job object for Task Engine "%1" .

Fields

Name	Description
`TaskEngineName`	—

Event ID 313 — Task Scheduler channel with Task Engine ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler channel with Task Engine "%1"  is ready to send and receive messages.

Fields

Name	Description
`TaskEngineName`	—

Event ID 314 — Task Scheduler has no tasks running for Task Engine ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler has no tasks running for Task Engine "%1" , and the idle timer has started.

Fields

Name	Description
`TaskEngineName`	—

Event ID 315 — Task Engine ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Engine "%1"  process failed to connect to the Task Scheduler service. Additional Data: Error Value: %2.

Fields

Name	Description
`TaskEngineName`	—
`ResultCode`	—

Event ID 316 — Task Engine ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Engine "%1"  failed to send a message to the Task Scheduler service. Additional Data: Error Value: %2.

Fields

Name	Description
`TaskEngineName`	—
`ResultCode`	—

Event ID 317 — Task Scheduler started Task Engine ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler started Task Engine "%1"  process.

Fields

Name	Description
`TaskEngineName`	—

Event ID 318 — Task Scheduler shutdown Task Engine ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler shutdown Task Engine "%1"  process.

Fields

Name	Description
`TaskEngineName`	—

Event ID 319 — Task Engine ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Engine "%1"  received a message from Task Scheduler service requesting to launch task "%2" .

Fields

Name	Description
`TaskEngineName`	—
`TaskName`	—

Event ID 320 — Task Engine ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Engine "%1"  received a message from Task Scheduler service requesting to stop task instance "%2" .

Fields

Name	Description
`TaskEngineName`	—
`TaskInstanceId`	—

Event ID 322 — Task Scheduler did not launch task ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational
Level: 3
Samples: 1

Message

Task Scheduler did not launch task "%1"  because instance "%2"  of the same task is already running.

Fields

Name	Description
`Name`	—
`TaskName`	—
`TaskInstanceId`	—

Example Event

system:
  provider: Microsoft-Windows-TaskScheduler
  guid: DE7B24EA-73C8-4A09-985D-5BDADCFA9017
  event_source_name: ''
  event_id: 322
  version: 0
  level: 3
  task: 322
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T00:37:25.158852+00:00'
  event_record_id: 819
  correlation:
    ActivityID: 3428C28C-0C94-487C-AC7E-0E29218A38C7
  execution:
    process_id: 1392
    thread_id: 13712
  channel: Microsoft-Windows-TaskScheduler/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Name: NewInstanceIgnored
  TaskName: \Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task
  TaskInstanceId: 3428C28C-0C94-487C-AC7E-0E29218A38C7
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 323 — Task Scheduler stopped instance ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler stopped instance "%2"  of task "%1"  in order to launch new instance "%3" .

Fields

Name	Description
`TaskName`	—
`StoppedTaskInstanceId`	—
`NewTaskInstanceId`	—

Event ID 324 — Task Scheduler queued instance ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational
Level: 3
Samples: 1

Message

Task Scheduler queued instance "%2"  of task "%1"  and will launch it as soon as instance "%3"  completes.

Fields

Name	Description
`Name`	—
`TaskName`	—
`QueuedTaskInstanceId`	—
`RunningTaskInstanceId`	—

Example Event

system:
  provider: Microsoft-Windows-TaskScheduler
  guid: DE7B24EA-73C8-4A09-985D-5BDADCFA9017
  event_source_name: ''
  event_id: 324
  version: 0
  level: 3
  task: 324
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T01:41:42.776465+00:00'
  event_record_id: 999
  correlation:
    ActivityID: A0104592-5DBE-4AC7-B2A0-2CB2CC5B61A3
  execution:
    process_id: 1392
    thread_id: 12756
  channel: Microsoft-Windows-TaskScheduler/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Name: NewInstanceQueued
  TaskName: \microsoft\windows\applicationdata\appuriverifierinstall
  QueuedTaskInstanceId: A0104592-5DBE-4AC7-B2A0-2CB2CC5B61A3
  RunningTaskInstanceId: B5155744-8897-4FDF-AC62-B9A099F510CF
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 325 — Task Scheduler queued instance ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational
Level: 3
Samples: 1

Message

Task Scheduler queued instance "%2"  of task "%1".

Fields

Name	Description
`Name`	—
`TaskName`	—
`QueuedTaskInstanceId`	—

Example Event

system:
  provider: Microsoft-Windows-TaskScheduler
  guid: DE7B24EA-73C8-4A09-985D-5BDADCFA9017
  event_source_name: ''
  event_id: 325
  version: 0
  level: 3
  task: 325
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T00:55:40.184688+00:00'
  event_record_id: 895
  correlation:
    ActivityID: 8C63C2B3-9A13-4121-9DF4-C0123018D079
  execution:
    process_id: 1392
    thread_id: 12608
  channel: Microsoft-Windows-TaskScheduler/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Name: TaskInstanceQueued
  TaskName: \Avira_Security_Systray
  QueuedTaskInstanceId: 8C63C2B3-9A13-4121-9DF4-C0123018D079
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 326 — Task Scheduler did not launch task ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler did not launch task "%1"  because computer is running on batteries. User Action: If launching the task on batteries is required, change the respective flag in the task configuration.

Fields

Name	Description
`TaskName`	—

Event ID 327 — Task Scheduler stopped instance ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler stopped instance "%2"  of task "%1"  because the computer is switching to battery power.

Fields

Name	Description
`TaskName`	—
`TaskInstanceId`	—

Event ID 328 — Task Scheduler stopped instance ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler stopped instance "%2"  of task "%1"  because computer is no longer idle.

Fields

Name	Description
`TaskName`	—
`TaskInstanceId`	—

Event ID 329 — Task Scheduler terminated ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational
Level: 4
Samples: 1

Message

Task Scheduler terminated "%2"  instance of the "%1"  task due to exceeding the time allocated for execution, as configured in the task definition. User Action: Increase the configured task timeout or investigate external reasons for the delay.

Fields

Name	Description
`Name`	—
`TaskName`	—
`TaskInstanceId`	—

Example Event

system:
  provider: Microsoft-Windows-TaskScheduler
  guid: DE7B24EA-73C8-4A09-985D-5BDADCFA9017
  event_source_name: ''
  event_id: 329
  version: 0
  level: 4
  task: 329
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T00:39:49.792094+00:00'
  event_record_id: 825
  correlation:
    ActivityID: 83261A6E-4DC3-414F-BFB6-8B4046A8C7BC
  execution:
    process_id: 1392
    thread_id: 12576
  channel: Microsoft-Windows-TaskScheduler/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Name: StoppedOnTimeout
  TaskName: \Microsoft\Windows\Flighting\OneSettings\RefreshCache
  TaskInstanceId: 83261A6E-4DC3-414F-BFB6-8B4046A8C7BC
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 330 — Task Scheduler stopped instance ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational
Level: 4
Samples: 1

Message

Task Scheduler stopped instance "%2"  of task "%1"  as request by user "%3" .

Fields

Name	Description
`Name`	—
`TaskName`	—
`TaskInstanceId`	—
`UserContext`	—

Example Event

system:
  provider: Microsoft-Windows-TaskScheduler
  guid: DE7B24EA-73C8-4A09-985D-5BDADCFA9017
  event_source_name: ''
  event_id: 330
  version: 0
  level: 4
  task: 330
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-07T17:04:28.074982+00:00'
  event_record_id: 581
  correlation:
    ActivityID: F3FE9E7B-2EAA-4ADC-A87D-F751736AF46C
  execution:
    process_id: 1528
    thread_id: 1832
  channel: Microsoft-Windows-TaskScheduler/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data:
  Name: StoppedOnRequest
  TaskName: \Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan
  TaskInstanceId: F3FE9E7B-2EAA-4ADC-A87D-F751736AF46C
  UserContext: NT AUTHORITY\SYSTEM
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 331 — Task Scheduler will continue to execute Instance ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler will continue to execute Instance "%2"  of task "%1"  even after the designated timeout, due to a failure to create the timeout mechanism. Additional Data: Error Value: %3.

Fields

Name	Description
`TaskName`	—
`TaskInstanceId`	—
`ResultCode`	—

Event ID 332 — Task Scheduler did not launch task ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational
Level: 3
Samples: 1

Message

Task Scheduler did not launch task "%1"  because user "%2" was not logged on when the launching conditions were met. User Action: Ensure user is logged on or change the task definition to allow launching when user is logged off.

Fields

Name	Description
`Name`	—
`TaskName`	—
`UserName`	—

Example Event

system:
  provider: Microsoft-Windows-TaskScheduler
  guid: DE7B24EA-73C8-4A09-985D-5BDADCFA9017
  event_source_name: ''
  event_id: 332
  version: 0
  level: 3
  task: 332
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T01:13:11.824978+00:00'
  event_record_id: 956
  correlation: {}
  execution:
    process_id: 1392
    thread_id: 14508
  channel: Microsoft-Windows-TaskScheduler/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Name: NoStartUserNotLogged
  TaskName: \Microsoft\VisualStudio\Updates\BackgroundDownload
  UserName: WINDEV2310EVAL\Administrator
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 333 — Task Scheduler did not launch task ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler did not launch task "%1"  because target session is RemoteApp session. User Action: If launching the task on RemoteApp sessions is required, change the respective flag in the task configuration.

Fields

Name	Description
`TaskName`	—

Event ID 334 — Task Scheduler did not launch task ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler did not launch task "%1"  because target session is a WORKER session.

Fields

Name	Description
`TaskName`	—

Event ID 400 — Task Scheduler service has started.

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational
Level: 4
Samples: 1

Message

Task Scheduler service has started.

Fields

Name	Description
`Name`	—

Example Event

system:
  provider: Microsoft-Windows-TaskScheduler
  guid: DE7B24EA-73C8-4A09-985D-5BDADCFA9017
  event_source_name: ''
  event_id: 400
  version: 0
  level: 4
  task: 400
  opcode: 1
  keywords: 9223372036854775808
  time_created: '2022-04-07T16:53:13.896426+00:00'
  event_record_id: 407
  correlation: {}
  execution:
    process_id: 1528
    thread_id: 1544
  channel: Microsoft-Windows-TaskScheduler/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data:
  Name: ServiceStartEvent
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 401 — Task Scheduler service failed to start due to an error in ".

Provider: Microsoft-Windows-TaskScheduler
Channel: System

Message

Task Scheduler service failed to start due to an error in "%1" . Additional Data: Error Value: %2.

Fields

Name	Description
`ErrorDescription`	—
`ResultCode`	—

Event ID 402 — Task Scheduler service is shutting down.

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational
Level: 4
Samples: 1

Message

Task Scheduler service is shutting down.

Fields

Name	Description
`Name`	—

Example Event

system:
  provider: Microsoft-Windows-TaskScheduler
  guid: DE7B24EA-73C8-4A09-985D-5BDADCFA9017
  event_source_name: ''
  event_id: 402
  version: 0
  level: 4
  task: 402
  opcode: 2
  keywords: 9223372036854775808
  time_created: '2022-04-07T08:38:25.808031+00:00'
  event_record_id: 405
  correlation: {}
  execution:
    process_id: 1536
    thread_id: 1644
  channel: Microsoft-Windows-TaskScheduler/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data:
  Name: ServiceStopEvent
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 403 — Task Scheduler service has encountered an error in ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler service has encountered an error in "%1" . Additional Data: Error Value: %2.

Fields

Name	Description
`ErrorDescription`	—
`ResultCode`	—

Event ID 404 — Task Scheduler service has encountered RPC initialization error in ".

Provider: Microsoft-Windows-TaskScheduler
Channel: System

Message

Task Scheduler service has encountered RPC initialization error in "%1". Additional Data: Error Value: %2.

Fields

Name	Description
`ErrorDescription`	—
`ResultCode`	—

Event ID 405 — Task Scheduler service has failed to initialize COM.

Provider: Microsoft-Windows-TaskScheduler
Channel: System

Message

Task Scheduler service has failed to initialize COM. Additional Data: Error Value: %1.

Fields

Name	Description
`ResultCode`	—

Event ID 406 — Task Scheduler service failed to initialize credentials store.

Provider: Microsoft-Windows-TaskScheduler
Channel: System

Message

Task Scheduler service failed to initialize credentials store. Additional Data: Error Value: %1.

Fields

Name	Description
`ResultCode`	—

Event ID 407 — Task Scheduler service failed to initialize LSA.

Provider: Microsoft-Windows-TaskScheduler
Channel: System

Message

Task Scheduler service failed to initialize LSA. Additional Data: Error Value: %1.

Fields

Name	Description
`ResultCode`	—

Event ID 408 — Task Scheduler service failed to initialize idle state detection module.

Provider: Microsoft-Windows-TaskScheduler
Channel: System

Message

Task Scheduler service failed to initialize idle state detection module. Idle tasks may not be started as required. Additional Data: Error Value: %1.

Fields

Name	Description
`ResultCode`	—

Event ID 409 — Task Scheduler service failed to initialize time change notification.

Provider: Microsoft-Windows-TaskScheduler
Channel: System

Message

Task Scheduler service failed to initialize time change notification. System time updates may not be picked by the service and task schedules may not be updated. Additional Data: Error Value: %1.

Fields

Name	Description
`ResultCode`	—

Event ID 410 — Task Scheduler service failed to set a wakeup timer.

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler service failed to set a wakeup timer. As a result, some scheduled tasks may not run while the system is suspended. Additional Data: Error Value: %1.

Fields

Name	Description
`ResultCode`	—

Event ID 411 — Task Scheduler service received a time system change notification.

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Scheduler service received a time system change notification.

Event ID 412 — Task Scheduler service failed to launch tasks triggered by computer startup.

Provider: Microsoft-Windows-TaskScheduler
Channel: System

Message

Task Scheduler service failed to launch tasks triggered by computer startup. Additional Data: Error Value: %1.

Fields

Name	Description
`ResultCode`	—

Event ID 413 — Task Scheduler service failed to load tasks at service startup.

Provider: Microsoft-Windows-TaskScheduler
Channel: System

Message

Task Scheduler service failed to load tasks at service startup. Additional Data: Error Value: %1.

Fields

Name	Description
`ResultCode`	—

Event ID 414 — Task Scheduler service found a misconfiguration in the %1 definition.

Provider: Microsoft-Windows-TaskScheduler
Channel: System

Message

Task Scheduler service found a misconfiguration in the %1 definition. Additional Data: Error Value: %2.

Fields

Name	Description
`TaskName`	—
`Parameter`	—

Event ID 500 — Process ID %2 has registered idle task ID %1.

Provider: Microsoft-Windows-TaskScheduler
Channel: Diagnostic

Message

Process ID %2 has registered idle task ID %1.

Fields

Name	Description
`IdleTaskId`	—
`ProcessId`	—

Event ID 501 — Process ID %2 has completed idle task ID %1.

Provider: Microsoft-Windows-TaskScheduler
Channel: Diagnostic

Message

Process ID %2 has completed idle task ID %1.

Fields

Name	Description
`IdleTaskId`	—
`ProcessId`	—

Event ID 502 — Execution of idle task ID %1 has started.

Provider: Microsoft-Windows-TaskScheduler
Channel: Diagnostic

Message

Execution of idle task ID %1 has started.

Fields

Name	Description
`IdleTaskId`	—
`ProcessId`	—

Event ID 503 — Execution of idle task ID %1 has ended.

Provider: Microsoft-Windows-TaskScheduler
Channel: Diagnostic

Message

Execution of idle task ID %1 has ended.

Fields

Name	Description
`IdleTaskId`	—
`ProcessId`	—

Event ID 504 — Idle task ID %1 has been notified that explicit processing has been requested.

Provider: Microsoft-Windows-TaskScheduler
Channel: Diagnostic

Message

Idle task ID %1 has been notified that explicit processing has been requested.

Fields

Name	Description
`IdleTaskId`	—
`ProcessId`	—

Event ID 505 — Idle task ID %1 has returned from its explicit processing notification.

Provider: Microsoft-Windows-TaskScheduler
Channel: Diagnostic

Message

Idle task ID %1 has returned from its explicit processing notification.

Fields

Name	Description
`IdleTaskId`	—
`ProcessId`	—

Event ID 506 — Explicit execution of all idle tasks has been requested.

Provider: Microsoft-Windows-TaskScheduler
Channel: Diagnostic

Message

Explicit execution of all idle tasks has been requested.

Event ID 507 — Explicit execution of all idle tasks has completed.

Provider: Microsoft-Windows-TaskScheduler
Channel: Diagnostic

Message

Explicit execution of all idle tasks has completed.

Event ID 508 — Explicit execution of all idle tasks is in progress.

Provider: Microsoft-Windows-TaskScheduler
Channel: Diagnostic

Message

Explicit execution of all idle tasks is in progress.

Event ID 509 — Idle Task Power Notification Received: %1 (%2).

Provider: Microsoft-Windows-TaskScheduler
Channel: Diagnostic

Message

Idle Task Power Notification Received: %1 (%2)

Fields

Name	Description
`NotificationType`	—
`State`	—

Event ID 510 —

Provider: Microsoft-Windows-TaskScheduler
Channel: Diagnostic

Fields

Name	Description
`NoIdleReason`	—
`DATA1`	—
`DATA2`	—

Event ID 511 —

Provider: Microsoft-Windows-TaskScheduler
Channel: Diagnostic

Fields

Name	Description
`TimeSinceUserNotPresent`	—
`DATA`	—

Event ID 512 — Idle check point: State %1, Reason %2.

Provider: Microsoft-Windows-TaskScheduler
Channel: Diagnostic

Message

Idle check point: State %1, Reason %2.

Fields

Name	Description
`DetectionResult`	—
`Reason`	—

Event ID 700 — Task Scheduler service started Task Compatibility module.

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational
Level: 4
Samples: 1

Message

Task Scheduler service started Task Compatibility module.

Fields

Name	Description
`Name`	—

Example Event

system:
  provider: Microsoft-Windows-TaskScheduler
  guid: DE7B24EA-73C8-4A09-985D-5BDADCFA9017
  event_source_name: ''
  event_id: 700
  version: 0
  level: 4
  task: 700
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-07T16:53:13.090470+00:00'
  event_record_id: 406
  correlation: {}
  execution:
    process_id: 1528
    thread_id: 1544
  channel: Microsoft-Windows-TaskScheduler/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data:
  Name: CompatibilityAdapterLaunch
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 701 — Task Scheduler service failed to start Task Compatibility module.

Provider: Microsoft-Windows-TaskScheduler
Channel: System

Message

Task Scheduler service failed to start Task Compatibility module. Tasks may not be able to register on previous Window versions. Additional Data: Error Value: %1.

Fields

Name	Description
`ResultCode`	—

Event ID 702 — Task Scheduler failed to initialize the RPC server for starting the Task Compatibility module.

Provider: Microsoft-Windows-TaskScheduler
Channel: System

Message

Task Scheduler failed to initialize the RPC server for starting the Task Compatibility module. Tasks may not be able to register on previous Window versions. Additional Data: Error Value: %1.

Fields

Name	Description
`ResultCode`	—

Event ID 703 — Task Scheduler failed to initialize Net Schedule API for starting the Task Compatibility module.

Provider: Microsoft-Windows-TaskScheduler
Channel: System

Message

Task Scheduler failed to initialize Net Schedule API for starting the Task Compatibility module. Tasks may not be able to register on previous Window versions. Additional Data: Error Value: %1.

Fields

Name	Description
`ResultCode`	—

Event ID 704 — Task Scheduler failed to initialize LSA for starting the Task Compatibility module.

Provider: Microsoft-Windows-TaskScheduler
Channel: System

Message

Task Scheduler failed to initialize LSA for starting the Task Compatibility module. Tasks may not be able to register on previous Window versions. Additional Data: Error Value: %1.

Fields

Name	Description
`ResultCode`	—

Event ID 705 — Task Scheduler failed to start directory monitoring for the Task Compatibility module.

Provider: Microsoft-Windows-TaskScheduler
Channel: System

Message

Task Scheduler failed to start directory monitoring for the Task Compatibility module. Additional Data: Error Value: %1.

Fields

Name	Description
`ResultCode`	—

Event ID 706 — Task Compatibility module failed to update task ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Compatibility module failed to update task "%1"  to the required status %2. Additional Data: Error Value: %3.

Fields

Name	Description
`TaskName`	—
`TaskStatus`	—
`ResultCode`	—

Event ID 707 — Task Compatibility module failed to delete task ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Compatibility module failed to delete task "%1" . Additional Data: Error Value: %2.

Fields

Name	Description
`TaskName`	—
`ResultCode`	—

Event ID 708 — Task Compatibility module failed to set security descriptor ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Compatibility module failed to set security descriptor "%1"  for task "%2" . Additional Data: Error Value: %3.

Fields

Name	Description
`SecurityDescriptor`	—
`TaskName`	—
`ResultCode`	—

Event ID 709 — Task Compatibility module failed to update task ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Compatibility module failed to update task "%1" . Additional Data: Error Value: %2.

Fields

Name	Description
`TaskName`	—
`ResultCode`	—

Event ID 710 — Task Compatibility module failed to upgrade existing tasks.

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Compatibility module failed to upgrade existing tasks. Upgrade will be attempted again next time 'Task Scheduler' service starts. Additional Data: Error Value: %1.

Fields

Name	Description
`ResultCode`	—

Event ID 711 — Task Compatibility module failed to upgrade NetSchedule account ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Compatibility module failed to upgrade NetSchedule account "%1" . Additional Data: Error Value: %2.

Fields

Name	Description
`Account`	—
`ResultCode`	—

Event ID 712 — Task Compatibility module failed to read existing store to upgrade tasks.

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Compatibility module failed to read  existing store to upgrade tasks. Additional Data: Error Value: %1.

Fields

Name	Description
`ResultCode`	—

Event ID 713 — Task Compatibility module failed to load task ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Compatibility module failed to load task  "%1" for upgrade. Additional Data: Error Value: %2.

Fields

Name	Description
`TaskName`	—
`ResultCode`	—

Event ID 714 — Task Compatibility module failed to register task ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Compatibility module failed to register  task  "%1" for upgrade. Additional Data: Error Value: %2.

Fields

Name	Description
`TaskName`	—
`ResultCode`	—

Event ID 715 — Task Compatibility module failed to delete LSA store for upgrade.

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Compatibility module failed to delete  LSA store for upgrade. Additional Data: Error Value: %1.

Fields

Name	Description
`ResultCode`	—

Event ID 716 — Task Compatibility module failed to upgrade existing scheduled tasks.

Provider: Microsoft-Windows-TaskScheduler
Channel: System

Message

Task Compatibility module failed to upgrade existing scheduled tasks. Additional Data: Error Value: %1.

Fields

Name	Description
`ResultCode`	—

Event ID 717 — Task Compatibility module failed to determine if upgrade is needed.

Provider: Microsoft-Windows-TaskScheduler
Channel: Operational

Message

Task Compatibility module failed to determine if upgrade is needed. Additional Data: Error Value: %1.

Fields

Name	Description
`ResultCode`	—

Event ID 718 — Task scheduler was unable to upgrade the credential store from the Beta 2 version.

Provider: Microsoft-Windows-TaskScheduler
Channel: System

Message

Task scheduler was unable to upgrade the credential store from the Beta 2 version.  You may need to re-register any tasks that require passwords. Additional Data: Error Value: %1.

Fields

Name	Description
`ResultCode`	—

Event ID 719 — To help optimize for performance, Task Scheduler has automatically disabled logging.

Provider: Microsoft-Windows-TaskScheduler
Channel: System

Message

To help optimize for performance, Task Scheduler has automatically disabled logging. To re-enable logging, please use Event Viewer.

Event ID 800 — Maintenance state changed to %1 (Last Run: %2).

Provider: Microsoft-Windows-TaskScheduler
Channel: Maintenance
Level: 4
Samples: 1

Message

Maintenance state changed to %1 (Last Run: %2).

Fields

Name	Description
`Name`	—
`hc_stateid`	—
`LastRunDateTime`	—

Example Event

system:
  provider: Microsoft-Windows-TaskScheduler
  guid: DE7B24EA-73C8-4A09-985D-5BDADCFA9017
  event_source_name: ''
  event_id: 800
  version: 0
  level: 4
  task: 800
  opcode: 0
  keywords: 576460752303423488
  time_created: '2023-11-05T22:27:35.111632+00:00'
  event_record_id: 20
  correlation: {}
  execution:
    process_id: 1880
    thread_id: 1568
  channel: Microsoft-Windows-TaskScheduler/Maintenance
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Name: MaintenanceStateChanged
  hc_stateid: 1
  LastRunDateTime: ‎11/‎5/‎2023 2:27 PM
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 801 — Maintenance launch operation failed.

Provider: Microsoft-Windows-TaskScheduler
Channel: Maintenance

Message

Maintenance launch operation failed. Additional error info: %1.

Fields

Name	Description
`ErrorCode`	—

Event ID 802 — Maintenance re-configuration failed.

Provider: Microsoft-Windows-TaskScheduler
Channel: Maintenance

Message

Maintenance re-configuration failed. Additional error info: %1.

Fields

Name	Description
`ErrorCode`	—

Event ID 803 — Maintenance Scheduler engine task ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Maintenance

Message

Maintenance Scheduler engine task "%1" cannot be accessed. Additional error info: %2.

Fields

Name	Description
`Task`	—
`ErrorCode`	—

Event ID 804 — Maintenance Scheduler has detected cyclic dependency for the following maintenance tasks.

Provider: Microsoft-Windows-TaskScheduler
Channel: Maintenance

Message

Maintenance Scheduler has detected cyclic dependency for the following maintenance tasks: %1.

Fields

Name	Description
`Task`	—

Event ID 805 — Maintenance Task ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Maintenance

Message

Maintenance Task "%1" is behind deadline.

Fields

Name	Description
`Task`	—

Event ID 806 — Maintenance task ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Maintenance

Message

Maintenance task "%1" processing error. Additional error info %2.

Fields

Name	Description
`Task`	—
`InfoCode`	—

Event ID 807 — Maintenance complete (launch type %1).

Provider: Microsoft-Windows-TaskScheduler
Channel: Maintenance

Message

Maintenance complete (launch type %1).

Fields

Name	Description
`LauncherId`	—

Event ID 808 — Maintenance Task ".

Provider: Microsoft-Windows-TaskScheduler
Channel: Maintenance
Level: 3
Samples: 1

Message

Maintenance Task "%1" requests computer wakeup during next regular maintenance run.

Fields

Name	Description
`Name`	—
`Task`	—

Example Event

system:
  provider: Microsoft-Windows-TaskScheduler
  guid: DE7B24EA-73C8-4A09-985D-5BDADCFA9017
  event_source_name: ''
  event_id: 808
  version: 0
  level: 3
  task: 808
  opcode: 0
  keywords: 576460752303423488
  time_created: '2023-10-26T04:22:01.225790+00:00'
  event_record_id: 5
  correlation: {}
  execution:
    process_id: 1860
    thread_id: 2172
  channel: Microsoft-Windows-TaskScheduler/Maintenance
  computer: WinDevEval
  security:
    user_id: S-1-5-18
event_data:
  Name: MaintenanceTaskWakeupRequested
  Task: NT TASK\Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 Critical
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 809 — Maintenance Scheduler Group Policy Settings are not properly specified for ".

Provider: Microsoft-Windows-TaskScheduler
Channel: System

Message

Maintenance Scheduler Group Policy Settings are not properly specified for "%1". Default settings are being used.

Fields

Name	Description
`FailureReason`	—

Event ID 998 — DEBUG!

Provider: Microsoft-Windows-TaskScheduler
Channel: Debug

Message

DEBUG! (%3:%4) "%1" failed. (%2).

Fields

Name	Description
`Name`	—
`HRESULT`	—
`File`	—
`Line`	—

Event ID 999 — DEBUG!

Provider: Microsoft-Windows-TaskScheduler
Channel: Debug

Message

DEBUG! "%1".

Fields

Name	Description
`String`	—