Microsoft-Windows-TaskScheduler
148 events across 5 channels
Event ID 100 — Task Scheduler started "UserContext" instance of the "Name" task for user "TaskName".
#Description
Task Scheduler started "UserContext" instance of the "Name" task for user "TaskName".
Fields #
| Name | Type | Description |
|---|---|---|
| Name | — | — |
| TaskName | UnicodeString | — |
| UserContext | UnicodeString | — |
| InstanceId | GUID | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TaskScheduler",
"guid": "DE7B24EA-73C8-4A09-985D-5BDADCFA9017",
"event_source_name": "",
"event_id": 100,
"version": 0,
"level": 4,
"task": 100,
"opcode": 1,
"keywords": 9223372036854775809,
"time_created": "2023-11-06T02:00:01.374223+00:00",
"event_record_id": 1052,
"correlation": {
"ActivityID": "99F1DF4D-A460-47A9-93D3-3FF029F93E31"
},
"execution": {
"process_id": 1392,
"thread_id": 18152
},
"channel": "Microsoft-Windows-TaskScheduler/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Name": "TaskStartEvent",
"TaskName": "\\Microsoft\\Windows\\Customer Experience Improvement Program\\Consolidator",
"UserContext": "NT AUTHORITY\\SYSTEM",
"InstanceId": "99F1DF4D-A460-47A9-93D3-3FF029F93E31"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 101 — Task Scheduler failed to start "Name" task for user "TaskName".
#Description
Task Scheduler failed to start "Name" task for user "TaskName". Additional Data: Error Value: UserContext.
Fields #
| Name | Type | Description |
|---|---|---|
| Name | — | — |
| TaskName | UnicodeString | — |
| UserContext | UnicodeString | — |
| ResultCode | UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TaskScheduler",
"guid": "DE7B24EA-73C8-4A09-985D-5BDADCFA9017",
"event_source_name": "",
"event_id": 101,
"version": 0,
"level": 2,
"task": 101,
"opcode": 101,
"keywords": 9223372036854775809,
"time_created": "2023-11-06T01:06:15.745482+00:00",
"event_record_id": 929,
"correlation": {},
"execution": {
"process_id": 1392,
"thread_id": 16668
},
"channel": "Microsoft-Windows-TaskScheduler/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Name": "TaskStartFailedEvent",
"TaskName": "\\Microsoft\\Windows\\UpdateOrchestrator\\USO_UxBroker",
"UserContext": "NT AUTHORITY\\SYSTEM",
"ResultCode": 2147942402
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 102 — Task Scheduler successfully finished "UserContext" instance of the "Name" task for user "TaskName".
#Description
Task Scheduler successfully finished "UserContext" instance of the "Name" task for user "TaskName".
Fields #
| Name | Type | Description |
|---|---|---|
| Name | — | — |
| TaskName | UnicodeString | — |
| UserContext | UnicodeString | — |
| InstanceId | GUID | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TaskScheduler",
"guid": "DE7B24EA-73C8-4A09-985D-5BDADCFA9017",
"event_source_name": "",
"event_id": 102,
"version": 0,
"level": 4,
"task": 102,
"opcode": 2,
"keywords": 9223372036854775809,
"time_created": "2023-11-06T02:00:01.421291+00:00",
"event_record_id": 1055,
"correlation": {
"ActivityID": "99F1DF4D-A460-47A9-93D3-3FF029F93E31"
},
"execution": {
"process_id": 1392,
"thread_id": 18152
},
"channel": "Microsoft-Windows-TaskScheduler/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Name": "TaskSuccessEvent",
"TaskName": "\\Microsoft\\Windows\\Customer Experience Improvement Program\\Consolidator",
"UserContext": "NT AUTHORITY\\SYSTEM",
"InstanceId": "99F1DF4D-A460-47A9-93D3-3FF029F93E31"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 103 — Task Scheduler failed to start instance "TaskName" of "Name" task for user "InstanceId" .
#Description
Task Scheduler failed to start instance "TaskName" of "Name" task for user "InstanceId" . Additional Data: Error Value: UserContext.
Fields #
| Name | Type | Description |
|---|---|---|
| Name | — | — |
| TaskName | UnicodeString | — |
| InstanceId | GUID | — |
| UserContext | UnicodeString | — |
| ResultCode | UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TaskScheduler",
"guid": "DE7B24EA-73C8-4A09-985D-5BDADCFA9017",
"event_source_name": "",
"event_id": 103,
"version": 0,
"level": 2,
"task": 103,
"opcode": 102,
"keywords": 9223372036854775809,
"time_created": "2022-04-07T17:15:16.721848+00:00",
"event_record_id": 605,
"correlation": {
"ActivityID": "B0ED2490-E028-43FD-88A4-97F63AB32B71"
},
"execution": {
"process_id": 1528,
"thread_id": 4560
},
"channel": "Microsoft-Windows-TaskScheduler/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Name": "TaskFailureEvent",
"TaskName": "\\Microsoft\\Windows\\.NET Framework\\.NET Framework NGEN v4.0.30319",
"InstanceId": "B0ED2490-E028-43FD-88A4-97F63AB32B71",
"UserContext": "NT AUTHORITY\\SYSTEM",
"ResultCode": 2147946720
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 104 — Task Scheduler failed to log on "UserName" .
Description
Task Scheduler failed to log on "UserName" . Failure occurred in "ErrorDescription" . User Action: Ensure the credentials for the task are correctly specified. Additional Data: Error Value: ResultCode.
Fields #
| Name | Type | Description |
|---|---|---|
| UserName | UnicodeString | — |
| ErrorDescription | UnicodeString | — |
| ResultCode | UInt32 | — |
Event ID 105 — Task Scheduler failed to impersonate "Context" .
Event ID 106 — User "TaskName" registered Task Scheduler task "Name".
#Description
User "TaskName" registered Task Scheduler task "Name".
Fields #
| Name | Type | Description |
|---|---|---|
| Name | — | — |
| TaskName | UnicodeString | — |
| UserContext | UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TaskScheduler",
"guid": "DE7B24EA-73C8-4A09-985D-5BDADCFA9017",
"event_source_name": "",
"event_id": 106,
"version": 0,
"level": 4,
"task": 106,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T01:50:56.574711+00:00",
"event_record_id": 1046,
"correlation": {},
"execution": {
"process_id": 1392,
"thread_id": 17484
},
"channel": "Microsoft-Windows-TaskScheduler/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Name": "TaskRegisteredEvent",
"TaskName": "\\Mozilla\\Firefox Background Update 308046B0AF4A39CB",
"UserContext": "WINDEV2310EVAL\\User"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd363640(v=ws.10)
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 107 — Task Scheduler launched "TaskName" instance of task "Name" due to a time trigger condition.
#Description
Task Scheduler launched "TaskName" instance of task "Name" due to a time trigger condition.
Fields #
| Name | Type | Description |
|---|---|---|
| Name | — | — |
| TaskName | UnicodeString | — |
| InstanceId | GUID | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TaskScheduler",
"guid": "DE7B24EA-73C8-4A09-985D-5BDADCFA9017",
"event_source_name": "",
"event_id": 107,
"version": 0,
"level": 4,
"task": 107,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T02:00:01.223731+00:00",
"event_record_id": 1050,
"correlation": {
"ActivityID": "99F1DF4D-A460-47A9-93D3-3FF029F93E31"
},
"execution": {
"process_id": 1392,
"thread_id": 18152
},
"channel": "Microsoft-Windows-TaskScheduler/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Name": "TimeTriggerEvent",
"TaskName": "\\Microsoft\\Windows\\Customer Experience Improvement Program\\Consolidator",
"InstanceId": "99F1DF4D-A460-47A9-93D3-3FF029F93E31"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 108 — Task Scheduler launched "TaskName" instance of task "Name" according to an event trigger.
#Description
Task Scheduler launched "TaskName" instance of task "Name" according to an event trigger.
Fields #
| Name | Type | Description |
|---|---|---|
| Name | — | — |
| TaskName | UnicodeString | — |
| InstanceId | GUID | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TaskScheduler",
"guid": "DE7B24EA-73C8-4A09-985D-5BDADCFA9017",
"event_source_name": "",
"event_id": 108,
"version": 0,
"level": 4,
"task": 108,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T00:51:19.199741+00:00",
"event_record_id": 873,
"correlation": {
"ActivityID": "42D4830B-24FF-4813-B67B-31D1A7EDFA95"
},
"execution": {
"process_id": 1392,
"thread_id": 15980
},
"channel": "Microsoft-Windows-TaskScheduler/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Name": "EventTriggerEvent",
"TaskName": "\\Avira_Security_Service_SCM_Watchdog",
"InstanceId": "42D4830B-24FF-4813-B67B-31D1A7EDFA95"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 109 — Task Scheduler launched "TaskName" instance of task "Name" according to a registration trigger.
#Description
Task Scheduler launched "TaskName" instance of task "Name" according to a registration trigger.
Fields #
| Name | Type | Description |
|---|---|---|
| Name | — | — |
| TaskName | UnicodeString | — |
| InstanceId | GUID | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TaskScheduler",
"guid": "DE7B24EA-73C8-4A09-985D-5BDADCFA9017",
"event_source_name": "",
"event_id": 109,
"version": 0,
"level": 4,
"task": 109,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2022-04-07T16:57:17.740121+00:00",
"event_record_id": 490,
"correlation": {
"ActivityID": "D9A56AB9-DA1B-4E8C-ABB6-0297EE74232D"
},
"execution": {
"process_id": 1528,
"thread_id": 932
},
"channel": "Microsoft-Windows-TaskScheduler/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Name": "RegistrationTriggerEvent",
"TaskName": "\\CreateExplorerShellUnelevatedTask",
"InstanceId": "D9A56AB9-DA1B-4E8C-ABB6-0297EE74232D"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 110 — Task Scheduler launched "TaskName" instance of task "Name" for user "InstanceId" .
#Description
Task Scheduler launched "TaskName" instance of task "Name" for user "InstanceId" .
Fields #
| Name | Type | Description |
|---|---|---|
| Name | — | — |
| TaskName | UnicodeString | — |
| InstanceId | GUID | — |
| UserContext | UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TaskScheduler",
"guid": "DE7B24EA-73C8-4A09-985D-5BDADCFA9017",
"event_source_name": "",
"event_id": 110,
"version": 0,
"level": 4,
"task": 110,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T01:45:55.147729+00:00",
"event_record_id": 1035,
"correlation": {
"ActivityID": "3F188DA8-D0E4-4751-AE11-48AA36395E99"
},
"execution": {
"process_id": 1392,
"thread_id": 14340
},
"channel": "Microsoft-Windows-TaskScheduler/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Name": "TaskRunEvent",
"TaskName": "\\Microsoft\\Windows\\AppID\\VerifiedPublisherCertStoreCheck",
"InstanceId": "3F188DA8-D0E4-4751-AE11-48AA36395E99",
"UserContext": "LOCAL SERVICE"
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd363721(v=ws.10)
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 111 — Task Scheduler terminated "TaskName" instance of the "Name" task.
#Description
Task Scheduler terminated "TaskName" instance of the "Name" task.
Fields #
| Name | Type | Description |
|---|---|---|
| Name | — | — |
| TaskName | UnicodeString | — |
| InstanceId | GUID | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TaskScheduler",
"guid": "DE7B24EA-73C8-4A09-985D-5BDADCFA9017",
"event_source_name": "",
"event_id": 111,
"version": 0,
"level": 4,
"task": 111,
"opcode": 103,
"keywords": 9223372036854775809,
"time_created": "2022-04-07T17:04:28.075331+00:00",
"event_record_id": 584,
"correlation": {
"ActivityID": "F3FE9E7B-2EAA-4ADC-A87D-F751736AF46C"
},
"execution": {
"process_id": 1528,
"thread_id": 1832
},
"channel": "Microsoft-Windows-TaskScheduler/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Name": "TaskTerminationEvent",
"TaskName": "\\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan",
"InstanceId": "F3FE9E7B-2EAA-4ADC-A87D-F751736AF46C"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 112 — Task Scheduler could not start task "TaskName" because the network was unavailable.
Event ID 113 — Task registered task "TaskName" , but not all specified triggers will start the task.
Event ID 114 — Task Scheduler could not launch task "Name" as scheduled.
#Description
Task Scheduler could not launch task "Name" as scheduled. Instance "TaskName" is started now as required by the configuration option to start the task when available, if schedule is missed.
Fields #
| Name | Type | Description |
|---|---|---|
| Name | — | — |
| TaskName | UnicodeString | — |
| InstanceId | GUID | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TaskScheduler",
"guid": "DE7B24EA-73C8-4A09-985D-5BDADCFA9017",
"event_source_name": "",
"event_id": 114,
"version": 0,
"level": 3,
"task": 114,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T01:13:11.834762+00:00",
"event_record_id": 957,
"correlation": {
"ActivityID": "BDD12A1E-2CB7-4353-8C11-BD828F20ABC1"
},
"execution": {
"process_id": 1392,
"thread_id": 14508
},
"channel": "Microsoft-Windows-TaskScheduler/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Name": "MissedTaskLaunched",
"TaskName": "\\Microsoft\\Windows\\Speech\\SpeechModelDownloadTask",
"InstanceId": "BDD12A1E-2CB7-4353-8C11-BD828F20ABC1"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 115 — Task Scheduler failed to roll back a transaction when updating or deleting a task.
Event ID 116 — Task Scheduler validated the configuration for task "TaskName" , but credentials could not be stored.
Event ID 117 — Task Scheduler launched "InstanceId" instance of task "TaskName" due to an idle condition.
Event ID 118 — Task Scheduler launched "TaskName" instance of task "Name" due to system startup.
#Description
Task Scheduler launched "TaskName" instance of task "Name" due to system startup.
Fields #
| Name | Type | Description |
|---|---|---|
| Name | — | — |
| TaskName | UnicodeString | — |
| InstanceId | GUID | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TaskScheduler",
"guid": "DE7B24EA-73C8-4A09-985D-5BDADCFA9017",
"event_source_name": "",
"event_id": 118,
"version": 0,
"level": 4,
"task": 118,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2022-04-07T17:33:13.191335+00:00",
"event_record_id": 608,
"correlation": {
"ActivityID": "CEC1B472-A8F7-4346-930D-03F9473C9804"
},
"execution": {
"process_id": 1528,
"thread_id": 1108
},
"channel": "Microsoft-Windows-TaskScheduler/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Name": "BootTrigger",
"TaskName": "\\Microsoft\\Windows\\Autochk\\Proxy",
"InstanceId": "CEC1B472-A8F7-4346-930D-03F9473C9804"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 119 — Task Scheduler launched "UserName" instance of task "Name" due to user "TaskName" logon.
#Description
Task Scheduler launched "UserName" instance of task "Name" due to user "TaskName" logon.
Fields #
| Name | Type | Description |
|---|---|---|
| Name | — | — |
| TaskName | UnicodeString | — |
| UserName | UnicodeString | — |
| InstanceId | GUID | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TaskScheduler",
"guid": "DE7B24EA-73C8-4A09-985D-5BDADCFA9017",
"event_source_name": "",
"event_id": 119,
"version": 0,
"level": 4,
"task": 119,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T01:13:11.548668+00:00",
"event_record_id": 948,
"correlation": {
"ActivityID": "7883A91A-AE57-4AD3-B9A9-F6B93677D5B6"
},
"execution": {
"process_id": 1392,
"thread_id": 14508
},
"channel": "Microsoft-Windows-TaskScheduler/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Name": "LogonTrigger",
"TaskName": "\\Microsoft\\Windows\\Management\\Provisioning\\Logon",
"UserName": "WINDEV2310EVAL\\User",
"InstanceId": "7883A91A-AE57-4AD3-B9A9-F6B93677D5B6"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 120 — Task Scheduler launched "InstanceId" instance of task "TaskName" due to user "UserName" connecting to the console trigger.
Event ID 121 — Task Scheduler launched "InstanceId" instance of task "TaskName" due to user "UserName" disconnecting from the console trigger.
Event ID 122 — Task Scheduler launched "InstanceId" instance of task "TaskName" due to user "UserName" remotely connecting trigger.
Event ID 123 — Task Scheduler launched "InstanceId" instance of task "TaskName" due to user "UserName" remotely disconnecting trigger.
Event ID 124 — Task Scheduler launched "InstanceId" instance of task "TaskName" due to user "UserName" locking the computer trigger.
Event ID 125 — Task Scheduler launched "InstanceId" instance of task "TaskName" due to user "UserName" unlocking the computer trigger.
Event ID 126 — Task Scheduler failed to execute task "TaskName" .
Event ID 127 — Task Scheduler failed to execute task "TaskName" due to a shutdown race condition.
Event ID 128 — Task Scheduler did not launch task "TaskName" , because current time exceeds the configured task end time.
Event ID 129 — Task Scheduler launch task "Name" , instance "TaskName" with process ID Path.
#Description
Task Scheduler launch task "Name" , instance "TaskName" with process ID Path.
Fields #
| Name | Type | Description |
|---|---|---|
| Name | — | — |
| TaskName | UnicodeString | — |
| Path | UnicodeString | — |
| ProcessID | UInt32 | — |
| Priority | UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TaskScheduler",
"guid": "DE7B24EA-73C8-4A09-985D-5BDADCFA9017",
"event_source_name": "",
"event_id": 129,
"version": 0,
"level": 4,
"task": 129,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T02:00:01.371079+00:00",
"event_record_id": 1051,
"correlation": {},
"execution": {
"process_id": 1392,
"thread_id": 18152
},
"channel": "Microsoft-Windows-TaskScheduler/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Name": "CreatedTaskProcess",
"TaskName": "\\Microsoft\\Windows\\Customer Experience Improvement Program\\Consolidator",
"Path": "%SystemRoot%\\System32\\wsqmcons.exe",
"ProcessID": 16312,
"Priority": 16384
},
"message": ""
}
Detection Rules #
Sigma #
- Scheduled Task Executed From A Suspicious Location (medium): Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusual program to be run from a Scheduled Task
- Scheduled Task Executed Uncommon LOLBIN (medium): Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or where it is an unusual program to be run from a Scheduled Task
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 130 — Task Scheduler failed to start task "TaskName" due to the service being busy.
Event ID 131 — Task Scheduler failed to start task "TaskName" because the number of tasks in the task queue exceeding the quota currently configured to CurrentQuota.
Event ID 132 — Task Scheduler task launching queue quota is approaching its preset limit of tasks currently configured to CurrentQuota.
Event ID 133 — Task Scheduler failed to start task TaskName" in TaskEngine "TaskEngineName" for user "UserName".
Event ID 134 — Task Engine "TaskEngineName" for user "UserName" is approaching its preset limit of tasks.
Event ID 135 — Task Scheduler could not start task "TaskName" because the machine was not idle.
Event ID 140 — User "TaskName" updated Task Scheduler task "Name".
#Description
User "TaskName" updated Task Scheduler task "Name".
Fields #
| Name | Type | Description |
|---|---|---|
| Name | — | — |
| TaskName | UnicodeString | — |
| UserName | UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TaskScheduler",
"guid": "DE7B24EA-73C8-4A09-985D-5BDADCFA9017",
"event_source_name": "",
"event_id": 140,
"version": 0,
"level": 4,
"task": 140,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T02:00:32.944571+00:00",
"event_record_id": 1057,
"correlation": {},
"execution": {
"process_id": 1392,
"thread_id": 16536
},
"channel": "Microsoft-Windows-TaskScheduler/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Name": "TaskUpdated",
"TaskName": "\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Work",
"UserName": "WORKGROUP\\WINDEV2310EVAL$"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 141 — User "TaskName" deleted Task Scheduler task "Name".
#Description
User "TaskName" deleted Task Scheduler task "Name".
Fields #
| Name | Type | Description |
|---|---|---|
| Name | — | — |
| TaskName | UnicodeString | — |
| UserName | UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TaskScheduler",
"guid": "DE7B24EA-73C8-4A09-985D-5BDADCFA9017",
"event_source_name": "",
"event_id": 141,
"version": 0,
"level": 4,
"task": 141,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T01:01:44.133714+00:00",
"event_record_id": 911,
"correlation": {},
"execution": {
"process_id": 1392,
"thread_id": 13064
},
"channel": "Microsoft-Windows-TaskScheduler/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Name": "TaskDeleted",
"TaskName": "\\TVInstallRestore",
"UserName": "WINDEV2310EVAL\\User"
},
"message": ""
}
Detection Rules #
Sigma #
- Important Scheduled Task Deleted (high): Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
References #
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348535(v=ws.10)
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 142 — User "TaskName" disabled Task Scheduler task "Name".
Description
User "TaskName" disabled Task Scheduler task "Name".
Fields #
| Name | Type | Description |
|---|---|---|
| Name | — | — |
| TaskName | UnicodeString | — |
| UserName | UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TaskScheduler",
"guid": "DE7B24EA-73C8-4A09-985D-5BDADCFA9017",
"event_source_name": "",
"event_id": 142,
"version": 0,
"level": 4,
"task": 142,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T00:56:06.060816+00:00",
"event_record_id": 31710,
"correlation": {
"ActivityID": "973CC99D-202A-4A9A-A6DF-75F5CFD7D7B7"
},
"execution": {
"process_id": 1972,
"thread_id": 3956
},
"channel": "Microsoft-Windows-TaskScheduler/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Name": "TaskDisabled",
"TaskName": "\\Microsoft\\Windows\\Workplace Join\\Automatic-Device-Join",
"UserName": "System"
},
"message": ""
}
Event ID 145 — Task Scheduler woke up the computer to run a task.
Description
Task Scheduler woke up the computer to run a task.
Event ID 146 — Task Scheduler failed to load task "TaskName" at service startup.
Event ID 147 — Task Scheduler recovered sucessfully the image of task "TaskName" after a corruption occured during OS upgrade.
Event ID 148 — Task Scheduler failed to recover the image of task "TaskName" after a corruption occured during OS upgrade.
Event ID 149 — Task "TaskName" is using a combination of properties that is incompatible with the scheduling engine.
Event ID 150 — Task Scheduler failed to subscribe for the event trigger for task "TaskName".
Event ID 151 — Task instantiation failed "TaskName".
Event ID 152 — Task "TaskName" was re-directed to legacy scheduling engine.
Event ID 153 — Task Scheduler did not launch task "Name" as it missed its schedule.
Description
Task Scheduler did not launch task "Name" as it missed its schedule. Consider using the configuration option to start the task when available, if schedule is missed.
Fields #
| Name | Type | Description |
|---|---|---|
| Name | — | — |
| TaskName | UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TaskScheduler",
"guid": "DE7B24EA-73C8-4A09-985D-5BDADCFA9017",
"event_source_name": "",
"event_id": 153,
"version": 0,
"level": 3,
"task": 153,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-08T23:13:40.561331+00:00",
"event_record_id": 30099,
"correlation": {},
"execution": {
"process_id": 2316,
"thread_id": 9952
},
"channel": "Microsoft-Windows-TaskScheduler/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Name": "MissedTaskRejected",
"TaskName": "\\Microsoft\\Windows\\Security\\Pwdless\\IntelligentPwdlessTask"
},
"message": ""
}
Event ID 155 — Task Scheduler is currently waiting on completion of task "TaskPath".
Event ID 200 — Task Scheduler launched action "TaskName" in instance "ActionName" of task "Name".
#Description
Task Scheduler launched action "TaskName" in instance "ActionName" of task "Name".
Fields #
| Name | Type | Description |
|---|---|---|
| Name | — | — |
| TaskName | UnicodeString | — |
| ActionName | UnicodeString | — |
| TaskInstanceId | GUID | — |
| EnginePID | UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TaskScheduler",
"guid": "DE7B24EA-73C8-4A09-985D-5BDADCFA9017",
"event_source_name": "",
"event_id": 200,
"version": 1,
"level": 4,
"task": 200,
"opcode": 1,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T02:00:01.374228+00:00",
"event_record_id": 1053,
"correlation": {
"ActivityID": "99F1DF4D-A460-47A9-93D3-3FF029F93E31"
},
"execution": {
"process_id": 1392,
"thread_id": 18152
},
"channel": "Microsoft-Windows-TaskScheduler/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Name": "ActionStart",
"TaskName": "\\Microsoft\\Windows\\Customer Experience Improvement Program\\Consolidator",
"ActionName": "%SystemRoot%\\System32\\wsqmcons.exe",
"TaskInstanceId": "99F1DF4D-A460-47A9-93D3-3FF029F93E31",
"EnginePID": 16312
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 201 — Task Scheduler successfully completed task "Name" , instance "TaskInstanceId" , action "TaskName" .
#Description
Task Scheduler successfully completed task "Name" , instance "TaskInstanceId" , action "TaskName" .
Fields #
| Name | Type | Description |
|---|---|---|
| Name | — | — |
| TaskName | UnicodeString | — |
| TaskInstanceId | GUID | — |
| ActionName | UnicodeString | — |
| ResultCode | UInt32 | — |
| EnginePID | UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TaskScheduler",
"guid": "DE7B24EA-73C8-4A09-985D-5BDADCFA9017",
"event_source_name": "",
"event_id": 201,
"version": 2,
"level": 4,
"task": 201,
"opcode": 2,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T02:00:01.421064+00:00",
"event_record_id": 1054,
"correlation": {
"ActivityID": "99F1DF4D-A460-47A9-93D3-3FF029F93E31"
},
"execution": {
"process_id": 1392,
"thread_id": 18152
},
"channel": "Microsoft-Windows-TaskScheduler/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Name": "ActionSuccess",
"TaskName": "\\Microsoft\\Windows\\Customer Experience Improvement Program\\Consolidator",
"TaskInstanceId": "99F1DF4D-A460-47A9-93D3-3FF029F93E31",
"ActionName": "%SystemRoot%\\System32\\wsqmcons.exe",
"ResultCode": 0,
"EnginePID": 16312
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 202 — Task Scheduler failed to complete task "Name" , instance "TaskName" , action "TaskInstanceId" .
#Description
Task Scheduler failed to complete task "Name" , instance "TaskName" , action "TaskInstanceId" . Additional Data: Error Value: ActionName.
Fields #
| Name | Type | Description |
|---|---|---|
| Name | — | — |
| TaskName | UnicodeString | — |
| TaskInstanceId | GUID | — |
| ActionName | UnicodeString | — |
| ResultCode | UInt32 | — |
| EnginePID | UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TaskScheduler",
"guid": "DE7B24EA-73C8-4A09-985D-5BDADCFA9017",
"event_source_name": "",
"event_id": 202,
"version": 1,
"level": 2,
"task": 202,
"opcode": 102,
"keywords": 9223372036854775808,
"time_created": "2022-04-07T17:15:16.721847+00:00",
"event_record_id": 604,
"correlation": {
"ActivityID": "B0ED2490-E028-43FD-88A4-97F63AB32B71"
},
"execution": {
"process_id": 1528,
"thread_id": 4560
},
"channel": "Microsoft-Windows-TaskScheduler/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Name": "ActionFailure",
"TaskName": "\\Microsoft\\Windows\\.NET Framework\\.NET Framework NGEN v4.0.30319",
"TaskInstanceId": "B0ED2490-E028-43FD-88A4-97F63AB32B71",
"ActionName": "",
"ResultCode": 2147946720,
"EnginePID": 3796
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 203 — Task Scheduler failed to launch action "TaskInstanceId" in instance "TaskName" of task "Name".
#Description
Task Scheduler failed to launch action "TaskInstanceId" in instance "TaskName" of task "Name". Additional Data: Error Value: ActionName.
Fields #
| Name | Type | Description |
|---|---|---|
| Name | — | — |
| TaskName | UnicodeString | — |
| TaskInstanceId | GUID | — |
| ActionName | UnicodeString | — |
| ResultCode | UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TaskScheduler",
"guid": "DE7B24EA-73C8-4A09-985D-5BDADCFA9017",
"event_source_name": "",
"event_id": 203,
"version": 0,
"level": 2,
"task": 203,
"opcode": 101,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T01:06:15.745198+00:00",
"event_record_id": 928,
"correlation": {
"ActivityID": "0EBFF706-5D1E-403C-8FEB-AA1502A28BF9"
},
"execution": {
"process_id": 1392,
"thread_id": 16668
},
"channel": "Microsoft-Windows-TaskScheduler/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Name": "ActionLaunchFailure",
"TaskName": "\\Microsoft\\Windows\\UpdateOrchestrator\\USO_UxBroker",
"TaskInstanceId": "0EBFF706-5D1E-403C-8FEB-AA1502A28BF9",
"ActionName": "%systemroot%\\system32\\MusNotification.exe",
"ResultCode": 2147942402
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 204 — Task Scheduler failed to retrieve the event triggering values for task "TaskName" .
Event ID 205 — Task Scheduler failed to match the pattern of events for task "TaskName" .
Event ID 300 — Task Scheduler started Task Engine "TaskEngineName" with process ID ProcessID.
Event ID 301 — Task Scheduler is shutting down Task Engine "TaskEngineName".
Event ID 303 — Task Scheduler is shutting down Task Engine "TaskEngineName" due to an error in "ErrorDescription".
Event ID 304 — Task Scheduler sent "TaskName" task to Task Engine "TaskEngineName".
Event ID 305 — Task Scheduler did not send "TaskName" task to Task Engine "TaskEngineName".
Event ID 306 — For Task Scheduler Task Engine "TaskEngineName", the thread pool failed to process the message.
Event ID 307 — Task Scheduler service failed to connect to the Task Engine "TaskEngineName" process.
Event ID 308 — Task Scheduler connected to the Task Engine "TaskEngineName" process.
Event ID 309 — Task Scheduler TaskCount tasks orphaned during Task Engine "TaskEngineName" shutdown.
Event ID 310 — Task Scheduler started Task Engine "TaskEngineName" process.
Event ID 311 — Task Scheduler failed to start Task Engine "TaskEngineName" process due to an error occurring in "ErrorDescription".
Description
Task Scheduler failed to start Task Engine "TaskEngineName" process due to an error occurring in "ErrorDescription". Command="Command". Additional Data: Error Value: ResultCode.
Message #
Fields #
| Name | Description |
|---|---|
| TaskEngineName UnicodeString | — |
| Command UnicodeString | — |
| ErrorDescription UnicodeString | — |
| ResultCode UInt32 | — |
Event ID 312 — Task Scheduler created the Win32 job object for Task Engine "TaskEngineName".
Event ID 313 — Task Scheduler channel with Task Engine "TaskEngineName" is ready to send and receive messages.
Event ID 314 — Task Scheduler has no tasks running for Task Engine "TaskEngineName", and the idle timer has started.
Event ID 315 — Task Engine "TaskEngineName" process failed to connect to the Task Scheduler service.
Event ID 316 — Task Engine "TaskEngineName" failed to send a message to the Task Scheduler service.
Event ID 317 — Task Scheduler started Task Engine "TaskEngineName" process.
Event ID 318 — Task Scheduler shutdown Task Engine "TaskEngineName" process.
Event ID 319 — Task Engine "TaskEngineName" received a message from Task Scheduler service requesting to launch task "TaskName".
Event ID 320 — Task Engine "TaskEngineName" received a message from Task Scheduler service requesting to stop task instance "TaskInstanceId".
Event ID 322 — Task Scheduler did not launch task "Name" because instance "TaskName" of the same task is already running.
Description
Task Scheduler did not launch task "Name" because instance "TaskName" of the same task is already running.
Message #
Fields #
| Name | Description |
|---|---|
| Name | — |
| TaskName UnicodeString | — |
| TaskInstanceId GUID | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TaskScheduler",
"guid": "DE7B24EA-73C8-4A09-985D-5BDADCFA9017",
"event_source_name": "",
"event_id": 322,
"version": 0,
"level": 3,
"task": 322,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T00:37:25.158852+00:00",
"event_record_id": 819,
"correlation": {
"ActivityID": "3428C28C-0C94-487C-AC7E-0E29218A38C7"
},
"execution": {
"process_id": 1392,
"thread_id": 13712
},
"channel": "Microsoft-Windows-TaskScheduler/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Name": "NewInstanceIgnored",
"TaskName": "\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan Static Task",
"TaskInstanceId": "3428C28C-0C94-487C-AC7E-0E29218A38C7"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 323 — Task Scheduler stopped instance "StoppedTaskInstanceId" of task "TaskName" in order to launch new instance "NewTaskInstanceId".
Event ID 324 — Task Scheduler queued instance "TaskName" of task "Name" and will launch it as soon as instance "QueuedTaskInstanceId" completes.
Description
Task Scheduler queued instance "TaskName" of task "Name" and will launch it as soon as instance "QueuedTaskInstanceId" completes.
Message #
Fields #
| Name | Description |
|---|---|
| Name | — |
| TaskName UnicodeString | — |
| QueuedTaskInstanceId GUID | — |
| RunningTaskInstanceId GUID | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TaskScheduler",
"guid": "DE7B24EA-73C8-4A09-985D-5BDADCFA9017",
"event_source_name": "",
"event_id": 324,
"version": 0,
"level": 3,
"task": 324,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T01:41:42.776465+00:00",
"event_record_id": 999,
"correlation": {
"ActivityID": "A0104592-5DBE-4AC7-B2A0-2CB2CC5B61A3"
},
"execution": {
"process_id": 1392,
"thread_id": 12756
},
"channel": "Microsoft-Windows-TaskScheduler/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Name": "NewInstanceQueued",
"TaskName": "\\microsoft\\windows\\applicationdata\\appuriverifierinstall",
"QueuedTaskInstanceId": "A0104592-5DBE-4AC7-B2A0-2CB2CC5B61A3",
"RunningTaskInstanceId": "B5155744-8897-4FDF-AC62-B9A099F510CF"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 325 — Task Scheduler queued instance "TaskName" of task "Name".
Description
Task Scheduler queued instance "TaskName" of task "Name".
Message #
Fields #
| Name | Description |
|---|---|
| Name | — |
| TaskName UnicodeString | — |
| QueuedTaskInstanceId GUID | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TaskScheduler",
"guid": "DE7B24EA-73C8-4A09-985D-5BDADCFA9017",
"event_source_name": "",
"event_id": 325,
"version": 0,
"level": 3,
"task": 325,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T00:55:40.184688+00:00",
"event_record_id": 895,
"correlation": {
"ActivityID": "8C63C2B3-9A13-4121-9DF4-C0123018D079"
},
"execution": {
"process_id": 1392,
"thread_id": 12608
},
"channel": "Microsoft-Windows-TaskScheduler/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Name": "TaskInstanceQueued",
"TaskName": "\\Avira_Security_Systray",
"QueuedTaskInstanceId": "8C63C2B3-9A13-4121-9DF4-C0123018D079"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 326 — Task Scheduler did not launch task "TaskName" because computer is running on batteries.
Event ID 327 — Task Scheduler stopped instance "TaskInstanceId" of task "TaskName" because the computer is switching to battery power.
Event ID 328 — Task Scheduler stopped instance "TaskName" of task "Name" because computer is no longer idle.
Description
Task Scheduler stopped instance "TaskName" of task "Name" because computer is no longer idle.
Message #
Fields #
| Name | Description |
|---|---|
| Name | — |
| TaskName UnicodeString | — |
| TaskInstanceId GUID | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TaskScheduler",
"guid": "DE7B24EA-73C8-4A09-985D-5BDADCFA9017",
"event_source_name": "",
"event_id": 328,
"version": 0,
"level": 4,
"task": 328,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T00:55:21.200143+00:00",
"event_record_id": 31697,
"correlation": {
"ActivityID": "1D9CAE68-87E2-4B98-9413-7A44D523E01F"
},
"execution": {
"process_id": 1972,
"thread_id": 1088
},
"channel": "Microsoft-Windows-TaskScheduler/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Name": "StoppingOnIdleEnd",
"TaskName": "\\Microsoft\\Windows\\MemoryDiagnostic\\RunFullMemoryDiagnostic",
"TaskInstanceId": "1D9CAE68-87E2-4B98-9413-7A44D523E01F"
},
"message": ""
}
Event ID 329 — Task Scheduler terminated "TaskName" instance of the "Name" task due to exceeding the time allocated for execution, as configured in the task definition.
Message #
Fields #
| Name | Description |
|---|---|
| Name | — |
| TaskName UnicodeString | — |
| TaskInstanceId GUID | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TaskScheduler",
"guid": "DE7B24EA-73C8-4A09-985D-5BDADCFA9017",
"event_source_name": "",
"event_id": 329,
"version": 0,
"level": 4,
"task": 329,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T00:39:49.792094+00:00",
"event_record_id": 825,
"correlation": {
"ActivityID": "83261A6E-4DC3-414F-BFB6-8B4046A8C7BC"
},
"execution": {
"process_id": 1392,
"thread_id": 12576
},
"channel": "Microsoft-Windows-TaskScheduler/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Name": "StoppedOnTimeout",
"TaskName": "\\Microsoft\\Windows\\Flighting\\OneSettings\\RefreshCache",
"TaskInstanceId": "83261A6E-4DC3-414F-BFB6-8B4046A8C7BC"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 330 — Task Scheduler stopped instance "TaskName" of task "Name" as request by user "TaskInstanceId".
Description
Task Scheduler stopped instance "TaskName" of task "Name" as request by user "TaskInstanceId".
Message #
Fields #
| Name | Description |
|---|---|
| Name | — |
| TaskName UnicodeString | — |
| TaskInstanceId GUID | — |
| UserContext UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TaskScheduler",
"guid": "DE7B24EA-73C8-4A09-985D-5BDADCFA9017",
"event_source_name": "",
"event_id": 330,
"version": 0,
"level": 4,
"task": 330,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2022-04-07T17:04:28.074982+00:00",
"event_record_id": 581,
"correlation": {
"ActivityID": "F3FE9E7B-2EAA-4ADC-A87D-F751736AF46C"
},
"execution": {
"process_id": 1528,
"thread_id": 1832
},
"channel": "Microsoft-Windows-TaskScheduler/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Name": "StoppedOnRequest",
"TaskName": "\\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan",
"TaskInstanceId": "F3FE9E7B-2EAA-4ADC-A87D-F751736AF46C",
"UserContext": "NT AUTHORITY\\SYSTEM"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 331 — Task Scheduler will continue to execute Instance "TaskInstanceId" of task "TaskName" even after the designated timeout, due to a failure to create the timeout mechan...
Description
Task Scheduler will continue to execute Instance "TaskInstanceId" of task "TaskName" even after the designated timeout, due to a failure to create the timeout mechanism. Additional Data: Error Value: ResultCode.
Message #
Fields #
| Name | Description |
|---|---|
| TaskName UnicodeString | — |
| TaskInstanceId GUID | — |
| ResultCode UInt32 | — |
Event ID 332 — Task Scheduler did not launch task "Name" because user "TaskName" was not logged on when the launching conditions were met.
Message #
Fields #
| Name | Description |
|---|---|
| Name | — |
| TaskName UnicodeString | — |
| UserName UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TaskScheduler",
"guid": "DE7B24EA-73C8-4A09-985D-5BDADCFA9017",
"event_source_name": "",
"event_id": 332,
"version": 0,
"level": 3,
"task": 332,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T01:13:11.824978+00:00",
"event_record_id": 956,
"correlation": {},
"execution": {
"process_id": 1392,
"thread_id": 14508
},
"channel": "Microsoft-Windows-TaskScheduler/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Name": "NoStartUserNotLogged",
"TaskName": "\\Microsoft\\VisualStudio\\Updates\\BackgroundDownload",
"UserName": "WINDEV2310EVAL\\Administrator"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 333 — Task Scheduler did not launch task "TaskName" because target session is RemoteApp session.
Event ID 334 — Task Scheduler did not launch task "TaskName" because target session is a WORKER session.
Event ID 400 — Task Scheduler service has started.
Description
Task Scheduler service has started.
Message #
Fields #
| Name | Description |
|---|---|
| Name | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TaskScheduler",
"guid": "DE7B24EA-73C8-4A09-985D-5BDADCFA9017",
"event_source_name": "",
"event_id": 400,
"version": 0,
"level": 4,
"task": 400,
"opcode": 1,
"keywords": 9223372036854775808,
"time_created": "2022-04-07T16:53:13.896426+00:00",
"event_record_id": 407,
"correlation": {},
"execution": {
"process_id": 1528,
"thread_id": 1544
},
"channel": "Microsoft-Windows-TaskScheduler/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Name": "ServiceStartEvent"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 401 — Task Scheduler service failed to start due to an error in "ErrorDescription".
Event ID 402 — Task Scheduler service is shutting down.
Description
Task Scheduler service is shutting down.
Message #
Fields #
| Name | Description |
|---|---|
| Name | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TaskScheduler",
"guid": "DE7B24EA-73C8-4A09-985D-5BDADCFA9017",
"event_source_name": "",
"event_id": 402,
"version": 0,
"level": 4,
"task": 402,
"opcode": 2,
"keywords": 9223372036854775808,
"time_created": "2022-04-07T08:38:25.808031+00:00",
"event_record_id": 405,
"correlation": {},
"execution": {
"process_id": 1536,
"thread_id": 1644
},
"channel": "Microsoft-Windows-TaskScheduler/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Name": "ServiceStopEvent"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 403 — Task Scheduler service has encountered an error in "ErrorDescription".
Event ID 404 — Task Scheduler service has encountered RPC initialization error in "ErrorDescription".
Event ID 405 — Task Scheduler service has failed to initialize COM.
Event ID 406 — Task Scheduler service failed to initialize credentials store.
Event ID 407 — Task Scheduler service failed to initialize LSA.
Event ID 408 — Task Scheduler service failed to initialize idle state detection module.
Event ID 409 — Task Scheduler service failed to initialize time change notification.
Event ID 410 — Task Scheduler service failed to set a wakeup timer.
Event ID 411 — Task Scheduler service received a time system change notification.
Description
Task Scheduler service received a time system change notification.
Message #
Fields #
| Name | Description |
|---|---|
| Name | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TaskScheduler",
"guid": "DE7B24EA-73C8-4A09-985D-5BDADCFA9017",
"event_source_name": "",
"event_id": 411,
"version": 0,
"level": 4,
"task": 411,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-08T23:13:40.513605+00:00",
"event_record_id": 30045,
"correlation": {},
"execution": {
"process_id": 2316,
"thread_id": 2468
},
"channel": "Microsoft-Windows-TaskScheduler/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Name": "TimeChangeSignaled"
},
"message": ""
}
Event ID 412 — Task Scheduler service failed to launch tasks triggered by computer startup.
Event ID 413 — Task Scheduler service failed to load tasks at service startup.
Event ID 414 — Task Scheduler service found a misconfiguration in the TaskName definition.
Event ID 500 — Process ID ProcessId has registered idle task ID IdleTaskId.
Event ID 501 — Process ID ProcessId has completed idle task ID IdleTaskId.
Event ID 502 — Execution of idle task ID IdleTaskId has started.
Event ID 503 — Execution of idle task ID IdleTaskId has ended.
Event ID 504 — Idle task ID IdleTaskId has been notified that explicit processing has been requested.
Event ID 505 — Idle task ID IdleTaskId has returned from its explicit processing notification.
Event ID 506 — Explicit execution of all idle tasks has been requested.
Description
Explicit execution of all idle tasks has been requested.
Message #
Event ID 507 — Explicit execution of all idle tasks has completed.
Description
Explicit execution of all idle tasks has completed.
Message #
Event ID 508 — Explicit execution of all idle tasks is in progress.
Description
Explicit execution of all idle tasks is in progress.
Message #
Event ID 509 — Idle Task Power Notification Received: NotificationType (State).
Event ID 510 —
Fields #
| Name | Description |
|---|---|
| NoIdleReason UInt32 | — |
| DATA1 UInt32 | — |
| DATA2 UInt32 | — |
Event ID 511 —
Fields #
| Name | Description |
|---|---|
| TimeSinceUserNotPresent UInt32 | — |
| DATA UInt32 | — |
Event ID 512 — Idle check point: State DetectionResult, Reason Reason.
Event ID 700 — Task Scheduler service started Task Compatibility module.
Description
Task Scheduler service started Task Compatibility module.
Message #
Fields #
| Name | Description |
|---|---|
| Name | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TaskScheduler",
"guid": "DE7B24EA-73C8-4A09-985D-5BDADCFA9017",
"event_source_name": "",
"event_id": 700,
"version": 0,
"level": 4,
"task": 700,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2022-04-07T16:53:13.090470+00:00",
"event_record_id": 406,
"correlation": {},
"execution": {
"process_id": 1528,
"thread_id": 1544
},
"channel": "Microsoft-Windows-TaskScheduler/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Name": "CompatibilityAdapterLaunch"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 701 — Task Scheduler service failed to start Task Compatibility module.
Event ID 702 — Task Scheduler failed to initialize the RPC server for starting the Task Compatibility module.
Event ID 703 — Task Scheduler failed to initialize Net Schedule API for starting the Task Compatibility module.
Event ID 704 — Task Scheduler failed to initialize LSA for starting the Task Compatibility module.
Event ID 705 — Task Scheduler failed to start directory monitoring for the Task Compatibility module.
Event ID 706 — Task Compatibility module failed to update task "TaskName" to the required status TaskStatus.
Event ID 707 — Task Compatibility module failed to delete task "TaskName".
Event ID 708 — Task Compatibility module failed to set security descriptor "SecurityDescriptor" for task "TaskName".
Event ID 709 — Task Compatibility module failed to update task "TaskName".
Event ID 710 — Task Compatibility module failed to upgrade existing tasks.
Event ID 711 — Task Compatibility module failed to upgrade NetSchedule account "Account".
Event ID 712 — Task Compatibility module failed to read existing store to upgrade tasks.
Event ID 713 — Task Compatibility module failed to load task "TaskName" for upgrade.
Event ID 714 — Task Compatibility module failed to register task "TaskName" for upgrade.
Event ID 715 — Task Compatibility module failed to delete LSA store for upgrade.
Event ID 716 — Task Compatibility module failed to upgrade existing scheduled tasks.
Event ID 717 — Task Compatibility module failed to determine if upgrade is needed.
Event ID 718 — Task scheduler was unable to upgrade the credential store from the Beta 2 version.
Event ID 719 — To help optimize for performance, Task Scheduler has automatically disabled logging.
Description
To help optimize for performance, Task Scheduler has automatically disabled logging. To re-enable logging, please use Event Viewer.
Message #
Fields #
| Name | Description |
|---|---|
| Name | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TaskScheduler",
"guid": "DE7B24EA-73C8-4A09-985D-5BDADCFA9017",
"event_source_name": "",
"event_id": 719,
"version": 0,
"level": 4,
"task": 719,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-03-09T00:56:48.593820+00:00",
"event_record_id": 2099,
"correlation": {},
"execution": {
"process_id": 1780,
"thread_id": 2060
},
"channel": "System",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Name": "OpChannelDisabled"
},
"message": ""
}
Event ID 800 — Maintenance state changed to Name (Last Run: hc_stateid).
Description
Maintenance state changed to Name (Last Run: hc_stateid).
Message #
Fields #
| Name | Description |
|---|---|
| Name | — |
| hc_stateid UInt32 | — |
| LastRunDateTime UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TaskScheduler",
"guid": "DE7B24EA-73C8-4A09-985D-5BDADCFA9017",
"event_source_name": "",
"event_id": 800,
"version": 0,
"level": 4,
"task": 800,
"opcode": 0,
"keywords": 576460752303423488,
"time_created": "2023-11-05T22:27:35.111632+00:00",
"event_record_id": 20,
"correlation": {},
"execution": {
"process_id": 1880,
"thread_id": 1568
},
"channel": "Microsoft-Windows-TaskScheduler/Maintenance",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Name": "MaintenanceStateChanged",
"hc_stateid": 1,
"LastRunDateTime": "11/5/2023 2:27 PM"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 801 — Maintenance launch operation failed.
Event ID 802 — Maintenance re-configuration failed.
Event ID 803 — Maintenance Scheduler engine task "Task" cannot be accessed.
Event ID 804 — Maintenance Scheduler has detected cyclic dependency for the following maintenance tasks: Task.
Event ID 805 — Maintenance Task "Task" is behind deadline.
Event ID 806 — Maintenance task "Task" processing error.
Event ID 807 — Maintenance complete (launch type LauncherId).
Event ID 808 — Maintenance Task "Name" requests computer wakeup during next regular maintenance run.
Description
Maintenance Task "Name" requests computer wakeup during next regular maintenance run.
Message #
Fields #
| Name | Description |
|---|---|
| Name | — |
| Task UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TaskScheduler",
"guid": "DE7B24EA-73C8-4A09-985D-5BDADCFA9017",
"event_source_name": "",
"event_id": 808,
"version": 0,
"level": 3,
"task": 808,
"opcode": 0,
"keywords": 576460752303423488,
"time_created": "2023-10-26T04:22:01.225790+00:00",
"event_record_id": 5,
"correlation": {},
"execution": {
"process_id": 1860,
"thread_id": 2172
},
"channel": "Microsoft-Windows-TaskScheduler/Maintenance",
"computer": "WinDevEval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Name": "MaintenanceTaskWakeupRequested",
"Task": "NT TASK\\Microsoft\\Windows\\.NET Framework\\.NET Framework NGEN v4.0.30319 Critical"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 809 — Maintenance Scheduler Group Policy Settings are not properly specified for "FailureReason".
Description
Maintenance Scheduler Group Policy Settings are not properly specified for "FailureReason". Default settings are being used.
Message #
Fields #
| Name | Description |
|---|---|
FailureReason UnicodeString | — Known values
|