This article explains how to query the scheduled tasks on a remote machine over PsExec.
I recently needed to check the details of a scheduled task on a remote machine where:
- WinRM was not enabled
- RDP was not working
So… PsExec to the rescue!
I typically don’t have much luck with trying to launch a Powershell shell on a remote system over PsExec, so I typically default to using ‘cmd’. So how can we pull details on scheduled tasks using cmd? The schtasks utility.
#Open a new PsExec session on the remote system. This command is being executed in a Powershell window as a user with Local Admin permissions on the remote system.
.\PsExec.exe \\<Remote-Hostname> cmd.exe
#View schtasks options
C:\Windows\system32>schtasks /? SCHTASKS /parameter [arguments] Description: Enables an administrator to create, delete, query, change, run and end scheduled tasks on a local or remote system. Parameter List: /Create Creates a new scheduled task. /Delete Deletes the scheduled task(s). /Query Displays all scheduled tasks. /Change Changes the properties of scheduled task. /Run Runs the scheduled task on demand. /End Stops the currently running scheduled task. /ShowSid Shows the security identifier corresponding to a scheduled task name. /? Displays this help message. Examples: SCHTASKS SCHTASKS /? SCHTASKS /Run /? SCHTASKS /End /? SCHTASKS /Create /? SCHTASKS /Delete /? SCHTASKS /Query /? SCHTASKS /Change /? SCHTASKS /ShowSid /?
#Query all scheduled tasks on the system
#Query verbose details on a specific task
schtasks /query /TN "<Task Name>" /v
Note that verbose output returns unstructured data, but it includes all of the useful details of the scheduled task, including its schedule, triggers, actions, etc.