PsExec – Querying the scheduled tasks on a remote machine

This article explains how to query the scheduled tasks on a remote machine over PsExec.

Explanation

I recently needed to check the details of a scheduled task on a remote machine where:

  1. WinRM was not enabled
  2. RDP was not working

So… PsExec to the rescue!

Schtasks

I typically don’t have much luck with trying to launch a PowerShell shell on a remote system over PsExec, so I typically default to using ‘cmd’. So how can we pull details on scheduled tasks using cmd? The schtasks utility.

#Open a new PsExec session on the remote system. This command is being executed in a PowerShell window as a user with Local Admin permissions on the remote system.

.\PsExec.exe \\<Remote-Hostname> cmd.exe

#View schtasks options

C:\Windows\system32>schtasks /?

SCHTASKS /parameter [arguments]

Description:
Enables an administrator to create, delete, query, change, run and
end scheduled tasks on a local or remote system.

Parameter List:
/Create Creates a new scheduled task.
/Delete Deletes the scheduled task(s).
/Query Displays all scheduled tasks.
/Change Changes the properties of scheduled task.
/Run Runs the scheduled task on demand.
/End Stops the currently running scheduled task.
/ShowSid Shows the security identifier corresponding to a scheduled task name.
/? Displays this help message.

Examples:
SCHTASKS
SCHTASKS /?
SCHTASKS /Run /?
SCHTASKS /End /?
SCHTASKS /Create /?
SCHTASKS /Delete /?
SCHTASKS /Query /?
SCHTASKS /Change /?
SCHTASKS /ShowSid /?

#Query all scheduled tasks on the system

schtasks /query

#Query verbose details on a specific task

schtasks /query /TN "<Task Name>" /v

Note that verbose output returns unstructured data, but it includes all of the useful details of the scheduled task, including its schedule, triggers, actions, etc.
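
When the verbose details need to be filtered or compared rather than read by eye, schtasks can emit them as CSV (/FO CSV together with /V), which PowerShell can turn into objects. The following is an added example, not part of the original article: the function name ConvertFrom-SchtasksCsv is hypothetical, the column names assume an English-locale system, and the sample rows are constructed.

```powershell
# Constructed sample: a reduced column set in the shape of
# `schtasks /query /fo csv /v` output; hosts, users and paths are made up.
$sample = @'
"HostName","TaskName","Status","Last Run Time","Author","Task To Run","Scheduled Task State","Run As User"
"HOST01","\Backup-Nightly","Ready","1/1/2024 2:00:00 AM","CONTOSO\svc-backup","C:\Scripts\backup.cmd","Enabled","SYSTEM"
"HostName","TaskName","Status","Last Run Time","Author","Task To Run","Scheduled Task State","Run As User"
"HOST01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","1/1/2024 1:00:00 AM","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o","Enabled","SYSTEM"
"HOST01","\Updater","Ready","N/A","HOST01\alice","C:\Users\alice\AppData\Local\Temp\upd.exe","Enabled","alice"
'@ -split "`r?`n"

function ConvertFrom-SchtasksCsv {
    param([Parameter(Mandatory)][string[]]$Lines)

    # 1. Keep only CSV rows: drops blank lines and any non-CSV text
    #    (for example tool banner lines) mixed into the captured output.
    # 2. The header row can be repeated between task folders; after parsing,
    #    those repeats show up as rows whose TaskName is literally "TaskName".
    $Lines |
        Where-Object { $_ -match '^\s*"' } |
        ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' } |
        ForEach-Object {
            [pscustomobject]@{
                TaskName = $_.TaskName
                RunAs    = $_.'Run As User'
                Action   = $_.'Task To Run'
                Author   = $_.Author
                State    = $_.'Scheduled Task State'
                LastRun  = $_.'Last Run Time'
            }
        }
}

$tasks = ConvertFrom-SchtasksCsv -Lines $sample

# Review list: every task outside the built-in \Microsoft\ folder,
# with the account it runs as and the command it launches.
$tasks |
    Where-Object { $_.TaskName -notlike '\Microsoft\*' } |
    Sort-Object TaskName |
    Format-Table TaskName, RunAs, Action, State -AutoSize

# Live use from the PowerShell window (same placeholder as in the article):
# $raw = .\PsExec.exe \\<Remote-Hostname> schtasks /query /fo csv /v
# ConvertFrom-SchtasksCsv -Lines $raw
```

On the sample data this lists \Backup-Nightly and \Updater and leaves out the \Microsoft\ task and the repeated header row.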