Task Scheduler: Learn how to Analyze and Troubleshoot!

Captions
[Music]

Hello, my name is Lowell Vanderpool, and this channel is dedicated to IT professionals, IT students, and anyone who's interested in technical subjects.

All right, let's be brutally honest: there's absolutely nothing exciting about Task Scheduler. It's boring. Now, if I could get Tom Cruise or a Harrison Ford to come in and do some phenomenal video stunts, or somehow integrate some kind of great game in the middle of this training session, wow, that'd be great.

Task Scheduler is just such a critical tool for network administrators to run automated maintenance on their user accounts, their computer accounts, Active Directory, automated maintenance throughout their network. They can run these tasks on daily, weekly schedules, monthly schedules, repetitive schedules, when a computer boots up, when a user logs on, and on and on. Task Scheduler is such an important tool in the hands of a network administrator. IT pros must learn this tool.

Task Scheduler comes with a rich set of APIs for developers. Also, Microsoft provides a set of cmdlets for PowerShell, as well as a command-line tool called schtasks.exe. These are flexible tools for network administrators to create and set up their scheduled tasks.

So the quickest way to get Task Scheduler running: just hit the old Windows+R, your Run command, and type in taskschd.msc, the old control panel extensions, and hit Enter. Now, there's a couple of other ways, but that's the quickest way to get it up.

Task Scheduler has a very nice little dashboard. It's a good place to start as you're starting to learn scheduled tasks. The top part is Overview; you can take a look at it. The second pane is called Task Status. In the Task Status it says "status of tasks that have started in the following time period". Well, what time period? If you'll notice, on the right-hand side it shows a drop-down box. Right now it's showing you the last 24 hours, but I can change that to seven days, thirty days, or one hour, and notice
it changes the task status. Let's go back to 24. So in the last 24 hours, in this virtual machine, it's had the status of 77 tasks: three are running, 73 succeeded, zero stopped, and one failed. So that's a great place to start right there. It's a great dashboard view of what's happening with your scheduled tasks.

So here's your scheduler dashboard. We've talked about A, which is your overview. B is, we've already looked at, Task Status, and C is your time period; you can change that. And then D, the pane called D, is called Active Tasks, and that is how many predefined tasks are enabled. And then there's a Refresh button that can refresh your entire dashboard.

The Task Scheduler is basically version 2.0. It was introduced in Vista and Server 2008. It hasn't changed at all. Here, this is the latest version of Windows 10 Enterprise, and it's the same old Task Scheduler. So this was built on the old MMC concept, Microsoft Management Console, and if you've been around in Windows any time, you're very comfortable with this GUI interface.

In my dashboard view, let's look at Active Tasks, and you'll see I've got about 79 active tasks in here. This is a clean install of Windows 10 Enterprise. This lets me know that during the installation of Windows, Microsoft predefined about 79 tasks into Task Scheduler. That's a baseline value. So when I go to a user and I'm troubleshooting problems and I see they've got 210 scheduled tasks, I know right away they've got some serious software installed that has modified and added additional tasks, and any one of those could be a problem that's impacting Task Scheduler. So this kind of baseline information can be very helpful to the tech if he's troubleshooting.

Task Scheduler also gives you those nice features that we enjoy in MMC, in that I could take the Task Scheduler and connect to another computer. So if you have domain rights or local admin rights, you can go across the network, connect to that machine on the ninth floor to schedule that task, and you're good to go,
never have to leave your seat.

"Okay, Mr. Vanderpool, how do I find out what tasks were installed by the user as they added software after the installation, the default scheduled tasks?" Well, you go up to your Task Scheduler and you choose Task Scheduler Library, and everything you see in this pane is after Windows installation. So it could be very long, it could be very small. So here you see only about five tasks that were added after Windows installation. So here's an example of my video editor. You can see it's much more involved. So you see Bitdefender, Corel, Google, Microsoft Edge, Norton, NVIDIA. Here I've got many, many more tasks that have been added to Task Scheduler after Windows was installed.

Let's go back to Task Scheduler and look at how Microsoft has organized tasks in Task Scheduler, and then we're going to go back and compare that to the hard drive, how it organizes those task files on the hard drive, and then when we pull up the registry and we compare all three, they make perfect sense.

So remember, when we open up Task Manager and we open up the Task Scheduler Library, here we see five tasks. Remember, this is a clean copy of Windows 10 Enterprise, and those are the few things that were added after installation. If I go below and I go to the Microsoft tab, then I actually begin to get OneCore, that was added in version 1903 of Windows, and they added some DirectX tasks in there. There's some Xbox game stuff. But the one I'm most interested in is Windows. If we open up Windows here, you can see all the structure of typical components that are found in Windows. Most of you are comfortable with what you see, and if you open up each of these folders, like .NET Framework, inside are actually the tasks themselves.

Now let's go to the hard drive and compare that same thing. If I open up my hard drive in here, I'm at, let me pull this over, C:\Windows\System32\Tasks. We can see that the five tasks that were added after Windows install are right here in the
root of Tasks. There is a subdirectory called Microsoft, and I open it up, and notice the similarity between what we just saw in Task Scheduler: that same structure is followed on the hard drive. So there's OneCore, and then here's Windows, and again we see that same structure that we saw in Task Scheduler in the actual hard drive.

Now let's go look at the registry. So I'm going to get regedit, and to make this easier I'm just going to copy and paste the path into the path structure on the Registry Editor. So I'm going to pop this in, copy and paste, and I'm just pasting the registry path, and I'm going to hit Enter. That's the easiest way: if you've got the path in a document, you can always paste it right there in the registry and it takes you right to that area.

Now we see we're in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, and then there's the first subkey, Schedule, and the additional subkeys that are under that, and then we have the TaskCache subkey, and if we scroll down we'll see the Tree subkey, and this is where we start seeing the tasks themselves. And notice that familiar structure: under Microsoft we see the OneCore, then we see the Windows subkey, and then, if I pull this back up, you'll see the Xbox. So we see that same structure that we saw in Task Scheduler and on the hard drive, and now we're seeing that same thing here in the registry.

Now once I'm in the registry and I drill down to these various subkeys, I'm going to open up the .NET, and you can see this is the actual subkey for the .NET Framework scheduled tasks. These are the actual tasks themselves.

[Music]

First, the XML-based files that are added to the hard drive every time you create a task. Then there's the Task Scheduler service. The service is really the heart and soul of this whole system. The Task Scheduler console, or the MMC, is just a pretty front end to the service. The service is doing most of this work. And then the registry
subkeys: that is actually where your task is executed from and officially saved. So we're going to look at a couple of subkeys that are very important to understand troubleshooting tasks.

All scheduled tasks have files that are stored on your hard drive, and they're typically in the C:\Windows\System32\Tasks folder. Whenever you create a task, it actually is put in the registry. When you run a task, it's run from the registry. So what is this XML file? It basically is a mirror image of what is inserted into the registry to run your task, and it is saved as an XML file on your hard drive. It is very handy to use to troubleshoot or recreate a task that gets corrupted in the registry: you could use that XML file to import and get that task back up. It's human readable. It does conform to the Task Scheduler schema, so don't just open it up with Notepad and start changing things.

In the hard drive where your tasks are saved, the root of Tasks is where all your post-install tasks are put. Now, sometimes software applications will create their own folder in the root of Tasks, but everything that's put in your Task Scheduler after installation is going to be found in the root of Tasks. Microsoft kind of locks down NTFS permissions on the Microsoft folder and everything below it, so normally you have to be an administrator to get into any of the task files that are under Microsoft.

The scheduler service is the heart and soul of Task Scheduler, period. I've got Process Explorer up here in the graphic. You can see I've got svchost.exe, which is actually the process running not only the Task Scheduler service but many other services. This is common in Windows. Here's another view with Process Explorer. I've actually highlighted that svchost and looked at the properties, and you can see all the services that are being hosted by that one process.

This Task Scheduler service runs under SYSTEM credentials. This is also known as the super user. Because of that, an administrator cannot restart or
stop the service without rebooting the server or rebooting Windows 10. There are eight services that fundamentally hold up the Task Scheduler service. This adds complexity, as I will explain. Here I'm showing the properties of the Task Scheduler service, and you can see the dependencies. They're quite extensive. This makes troubleshooting and working with this service more complex.

Let's go ahead and launch Services on my virtual machine, and I'm going to run it as an administrator, and even with those rights, I'm going to scroll down here to Task Scheduler. So here I've launched Services and I've got the Task Scheduler service, and you can see when I right mouse click, I can't start, stop, and I'm logged on as administrator. I'm going to show you how to log on with super user and circumvent this problem. This is frustrating, because as an administrator of a server I don't want to restart the server just to restart a service.

This is the Task Scheduler console, the MMC, and you can see I've got Process Explorer open and I've highlighted the process mmc.exe that's actually running the Task Scheduler console. It has about 50 DLLs that run underneath it, but basically it's a pretty front end to the service.

Now, before I get started on critical registry subkeys, let me halt right here. I am going to speak a lot about registry subkeys to help that individual, that IT pro, that administrator who's working on tasks that have failed or some kind of issue. But make sure you have used every other method to try to resolve your problem before you ever go into the registry to solve a problem. The registry is a last resort. Now, the purpose of teaching these registry subkeys is so that if, and only if, in a last resort you need to get in here, you can do it intelligently.

The first critical subkey is called the Tree subkey. In the Tree subkey you see a readable version of your task that matches the Task Scheduler. This is the only place you have a readable version of your task that matches the Task
Scheduler perfectly. This is a very important subkey because it's going to have your GUID. The Tree subkey shows you all your tasks just like they appear in your console, so it's a great way to find the tasks in the registry. The Tree subkey only basically gives you your GUID for that task. Everywhere else in the registry your task is identified by the GUID, and that's it. So if you don't know the GUID for your task, you're pretty well out of luck.

So in my graphic here I've got the local admin group membership task highlighted on the left-hand side, and then you see the one showing you the key value name, called Id, and then you see the data, which is the GUID, the globally unique identifier. That globally unique identifier is what you need to find your task in the rest of the registry subkeys. What I'm showing you here is your Tree subkey, and you can see it matches perfectly to what you see in the console. You need this Tree subkey to find the GUID for the task.

So when I create, and I put all this critical information about my task into the registry, where does it go? It doesn't go into the Tree subkey. It goes into the Tasks subkey. All that information about trigger and path and your schema and your security descriptors and your actions that you want to run, all that critical information about your task is going to be found in the Tasks subkey, and it's all listed by GUID. So when your task is executed, it's executed from this registry subkey.

So here you can see in this graphic, if you'll notice at the top, I've got Tasks highlighted in red, so I'm in the Tasks subkey. You'll notice on the left-hand side I've got highlighted in red the GUID for that task, and over on the right-hand side, highlighted in green, I've got all the information that you put in that particular task and saved to the registry. This is the information that actually runs your task.

Now notice everything I've talked about so far is about tasks, and in the TaskCache subkey
is the Boot subkey, the Logon subkey, Maintenance, and Plain. If you have a task that is going to be run upon boot, it will have its GUID in the Boot subkey. If you have a task that is going to be run on logon, its GUID will be in the Logon subkey. All the other tasks will be split between the Maintenance subkey and the Plain subkey.

Another helpful tip for troubleshooting is make sure that you enable the displaying of all task history. It's right here. You can enable it and disable it, and notice you can watch this History tab either appear or disappear. So make sure you enable it. That way, if you're troubleshooting specific tasks, you can come down to the History tab and it will display how it has operated, what kind of errors, etc., have happened to that task over time. You can also double-click under the Event column and it actually will pull up the event for that particular instance of that task.

While I was learning Task Scheduler and really trying to understand all of its components and features, I ran into NirSoft's portable app that was just delightful. If you're working with Task Scheduler and you're pulling your hair out, you need this portable app. Make sure you get it from NirSoft and make sure you verify it against his MD5; he's got SHA-256 hashes that can verify that the utility is genuine and has not been tampered with.

Task Scheduler Viewer is a delightful tool for the network administrator. One, it shows you all your tasks in a spreadsheet view. All of your information is in columns and is sortable. I want to look at all my tasks that run on boot: I can sort that column and scroll down and find all the tasks that meet the criteria of "yes, runs on boot". This is super, super handy. I can also use the tool to right mouse click, if I've launched it under administrative rights, and I can disable, enable, run the task, stop the task from running. It's just a delightful tool if you're working with Task Scheduler. Task Scheduler Viewer allows me to look at
executable files that are running the task. It also allows me to see the executable arguments and switches. I can see the credentials that are running that task. A lot of times that helps me troubleshoot credential issues. If you're doing any extensive work with Task Scheduler, you want this utility.

[Music]

"Mr. Vanderpool, you have not taught us how to create a task in Task Scheduler." That's correct. There are so many great videos on YouTube that there is no reason for me to reinvent the wheel. There's already a huge library of Task Scheduler videos on YouTube that walk you through creating a task. There are also many good websites that give you step-by-step guidance and explain all the options, and they walk you through creating a task in Task Scheduler. I've also included in our notes, which you can download free from the video description, a guide we've created that walks you step by step and explains all the options in creating a task. There was no sense in creating another video on how to create a task in Task Scheduler.

So let's take a look at troubleshooting tasks, the Task Scheduler service, or the console itself. Troubleshooting task errors and task failures is a common feature in troubleshooting task scheduling. In most cases it's going to be credentials: appropriate credentials across the network, from where the scripts are at to where the scripts are going. So look at credentials, because those are a big problem with task errors or failures. NTFS permissions, share-level permissions, both on the folder that holds your scripts and where you're sending them to: this is the most common cause of task errors and failures. Make sure you test your batch file thoroughly, and VBScript and PowerShell, before you put it in a task. Look at your path; a common failure is your path. And then look at your Event Viewer. Event Viewer can be helpful in many cases troubleshooting your task.

Now, if you've done everything that I've suggested up to this point and you're still having problems, then stop. Make sure, if you've got
Windows 10, you've done a restore point. If you're on Server, make sure you do a backup and include your system state. Don't go any further until you do this point.

To repair the Task Scheduler service or the Task Scheduler console, there's really only one good way to begin doing that: use the DISM command. I've got the switches and arguments below. Launch an administrative command prompt and run this. After you run DISM, you then want to run SFC /scannow, and your System File Checker will verify that all of your files are their correct versions and genuine and the correct Microsoft version. 99% of your scheduler service and task console problems will be solved with this step.

If your problem persists with Task Scheduler and the Task Scheduler service, and you've done the DISM and your System File Checker, you're probably faced with a couple of scenarios. With Windows 10, try a good restore point. If you have Windows 10, try a good backup. I personally use Windows 7 Backup on every Windows 10 box I have. You can use PC reset and keep your personal files; that's a last resort. On Server, you're back to a good backup with system state. So not a lot of options here if restoring a clean operating system file does not fix your problem.

So I'm going to begin to walk you through how to run utilities and tools under the super user account, what we know as the SYSTEM account. We're going to go to Sysinternals, which are Microsoft tools. We're going to go to Download and we're going to scroll down to PsExec. We're going to come down here and we're going to use this tool right here. Now, you can download the Sysinternals Suite, which I recommend you start learning if you're an IT professional or IT student. If you're an IT pro, you're probably already using all these. PsExec you can just download here and bring it down to your machine.

So I've downloaded that tool down to my C:\Users\John\Download\Sysinternals folder. I want to launch Command Prompt, and I'm going to launch an administrative shell,
so I'm going to launch it with administrative rights. Now, the path of my shell is C:\Windows\System32 and I want to change that so it reflects this path. So I'm going to copy, and I'm going to come over to my shell and change directory, and I'm just going to paste that directory in, and now my shell, which is running under administrative rights, is right where I want it. It's where my tools are at.

Now I'm going to launch PsExec -i -s, and then I'm going to go ahead and launch another command-line shell. Now this command-line shell is being run under SYSTEM. This is my super user account. I can close the other one out. Everything that I run under this shell runs under the SYSTEM account. So if I run regedit, this Registry Editor is now run under the SYSTEM account. It is extremely dangerous and very, very powerful. There's nothing I can't do in this registry. If I run Services, the service app, this service app is now running under the SYSTEM account and it is very powerful.

Let's go ahead and go to the Task Scheduler service. So here is my Task Scheduler service, and you can see right now I have the right to restart. I did not have that right under administrator. So I have all rights to do anything I want to any service. So anytime I want to run a tool or a utility, I run it in this command shell, and anytime I launch anything, such as Explorer, now this Explorer is all-powerful. It is being run under the SYSTEM account. Be very careful when you run tools and utilities under SYSTEM.

Now, when I walk you through troubleshooting, I'm going to refer back to my SYSTEM shell and I'll tell you to launch this tool or that tool. Just be aware it's now running under SYSTEM credentials. It can do the things you need to do.

So at the end of this video we're going to do some real interesting things. We're going to do Process Monitor. We're going to analyze the creation of a task. I'm going to create a simple PowerShell task, and we're going to watch that as Process Monitor captures the creation of that task. The second
thing we're going to do is we're going to capture the running of a task. And then I'm going to debunk some of the false information out there on the internet about Task Scheduler, and I'll just show you it's not true, so you'll know when you see these forums and these suggestions, they're not going to work for you.

So what I'm going to do is I'm going to create a PowerShell script in Task Scheduler, and while I'm doing that I'm going to be running Process Monitor, which is going to capture all this taking place in the registry and the file system, as processes and threads. Capture all that information, and we'll go back and we'll analyze what took place when we created a task.

So to begin with, I'm going to go ahead and kick off the capturing of my trace, and so now it's capturing all the information. So I'm going to go back to my Notepad, and this particular one is a PowerShell -NoExit; that way the shell stays up. I'm using the cmdlet Get-LocalGroupMember, and the group that I'm looking at is the administrator group, and it will just display who is a member of my local administrator group, and if that's changed, I get to see it every time I log on.

So with that, I'm going to go create a task. I'm going to come up to my library and create a new task, and I'm going to call this, and I could put a description in here. In this case I want to run this only when John is logged on. I'm the administrator; I'm the only one that needs to see this. I'm going to go to Triggers, and this will be a key value that you'll see in your subkeys. In this case this is what kicks off the task, and yes, this will be upon logon. Now, I don't want it for any user, I want it for John, since he's the administrator, and I'm going to click OK. And then I'm going to go to Action. This will be another key value that you'll see in your subkeys. We're going to start a program and it will be PowerShell, and I'm going to go ahead and get my Notepad back out and copy all of this right here. I like to run from Notepad; it avoids a lot
of typos. And I'm going to say OK. Now I've done trigger, action, general. Conditions: I really don't need any conditions, because I want it to run always. The settings: I'm going to allow the task to be run on demand, and some of the default stuff, like stop the task if it runs more than three days, obviously that's probably a good idea. Now I'm going to hit OK.

Now that was all captured in my trace. One thing: I should now have a file, and it should be the display local admin membership file. So there's my XML file under Windows\System32\Tasks, and so that's there. And so let's go take a look at what took place. So I'm going to stop the capture, and I'm going to open this up so you can watch what I'm doing.

The first thing I'm going to do is launch the process view, and I'm going to find the process that is actually running these tasks, the Task Scheduler service. A quick way to identify the svchost that's running your Task Scheduler is it runs a child process called sihost.exe. So your svchost, if it's running that sihost.exe as a child process, that's your guy. So this is one service that I want to filter, so I'm going to add it to my filter, and I'm going to slide down here to MMC. This is the Task Scheduler console, and I might add that to my filter, and I'm just going to stop right there.

So right now in my trace I have the Task Scheduler service, and remember that svchost hosts a lot of other services, so we know we captured probably more than what we need, but we've got the Task Scheduler console, the MMC, and we've got the service captured. The only thing that probably I don't need to display: I'm going to come over here and turn off network activity.

Now what I'm going to do is I'm going to search for my readable name. So I'm going to come to Edit and I'm going to go to Find, and I'm going to type in my readable name. That will be a text string in a lot of these events that have been captured. So I'm looking for a text string that says "display local", and I'm going to say look down from
here, and I can see right away I see a registry key that's opened under the Schedule\TaskCache\Tree. Remember, Tree is very important because that's where we actually see that readable task created. So here under TaskCache\Tree we see another key value being created, called the SD key, and that is binary data that is created for that task. You have the Id and the SD key. Over here we see that we're creating a file in Windows\System32\Tasks. That all makes sense. Again we see more registry action here under Tree, display local admin: both the SD key, the Id key, the Index key.

Down here for the first time we see the GUID. So here is our GUID creation, and notice here, because this is a logon task, if you notice under TaskCache\Logon, it placed the GUID in the Logon subkey. So there it is. Now under the Tree, I'm sorry, under the TaskCache\Tasks subkey, all this right here, this is where we're actually building all the information for the task. Here's our author, source, security, date, version, data, package, triggers, action. This is the actual task itself, and notice it's listed under the GUID and it's found in the Tasks subkey.

Here under the file creation we see Tasks and we see the creation of the file, display local admin membership. So here we're creating the file. Here we're putting more information concerning the task into the Tasks subkey under that GUID. You can see hash, schema, version, URI, package, capabilities, actions.

[Music]

So this time I'm going to launch my capture, and I'm going to come over to Task Scheduler, and I'm going to right mouse click, then go ahead and run that task, and it should pop up PowerShell and display the membership of the local admin group, which is correct. And we'll stop my capture and we'll filter. So I'm going to go show the process tree, roll down here to the task that runs, which is this one right here. It runs the sihost.exe child process; I'll use that as my filter. I'm going to use PowerShell as a filter, and I'm going to come down to MMC, and we're good. Now
this trace should hold everything that happened in the execution of that command, and of course it has a lot more, but it filtered out just about everything that's not super critical.

Now I'm going to go back to Edit and Find that readable "display local". We'll just use that text string and we'll go to the first trace event. Just a tip: if I'm looking for something like a text string in a trace and I've filtered, I always start by highlighting the top event, and I search down. So I'm going to go here and I'm going to search down from this very topmost trace, and I'm going to go Next, and I'm going to stop there.

So here you can see it's going to the readable subkey, which is Tree. It's looking at that display local admin task. It's reading the SD key value, which is binary information. We can see it comes down and reads the Id key value, which is the GUID, and so from here on we can see the GUID here. Now I could copy that GUID out and search based on the GUID; that would give me some interesting results. But you can see it's reading now under the Tasks subkey, the actual executable component of the registry.

Another interesting note is you'll notice over here, when we see the process that's doing everything, 90% of what's going on here is the svchost file. There's very little activity under the Task Scheduler console, which is mmc.exe. Almost everything that's going on is the service.

We know as the task is going to be executed, it's going to be running PowerShell, so I'm going to scroll down in this, and I can see a lot of things going on. I'm looking for PowerShell, so I'm going to keep scrolling, because I know at some point this registry is going to have to launch some PowerShell information. So here we go: I see open a registry key, powershell.exe. Here it's creating a file, create file map for powershell.exe. Yep, we're getting close. And down here, here's a process start. Actually, here's a process: we're going to create a process and we're going to run powershell.exe, and we're going to start some
threads, and we are going to be running PowerShell right here. So here we're loading the image, and here we're opening registry keys. Here we can see a back-and-forth. Here we're looking at the Tasks subkey under the GUID. We're looking at all the elements of that task, and we can see we're bouncing to PowerShell, and then we bounce back to the registry where the task is at, and then we're running back to PowerShell. So we're doing a lot of back and forth to get PowerShell ready to execute this script.

I'm going to scroll down. You can see PowerShell here is really active, and just to see what it takes to get PowerShell running, I'm going to just scroll this down. You can see there's a lot going on to get PowerShell up to where it can do anything. So it's running DLLs, creating threads, building the process. This is all building the process. All of this has to take place in order to run PowerShell.

[Music]

As I studied for this video, I found a lot of misleading information. One, there was a lot of emphasis that you cannot mess with these files, these XML files under Tasks; if you mess with them, then your task will not work. Well, here's the one we just created, and I'm going to cut, and I'm just going to put it somewhere else and paste, so it's no longer under Tasks. And I can go under my Task Scheduler, sorry, here's my Refresh tab, and I'm just going to go ahead and run that task, and you can see it runs fine.

So the file is simply a backup, a mirror image in XML of what you put in the registry. What's nice about that file is you can take it out of Tasks and then import it back in. If you have a task where, let's say, your registry gets corrupted on a task, you can delete the task and use that file to then import and recreate the task without doing anything. The XML just puts everything back in. So that's primarily what that file is for.

Many suggestions on the internet were saying that if you were having a problem with a task, you could take either the Boot subkey, if it was a
task that ran on boot, or the Logon subkey, for a task that ran on logon, and you could export this key and then delete it and it would clear it up. It doesn't. So I'm going to take this and I'm going to export it, and I'm just going to save it here in my reg folder, overwrite it, and I'm going to take it and I'm going to delete that key. Now, I am not quite sure exactly what that key does, but here, we'll go back and run this, and I can reboot this machine and that task will still work.

So if anyone is explaining to you that you need to mess with the Boot or the Maintenance or any of these subkeys, that they're going to fix your problem, they're just not. Keep in mind the only person that can go in here and remove and add and delete is the SYSTEM account, so you have to have SYSTEM rights in order to do this.

So those are the few misleading examples that I found and we've kind of debunked in this video.

[Music]
Info
Channel: TechsavvyProductions
Views: 3,044
Rating: 4.9652176 out of 5
Keywords: Task Scheduler, Registry, Troubleshooting
Id: GiUpvm23Y5M
Length: 37min 49sec (2269 seconds)
Published: Mon Jul 13 2020