Support
 
Phone Get Quote
 
Support
 
US: +1 888 720 9500
US: +1 888 791 1189
Intl: +1 925 924 9500
Aus: +1 800 631 268
UK: 0800 028 6590
CN: +86 400 660 8680

Direct Inward Dialing: +1 408 916 9892

 

How to monitor scheduled tasks in Windows Task Scheduler

Windows Task Scheduler has been the entry point for many hackers to infiltrate the system. Even Windows 10, which has a sandbox (a feature that runs untrustworthy applications in an independent environment so that the main installation is not affected), has been prone to hackers running malicious scripts and tasks via the Task Scheduler. These malicious scripts help the hacker to escalate privileges within your network.

Enabling auditing of the Task Scheduler to monitor suspicious tasks that have been created should definitely be part of your security plan. Follow the step below to monitor scheduled tasks in a Windows server. Alternatively on the Server Audit tab you'll find a simpler way to use ADAudit Plus' pre-configured reports to view and export scheduled tasks.

Download for FREE
Free, fully functional 30-day trial

  • With Native AD Auditing

  • With ADAudit Plus

  • How to monitor tasks scheduled in the Task Scheduler with ADAudit Plus

  • To track scheduled tasks, you will have to enable auditing of your Active Directory (AD).

  • In the ADAudit Plus console, go to 'Server Audit' tab and navigate to 'Process Tracking' on the left pane. This provides you a list of pre-configured reports on process activity within AD.

  • You can select the 'Scheduled Task Created' report to see any new tasks that were scheduled.

  • You can also create custom reports and export these reports in CSV, PDF, XSL, HTML formats.

    how-to-monitor-scheduled-tasks-in-windows-7
  • Step 1: Enable Group Policy Auditing

  • Logon to your domain controller with administrative privileges and launch the Group Policy Management Console.

  • Right-click the appropriate Group Policy Object linked to the Domain Controllers container and select Edit.

  • Expand the Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configurations → Audit Policies → Audit Policy node → Object Access → Audit Other Object Access Events

  • Configure the properties for both 'success' and 'failure'. Exit Group Policy Management Editor.

    how-to-monitor-scheduled-tasks-in-windows-1

  • In the Group Policy Management Console, choose the modified GPO, and click 'Add' in the 'Security' section on the right pane. Type 'Everyone' in the text box and click 'Check Names' to include the value. Exit the Group Policy Management Console.

  • To enforce these changes throughout the domain, run the command 'gpupdate /force', in the "Run" console.

  • Step 2: Allow AD Auditing through ADSI Edit

  • From your 'Server Manager' go to 'Tools' and select 'ADSI Edit'.

  • Right click 'ADSI Edit' node from the left pane and select 'Connect to' option. This pulls up the 'Connection Settings' window.

  • Select the 'Default Naming Context' option from the 'Select a well-known Naming Context' drop down list.

    how-to-monitor-scheduled-tasks-in-windows-2

  • Click 'OK' and return to the ADSI Edit window. Expand 'Default Naming Context' and select the associated 'DC' subnode. Right-click this subnode and click 'Properties'.

  • In the 'Properties' window, go to the 'Security' tab and select 'Advanced'. After that, select 'Auditing' tab and click 'Add'.

    how-to-monitor-scheduled-tasks-in-windows-4

  • Click on ' Select a principal'. This will bring up a 'Select User, Computer or Group' window. Type 'Everyone' in the textbox and verify it with 'Check Names'.

  • The 'Principal' in the 'Auditing Entry' window now shows 'Everyone'. In the 'Type' drop-down select 'All' to audit for both 'success' and 'failure' events.

  • In the 'Select' drop-down choose 'This object and all descendant object's. This allows the auditing of the OU's descendant objects. Select 'Full Control' in the 'Permissions' section.

  • This selects all the checkboxes available. Unselect the following check boxes:

    1. Full Control

    2. List Contents

    3. Read all properties

    4. Read permissions

    how-to-monitor-scheduled-tasks-in-windows-5
  • Step 3: View Events in Event Viewer.

  • You can monitor scheduled tasks by accessing 'Security Logs' in the 'Event Viewer'. You can filter your log to look for the following event.

  • Event ID: 4698 describes a task that has been scheduled.

    how-to-monitor-scheduled-tasks-in-windows-6

Does native auditing become a little too much?

Simplify system event auditing and reporting with ADAudit Plus.

Get Your Free Trial Fully functional 30-day trial

Active Directory Auditing just got easier!

ADAudit Plus comes bundled with more than 300 predefined reports that makes your AD auditing easier. The solution also sends real-time alerts for critical events and thereby help you to secure your network from threats and boost your IT security posture. Check out the capabilities of ADAudit Plus here.
Download ADAudit Plus

Related How-tos

Request 1-on-1 demo

  •  
  •  
  •  
  •  
  •  
  • -Select-
  • By clicking 'Submit' you agree to processing of personal data according to the Privacy Policy.

Thanks

One of our solution experts will get in touch with you shortly.

ADAudit Plus Trusted By

Meet all auditing and IT security needs with ADAudit Plus.

  • Active Directory
  • File servers
  • Windows server
  • Workstation
  • Compliance
  • Related Products

A single pane of glass for complete Active Directory Auditing and Reporting

Free Trial Get Quote
Email Download Link