@port139 Blog

This blog mainly deals with digital forensics techniques, but there is a high probability that the content contains errors.

Task Scheduler Registry key and "Last Run Time"

Note: I translated Japanese into English using Google Translate.
Thank you, Google.

Summary:

  • "Last Run Time" is displayed in the GUI of Task Scheduler; this value is saved in the registry.
  • Several timestamps are stored in the "Dynamicinfo" value.
    1. Task File Created
    2. "Last Run Time"
    3. Action Completed or Task Completed ??

---

I received a question from my colleague while testing Amcache.
"The Task Scheduler GUI displays 'Last Run Time', but where is this timestamp stored?"


"Last Run Time" is displayed even when task history is disabled.
I guessed it was saved in the registry and searched for registry keys related to the task.

Let's check the registry key of Task Scheduler.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser


The ID of this task is {47C19566-4194-4C9F-BC70-C043803D80E0}.
Look for the key that matches the task ID under the Tasks key.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{47C19566-4194-4C9F-BC70-C043803D80E0}


There are several values under this key. Among them is the "Dynamicinfo" value, which contains data in FILETIME format.

Some information about this value is provided by winreg-kb, but parts of it still appear to be undocumented.

03000000
08D12A59C5A9D401
8495AE0DDFA9D401
00000000
00000000
07654515DFA9D401

Decode the first time stamp.

08d12a59c5a9d401 -> 2019-01-11 15:50:17.0216712 (UTC)

The same value as this timestamp cannot be found on the task screen. What is this timestamp?
I checked the timestamps of the Task file. It matched the created time of the Task file.

Created: 2019-01-11 15:50:17.021671200 (UTC)


By the way, the Task Scheduler GUI also has a "Created" column. This column displays the "RegistrationInfo" timestamp from the task file (XML). In the figure below, nothing is displayed because no timestamp is recorded in RegistrationInfo.


Decode the second timestamp.

8495AE0DDFA9D401 -> 2019-01-11 18:54:17.2933508 (UTC)

This timestamp matches the "Last Run Time": 1/11/2019 6:54:17 PM (UTC)


Decode the third timestamp.

07654515DFA9D401 -> 2019-01-11 18:54:30.0257543 (UTC)

Is this the timestamp of "Task Completed" or of "Action Completed"?
"Task Completed" in the history matches this date and time: 1/11/2019 6:54:30 (UTC)
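The three decodes above, as an added example that is not part of the original post: a small Python parser for the DynamicInfo bytes quoted earlier, printing each FILETIME with the full 100 ns precision shown in the post. The field layout (4-byte version, FILETIME, FILETIME, two 4-byte unknowns, FILETIME) and the field names are assumptions taken from the post's own observations, not from Microsoft documentation.

```python
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample: the DynamicInfo hex dump quoted in the post (36 bytes).
DYNAMICINFO_HEX = (
    "03000000"
    "08D12A59C5A9D401"
    "8495AE0DDFA9D401"
    "00000000"
    "00000000"
    "07654515DFA9D401"
)

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime.
    datetime only keeps microseconds, so the last digit is truncated.
    An all-zero FILETIME is treated as "never" and returns None."""
    if ft == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def filetime_to_str(ft):
    """Render a FILETIME with all seven fractional digits, like the post."""
    whole = EPOCH_1601 + timedelta(seconds=ft // 10_000_000)
    return whole.strftime("%Y-%m-%d %H:%M:%S") + ".%07d (UTC)" % (ft % 10_000_000)


def parse_dynamicinfo(data):
    """Split a DynamicInfo value into its fields.
    Assumed layout: <I Q Q I I Q> little-endian. Names follow what the post
    matched each timestamp against; the two 4-byte fields are returned raw."""
    if len(data) < 36:
        raise ValueError("DynamicInfo shorter than 36 bytes: %d" % len(data))
    version, ft1, ft2, unk1, unk2, ft3 = struct.unpack_from("<IQQIIQ", data, 0)
    return {
        "version": version,
        "task_file_created": filetime_to_datetime(ft1),
        "last_run_time": filetime_to_datetime(ft2),
        "unknown": (unk1, unk2),
        "task_completed": filetime_to_datetime(ft3),
        "raw_filetimes": (ft1, ft2, ft3),
    }


if __name__ == "__main__":
    info = parse_dynamicinfo(bytes.fromhex(DYNAMICINFO_HEX))
    for name, ft in zip(("created", "last run", "completed"), info["raw_filetimes"]):
        print("%-10s %s" % (name, filetime_to_str(ft)))
```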


I also checked the event log; the timestamp of "Action Completed" is close, but it does not match exactly.


If the Task Scheduler event log is not enabled, this registry information may still provide some clues.

Verification environment: Windows 10 1809, Time zone UTC

Reference URL:

github.com

computerforensics.parsonage.co.uk
