Windows Security Log Event ID 602
602: Scheduled Task created
This event is logged both when a scheduled task is created and when an existing task is changed. It is not logged when a task is deleted.
If you enable Object Auditing for successes, you will also see file-level access events corresponding to the *.job file in %SystemRoot%\Tasks\, including delete events. See events 560, 564, 567, and 562.
File Name identifies the *.job file where the task definition is stored. Command documents the operating system command that will be executed when the task starts. Triggers specifies how often, or on what event, the task will start. Time specifies the next time the task will run. Target User is the account the task will run under. Under By, User and Domain identify the user who created or modified the task. Logon ID lets you correlate this event with that user's initial logon. See events 528 and 540.
- File Name: (file name and location of task)
- Command: (command that the task runs)
- Triggers: (times when the task will run)
- Time: (time this task will run next)
- Flags:
- Target User: (User that the task runs under)
- User: (User that created or modified the task)
- Domain:
- Logon ID: (correlates with logon of user that created or modified task)
Scheduled Task created:
File Name:C:\WINDOWS\Tasks\Backup.job
Command:C:\WINDOWS\system32\ntbackup.exe
Triggers:At 9:46 AM every Mon, Tue, Wed, Thu, Fri of every week, starting 8/8/2004.
Time:8/9/2004 9:46:00 AM
Flags:0x18000C0
Target User:ELM\administrator
By:
User:administrator
Domain:ELM
Logon ID:(0x0,0x158EB7)
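
The following Python is an added example, not part of the original page: it parses the event 602 description shown above into its fields, matches the Logon ID against logon records, and checks whether the task runs under an account other than the one that created it. The function names and the logon records are constructed for illustration, and the records are assumed to carry the Logon ID in the same textual form as the 602 event.

```python
import re

# Field labels as listed in the event 602 description on this page.
FIELDS = ("File Name", "Command", "Triggers", "Time", "Flags",
          "Target User", "User", "Domain", "Logon ID")

# Sample description copied from this page.
SAMPLE_602 = r"""Scheduled Task created:
File Name:C:\WINDOWS\Tasks\Backup.job
Command:C:\WINDOWS\system32\ntbackup.exe
Triggers:At 9:46 AM every Mon, Tue, Wed, Thu, Fri of every week, starting 8/8/2004.
Time:8/9/2004 9:46:00 AM
Flags:0x18000C0
Target User:ELM\administrator
By:
User:administrator
Domain:ELM
Logon ID:(0x0,0x158EB7)"""

# Constructed logon records (not from the page) standing in for parsed 528/540 events.
SAMPLE_LOGONS = [
    {"event_id": 540, "user": "ELM\\backupsvc", "logon_id": "(0x0,0x14A2C1)"},
    {"event_id": 528, "user": "ELM\\administrator", "logon_id": "(0x0,0x158EB7)"},
]

def parse_602(description):
    """Split on the first colon only: paths and times in the values contain colons."""
    fields = {}
    for line in description.splitlines():
        label, sep, value = line.partition(":")
        if sep and label.strip() in FIELDS:
            fields[label.strip()] = value.strip()
    return fields

def logon_key(text):
    """Normalize '(0x0,0x158EB7)' to a tuple of ints so case and padding do not matter."""
    return tuple(int(part, 16) for part in re.findall(r"0x[0-9A-Fa-f]+", text))

def find_logon(fields, logons):
    """Return the logon record whose Logon ID matches the 602 event, or None."""
    wanted = logon_key(fields["Logon ID"])
    return next((rec for rec in logons if logon_key(rec["logon_id"]) == wanted), None)

def runs_as_other_account(fields):
    """True when Target User differs from the creating account (Domain plus User)."""
    creator = fields["Domain"] + "\\" + fields["User"]
    return fields["Target User"].lower() != creator.lower()

if __name__ == "__main__":
    event = parse_602(SAMPLE_602)
    print(event["Command"], find_logon(event, SAMPLE_LOGONS), runs_as_other_account(event))
```

A task whose Target User differs from its creator, or whose Logon ID has no matching 528 or 540 record in the collected logs, is a reasonable candidate for closer review.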