Tables
Fleet uses osquery tables to query operating system, hardware, and software data. Each table provides specific data for analysis and filtering.
Apple
Linux
Windows
ChromeOS
scheduled_tasks
scheduled_tasks
The Windows Task Scheduler tracks and performs automated tasks on a Windows device. The scheduled_tasks table collects the data from the Windows Task Scheduler.
| Column | Type | Description |
|---|---|---|
| action | text | Actions executed by the scheduled task |
| enabled | integer | Whether or not the scheduled task is enabled |
| hidden | integer | Whether or not the task is visible in the UI |
| last_run_code | text | Exit status code of the last task run |
| last_run_message | text | Exit status message of the last task run |
| last_run_time | bigint | Timestamp the task last ran |
| name | text | Name of the scheduled task |
| next_run_time | bigint | Timestamp the task is scheduled to run next |
| path | text | Path to the executable to be run |
| state | text | State of the scheduled task |
Example
This query collects all tasks that are enabled but have not run:
SELECT * FROM scheduled_tasks WHERE enabled='1' AND last_run_message='The task has not yet run.';Notes
Many automated tasks are added to the Task Scheduler by Windows itself, however, administrators can also customize the Task Scheduler. Scheduled tasks are analogous to Launch Daemons and Launch Agents used on Linux or macOS. Because automation is a potential vector for malicious activity, monitoring the Windows Task Scheduler may be critical in an enterprise environment.
Questions?
SOC2 Type 2
