Scheduled Tasks Job file format.
The format of the job file is found at http://msdn.microsoft.com/en-us/library/cc248286.aspx Scheduled Tasks are contained in a binary file with a fixed length and a variable length section. The fixed length section is 0x44 bytes in length. The format of the job file is detailed in the tables below with a sample job file parsed at the end.
You can download a PowerShell script to do this parsing here parse-jobfile.ps1
| Data | Offset | Length | Notes |
|---|---|---|---|
| Product Version | 0x00 | 0x2 | see Table 3 |
| File Version | 0x02 | 0x2 | |
| Job UUID: | 0x04 | 0x10 | |
| App Name Length Offset | 0x14 | 0x2 | Offset in file to App Name |
| Trigger Offset: | 0x16 | 0x2 | Offset in file to Trigger |
| Error Retry count | 0x18 | 0x2 | |
| Error Retry interval | 0x1a | 0x2 | Minutes |
| Idle Deadline | 0x1c | 0x2 | Minutes |
| Idle Wait | 0x1e | 0x2 | Minutes |
| Priority | 0x20 | 0x4 | see Table 4 |
| Maximum Run Time | 0x24 | 0x4 | Milliseconds |
| Exit Code | 0x28 | 0x4 | |
| Status | 0x2c | 0x4 | see Table 5 |
| Flags | 0x30 | 0x4 | see Table 6 |
| The Next 8 fields are the time the task Last Ran | |||
| Year | 0x34 | 0x2 | |
| Month | 0x36 | 0x2 | 1 – January, 2 – February, etc |
| WeekDay | 0x38 | 00x2 | 1 – Monday, 2 – Tuesday, etc |
| Day | 0x3a | 0x2 | |
| Hour | 0x3c | 0x2 | |
| Minute | 0x3e | 0x2 | |
| Second | 0x40 | 0x2 | |
| Milisecond | 0x42 | 0x2 | |
| Data | Type | Notes |
|---|---|---|
| Running Instance Count | 2 byte integer | |
| Application Name | Unicode String | |
| Parameters | Unicode String | |
| Working Directory | Unicode String | |
| Author | Unicode String | |
| Comment | Unicode String | |
| User Data | Unicode String | |
| Reserved | ||
| Trigger Count | 2 byte integer | Offset 0x16 in fixed length section gives offset to here |
| Trigger Size | 2 byte integer | |
| Reserved | 2 byte integer | 00 00 |
| Begin Year | 2 byte integer | |
| Begin Month | 2 byte integer | 1 – January, 2 – February, etc |
| Begin Day | 2 byte integer | |
| End Year | 2 byte integer | |
| End Month | 2 byte integer | |
| End Day | 2 byte integer | |
| Start Hour | 2 byte integer | |
| Start Minute | 2 byte integer | |
| Minutes Duration | 4 byte integer | |
| Minutes Interval | 4 byte integer | The time period between repeated trigger firings |
| Flags | 4 byte flag | see Table 7 |
| Trigger Type | 4 byte integer | see Table 8 |
| TriggerSpecific0 | 2 byte | |
| TriggerSpecific1 | 2 byte | |
| TriggerSpecific2 | 2 byte | |
| Padding | 2 byte | 00 00 |
| Reserved | ||
| Value | Meaning |
| 0x0400 | Windows NT 4.0 |
| 0x0500 | Windows 2000 |
| 0x0501 | Windows XP |
| 0x0600 | Windows Vista |
| 0x0601 | Windows 7 |
| 0x0602 | Windows 8 |
| 0x0603 | Windows 8.1 |
| Bit | Meaning |
|---|---|
| Bit 23 | If set to 1, the task can run at the highest possible priority. The threads of a real-time priority class process preempt the threads of all other processes, including operating system processes performing important tasks. |
| Bit 24 | If set to 1, the task performs time-critical tasks that can be executed immediately for it to run correctly. The threads of a high-priority class process preempt the threads of normal or idle priority class processes. |
| Bit 25 | If set to 1, the task can run in a process whose threads run only when the machine is idle, and are preempted by the threads of any process running in a higher priority class. |
| Bit 26 | If set to 1, the task has no special scheduling requirements |
| Value | Meaning |
|---|---|
| 0x00041300 | Task is not running but is scheduled to run at some time in the future. |
| 0x00041301 | Task is currently running. |
| 0x00041305 | The task is not running and has no valid triggers. |
| Bit | Value | Description |
|---|---|---|
| 31 | TASK_FLAG_INTERACTIVE | If set to 1, specifies that the task can interact with the logged-on user. |
| 30 | TASK_FLAG_DELETE_WHEN_DONE | If set to 1, specifies that the task can be deleted when there are no more scheduled run times. |
| 29 | TASK_FLAG_DISABLED | If set to 1, specifies that the task is disabled. |
| 27 | TASK_FLAG_START_ONLY_IF_IDLE | If set to 1, specifies that the task begins only if the computer is not in use at the scheduled time. |
| 26 | TASK_FLAG_KILL_ON_IDLE_END | If set to 1, specifies that the task can be terminated if the computer makes an idle to non-idle transition while the task is running. The computer makes an idle to non-idle transition when user input is detected. |
| 25 | TASK_FLAG_DONT_START_IF_ON_BATTERIES | If set to 1, specifies that the task cannot start if its target computer is running on battery power. |
| 24 | TASK_FLAG_KILL_IF_GOING_ON_BATTERIES | If set to 1, specifies that the task can end, and the associated application quit if the task's target computer switches to battery power. |
| 23 | TASK_FLAG_RUN_ONLY_IF_DOCKED | Unused. MUST be set to zero when sent and MUST be ignored on receipt. |
| 22 | TASK_FLAG_HIDDEN | If set to 1, specifies that the task is hidden. |
| 21 | TASK_FLAG_RUN_IF_CONNECTED_TO_INTERNET | Unused. MUST be set to zero when sent and MUST be ignored on receipt. |
| 20 | TASK_FLAG_RESTART_ON_IDLE_RESUME | If set to 1, specifies that the task can start again if the computer makes a non-idle to idle transition before all the task's triggers elapse. |
| 19 | TASK_FLAG_SYSTEM_REQUIRED | If set to 1, specifies that the task can cause the system to resume, or awaken if the system is sleeping. |
| 18 | TASK_FLAG_RUN_ONLY_IF_LOGGED_ON | If set to 1, specifies that the task can only run if the user specified in the task is logged on interactively. |
| 7 | TASK_APPLICATION_NAME | If set to 1, specifies that the task has an application name defined. |
| Bit | Value | Description |
|---|---|---|
| 31 | TASK_TRIGGER_FLAG_HAS_END_DATE | If set to 1, specifies that the task can stop at some point in time. |
| 30 | TASK_TRIGGER_FLAG_KILL_AT_DURATION_END | If set to 1, specifies that the task can be stopped at the end of the repetition period. |
| 29 | TASK_TRIGGER_FLAG_DISABLED | If set to 1, specifies that the trigger is disabled. |
| Name | Value | Trigger-Specific Fields |
|---|---|---|
| ONCE | 0x00000000 | Not used |
| DAILY | 0x00000001 | see Table 9 |
| WEEKLY | 0x00000002 | see Table 10 |
| MONTHLYDATE | 0x00000003 | see Table 11 |
| MONTHLYDOW | 0x00000004 | see Table 12 |
| EVENT_ON_IDLE | 0x00000005 | Not used |
| EVENT_AT_SYSTEMSTART | 0x00000006 | Not used |
| EVENT_AT_LOGON | 0x00000007 | Not used |
| Trigger Specific | Length | Usage |
|---|---|---|
| TriggerSpecific0 | 2 | Daily Interval |
| TriggerSpecific1 | 2 | Unused |
| TriggerSpecific2 | 2 | Unused |
| Trigger Specific | Length | Usage |
|---|---|---|
| TriggerSpecific0 | 2 | Weekly Interval |
| TriggerSpecific1 | 2 | Days of the week (Bit flag) see Table 10a |
| TriggerSpecific2 | 2 | Unused |
| Bit | Value | Description |
|---|---|---|
| 15 | Sunday | If set to 1, specifies that the task can run on Sunday. |
| 14 | Monday | If set to 1, specifies that the task can run on Monday. |
| 13 | Tuesday | If set to 1, specifies that the task can run on Tuesday. |
| 12 | Wednesday | If set to 1, specifies that the task can run on Wednesday. |
| 11 | Thursday | If set to 1, specifies that the task can run on Thursday. |
| 10 | Friday | If set to 1, specifies that the task can run on Friday. |
| 9 | Saturday | If set to 1, specifies that the task can run on Saturday. |
| Trigger Specific | Length | Usage |
|---|---|---|
| TriggerSpecific0 | 4 | Days (bit flag) Bit 31 is day 1 |
| TriggerSpecific1 | 2 | Months (bit flag) see Table 11a |
| Bit | Value | Description |
|---|---|---|
| 15 | January | If set to 1, specifies that the task can run in January. |
| 14 | February | If set to 1, specifies that the task can run in February. |
| 13 | March | If set to 1, specifies that the task can run in March. |
| 12 | April | If set to 1, specifies that the task can run in April. |
| 11 | May | If set to 1, specifies that the task can run in May. |
| 10 | June | If set to 1, specifies that the task can run in June. |
| 9 | July | If set to 1, specifies that the task can run in July. |
| 8 | August | If set to 1, specifies that the task can run in August. |
| 7 | September | If set to 1, specifies that the task can run in September. |
| 6 | October | If set to 1, specifies that the task can run in October. |
| 5 | November | If set to 1, specifies that the task can run in November. |
| 4 | December | If set to 1, specifies that the task can run in December. |
| Trigger Specific | Length | Usage |
|---|---|---|
| TriggerSpecific0 | 2 | Which Week (Bit Flag) see Table 12a |
| TriggerSpecific1 | 2 | Days of Week (Bit Flag) |
| TriggerSpecific2 | 2 | Months (Bit Flag) |
| Name | Value |
|---|---|
| FIRST_WEEK | 0x0001 |
| SECOND_WEEK | 0x0002 |
| THIRD_WEEK | 0x0003 |
| FOURTH_WEEK | 0x0004 |
| LAST_WEEK | 0x0005 |
Example
The following example is a standard google update task taken from a Windows 7 machine: GoogleUpdateTaskUserS-1-5-21-421398934-2707301403-3096970431-1000UA.job.
Hex Dump
| Data | Offset | Value in hex (decimal) |
|---|---|---|
| Product Version | 0x00 | 01 06 (Windows 7) see Table 3 |
| File Version | 0x02 | 01 00 |
| Job UUID: | 0x04 | 75 07 BE 8C 27 F4 59 42 8A 81 C6 60 B2 8C F2 99 |
| App Name Length Offset | 0x14 | 46 00 Offset to App Name Length |
| Trigger Offset: | 0x16 | 76 03 Offset to Trigger Start |
| Error Retry count | 0x18 | 00 00 |
| Error Retry interval | 0x1a | 00 00 Minutes |
| Idle Deadline | 0x1c | 3c 00 (60) Minutes |
| Idle Wait | 0x1e | 0a 00 (10) Minutes |
| Priority | 0x20 | 20 00 00 00 Normal see Table 4 |
| Maximum Run Time | 0x24 | FE FF FF FF Milliseconds |
| Exit Code | 0x28 | 00 00 00 00 |
| Status | 0x2c | 00 13 04 00 Ready see Table 5 |
| Flags | 0x30 | 00 20 80 21 RUN_ONLY_IF_LOGGED_ON TASK_APPLICATION_NAME see Table 6 |
| The Next 8 fields are the time the task Last Ran | ||
| Year | 0x34 | DE 07 (2014) |
| Month | 0x36 | 0C 00 December |
| WeekDay | 0x38 | 03 00 Wednesday |
| Day | 0x3a | 0A 00 (10) |
| Hour | 0x3c | 13 00 (19) |
| Minute | 0x3e | 35 00 (53) |
| Second | 0x40 | 00 00 |
| Milisecond | 0x42 | 3D 01 (317) |
| Data | Offset | Value in hex (decimal) |
|---|---|---|
| Running Instance Count | 0x44 | 00 00 |
| Application Name Size | 0x46 | 43 00 |
| Application Name | 0x48 | C:\Users\Investigator\AppData\Local\Google\Update\GoogleUpdate.exe |
| Parameter Lngth | 0xCE | 1D 00 |
| Parameters | 0xD0 | /ua /installsource scheduler |
| Working Directory | 0x10A | 00 00 |
| Author Length | 0x10C | 0D 00 |
| Author | 0x10E | Investigator |
| Comment Length | 0x128 | 20 01 |
| Comment | 0x12A | Keeps your Google ... using it |
| User Data | 0x36A | 00 00 A zero length string here |
| Reserved | Trigger Count | 0x376 | 01 00 |
| Trigger Size | 0x378 | 30 00 (48) |
| Reserved | 0x37A | 00 00 |
| Begin Year | 0x37C | DE 07 (2014) |
| Begin Month | 0x37E | 0B 00 November |
| Begin Day | 0x380 | 0F 00 |
| End Year | 0x382 | 00 00 |
| End Month | 0x384 | 00 00 |
| End Day | 0x386 | 00 00 |
| Start Hour | 0x388 | 02 00 |
| Start Minute | 0x38A | 35 00 |
| Minutes Duration | 0x38C | A0 05 00 00 |
| Minutes Interval | 0x390 | 3C 00 00 00 The time period between repeated trigger firings |
| Flags | 0x394 | 00 00 00 00 see Table 7 |
| Trigger Type | 0x398 | 01 00 00 00 (Daily) see Table 8 |
| TriggerSpecific0 | 0x39C | 01 00 Days Interval see Table 9 |
| TriggerSpecific0 | 0x39E | 00 00 Every day of week |
| TriggerSpecific2 | 0x3A0 | 00 00 |
| Padding | 0x3A2 | 00 00 |
| Reserved | 0x3A4 | |