Process
schtasks.exe
schtasks.exe is the command-line interface to the Windows Task Scheduler. It creates, runs, queries, changes, and deletes scheduled tasks, programs set to run on a trigger like a time, a logon, or system boot. Administrators use it for routine automation. Attackers use it as one of the most reliable ways to gain persistence and to run code on remote machines.
File identity
Not observed.
Not observed.
Not observed.
Not observed.
Execution context
Not observed.
Not observed.
Not observed.
Not observed.
Not observed.
Not observed.
Ancestry
Not observed.
Not observed.
Not observed.
Not observed.
Behavior
Not observed.
Not observed.
Not observed.
Not observed.
schtasks /create /sc minute /mo 1 /tn "Reverse shell" /tr "{CMD}"
Execute · Create a recurring task to keep reverse shell session(s) alive
schtasks /create /s targetmachine /tn "MyTask" /tr "{CMD}" /sc daily
Execute · Create a remote task to run daily relative to the time of creation
Indicators
Not observed.
Analysis
schtasks.exe manages scheduled tasks through the Task Scheduler service. A task pairs a trigger (a time, a schedule, logon, boot, idle, or an event) with an action (a program or script) and an account to run as. The main verbs are /create, /run, /query, /change, and /delete, and with /s <host> plus credentials it manages tasks on a remote machine. The genuine binary lives at C:\Windows\System32\schtasks.exe. The tasks it creates are carried out later by the Task Scheduler, often through taskhostw.exe for DLL-based tasks.
Legitimately, schtasks is run by administrators, installers, and management tooling to set up maintenance and automation. Because the task name, the program that task runs, the account it runs as, and the trigger that fires it all appear on the command line, the command line is what gives an instance its meaning.
schtasks.exe is one of the most common persistence mechanisms on Windows (T1053.005). A task bound to logon or boot, or set on a recurring schedule, re-runs the attacker's program every time the trigger fires and survives reboots, and /ru SYSTEM makes that program run with full privileges. A created task whose action is a script host, a LOLBIN, or a binary in a user-writable directory points to abuse rather than routine automation.
Pointed at a remote host, schtasks is also lateral movement (T1053.005). schtasks /create /s <target> /u <user> /p <pass> /tr ... followed by /run creates and triggers a task on another machine with supplied credentials, a well-worn remote-execution method. Remote task creation followed by an immediate run is the pattern.
Attackers also hide tasks, for example by stripping a task's security descriptor so it disappears from the Task Scheduler UI, and tuck them in obscure folders. Because schtasks is a normal administrative tool, the action, the account, the trigger, the parent, and any remote target are what separate automation from abuse. Where a created task runs DLL-based work, it surfaces at execution time under taskhostw.exe.
- Image path other than C:\Windows\System32\schtasks.exe (high)
- /create with /tr pointing to a script host, a LOLBIN, or a binary in a user-writable path (high)
- /ru SYSTEM or another privileged account on a created task (high)
- A remote target, /s <host> with credentials (high)
- Parent is an Office application, a script host, or an unfamiliar process (high)
- A task created in an unusual or hidden task folder (med)
- /create followed immediately by /run (med)
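The following is an added worked example, not code from the original page: a small detection routine that parses schtasks.exe command lines out of process-creation events and scores them against the indicators listed above and in the Analysis. The event format (ts, host, image, parent, cmdline), the sample events, the allowlists of script hosts, Office binaries and familiar parents, the user-writable path markers, and the 60-second create-then-run window are all assumptions made for illustration; a real deployment would take them from its own telemetry schema and environment.

```python
"""Score schtasks.exe process-creation events against the indicator list above.

Added example. Input is a list of dicts with keys ts (epoch seconds), host,
image, parent and cmdline; the sample events and the allowlists below are
constructed assumptions, not a complete catalogue.
"""
import ntpath
import re

GENUINE_IMAGE = r"c:\windows\system32\schtasks.exe"
# Script hosts / LOLBINs that are suspicious as a task action (assumed list).
SCRIPT_HOSTS = {"powershell", "pwsh", "cmd", "wscript", "cscript", "mshta",
                "rundll32", "regsvr32", "certutil", "msiexec"}
OFFICE_APPS = {"winword", "excel", "powerpnt", "outlook"}
# Parents that routinely spawn schtasks in this hypothetical environment.
FAMILIAR_PARENTS = {"cmd", "explorer", "services", "svchost", "msiexec", "mmc"}
PRIVILEGED_ACCOUNTS = {"system", "nt authority\\system"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\",
                 "%appdata%", "%temp%", "%localappdata%", "%public%")
RUN_AFTER_CREATE_WINDOW = 60  # seconds between /create and /run (assumed)

def tokenize(cmdline):
    """Split a Windows command line, keeping double-quoted spans as one token."""
    return re.findall(r'"[^"]*"|\S+', cmdline)

def parse_args(cmdline):
    """Map switches to values ('/sc minute' -> {'sc': 'minute'}); bare switches map to True."""
    toks, args, i = tokenize(cmdline), {}, 0
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i][1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                args[key] = toks[i + 1].strip('"')
                i += 2
                continue
            args[key] = True
        i += 1
    return args

def basename(path):
    """'C:\\x\\POWERSHELL.EXE' -> 'powershell' (lower-case, no .exe extension)."""
    name = ntpath.basename(path.strip('"').lower())
    return name[:-4] if name.endswith(".exe") else name

def assess(event):
    """Return [(indicator, severity)] for one schtasks process-creation event."""
    findings, args = [], parse_args(event["cmdline"])
    if event["image"].lower() != GENUINE_IMAGE:
        findings.append(("image path other than System32 schtasks.exe", "high"))
    if "create" in args:
        action = args.get("tr")
        if isinstance(action, str):
            prog = tokenize(action)[0].strip('"')  # program part of the action
            if basename(prog) in SCRIPT_HOSTS or any(m in prog.lower() for m in USER_WRITABLE):
                findings.append(("/create action is a script host, LOLBIN or user-writable path", "high"))
        run_as = args.get("ru")
        if isinstance(run_as, str) and run_as.lower() in PRIVILEGED_ACCOUNTS:
            findings.append(("/ru SYSTEM or another privileged account", "high"))
        task_name = args.get("tn")
        folder = ntpath.dirname(task_name) if isinstance(task_name, str) else ""
        # Weak signal: a nested folder outside \Microsoft\Windows. A stripped
        # security descriptor is not visible on the command line at all.
        if folder and not folder.lower().startswith("\\microsoft\\windows"):
            findings.append(("task created in an unusual task folder", "med"))
    if isinstance(args.get("s"), str) and ("u" in args or "p" in args):
        findings.append(("remote target /s <host> with credentials", "high"))
    parent = basename(event["parent"])
    # Office apps and script hosts are outside FAMILIAR_PARENTS, so both cases collapse here.
    if parent in OFFICE_APPS or parent not in FAMILIAR_PARENTS:
        findings.append(("parent is an Office app, script host or unfamiliar process", "high"))
    return findings

def correlate_create_then_run(events):
    """Flag /create followed within RUN_AFTER_CREATE_WINDOW by /run of the same task from the same host."""
    created, hits = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        args, name = parse_args(ev["cmdline"]), None
        name = args.get("tn")
        if not isinstance(name, str):
            continue
        key = (ev["host"], name.lower())
        if "create" in args:
            created[key] = ev["ts"]
        elif "run" in args and key in created and ev["ts"] - created[key] <= RUN_AFTER_CREATE_WINDOW:
            hits.append((ev["host"], name, "/create followed immediately by /run", "med"))
    return hits

SYS32 = r"C:\Windows\System32\schtasks.exe"
SAMPLE_EVENTS = [  # constructed sample telemetry, not real events
    {"ts": 1000, "host": "WS01", "image": SYS32, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'schtasks /create /tn "Backup" /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00'},
    {"ts": 2000, "host": "WS02", "image": SYS32, "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'schtasks /create /sc minute /mo 1 /tn "Updater" /tr "powershell -w hidden -File C:\Users\bob\AppData\Roaming\u.ps1" /ru SYSTEM'},
    {"ts": 3000, "host": "WS03", "image": SYS32, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks /create /s FS01 /u corp\admin /p <pass> /tn "\Updates\Svc" /tr "C:\Windows\Temp\svc.exe" /sc once /st 00:00'},
    {"ts": 3005, "host": "WS03", "image": SYS32, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks /run /s FS01 /u corp\admin /p <pass> /tn "\Updates\Svc"'},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["host"], assess(ev))
    print(correlate_create_then_run(SAMPLE_EVENTS))
```

The first sample event (an installer-style daily backup task from explorer.exe) produces no findings, which is the point of keying on the action, account, trigger, parent and remote target rather than on schtasks.exe itself; the remaining events each trip one or more of the high indicators, and the create/run pair from WS03 is only visible when events are correlated across time, which is why that indicator lives in a separate function.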
Telemetry
Not observed.
Not observed.