Using PowerShell to List Scheduled Tasks

Native Solution

Netwrix Auditor for Windows Server

Steps

Open the PowerShell ISE and create a new file with the following PowerShell script, being sure to input the computer name and output path:

$cred = Get-Credential
$comp = "PDC"
$session = New-PSSession -ComputerName $comp -Credential $cred
$script = {
"Services:"
Get-WmiObject win32_service -ErrorAction Stop| where {$_.StartMode -like 'Auto' -and $_.Startname -notlike '*local*' -and $_.Startname -notlike '*NT AU*'}| Select-Object Name, DisplayName, State, StartMode, StartName | Format-Table -Property * -AutoSize| Out-String -Width 4096
# To output to CSV, add this string to the previous command: | Export-Csv c:\Out\filename.csv - NoTypeInformation

"ScheduledTasks"
schtasks.exe /query /V /FO CSV | ConvertFrom-Csv | Where { $_.TaskName -ne "TaskName" -and $_.TaskName -like "*powershell*"}|Select-Object @{ label='Name'; expression={split-path $_.taskname -Leaf} }, Author ,'run as user','task to run'| Format-Table -Property * -AutoSize| Out-String -Width 4096
# To export to CSV, add this string to the previous command: | Export-Csv c:\Out\filename.csv - NoTypeInformation
}
Invoke-Command -Session $session -ScriptBlock $script

Run the script using the credentials for an account that has administrator rights on the local computer in question.
Review the resulting report:

Using PowerShell to List Scheduled Tasks on Windows Machines screen 1

Run Netwrix Auditor. Navigate to “Reports” -> Click “Predefined” -> Expand the “Windows Server” section -> Click “Windows Server – State-in-Time” -> Choose “Domain Accounts Running Scheduled Tasks and Services” -> Click “View”.
To limit the report to a particular server or workstation: Type the machine name in the “Server name” field in the filters -> Click “View Report”.

Using PowerShell to List Scheduled Tasks on Windows Machines screen 2

Using PowerShell to get scheduled tasks on remote machines can be tedious

One of the top root causes of Active Directory account lockouts is scheduled tasks and services that are set to use domain user credentials to perform actions. Trying to troubleshoot these issues using Task Manager can be very difficult, since services and scheduled tasks are stored and displayed separately. In fact, without better software, checking manually can take quite a while even on a single PC.

Therefore, using command-line tools and PowerShell to list scheduled tasks is a more attractive option. The Get-ScheduledTask cmdlet from the scheduledtasks module will list all task names and other general information if you use the -taskname, -taskpath and -state parameters. Combining it with Get-ScheduledTaskInfo cmdlet will provide more information, such as last and next run times. However, neither of these cmdlets shows you the username; to get that information, you need to use schtasks.exe in your script.

Using PowerShell script, you can even query remote computers; using the invoke-command cmdlet is required for your script to work on a remote Windows Server or workstation. You also must have PSRemoting enabled across your Active Directory (AD). However, that will add to your attack surface, reducing your overall security.

Netwrix Auditor eliminates the tedious scripting and all of the other drawbacks of this manual approach. In just a few clicks, you will have clear, comprehensive information on all domain accounts running scheduled tasks and services, including critical details such as the service or task name and the account name — across all your audited servers and workstations.

Previous How-to

Privilege Escalation Auditing in MS Teams and SharePoint Online

Next How-to

How to Find Illicit Applications in Microsoft Entra ID

Using PowerShell to List Scheduled Tasks on Windows Machines

Using PowerShell to get scheduled tasks on remote machines can be tedious