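/// <summary>
/// Walks a Task Scheduler folder and all of its subfolders. Every task path is echoed to
/// the console; every task whose name appears in <c>watchList.tasks</c> is additionally
/// written to the text log (through <c>WriteContent</c>) and added as a row to the HTML
/// report held in <c>htmlBody</c>.
/// </summary>
/// <param name="taskFolder">Folder to scan; its subfolders are scanned recursively.</param>
/// <remarks>
/// Tasks are matched on <c>Name</c> only, not on <c>Path</c>, so a watch-list entry matches
/// a task of that name in any folder. Any state other than TASK_STATE_DISABLED is reported
/// as ENABLED. NOTE(review): if the report is meant to prove that one specific task is
/// still active, consider matching on the full path instead - confirm with the owner of
/// the watch list.
/// </remarks>
public void ProcessTaskFolder(ITaskFolder taskFolder)
{
    // TASK_ENUM_HIDDEN includes hidden tasks in the enumeration (0 would leave them out).
    IRegisteredTaskCollection taskCol = taskFolder.GetTasks((int)_TASK_ENUM_FLAGS.TASK_ENUM_HIDDEN);

    // The COM collection is 1-based.
    for (int idx = 1; idx <= taskCol.Count; idx++)
    {
        IRegisteredTask runTask = taskCol[idx];
        string name = runTask.Name;
        string path = runTask.Path;
        _TASK_STATE state = runTask.State;
        DateTime lastRun = runTask.LastRunTime;

        Console.WriteLine(path);

        foreach (var wt in watchList.tasks)
        {
            if (wt != name)
            {
                continue;
            }

            // Compare the enum value directly instead of its string form.
            string stateHtml = (state != _TASK_STATE.TASK_STATE_DISABLED)
                ? "<span style='color:green'>ENABLED</span>"
                : "<span style='color:red'>DISABLED</span>";

            WriteContent("DateTime: " + DateTime.Now + " name: " + name + " status: " + state + " last run time " + lastRun.ToString() + " \n");

            // The name placed in the markup equals a watch-list entry (checked above), so
            // the row carries watch-list text rather than an arbitrary task name.
            htmlBody.Append("<tr>");
            htmlBody.AppendFormat("<td><b>{0}</b></td> <td>{1}</td> <td><span style='font-size:9pt'> {2} </span></td>", name, stateHtml, lastRun);
            // Close the row; the original appended a second opening <tr> here, which left
            // every row unterminated in the generated table.
            htmlBody.Append("</tr>");
        }
    }

    // The argument to GetFolders is reserved and must be 0. Recurse into each subfolder
    // (again a 1-based collection).
    ITaskFolderCollection taskFolderCol = taskFolder.GetFolders(0);
    for (int idx = 1; idx <= taskFolderCol.Count; idx++)
    {
        ProcessTaskFolder(taskFolderCol[idx]);
    }
}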
/// <summary>
/// Creates a folder collection over an <c>ITaskFolderCollection</c> and remembers the
/// folder it was obtained from.
/// </summary>
/// <param name="folder">Folder stored as this collection's parent.</param>
/// <param name="iCollection">Underlying collection interface stored for later use.</param>
internal TaskFolderCollection(TaskFolder folder, ITaskFolderCollection iCollection)
{
    // The two assignments are independent; neither argument is validated here.
    this._v2FolderList = iCollection;
    this._parent = folder;
}
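//////////////////////////////////////////////////
//// Scheduled Tasks
//////////////////////////////////////////////////

/// <summary>
/// Recursively enumerates the scheduled tasks under <paramref name="taskFolder"/> and
/// prints a console finding for every task that
/// (1) contains one of a fixed list of binary names anywhere in its XML definition,
/// (2) contains "powershell.exe" anywhere in its XML definition, or
/// (3) is registered outside the top-level \Microsoft\ task folder.
/// </summary>
/// <param name="taskFolder">Folder to scan; its subfolders are scanned recursively.</param>
/// <remarks>
/// Triage caveats: the checks are plain substring matches over the whole task XML, so a
/// hit is not necessarily inside an action's command, and a short entry such as
/// "print.exe" also matches longer names that contain it. A task is printed once per
/// matching entry, so one task can appear several times. Check (2) only sees the literal
/// "powershell.exe"; treat the absence of a finding as "no match", not as "task is clean".
/// </remarks>
public static void ProcessTaskFoler(ITaskFolder taskFolder)
{
    // Some lolbins..remove common ones if a lot of noise is created.
    // Built once per folder instead of once per task.
    string[] interestingTasks = new string[]
    {
        "certutil.exe", "cmstp.exe", "control.exe", "csc.exe", "cscript.exe", "bitsadmin",
        "installutil.exe", "jsc.exe", "makecab.exe", "msbuild.exe", "dfsvc.exe",
        "diskshadow.exe", "dnscmd.exe", "esentutl.exe", "eventvwr.exe", "expand.exe",
        "extexport.exe", "extrac32.exe", "findstr.exe", "forfiles.exe", "ftp.exe",
        "ie4uinit.exe", "ieexec.exe", "infdefaultinstall.exe", "msconfig.exe", "msdt.exe",
        "mshta.exe", "msiexec.exe", "odbcconf.exe", "pcalua.exe", "pcwrun.exe",
        "presentationhost.exe", "print.exe", "regasm.exe", "regedit.exe", "reg.exe",
        "runonce.exe", "runscripthelper.exe", "schtasks.exe", "scriptrunner.exe",
        "syncappvpublishingserver.exe", "verclsid.exe", "wab.exe", "wmic.exe", "wscript.exe"
    };
    const string msTaskPath = "\\Microsoft\\";
    const string ePs = "powershell.exe";

    // TASK_ENUM_HIDDEN includes hidden tasks in the enumeration.
    IRegisteredTaskCollection taskCol = taskFolder.GetTasks((int)_TASK_ENUM_FLAGS.TASK_ENUM_HIDDEN);

    // The COM collection is 1-based.
    for (int idx = 1; idx <= taskCol.Count; idx++)
    {
        IRegisteredTask runTask = taskCol[idx];

        string name = runTask.Name;
        string path = runTask.Path;
        _TASK_STATE state = runTask.State;
        // Guard against a missing definition so one task cannot abort the whole scan.
        string schXml = runTask.Xml ?? string.Empty;

        string sched_out = " Name: " + name + "\n" + " Path: " + path + "\n" + " State: " + state + "\n";

        // Anchor the folder test at the start of the path and ignore case. A substring
        // test would also accept a path that merely contains "\Microsoft\" further down,
        // and would let such a task skip the "outside Microsoft folder" finding.
        bool mspath = path.StartsWith(msTaskPath, StringComparison.OrdinalIgnoreCase);

        // Ordinal, case-insensitive search. Lower-casing with the current culture can
        // change letters such as 'I' under some locales and miss entries like
        // "certutil.exe" or "powershell.exe".
        bool bPs = schXml.IndexOf(ePs, StringComparison.OrdinalIgnoreCase) >= 0;

        /////////////////////
        // Based off array //
        /////////////////////
        foreach (string itasks in interestingTasks)
        {
            if (schXml.IndexOf(itasks, StringComparison.OrdinalIgnoreCase) >= 0)
            {
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine(" [-] Detected interesting String in task: ");
                Console.ForegroundColor = ConsoleColor.DarkRed;
                Console.WriteLine(sched_out);
                Console.WriteLine("-----------------------");
            }
        }

        ////////////////
        // Powershell //
        ////////////////
        if (bPs)
        {
            Console.ForegroundColor = ConsoleColor.Red;
            Console.WriteLine(" [-] PowerShell Detected - task info: ");
            Console.WriteLine("-----------------------");
            Console.WriteLine(sched_out);
            Console.WriteLine("-----------------------");
        }

        ////////////////////////////
        // Outside Microsoft folder
        ////////////////////////////
        if (!mspath)
        {
            Console.ForegroundColor = ConsoleColor.Red;
            Console.WriteLine(" [-] Detected Task outside of Microsoft folder - task info: ");
            Console.ForegroundColor = ConsoleColor.DarkRed;
            Console.WriteLine(sched_out);
        }
    }

    // The argument to GetFolders is passed as 0; recurse into each subfolder (1-based).
    ITaskFolderCollection taskFolderCol = taskFolder.GetFolders(0);
    for (int idx = 1; idx <= taskFolderCol.Count; idx++)
    {
        ProcessTaskFoler(taskFolderCol[idx]);
    }
}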