Skip to content
I discovered that some of my task scheduler tasks are failing on the server and wanted to configure email notifications if that happens
I found an article how to send task scheduler notifications
I wanted to configure a trigger for multiple Event IDs and found how to do this here
The only question left if the list of Event IDs and I could not find a list of all possible values so I extracted them from EventLog myself and putting them here
| Event ID | Task Category |
|---|---|
| 100 | Task Started |
| 101 | Task Start Failed |
| 102 | Task completed |
| 103 | Action start failed |
| 106 | Task registered |
| 107 | Task triggered on scheduler |
| 108 | Task triggered on event |
| 110 | Task triggered by user |
| 111 | Task terminated |
| 118 | Task triggered by computer startup |
| 119 | Task triggered on logon |
| 129 | Created Task Process |
| 135 | Launch condition not met, machine not idle |
| 140 | Task registration updated |
| 141 | Task registration deleted |
| 142 | Task disabled |
| 200 | Action started |
| 201 | Action completed |
| 203 | Action failed to start |
| 301 | Task engine properly shut down |
| 310 | Task Engine started |
| 311 | Task Engine failed to start |
| 314 | Task Engine idle |
| 317 | Task Engine started |
| 318 | Task engine properly shut down |
| 319 | Task Engine received message to start task |
| 322 | Launch request ignored, instance already running |
| 329 | Task stopping due to timeout reached |
| 332 | Launch condition not met, user not logged-on |
| 400 | Service started |
| 411 | Service signaled time change |
| 700 | Compatibility module started |
Going to create an alert for ids 101,103,111,311,329
Here is a list of the most common Event IDs in the History tab for Windows Scheduled Tasks.
| Event ID | Description |
| 100 | Task Started |
| 101 | Task Start Failed |
| 102 | Task completed |
| 103 | Action start failed |
| 106 | Task registered |
| 107 | Task triggered on scheduler |
| 108 | Task triggered on event |
| 110 | Task triggered by user |
| 111 | Task terminated |
| 118 | Task triggered by computer startup |
| 119 | Task triggered on logon |
| 129 | Created Task Process |
| 135 | Launch condition not met, machine not idle |
| 140 | Task registration updated |
| 141 | Task registration deleted |
| 142 | Task disabled |
| 200 | Action started |
| 201 | Action completed |
| 203 | Action failed to start |
| 301 | Task engine properly shut down |
| 310 | Task Engine started |
| 311 | Task Engine failed to start |
| 314 | Task Engine idle |
| 317 | Task Engine started |
| 318 | Task engine properly shut down |
| 319 | Task Engine received message to start task |
| 322 | Launch request ignored, instance already running |
| 329 | Task stopping due to timeout reached |
| 332 | Launch condition not met, user not logged-on |
| 400 | Service started |
| 411 | Service signaled time change |
| 700 | Compatibility module started |
Windows Event Logs mindmap provides a simplified view of Windows Event logs and their capacities that enables defenders to enhance visibility for different purposes:
- Log collection (eg: into a SIEM)
- Threat hunting
- Forensic / DFIR
- Troubleshooting
Scheduled tasks:
- Event ID 4697 , This event generates when new service was installed in the system.
- Event ID 106, This event is logged when the user registered the Task Scheduler task.
- Event ID 4702, This event generates when scheduled task was updated.
- Event ID 140,This event is logged when the time service has stopped advertising as a time source because the local machine is not an Active Directory Domain Controller.
Also Read: Latest IOCs – Threat Actor URLs , IP’s & Malware Hashes
- Event ID 4699, A scheduled task was deleted.
- Event ID 141, The time service has stopped advertising as a time source because there are no providers running.
- Event ID 201, This event is logged when the task scheduler successfully completed the task.
Also Read: Soc Interview Questions and Answers – CYBER SECURITY ANALYST
Services:
- Event ID 4697,A service was installed in the system.
- Event ID 7045,Created when new services are created on the local Windows machine.
- Event ID 7034,The service terminated unexpectedly.
- Event ID 7036,The Windows Firewall/Internet Connection Sharing (ICS) service entered the stopped state or , The Print Spooler service entered the running state.
- Event ID 7040, The start type of the IPSEC services was chnaged from disabled to auto start.
Event Log Manipulation:
- Event ID 1102, Whenever Windows Security audit log is cleared, event ID 1102 is logged.
- Event ID 104 , This event is logged when the log file was cleared.
Authentication:
- Event ID 4776, The domain controller attempted to validate the credentials for an account.
- Event ID 4771,This event is logged on domain controllers only and only failure instances of this event are logged ( Kerberos pre-authentication failed ).
- Event ID 4768, This event is logged on domain controllers only and both success and failure instances of this event are logged ( A Kerberos authentication ticket TGT ) was requested.
- Event ID 4769,Windows uses this event ID for both successful and failed service ticket requests ( A Kerberos service ticket was requested ).
Also Read: Directory Services Restore Mode Password Reset – Event IDs to Monitor
Sessions:
- Event ID 4624 ,An account was successfully logged on.
- Event ID 4625, An account failed to log on.
- Event ID 4634 + 4647 , User initiated logoff/An account was logged off
- Event ID 4648, A logon was attempted using explicit credentials
- Event ID 4672,Special privileges assigned to new logon
Account Management:
- Event ID 4720, A user account was created
- Event ID 4722, A user account was enabled
- Event ID 4724, An attempt was made to reset an accounts password
- Event ID 4728/4732/4756, group membership changes.
Network Shares:
- Event ID 5140,A network share object was accessed
- Event ID 5145, Network share object was checked to see whether client can be granted desired access.
Also Read: Threat Hunting with EventID 5145 – Object Access – Detailed File Share
Windows 7 / Getting Started
In Windows Server 2003 and earlier versions, scheduled tasks used a Schedlgu.txt log file to
track tasks and their status. Windows Vista implements all new event logs for applications,
and Task Scheduler now logs all operational information about scheduled tasks into its own
event log. The Scheduled Tasks event log Microsoft-Windows-TaskScheduler is located under
Application Logs. Important errors or warnings about task or service failures are logged to
the System log so that administrators can readily see them and take action.
Task Scheduler 2.0 will normally log an event on task registration (at creation), at task
launch, and when the task instance has been sent to the engine. Events will also be logged on
task failures and any task-related problems. This section provides examples of typical events
that are logged by the Scheduled Tasks service.
Task Registration
An Event ID 106 is logged when a task is created. This event is also referred to as task registration.
Task Launch
Tasks can be started by either a user request or a trigger. An Event ID 110 is normally logged
when a user manually starts a task. An Event ID 107 is normally logged when a task is started as the result of a trigger.
Task Execution
An Event ID 319 indicates that the Task Engine received a message from the Task Scheduler
service requesting task launch, and it is the best indicator of a task launch. In these events, the
Task Engine is identified by the user SID, and the task name is also logged.
Task Completion
An Event ID 102 is normally logged when a task completes successfully.
Provide feedback
Saved searches
Use saved searches to filter your results more quickly
Sign up
Appearance settings