What’s in your task scheduler?

Topic

New Reply

Youtube here This task for the weekend was inspired by Robtl’s post in the forum asking about black DOS boxes that would randomly pop up on his screen
[See the full post at: What’s in your task scheduler?]

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

CyGuy

Reply | Quote

Replies

Nothing special (Apple, Google, Kaspersky, Microsoft, Nvidia, ShadowCopy..)

Reply | Quote

Evidence of a controlled minimalistic ethos

Windows - commercial by definition and now function...

Reply | Quote

Good lord, is that your entire Autoruns output, Microfix? Or is it filtered somehow?

FWIW, on Win 10 I have pages upon pages of \Microsoft\Windows… entries. But not the several you show.

Just a general comment here – when I find things I don’t want having been added to the scheduler (or any of the other dozens of ways of getting something running) I use AutoRuns64.exe (from the SysInternal web site) to disable them, which I think is what Microfix is showing up above with the unchecked boxes also. Specifically disabling things – vs. deleting them – leaves you a record so that later you can say, “Aha! That has been re-added, but there’s also a disabled entry, so clearly I made the decision to exclude that from running at some time in the past”

-Noel

Reply | Quote

You are correct Noel, using sysinternals autoruns with the ‘Hide Windows Entries’ and ‘Hide Empty Locations’ filters displays the above screenshot. Having said that, there are many more unticked within the ‘Hide Windows Entries’ filter on that Windows 7 installation.
This is where Portable apps help in preventing autostarts from being injected, unless specifically created by the end-user.

Windows - commercial by definition and now function...

Reply | Quote

First stray found is npcapwatchdog (packet capture) running at system startup.

I do check startups occasionally and don’t recall seeing that before. I have no idea why it is there but its disabled while I try to work out how it found its way onto my Dell. I am experienced and doubt very much you’d be able to help beyond what I found personally but it may inspire other to start looking and questioning.

Plenty to go!

Reply | Quote

npcapwatchdog probably installed by Wireshark which installed Npcap

https://github.com/nmap/npcap/issues/274

Reply | Quote

Wireshark was never installed on my system but there is a possibility I tested an alternative. Whatever it was, its not there now. I am yet to do research in c:\users but expect to find a clue there in appdata.

Reply | Quote

Just finished searching using Alternativeto as a guide. Nothing there rung a bell and no leftovers from any located using Everything

Reply | Quote

This task for the weekend was inspired by Robtl’s post in the forum asking about black DOS boxes that would randomly pop up on his screen.

which post #2367643 or #2367687?

Windows - commercial by definition and now function...

Reply | Quote

About 10 tasks. Most are nVidia junk. I see a DOS black box flash at 12:30AM every day. It is is so fast a flash that I have no idea what it is. This has happened for many years through several Dell computers and OSes.

As for my browsers, I would NEVER allow them to update willy-nilly. I deliberately run Fx 60.9 ESR because versions after that are unrecognizable as being Fx. I update my other browsers manually and always have.

I’m going to get rid of the junk that updates at 12:30AM. Task Scheduler is just another way for Microsoft to try and own our computers. I will update on my own as it is my computer. I already update Windows Defender manually each day when I get on the computer each day. I keep Windows Update disabled via Winaero Tweaker so Defender cannot update until I deliberately lift the disabled status long enough enough to get the daily update.

Reply | Quote

The problem with taking on the task of de-scheduling the things Microsoft wants scheduled is that THEY wrote the setup into a program (e.g., that runs during an OS update) and you’re talking about selectively disabling entries (which – don’t get me wrong – can be a good idea for some things).

In the long term this requires you be on top of what every job does, and how the various entries interact – not to mention how various system components start. I know for example that if you disable that WaasMedic item it’ll get re-enabled. There is a tangled web of inter-dependency and I’ll wager none of us is up to the long term task of seeing to it that we retain full control of what our up-to-date Windows 10 systems are doing at various times.

Unless you can find a Microsoft-supplied setting (or policy) for averting e.g., “medic” activities, you’re probably going to be frustrated by things returning on their own.

-Noel

Reply | Quote

In a Home version, How do I disable \Microsoft\Windows\WaaSMedic

Reply | Quote

There’s a registry key you can adjust – but may I ask what is the process doing that you want to disable it? The goal is to ensure that windows update is able to function.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Thank you. My reason is similar to the question on the linked page. I prefer to be in control of when update happens. If not disabled, Windows seems to update no matter what steps I’ve been taking to prevent it. Either I will flip the key value with reg files of update manually (which is my preference).

Risk? I’ve began manually updating since some time in the last century and never forgot to update yet.

Reply | Quote

Thanks for this.  I have a lot of NVIDIA tasks that are completed.  I also found that I had GoToMeeting installed and I cannot remember installing this app.  Maybe it was for some online meeting that I had back in April.

Reply | Quote

I have Adobe Flash Player NPAPI Notifier.  Seems like that should no longer be there.  How can I check to see if Flash Player has really been installed? TIA

Reply | Quote

Look in the Control Panel. It the Flash Player icon is still there, go to Adobe.com and download the remover.

1 user thanked author for this post.

CyGuy

Reply | Quote

The Flash uninstaller is not much better than Windows cleaning up after itself. For that matter, neither are most other software programs.

If you wish to clean leftover folders and files, AFTER YOU UNINSTALL, if you have Everything (file finder), search for ‘Flash Player’. Some of the entries will be safe to delete. Some won’t.

DO NOT DELETE anything in C:\Windows\WinSxS\… It is a ‘Danger Will Robinson’ folder.  More information if you want it. The main message to take out of that link is to use DISM if you need to clean up WinSxS and nothing else.

It should be safe to delete the empty (or near empty – I forget) Flash Player folder in program files directory.

It should be safe to delete anything found in C:\Users\{User name}\AppData\Roaming\Adobe\Flash Player

Other location I forget so do your research before deleting.

 

Group A (but Telemetry disabled Tasks and Registry)
1) Dell Inspiron with Win 11 64 Home permanently in dock due to "sorry spares no longer made".
2) Dell Inspiron with Win 11 64 Home (substantial discount with Pro version available only at full price)

Reply | Quote

I don’t use OneDrive and I have  “OneDrdive standalone Update:
At 3:00 AM 5/1/1992  repeat every 1.00:00:00
Is that “every day”?

StartCN: at any login.  Some AMD thing

StartDVR: runs RSServCmd

but beyond those, nothing suspicious [win10/pro/20H2]

 

 

Reply | Quote

To completely uninstall Ondrive

Now to Task Scheduler in case the the task is missed by the uninstaller (not that it causes problems if left):

Open task scheduler

Find the task

On the RHS, you’ll see options to disable or delete. I would ‘delete’. You can always install again if you change your mind.

 

Group A (but Telemetry disabled Tasks and Registry)
1) Dell Inspiron with Win 11 64 Home permanently in dock due to "sorry spares no longer made".
2) Dell Inspiron with Win 11 64 Home (substantial discount with Pro version available only at full price)

Reply | Quote

Hm, this is a good time to ask a question that’s been bugging me (okay, only a little)…

With the advent of the Chromium-based web browser, we got a Chromium-like update strategy, in which Microsoft has added two entries to the Task Scheduler:

MicrosoftEdgeUpdateTaskMachineCore
MircorosftEdgeUpdateTaskMachineUA

I absolutely don’t actually use Edge, nor do I intend to start. I use another Chromium based product called Brave that’s privacy-oriented. I’ll ask my question several ways…

• Do we NEED every day scheduled Edge updates, separate from Windows Updates?
• Do you have experience with having disabled these entries?
• Is this just for the browser, or are there embedded components like what IE was?

-Noel

Reply | Quote

Yes, Edge updates independently – and given that attackers go after zero days in browsers this is a good thing.  I don’t disable them and I also go into the Edge browser and tell it to bypass the metered connection setting.

Attackers could “call” a specific browser so it’s wise to keep them updated.

Never say never. This week’s bug not withstanding, it’s always wise to have multiple browsers.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Noel Carboni wrote:

Do we NEED every day scheduled Edge updates, separate from Windows Updates?
Do you have experience with having disabled these entries?
Is this just for the browser, or are there embedded components like what IE was?

Not if Chromium Edge tentacles are prevented at start, blocked with a firewall and severed first, then Edge can be removed and deprovisioned without SFC integrity violations and some DISM surgery, although for how long, is anyone’s guess..

Yes, on a 21H1 test installation (powershell commandlets as well as registry editing)

Not seeing that although I’d expect things will change to prevent isolation/ removal..

So on that test installation, as an experiment, I’ve manually disabled IE, had old Edge removed by MSFT and have manually removed Chromium Edge leaving Firefox to reside on the throne.

Windows - commercial by definition and now function...

Reply | Quote

I don’t know. However I use a third party uninstaller to get rid of Edge every month after this month’s resurrection am testing a tip to change the attributes of its now empty folder to prevent it being overwritten.

After uninstalling Edge, there are still 423 items when I search for ‘Microsoft Edge’ using Everything (after a Windows clean, manual prune and a DISM clean).

The device is a Home version laptop.

I know you know but others need the warning to be wary what files and folders they delete. Prior research and a lot of caution prevents tears.

Group A (but Telemetry disabled Tasks and Registry)
1) Dell Inspiron with Win 11 64 Home permanently in dock due to "sorry spares no longer made".
2) Dell Inspiron with Win 11 64 Home (substantial discount with Pro version available only at full price)

Reply | Quote

Another angle on this is how to check all the built-in tasks.  When you just fire up Task Scheduler you’re looking at the “Task Scheduler Library”.  But if you look below that you find a lot of other tasks.  One I just found is “Agent Activation Runtime”  it is disabled and last run time is 11/30/1999 [!!]  It runs System32\AgentActivationRuntimeStarter.   I suppose I could delete it, since it hasn’t run in twenty years and I don’t see anything going awry /

And if you dive below Microsoft>Windows there are scores of tasks… I just skimmed them and they seem reasonable [and/or mysterious].

Reply | Quote

Mine:

 

Reply | Quote

I may have run AdwCleaner at some stage, being a Malwarebytes user, but a search of my C: drive doesn’t show it anywhere. Why would this be showing in Task Scheduler? Also, what is the first entry?

 

Reply | Quote

Welcome to “this software never cleans itself up well” and leaves behind tasks.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Dear Susan,

I would be extremely interested if someone on your staff would write a detailed article about Task Scheduler and how to use it. I’m particularly interested in the relationship between Task Scheduler and 3 other similar items in Windows 10:

1. Task Manager, which has a tab named Startup. Software Manufacturers add items to the Startup tab that launches when Windows 10 launches
2. In the Notification Area in the bottom right section of my screen, there is an upfacing triangle. When I hover over the triangle, there are many icons, and I know that each one of those was put there by a Software Manufacturer. Each of those icons starts up additional items when Win 10 launches.
3. There are 2 folders on my Win 10 computer. They are:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Software manufacturers put items in each of these folders that startup programs when Windows 10 launches.

As near as I can tell, that means that each of the 3 items above as well as Task Scheduler launch programs or mini-programs on my computer when my computer boots. I know there is no overlap among the 3 items I’ve listed above, but how does Task Scheduler fit into all of this? Is there overlap between what Task Scheduler launches and the 3 items listed above?

An article in your newsletter about this subject would be gratefully welcome.

Many thanks for your consideration.

Gary Cahn

Reply | Quote

1.Startup items have nothing to do with Task Scheduler. TS is for stuff that runs occasionally, but not all the time, e.g. maintenance tasks.
2.Things in the Tray are stuff you need to know about but not actively use (mostly). The program puts the item there when it starts (with Windows), e.g. Windows Security (aka Defender).

If you want a comprehensive (read scary) list of what starts, download MS Autoruns and fire it up.

cheers, Paul

Reply | Quote

If anyone takes up the suggestion to use Autoruns, make sure you switch on the option to check VirusTotal and run the check. It can’t do the check unless Autoruns sends data to VirusTotal for screening so you’ll be prompted to agree on a privacy pop-up the first time you do that.

Don’t panic about VirusTotal scores of 1 or 2 but if a few or more vendors are giving higher scores, it is time to do some malware investigation before deciding whether or not you need whatever it is in your PC that wants to run on a cycle or when something else happens.

Running VirusTotal regularly  with the VirusTotal check adds a layer of malware checking. You can run it from Task Scheduler so you don’t forget.

How to schedule a task

 

 

Group A (but Telemetry disabled Tasks and Registry)
1) Dell Inspiron with Win 11 64 Home permanently in dock due to "sorry spares no longer made".
2) Dell Inspiron with Win 11 64 Home (substantial discount with Pro version available only at full price)

Reply | Quote