
Windows: Adds scheduled tasks plugin

Open dgmcdona opened this issue 1 year ago • 0 comments

This adds a plugin 'ScheduledTasks' that can decode binary-encoded scheduled tasks from the Windows registry's SOFTWARE hive using a custom reader that extends the io.BytesIO class. Decoding operations are intended to be as fault tolerant as possible, swallowing exceptions and returning None to account for smear or missing data.

Because each task can have multiple triggers and multiple actions, a single entry is generated for each trigger + action pair. In the event that either the actions or the triggers could not be parsed due to missing or smeared data, an entry will still be generated using the available information from the other registry value, since trigger and action data is stored separately.

Much more information is decoded than is rendered; this was done intentionally to avoid overpopulating the TreeGrid with less pertinent data and to avoid an explosion of trigger/action-specific fields that may not apply to most other entries, while ensuring that the reader is at the correct offset.

Also documents the raised exceptions in the RegistryHive.get_key() docstring.

Example task:

{
  "Action": "C:\\Program Files\\Windows Defender\\MpCmdRun.exe",
  "Action Arguments": "Scan -ScheduleJob -ScanTrigger 55 -IdleScheduledJob",
  "Action Context": "LocalSystem",
  "Action Type": "Exe",
  "Creation Time": null,
  "Display Name": null,
  "Enabled": true,
  "Key Name": "{07846B99-B7DC-4599-AEB1-D421B479570F}",
  "Last Run Time": "2023-10-31T22:13:45+00:00",
  "Last Successful Run Time": null,
  "Principal ID": "LocalSystem",
  "Task Name": "Windows Defender Scheduled Scan",
  "Trigger Description": "Run at 2000-01-01T02:36:41+00:00 and repeat every 1 days",
  "Trigger Type": "Time",
  "Working Directory": null,
  "__children": []
}

dgmcdona, Oct 09 '24 21:10
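Added illustration (not the PR's code) of the two design points described above: a BytesIO subclass whose typed reads return None on truncated or smeared data instead of raising, and an entry generator that emits one row per trigger + action pair even when one of the two registry values failed to decode. The byte layouts, the `SafeReader` class and the helper names are constructed for this demo and are not the real Windows Triggers/Actions encoding.

```python
import io
import struct
from typing import Optional

# Constructed toy layouts for the demo (not the real Windows Triggers/Actions format):
#   utf16 string = u32 byte length + UTF-16-LE text; actions blob = u32 count, then per
#   action: utf16 path, utf16 args; triggers blob = u32 count, then per trigger: u32 kind, u32 days
TRIGGER_KINDS = {1: "Time", 2: "Logon", 3: "Boot"}

class SafeReader(io.BytesIO):
    """BytesIO that reports truncated or smeared data as None instead of raising."""
    def read_exact(self, n: int) -> Optional[bytes]:
        data = self.read(n)
        return data if len(data) == n else None
    def read_u32(self) -> Optional[int]:
        raw = self.read_exact(4)
        return None if raw is None else struct.unpack("<I", raw)[0]
    def read_utf16(self) -> Optional[str]:
        n = self.read_u32()
        raw = None if n is None else self.read_exact(n)
        try:
            return None if raw is None else raw.decode("utf-16-le")
        except UnicodeDecodeError:
            return None

def decode_actions(blob: bytes) -> Optional[list]:
    r, out = SafeReader(blob), []
    for _ in range(r.read_u32() or 0):
        path, args = r.read_utf16(), r.read_utf16()
        if path is None:  # record cut off by smear: keep what parsed so far
            break
        out.append({"Action": path, "Action Arguments": args})
    return out or None  # None means "nothing usable", mirroring the plugin's convention

def decode_triggers(blob: bytes) -> Optional[list]:
    r, out = SafeReader(blob), []
    for _ in range(r.read_u32() or 0):
        kind, days = r.read_u32(), r.read_u32()
        if kind is None:
            break
        desc = None if days is None else f"repeat every {days} days"
        out.append({"Trigger Type": TRIGGER_KINDS.get(kind, "Unknown"), "Trigger Description": desc})
    return out or None

def task_entries(name: str, actions_blob: bytes, triggers_blob: bytes) -> list:
    """One entry per trigger+action pair; a side that failed to parse contributes None fields."""
    actions = decode_actions(actions_blob) or [{"Action": None, "Action Arguments": None}]
    triggers = decode_triggers(triggers_blob) or [{"Trigger Type": None, "Trigger Description": None}]
    return [{"Task Name": name, **a, **t} for t in triggers for a in actions]

def utf16(s: str) -> bytes:  # helper to build constructed sample blobs
    raw = s.encode("utf-16-le")
    return struct.pack("<I", len(raw)) + raw
```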