Exploring Task Scheduler

Introduction

The new Task Scheduler 2.0, included in Windows Vista and improved on in Windows 7, has the ability to send an email when a task is triggered. Also new is the ability to attach a task to an event from the Event system. You could, for instance, create a task that sends you an email if you receive an event specifying an imminent hard drive failure. For simplicity in my test I attached a task to event 7036 in the System log, which is logged every time a service starts. The UI is actually very nice since you can create the task directly from the Event Viewer using the Attach Task To This Event action:

When you do this you can find that task in the Task Scheduler in the Event Viewer Tasks folder.

Notice also the nice History tab, which shows you the history of this particular task. As you can see I have an error in the Task category Action Failed. Let's look at that.

There is no human-readable explanation in the data telling us why the email wasn't sent, but there is an error value, in this case 2147746321 (0x80040211). I had no idea what that value actually meant, so I ran it through Microsoft's Err.exe application, which is able to resolve error values on Windows. The output of Err.exe looked like this:

C:\Users\morgan\Downloads\Err\Err>err 2147746321
# for decimal -2147220975 / hex 0x80040211 :
CDO_E_SMTP_SEND_FAILED                                        cdosyserr.h
IMAPI_E_DEVICE_NOPROPERTIES                                   imapierror.h
UPNP_E_TRANSPORT_ERROR                                        upnp.h
VFW_E_NOT_COMMITTED                                           vfwmsgs.h
# Cannot allocate a sample when the allocator is not
# active.%0
# for hex 0xffffffff / decimal -1 :
NO_TITLE                                                      ftsiface.h
USE_DEFAULT                                                   ftsiface.h
JET_wrnNyi                                                    esent98.h
# /* Function Not Yet Implemented */
LZERROR_BADINHANDLE                                           lzexpand.h
# /* invalid input handle */
MAPI_DIAG_NO_DIAGNOSTIC                                       mapidefs.h
MSIDBERROR_FUNCTIONERROR                                      msiquery.h
# function error
ERROR_UNHANDLED_ERROR                                         ntddchgr.h
# Unknown error condition
PDR_ERROR                                                     penwin.h
# parameter or unspecified error
ICERR_UNSUPPORTED                                             vfw.h
ERROR_UNHANDLED_ERROR                                         winioctl.h
# Unknown error condition
# 14 matches found for "2147746321"

As you can see, Err searches every header file that defines that error value, so you are bound to get many false positives. Task Scheduler uses CDO to send mail, so in this case it is the entry from cdosyserr.h that tells us what the error is: CDO_E_SMTP_SEND_FAILED. OK, so CDO failed to send an email, but why? To find out I took a network trace with Wireshark while the task executed. The trace uncovered this error from the SMTP server: 550 5.7.1 Client does not have permissions to send as this sender. Since this is Windows talking to an Exchange 2010 server it will automatically authenticate, and it will authenticate using the credentials of the account that runs the task in Task Scheduler. This particular task is set up to run as my account, SIMONSEN\Morgan. According to the security settings on the Exchange 2010 Receive connector I am not allowed to send using an email address I do not own, that is, one that is not specified as belonging to my account in Active Directory. As a result we get the SMTP error from Exchange. To remedy this I can temporarily permit my account to send as any sender:

Get-ReceiveConnector default* | Add-ADPermission -User SIMONSEN\morgan -ExtendedRights "ms-Exch-SMTP-Accept-Any-Sender"

And now I will get the message, so to speak:

The History tab in Task Scheduler now also indicates a success:

Task Scheduler successfully completed task "Event Viewer Tasks\System_Service Control Manager_7036" , instance "{3d755426-8e80-49aa-9bdf-3475b032c7dd}" , action "Task notification" with return code 0.

(Incidentally, while setting this up I first specified my old SMTP server, which was no longer running the SMTP service. In this situation the task history displayed a different error: 2147746323 (0x80040213). Translated with Err this is the error CDO_E_FAILED_TO_CONNECT.)
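
Both result codes above are HRESULTs, and splitting one into its fields shows why Err.exe returns several unrelated header matches for it. The following PowerShell function is an added example, not part of the original post or of Err.exe; the function name ConvertFrom-HResult and the short facility table are choices made for this illustration.

```powershell
# Added example: split a Task Scheduler result code into its HRESULT fields.
function ConvertFrom-HResult {
    param([Parameter(Mandatory = $true)][int64]$Value)

    # Accept the signed form Err.exe prints as well as the unsigned form
    # shown in the task history.
    if ($Value -lt 0) { $Value += 4294967296 }

    # A few facility numbers from winerror.h; the list is not exhaustive.
    $facilityNames = @{
        0 = 'FACILITY_NULL';    1 = 'FACILITY_RPC';   2 = 'FACILITY_DISPATCH'
        3 = 'FACILITY_STORAGE'; 4 = 'FACILITY_ITF';   7 = 'FACILITY_WIN32'
        8 = 'FACILITY_WINDOWS'
    }

    $failed   = (($Value -shr 31) -band 1) -eq 1          # severity bit
    $facility = [int](($Value -shr 16) -band 0x7FF)       # 11-bit facility
    $name     = $facilityNames[$facility]
    if (-not $name) { $name = "facility $facility" }
    $signed   = if ($failed) { $Value - 4294967296 } else { $Value }

    [pscustomobject]@{
        Hex          = '0x{0:X8}' -f $Value
        Signed       = $signed
        Failure      = $failed
        Facility     = $name
        Code         = '0x{0:X4}' -f ($Value -band 0xFFFF)
        # FACILITY_ITF codes are defined per COM interface, so unrelated
        # headers reuse the same number; only the header of the component
        # that actually ran (CDO here) gives the right name.
        PerInterface = ($facility -eq 4)
    }
}

# The two values from the task history in this post.
2147746321, 2147746323 | ForEach-Object { ConvertFrom-HResult $_ } |
    Format-Table -AutoSize
```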

The ‘A service started!’ message in the email is not very helpful so I started to look for ways to include data from the event in the message. After a (very) long time I was able to do that with the help of these resources:

The short story is that you have to create a task attached to an event, and then export it and manually change what data is retrieved from the event. For reference I have included the XML export from my test here. You have to edit this task to supply your own sender, recipient and SMTP server values.
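
The edit described above can also be scripted. This is an added example, not the author's exported task: the trimmed task XML, the example.test server and addresses, the output path, the function name Add-EventValueQuery and the variable names serviceName and newState are constructed for illustration, and the param1/param2 field names are an assumption to confirm in the XML view of a real 7036 event.

```powershell
# Added example. Constructed, trimmed stand-in for an exported task;
# run the function against your own full export instead.
$exported = @'
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="System"&gt;&lt;Select Path="System"&gt;*[System[Provider[@Name='Service Control Manager'] and EventID=7036]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    </EventTrigger>
  </Triggers>
  <Actions Context="Author">
    <SendEmail>
      <Server>smtp.example.test</Server>
      <Subject>A service started!</Subject>
      <To>admin@example.test</To>
      <From>tasks@example.test</From>
      <Body>A service started!</Body>
    </SendEmail>
  </Actions>
</Task>
'@

function Add-EventValueQuery {
    param([xml]$Task, [System.Collections.IDictionary]$Queries, [string]$Body)
    $ns  = $Task.DocumentElement.NamespaceURI
    $nsm = New-Object System.Xml.XmlNamespaceManager($Task.NameTable)
    $nsm.AddNamespace('t', $ns)
    $trigger = $Task.SelectSingleNode('//t:EventTrigger', $nsm)
    if (-not $trigger) { throw 'Task has no EventTrigger.' }
    # Replace any earlier ValueQueries so the trigger keeps a single one.
    $old = $trigger.SelectSingleNode('t:ValueQueries', $nsm)
    if ($old) { [void]$trigger.RemoveChild($old) }
    $vq = $Task.CreateElement('ValueQueries', $ns)
    foreach ($name in $Queries.Keys) {
        $v = $Task.CreateElement('Value', $ns)
        $v.SetAttribute('name', $name)      # referenced later as $(name)
        $v.InnerText = $Queries[$name]      # XPath into the event XML
        [void]$vq.AppendChild($v)
    }
    [void]$trigger.AppendChild($vq)         # ValueQueries is the last child
    $Task.SelectSingleNode('//t:SendEmail/t:Body', $nsm).InnerText = $Body
    $Task
}

$edited = Add-EventValueQuery -Task ([xml]$exported) -Queries ([ordered]@{
    serviceName = "Event/EventData/Data[@Name='param1']"   # assumed field
    newState    = "Event/EventData/Data[@Name='param2']"   # assumed field
}) -Body 'Service $(serviceName) is now $(newState).'
[IO.File]::WriteAllText("$env:TEMP\task-with-event-data.xml",
    $edited.OuterXml, [Text.Encoding]::Unicode)
```

Import the saved file back into Task Scheduler after running this against a complete export; the trimmed stand-in above lacks the other sections a real task needs.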

What happened to at.exe?


From Windows help:
The at.exe executable schedules commands and programs to run on a computer at a specified time and date similar to Task Scheduler. Task Scheduler and the schtasks.exe executable replace at.exe. All tasks created using the at.exe executable must run under the same account. By default this account is the local system account, but you can change this by configuring the AT service account information.

More information
