The Job object is used by Scheduled Job Activity and Job Query. I'm afraid it is a long way from being able to adequately describe Windows scheduled jobs.
The biggest issue is that the current definition misses the fact that on Windows a scheduled job can have a sequence of multiple independent actions associated with it. The Job object however has just a singular cmd_line attribute so it is not possible to represent these actions.
Moreover, an individual action doesn't necessarily involve executing a command line. Windows supports three other action types (COM action, email action, message action) whose information needs to be represented differently.
Next up, and I appreciate that this may blow minds, a Windows scheduled job doesn't even have to be executed on a schedule! Zero or more triggers can be associated with a job to control when it runs. A time-based schedule is certainly one trigger but multiple system events can also be used, and these are very important from a security perspective.
Lastly, Job has an ambiguously described file attribute ("The file that pertains to the job.") which is required. If this refers to the on-disk representation of the scheduled job then I would say that this should not be required. Yes, such a file exists on Windows but it is an internal implementation detail of the Scheduler and not documented by MS. If on the other hand the file attribute refers to a binary image or script file that gets executed by the scheduled job, then we fall into the same issue as the cmd_line attribute, i.e. unable to represent multiple actions.
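Added example, not part of the original issue or of the schema project: a short Python sketch that reads a Task Scheduler XML definition and lists every trigger and action, showing that only the Exec actions reduce to a command line. The sample XML is constructed for illustration, and the helper names (`summarize_task`, `local`, `fields`) are hypothetical; the element names follow the Task Scheduler XML format.

```python
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML task definitions.
NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Constructed sample (not from a real host): two triggers, three actions.
SAMPLE_TASK_XML = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <BootTrigger><Enabled>true</Enabled></BootTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Example\first.exe</Command>
      <Arguments>/quiet</Arguments>
    </Exec>
    <ComHandler>
      <ClassId>{00000000-0000-0000-0000-000000000000}</ClassId>
    </ComHandler>
    <Exec>
      <Command>C:\Example\second.cmd</Command>
    </Exec>
  </Actions>
</Task>
"""

def local(tag):
    """Strip the '{namespace}' prefix from an element tag."""
    return tag.split("}", 1)[-1]

def fields(elem):
    """Map each direct child element to its text content."""
    return {local(c.tag): (c.text or "").strip() for c in elem}

def summarize_task(xml_text):
    """Return all triggers and actions of a task, in document order."""
    root = ET.fromstring(xml_text.strip())
    triggers = [local(t.tag) for t in root.findall(f"{NS}Triggers/*")]
    actions = []
    for a in root.findall(f"{NS}Actions/*"):
        entry = {"type": local(a.tag), **fields(a)}
        if entry["type"] == "Exec":
            # Only Exec actions can be rendered as a single command line.
            parts = [entry.get("Command"), entry.get("Arguments")]
            entry["cmd_line"] = " ".join(p for p in parts if p)
        actions.append(entry)
    return {"triggers": triggers, "actions": actions}

if __name__ == "__main__":
    print(summarize_task(SAMPLE_TASK_XML))
```
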