PowerShell: Script to Search Scheduled Tasks for a Service Account

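#$jumpBox=$env:COMPUTERNAME
# Host(s) to query and the "Run As User" value to look for (here a built-in service account).
$servers = "WEB01"
$runas = "Network Service"

# Admin
# Work out which admin account to use: keep the current identity if it already ends in
# "-admin", otherwise append that suffix to it.
$who = whoami
# "-admin" is six characters long, so a five-character Substring comparison can never equal it
# and the suffix would be appended even to an account that already has it. -like is
# case-insensitive and does not throw when the name is shorter than the suffix.
if ($who -like '*-admin') { $username = $who }
else { $username = $who + "-admin" }
# NOTE(review): the literal below keeps the admin account's password in clear text inside the
# script file, so anyone who can read the file (share, backup, source control) has it.
# The commented-out Read-Host prompt avoids storing it; be aware that a relaunched copy of
# this script runs from the top again and would prompt a second time.
#$password = Read-Host -Prompt "Input the password for account $username" -AsSecureString
$password = ConvertTo-SecureString "PASSWORD" -AsPlainText -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $password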

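#$jumpBox=$env:COMPUTERNAME
# Host(s) to query and the "Run As User" value to look for (here a domain account).
$servers = "WEB01"
$runas = "KIMCONNECT\cowboy"

# Admin
# Work out which admin account to use: keep the current identity if it already ends in
# "-admin", otherwise append that suffix to it.
$who = whoami
# -like replaces the Substring($who.length-6, 6) test: same case-insensitive suffix match,
# but it does not throw when the name is shorter than six characters.
if ($who -like '*-admin') { $username = $who }
else { $username = $who + "-admin" }
# NOTE(review): the literal below keeps the admin account's password in clear text inside the
# script file, so anyone who can read the file (share, backup, source control) has it.
# The commented-out Read-Host prompt avoids storing it; be aware that a relaunched copy of
# this script runs from the top again and would prompt a second time.
#$password = Read-Host -Prompt "Input the password for account $username" -AsSecureString
$password = ConvertTo-SecureString "PASSWORD" -AsPlainText -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $password
#$elevate = New-PSSession -ComputerName $jumpBox -Credential $cred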

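Function Search-ScheduledTasks{
    <#
    .SYNOPSIS
    Lists scheduled tasks on one or more computers whose "Run As User" equals a given account.

    .DESCRIPTION
    For each computer that answers Test-Connection, runs "schtasks.exe /query /s <computer> /V /FO CSV"
    from the local machine, parses the CSV and keeps the rows whose "Run As User" column equals
    -runasUser (PowerShell's -eq, so the comparison is case-insensitive).
    Computers that do not answer, or for which schtasks.exe exits with a non-zero code, are
    reported on the warning stream instead of being skipped silently, so that an empty result
    is not mistaken for "this account runs no tasks anywhere".

    .PARAMETER ComputerNames
    Computer names to query; defaults to the script-level $servers. Pipeline input, when
    present, replaces this value.

    .PARAMETER runasUser
    Account name to match against the "Run As User" column; defaults to the script-level $runas.

    .OUTPUTS
    The matching task rows, or a single message string when nothing matched.
    #>
    Param(
        [array]$ComputerNames = $servers, # Accepts input and casts it as an array
        [string]$runasUser = $runas
    )
    Begin{
        $Results = @() # Collects the matching rows from every computer
    }
    Process{
        # When the function is fed through the pipeline, the current pipeline object
        # takes the place of the -ComputerNames value.
        If ($_){
            $ComputerNames = $_
        }
        ForEach ($Computer in $ComputerNames){
            # Check connectivity first; say so when a host is left out of the search.
            If (-not (Test-Connection $Computer -Quiet)){
                Write-Warning "Skipping ${Computer}: no reply to Test-Connection, so its scheduled tasks were not checked."
                Continue
            }

            # Use the legacy schtasks command from localhost to query the remote machine,
            # producing verbose output in CSV format.
            $tasksAsCSV = schtasks.exe /query /s $Computer /V /FO CSV
            If ($LASTEXITCODE -ne 0){
                Write-Warning "schtasks.exe exited with code $LASTEXITCODE for ${Computer}; its scheduled tasks were not checked."
                Continue
            }

            # Parse the CSV. Rows whose TaskName is literally "TaskName" are dropped
            # (presumably repeated header lines in the schtasks output); the rest are
            # filtered on the "Run As User" column.
            # NOTE(review): the column names come from schtasks' own CSV header - confirm
            # they read the same on non-English systems.
            $result = $tasksAsCSV | ConvertFrom-Csv | Where-Object { $_.TaskName -ne "TaskName" -and $_."Run As User" -eq $runasUser }

            # Append this computer's matches to the overall collection.
            $Results += $result
        } #end foreach
    }
    End{
        if ($Results){
            Return $Results
        }
        else {
            "No Scheduled Events Results were found for user $runasUser.";
        }
    }
} #end Search function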

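# Identify the account this process is running as.
$CurrentUser = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$WindowsPrincipal = New-Object System.Security.Principal.WindowsPrincipal($CurrentUser)

# NOTE(review): IsInRole is given the bare group name; confirm that it resolves to the
# domain group in this environment (a domain-qualified name may be needed).
if ($WindowsPrincipal.IsInRole("Domain Admins")) {
    # Already running with the required group membership: run the search.
    Search-ScheduledTasks;
}
elseif ($CurrentUser.Name -eq $cred.UserName) {
    # The script is already running as the admin account and still fails the role check.
    # Relaunching would start the same script under the same credential and reach this
    # branch again, spawning processes without end, so stop here.
    Write-Warning "Running as $($cred.UserName), which is not reported as a member of Domain Admins; not relaunching."
}
else {
    # Relaunch this same script file under the admin credential.
    # NOTE(review): "-executionpolicy bypass" means the relaunched copy is not subject to the
    # machine's script-signing policy while it runs with admin rights, so the script file
    # itself should be writable only by administrators.
    Start-process powershell.exe -credential $cred -NoNewWindow -ArgumentList '-executionpolicy bypass', "-File",('"{0}"' -f $MyInvocation.MyCommand.Path) -WorkingDirectory c:\windows\system32
}
pause;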

Output Transcript:

HostName                             : WEB01
TaskName : \Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask
Next Run Time : 5/14/2019 3:33:16 PM
Status : Ready
Logon Mode : Interactive/Background
Last Run Time : 4/14/2019 3:29:08 PM
Last Result : 0
Author : Microsoft Corporation
Task To Run : sc.exe start sppsvc
Start In : N/A
Comment : This task restarts the Software Protection Platform service at the specified
time
Scheduled Task State : Enabled
Idle Time : Disabled
Power Management :
Run As User : NETWORK SERVICE
Delete Task If Not Rescheduled : Disabled
Stop Task If Runs X Hours and X Mins : Disabled
Schedule : Scheduling data is not available in this format.
Schedule Type : Daily
Start Time : 10:33:16 PM
Start Date : 5/14/2019
End Date : N/A
Days : Every 1 day(s)
Months : N/A
Repeat: Every : Disabled
Repeat: Until: Time : Disabled
Repeat: Until: Duration : Disabled
Repeat: Stop If Still Running : Disabled

Press Enter to continue...:
