
Windows Event ID 4698 - Scheduled Task Created

Records when a new scheduled task is created. This event is critical for detecting persistence mechanisms, as attackers frequently use scheduled tasks to maintain access or execute malicious code.

Quick Facts

Default Path (Linux): N/A (Windows Event Forwarding to SIEM)
Default Format: Windows Event Log (EVTX)
JSON Native: No
Rotation: Windows Event Log settings (default 20MB)

Log Example

Default format: Windows Event Log Format

Example Log Entry:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          2/1/2026 4:30:00 PM
Event ID:      4698
Task Category: Other Object Access Events
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      WORKSTATION01.corp.local
Description:
A scheduled task was created.

Subject:
    Security ID:        S-1-5-21-1234567890-1234567890-1234567890-1001
    Account Name:       jsmith
    Account Domain:     CORP
    Logon ID:           0x12345678

Task Information:
    Task Name:          \UpdateTask
    Task Content:       <?xml version="1.0"?>...

Structure:

Binary EVTX record whose event data carries the task definition as embedded XML (the TaskContent field)


Available Formats

Windows Event Log Format (default; see the Log Example above)


XML Format

Example:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}"/>
    <EventID>4698</EventID>
    <TimeCreated SystemTime="2026-02-01T16:30:00.123456789Z"/>
    <Computer>WORKSTATION01.corp.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1234567890-1234567890-1234567890-1001</Data>
    <Data Name="SubjectUserName">jsmith</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x12345678</Data>
    <Data Name="TaskName">\UpdateTask</Data>
    <Data Name="TaskContent">&lt;Task...&gt;</Data>
  </EventData>
</Event>

Structure:

Native XML representation with embedded task XML

JSON (Winlogbeat/NXLog)

Example:

{
  "event_id": 4698,
  "log_name": "Security",
  "computer_name": "WORKSTATION01.corp.local",
  "time_created": "2026-02-01T16:30:00.123Z",
  "event_data": {
    "SubjectUserName": "jsmith",
    "SubjectDomainName": "CORP",
    "TaskName": "\\UpdateTask",
    "TaskContent": "<?xml version='1.0'?>..."
  }
}

Structure:

Structured JSON from log forwarders

Fields Reference

Field (type): description. Example value

EventID (integer): Event identifier; always 4698 for a scheduled task created event. Example: 4698
TimeCreated (datetime): Timestamp when the task was created. Example: 2026-02-01T16:30:00.123Z
Computer (string): Computer where the task was created. Example: WORKSTATION01.corp.local
SubjectUserName (string): Account that created the task. Example: jsmith
TaskName (string): Full path name of the scheduled task. Example: \UpdateTask
TaskContent (string): XML definition of the task, including triggers, actions, and settings. Example: <?xml version='1.0'?>...

Parsing Patterns

Grok Patterns

For the XML format:

<Data Name="SubjectUserName">%{DATA:subject_user}</Data>.*<Data Name="TaskName">%{DATA:task_name}</Data>

Both this pattern and the regular expression below assume the event XML is on a single line: .* does not cross line breaks unless the engine runs in DOTALL mode.

Regular Expressions

For the XML format:

SubjectUserName">(?P<subject_user>[^<]+)</Data>.*TaskName">(?P<task_name>[^<]+)</Data>

Collector Configurations

Splunk (SPL):

# All new scheduled tasks
index=wineventlog EventCode=4698
| table _time, Computer, SubjectUserName, TaskName

# Tasks executing PowerShell or CMD
index=wineventlog EventCode=4698 (TaskContent="*powershell*" OR TaskContent="*cmd.exe*")
| table _time, Computer, SubjectUserName, TaskName, TaskContent
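The parsing patterns and the Splunk search above only reach the top-level fields; the persistence detail (what runs, when, as whom) is inside the Task Scheduler XML carried in TaskContent. The following Python script is an added example, not code from the original page. It parses a 4698 event in the XML form shown above, unpacks the embedded task definition, and applies the same PowerShell/cmd.exe criterion as the Splunk search, plus a Hidden-task check added here. The two events it runs on are constructed samples with hypothetical task names, paths and SIDs; the only real identifiers are the event and Task Scheduler XML namespace URIs that Windows uses.

```python
"""Parse Windows Event ID 4698 (scheduled task created) and inspect the task
definition carried in TaskContent. Added example, not from the original page;
the events below are constructed samples, not captures from a real host."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}  # Task Scheduler XML
# Same criterion as the page's Splunk search: actions that launch PowerShell or cmd.exe
SUSPICIOUS_BINARIES = ("powershell", "cmd.exe")


def parse_task_content(task_xml: str) -> dict:
    """Pull triggers, run context and Exec actions out of the embedded task XML."""
    info = {"triggers": [], "run_as": None, "run_level": None, "hidden": False,
            "actions": [], "task_content_parsed": False}
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml)  # declaration may claim UTF-16
    try:
        task = ET.fromstring(body)
    except ET.ParseError:  # empty or truncated TaskContent, e.g. "<?xml version='1.0'?>..."
        return info
    trig = task.find("t:Triggers", TASK_NS)
    info["triggers"] = [t.tag.split("}", 1)[-1] for t in trig] if trig is not None else []
    principal = task.find("t:Principals/t:Principal", TASK_NS)
    if principal is not None:
        info["run_as"] = principal.findtext("t:UserId", namespaces=TASK_NS)
        info["run_level"] = principal.findtext("t:RunLevel", namespaces=TASK_NS)
    hidden = task.findtext("t:Settings/t:Hidden", default="false", namespaces=TASK_NS)
    info["hidden"] = hidden.strip().lower() == "true"
    for ex in task.findall("t:Actions/t:Exec", TASK_NS):
        info["actions"].append({
            "command": ex.findtext("t:Command", default="", namespaces=TASK_NS).strip(),
            "arguments": ex.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()})
    info["task_content_parsed"] = True
    return info


def parse_4698(event_xml: str) -> dict:
    """Normalise one 4698 event in the XML form shown on the page into a flat record."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=EVT_NS) != "4698":
        raise ValueError("not a 4698 event")
    data = {d.get("Name"): d.text or "" for d in root.findall("e:EventData/e:Data", EVT_NS)}
    rec = {"computer": root.findtext("e:System/e:Computer", namespaces=EVT_NS),
           "time_created": root.find("e:System/e:TimeCreated", EVT_NS).get("SystemTime"),
           "subject_user": f'{data.get("SubjectDomainName")}\\{data.get("SubjectUserName")}',
           "task_name": data.get("TaskName")}
    rec.update(parse_task_content(data.get("TaskContent", "")))  # ET already unescaped &lt; &gt;
    return rec


def assess(rec: dict) -> list:
    """Reasons a new task deserves review; an empty list means nothing matched."""
    reasons = []
    for a in rec["actions"]:
        cmdline = f'{a["command"]} {a["arguments"]}'.lower()
        if any(b in cmdline for b in SUSPICIOUS_BINARIES):
            reasons.append(f"action launches a script interpreter: {cmdline.strip()}")
    if rec["hidden"]:  # added criterion: Settings/Hidden keeps the task out of the Task Scheduler UI
        reasons.append("task is marked Hidden")
    if not rec["task_content_parsed"]:
        reasons.append("TaskContent missing or truncated; inspect the task on the host")
    return reasons


def build_event(user: str, task_name: str, task_xml: str) -> str:
    """Constructed 4698 event in the XML form shown on the page (hypothetical data)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4698</EventID>
    <TimeCreated SystemTime="2026-02-01T16:30:00.123456789Z"/>
    <Computer>WORKSTATION01.corp.local</Computer></System>
  <EventData><Data Name="SubjectUserName">{user}</Data><Data Name="SubjectDomainName">CORP</Data>
    <Data Name="TaskName">{escape(task_name)}</Data>
    <Data Name="TaskContent">{escape(task_xml)}</Data></EventData></Event>"""


BENIGN_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2026-02-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>C:\Program Files\Updater\updater.exe</Command><Arguments>/silent</Arguments></Exec></Actions>
</Task>"""
SUSPICIOUS_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>powershell.exe</Command><Arguments>-File C:\Users\Public\update.ps1</Arguments></Exec></Actions>
</Task>"""
SAMPLE_EVENTS = [build_event("jsmith", r"\UpdateTask", BENIGN_TASK),
                 build_event("jsmith", r"\Maintenance\Cleanup", SUSPICIOUS_TASK)]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        rec = parse_4698(ev)
        print(rec["task_name"], rec["subject_user"], rec["triggers"], rec["actions"], assess(rec))
```

The XML declaration is stripped before parsing because task definitions declare encoding="UTF-16" while the forwarded event hands us a text string; a truncated TaskContent (as in the page's example, ending in "...") is reported as a reason to inspect the task on the host rather than silently treated as clean.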

Configuration

Enable Logging

Enable scheduled task auditing. Event 4698 belongs to the "Other Object Access Events" subcategory (Object Access), so success auditing must be enabled there. From an elevated prompt:

auditpol /set /subcategory:"Other Object Access Events" /success:enable

The equivalent Group Policy setting is Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Object Access > Audit Other Object Access Events. If a domain GPO configures advanced audit policy, it overrides the local auditpol setting.

Log To Syslog

Forward via Windows Event Forwarding (WEF): include Event ID 4698 from the Security log in the WEF subscription query, then ship the collected events from the collector to the SIEM or syslog destination.

Use Cases

Track task creation: monitor all new scheduled tasks.

Key fields: TaskName, SubjectUserName, TimeCreated, Computer


Tested On

Windows Server 2022 (admin, 2026-02-01)
Last updated: 2026-02-01 by admin