No, it is not a hidden task
Hi Cr00zng,
This is the reason I got involved initially and probably the reason others got involved too. A cryptic name with no info and no obvious link certainly looks suspicious. However, conversely, most malware writers these days try to make their stuff look as unobtrusive as possible. In this case this was just a Windows background task.
The Windows task scheduler is now being monitored by a few antiviruses as it's a great place to host simple tasks that reintroduce deleted viruses from the net. The following link gives a few details.
Malware loves Windows Task Scheduler | CSO Online
Notably, the Task Scheduler is also used by Windows to make sure its updates keep happening even though the corresponding services have been disabled.
I wrote this app to actually reveal exactly what these tasks are and added an option to delete them if necessary. This is to mitigate any such occurrence.
In regards to suspect tasks Try3's startup script is a great idea. My reply directly after adds to this.
Hidden Task Revealer
Clobbering a suspect task before it becomes a problem is a step forward. However shoot first ask questions later is sometimes a good idea but often it is overkill. A prompt for unknown tasks by such a script would be a good thing.
Cheers
Andy Bruin
Hi Try3,
It's not totally hidden as it shows in the Task Scheduler logs and Event Viewer logs, but only if the options to log these items are enabled. Otherwise there is no trace except for what is shown by WpTasks.exe. Hence my initial heading.
PS Is it ok to maybe include your screenshots in a help file?
Cheers
Andy Bruin
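Andy's point above is that the only built-in trace of a task registration is the Task Scheduler log, and that log is off by default. The following is an added example (not code from the thread, from WpTasks.exe, or from Try3's script) that checks whether the Operational log is enabled, turns it on, and then pulls the task registration, update and deletion events from the last seven days, flagging any task whose name is nothing but a GUID. The seven-day window and the GUID-name test are my own choices. Run it from an elevated PowerShell prompt.

```powershell
# Added example: check and enable Task Scheduler history, then list task
# registration events. Not part of the original thread. Run elevated.

$logName = 'Microsoft-Windows-TaskScheduler/Operational'
$log = Get-WinEvent -ListLog $logName

if (-not $log.IsEnabled) {
    # Same switch as "Enable All Tasks History" in the Task Scheduler console.
    $log.IsEnabled = $true
    $log.SaveChanges()
    Write-Host "Enabled $logName. Events will only exist from now on; earlier registrations left no trace here."
}

# Operational log event IDs: 106 = task registered, 140 = task updated, 141 = task deleted.
$filter = @{ LogName = $logName; Id = 106, 140, 141; StartTime = (Get-Date).AddDays(-7) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# A task whose leaf name is a bare GUID is the kind of entry this thread is chasing.
$guidName = '^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$'

$rows = foreach ($e in $events) {
    # Read the named EventData fields from the event XML instead of relying on
    # positional Properties indices, which differ between event IDs.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $taskName = $data['TaskName']
    $leaf     = ($taskName -split '\\')[-1]
    [pscustomobject]@{
        Time     = $e.TimeCreated
        EventId  = $e.Id
        Task     = $taskName
        # 106 carries UserContext; 140 and 141 carry UserName.
        User     = if ($data.ContainsKey('UserContext')) { $data['UserContext'] } else { $data['UserName'] }
        GuidName = [bool]($leaf -match $guidName)
    }
}

$rows | Sort-Object Time -Descending | Format-Table -AutoSize
if (-not $events) {
    Write-Host 'No registration events in the window; the log was probably disabled when the task was created.'
}
```

If you want the record kept in the Security log instead (event 4698, "A scheduled task was created"), that needs the audit policy `auditpol /set /subcategory:"Other Object Access Events" /success:enable`; either way, history only exists from the moment logging was switched on, which is why a task that was already present shows up only through a tool that reads the task store directly.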
Andy,
It's taken me an hour or more to finish writing this post. My 'it is not a hidden task' comment was a response to another user not to you.
- Task scheduler does not, by default, show hidden tasks [tasks that have a deliberate hidden property] but our problem items are not of that nature.
- If the problem items were merely records of a hidden task it would have taken approximately a minute to resolve the issue.
- In other words, whilst we might think of the instigating thing being hidden, it is not a "hidden task" as such.
You can use anything in any of my responses in any way you see fit.
On one known-awkward computer, I am getting an error about VCRunTime140.dll being missing. I'm just checking for the most reliable explanation & source before downloading anything - it seems to be a component of Microsoft Visual C++ 2015 Redistributable Update 3 RC so, if that's correct, I can get it directly from MS.
In the meantime, my startup script is working well on 2 other computers. Here it is
UnknownTaskSuppressor.bat
It runs from a Task Scheduler task that I have set to run at logon rather than startup.
Code:
```batch
:: This procedure uses Andy Bruin WpTasks.exe to reveal the whatever-status-it-is Task giving rise to the entries in TS, Task status
:: They are created at rebooting but not always - hence the decision to retain logs for the time being
:: It is currently written in the expectation of only a single GUID being reported
prompt $g
Set ThisTitle=Checking, cleaning unknown task creation
Title %ThisTitle%
::Set WorkingFolder=%Temp%
:: Only use the Temp folder when I have removed log retention
Set WorkingFolder=E:\UtilityHub\TS\UnknownTaskSuppressor
Set TheToolFolder=C:\Tools\TS\UnknownTaskSuppressor\
Set TheToolName=WpTasks.exe
Set ThisGUID=

:: Examine the log
:: Run the tool, capture its output, then pass the first token of each line to :TaskProcessing
%TheToolFolder%%TheToolName% >%WorkingFolder%\WpTasks.Log
For /f "tokens=1" %%X in (%WorkingFolder%\WpTasks.Log) do Call :TaskProcessing "%%X"
:: If a GUID was found, ask the tool to delete that entry (the /d switch), otherwise just tidy up
If Not "%ThisGUID%"=="" %TheToolFolder%%TheToolName% /d %ThisGUID%
GoTo CloseTaskSuppressor

:TaskProcessing
:: Detect and retrieve the GUID, if any
Set ThisLine=%~1
:: Detect GUID by detecting { as the first character of the passed parameter
If "%ThisLine:~0,1%"=="{" (Set ThisGUID=%ThisLine%) Else (GoTo :eof)
::Remove the {} at start and end
Set ThisGUID=%ThisGUID:~1%
Set ThisGUID=%ThisGUID:~0,-1%
GoTo :eof

:CloseTaskSuppressor
:: Later on, I will just delete the log file but for at least the first month of use I will keep it so I can review when the Unwanted tasks get created
:: If I decide to keep doing this then I will streamline the procedure for that - e.g. reduce the number of variables
:: Del %WorkingFolder%\WpTasks.Log
Call "C:\Tools\Rename\RenameDLM.vbs" "%WorkingFolder%\WpTasks.Log"

:EndTaskSuppressor
::Pause at end during testing
```
Note 1 - You'll need to set WorkingFolder, TheToolFolder, TheToolName to suit your own preferences.
Note 2 - I have particular attitudes to where to store scripts and how to manage their use in Task scheduler - see Make Task scheduler run a batch file minimised and with a specific icon - TenForums
Note 3 - I have decided to keep my WpTasks.exe responses as logs for the next month or so because I want to review them later on. So I have called another script of mine, C:\Tools\Rename\RenameDLM.vbs, that adds the DLM to the filename to allow multiple copies to be kept easily.
- RenameDLM changes WpTasks.Log into 20200527 140441 WpTasks.Log, so that's yyyymmdd hhnnss [hhmmss]
- The calling line illustrates the syntax needed for RenameDLM, just in case you decide to use it elsewhere.
- If you do not want to use RenameDLM you can just :: remark out or delete that line in the script and optionally un-remark the line about deleting the log file at the end.
- This script is one that I have earmarked for translation into PowerShell in the fullness of time so I have never bothered tidying up the code.
- You will need to revise the RenameDLM code to deal with the format of your date retrieval - see the line 'DLM format is 25/01/2014 02:39:59' and the variable extractions that follow.
- For checks like this, I just add a MsgBox line in the vbs for the variable concerned
- So that would be MsgBox DLM
- Then I copy the format used in the response, paste it in the vbs file and alter the variable extractions as required
- I kill the vbs before accepting the MsgBox so I don't let it complete using unwanted date formats
- I do not for one moment think you need me to tell you how to modify the variable extractions but if you have any doubts just post a Snipping tool picture of the dialog box and I'll rewrite the code for you.
- I have given you this file as it exists on my computer. You can ignore the discursive lines about using the same structure for creating a backup copy instead of renaming a file.
- If I stop wanting to review responses then I will delete the call to RenameDLM and tidy up the batch file use of variables. That will probably not be before the next blue moon.
I have attached a zip of the UnknownTaskSuppressor.bat script and associated files [see my note 2], the RenameDLM file and the TS Task definition. You should check ownership and permissions before using them because they come from a restricted access folder on my computer & I cannot remember what WinZip preserves of those properties. UnknownTaskSuppressor.zip
By the way, I have already seen new WpTasks responses showing that a new item [with a constant GUID] has been created at restart as well as responses showing no new item has been created at restart.
Additional - Whilst tinkering, I also discovered that WpTasks responses have identified a new item some 3 hours after my last restart [but, as expected, nothing is yet shown in the Task status pane]. This time the GUID is different.
- I think I will alter the TS Task to run at logon and then every NNN hours so that at no stage is the 12 hour period you mentioned ever reached.
- I'll start with 11 hours. I can't think of any reason to justify any particular frequency.
Denis
Last edited by Try3; 27 May 2020 at 11:22.
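Two things in this thread are worth seeing together in code: Andy's description of the Task Scheduler as a persistence spot that the normal console does not fully show (and his suggestion that a cleanup script should prompt for unknown tasks rather than clobber them), and Try3's batch file above, which deletes whatever GUID the tool reports. The following is an added example written for this page; it is not UnknownTaskSuppressor.bat, and it is not how WpTasks.exe works. It reads the registry Task Cache, which holds one {GUID} key per registered task, compares it with what the Task Scheduler API returns, and treats as suspect any entry the API does not list, any entry with no Tree record for its path, and any task whose name is a bare GUID. Each suspect is shown with its action and run-as account and deleted only after a prompt. The registry layout used (TaskCache\Tasks\{id} with a Path value, TaskCache\Tree\<path> with an Id value) is the documented one, but the classification rules are my own. Run elevated; the Tasks key is not readable by standard users.

```powershell
# Added example: cross-check the Task Cache against the Task Scheduler API and
# prompt before deleting suspects. Not Try3's script, not WpTasks.exe. Run elevated.

$cacheRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'
$guidLeaf  = '^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$'

# 1. What the API knows. Get-ScheduledTask also returns tasks that carry the
#    Hidden setting, so that flag alone is not a hiding place.
$apiByPath = @{}
foreach ($t in Get-ScheduledTask) { $apiByPath[($t.TaskPath + $t.TaskName)] = $t }

# 2. What the cache knows: Tasks\{id} keys, each with a Path value like "\Folder\Name".
$cacheEntries = foreach ($k in Get-ChildItem "$cacheRoot\Tasks") {
    $props = Get-ItemProperty $k.PSPath
    [pscustomobject]@{ Id = $k.PSChildName; Path = $props.Path }
}

# 3. Classify. A legitimate task has a Tree entry, is returned by the API, and
#    normally has a human-readable name.
$suspects = foreach ($c in $cacheEntries) {
    $leaf   = if ($c.Path) { ($c.Path -split '\\')[-1] } else { '' }
    $task   = if ($c.Path) { $apiByPath[$c.Path] }
    $inTree = $c.Path -and (Test-Path ("$cacheRoot\Tree" + $c.Path))
    $reason = @()
    if (-not $task)             { $reason += 'not returned by Get-ScheduledTask' }
    if (-not $inTree)           { $reason += 'no Tree entry for its path' }
    if ($leaf -match $guidLeaf) { $reason += 'task name is a bare GUID' }
    if ($reason) {
        [pscustomobject]@{
            Id     = $c.Id
            Path   = $c.Path
            Reason = $reason -join '; '
            Action = if ($task) { ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' | ' } else { '(unknown to API)' }
            RunAs  = if ($task) { $task.Principal.UserId } else { '' }
        }
    }
}

$suspects | Format-Table -AutoSize

# 4. Ask before clobbering, one suspect at a time.
foreach ($s in $suspects) {
    $task = if ($s.Path) { $apiByPath[$s.Path] }
    if (-not $task) {
        Write-Host "$($s.Path) [$($s.Id)] is not visible to the API; back up the TaskCache key before removing it by hand."
        continue
    }
    $answer = Read-Host "Delete task $($s.Path) (runs: $($s.Action)) ? [y/N]"
    if ($answer -eq 'y') {
        Unregister-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath -Confirm:$false
        Write-Host "Deleted $($s.Path)"
    }
}
```

A GUID-only name on its own is not proof of anything, which is why the script prints the action and the run-as principal before asking: a task that launches a binary from a user-writable folder, or runs as SYSTEM with no matching Tree entry, is a very different proposition from a GUID-named task whose action is a signed Microsoft binary. For an unattended run at logon, as Try3 does, replace the Read-Host with a log line and review the log, which is what the retained WpTasks.Log files above are for.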
Andy,
About the Microsoft Visual C++ 2015 Redistributable I need to add to my awkward computer
The guidance I have found states that I need to use the x64 version of the C++ Redistributable because my Windows is x64 on the problem computer.
I am not convinced that this is correct.
Is there anything in your development records about external references that would confirm this one way or the other?
In other words, I suspect that WpTasks.exe references the x86 version of the C++ Redistributable even when running on x64 Windows.
Knowing this will save me having to try both and make several system images as I go along [just in case].
Denis
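Denis's question (x86 or x64 Redistributable for an exe running on x64 Windows) can be answered from the file itself rather than by trial and system image. The following is an added example, not code from the thread or from Andy's tool: it reads the PE header to get the target machine type and walks the import directory to list the DLLs the exe links against, so it shows both whether vcruntime140.dll is wanted and which architecture of the Redistributable supplies it. The path to WpTasks.exe is the one from Try3's script and is an assumption; point it at your own copy.

```powershell
# Added example: report an exe's architecture and imported DLLs from its PE
# header. Not from the thread. Works on any PE32/PE32+ file.

function Convert-RvaToOffset($Sections, [uint32]$Rva) {
    # Map a relative virtual address to a file offset via the section table.
    foreach ($s in $Sections) {
        if ($Rva -ge $s.VA -and $Rva -lt ($s.VA + $s.Size)) { return [uint32]($s.Raw + ($Rva - $s.VA)) }
    }
    throw ('RVA 0x{0:X} is not inside any section' -f $Rva)
}

function Get-PeDependencies {
    param([Parameter(Mandatory)][string]$Path)

    $b = [System.IO.File]::ReadAllBytes($Path)
    if ([BitConverter]::ToUInt16($b, 0) -ne 0x5A4D) { throw "$Path is not an MZ executable" }
    $pe = [BitConverter]::ToUInt32($b, 0x3C)                         # e_lfanew
    if ([BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) { throw "$Path has no PE signature" }

    $machine  = [BitConverter]::ToUInt16($b, $pe + 4)                # IMAGE_FILE_HEADER.Machine
    $numSects = [BitConverter]::ToUInt16($b, $pe + 6)
    $optSize  = [BitConverter]::ToUInt16($b, $pe + 20)
    $optStart = $pe + 24
    $magic    = [BitConverter]::ToUInt16($b, $optStart)              # 0x10B = PE32, 0x20B = PE32+

    $arch = switch ($machine) {
        0x014C  { 'x86' }
        0x8664  { 'x64' }
        0xAA64  { 'ARM64' }
        default { '0x{0:X4}' -f $machine }
    }

    # Section headers are 40 bytes each, right after the optional header:
    # VirtualSize +8, VirtualAddress +12, SizeOfRawData +16, PointerToRawData +20.
    $sections = for ($i = 0; $i -lt $numSects; $i++) {
        $s = $optStart + $optSize + 40 * $i
        [pscustomobject]@{
            VA   = [BitConverter]::ToUInt32($b, $s + 12)
            Size = [Math]::Max([BitConverter]::ToUInt32($b, $s + 8), [BitConverter]::ToUInt32($b, $s + 16))
            Raw  = [BitConverter]::ToUInt32($b, $s + 20)
        }
    }

    # Data directory entry 1 is the import table; the directory array begins at
    # offset 96 (PE32) or 112 (PE32+) within the optional header.
    $ddStart   = $optStart + $(if ($magic -eq 0x20B) { 112 } else { 96 })
    $importRva = [BitConverter]::ToUInt32($b, $ddStart + 8)

    $dlls = @()
    if ($importRva -ne 0) {
        $desc = Convert-RvaToOffset $sections $importRva
        # IMAGE_IMPORT_DESCRIPTOR is 20 bytes; Name RVA at +12; an all-zero entry ends the list.
        while ([BitConverter]::ToUInt32($b, $desc + 12) -ne 0) {
            $nameOff = Convert-RvaToOffset $sections ([BitConverter]::ToUInt32($b, $desc + 12))
            $end = $nameOff
            while ($b[$end] -ne 0) { $end++ }
            $dlls += [Text.Encoding]::ASCII.GetString($b, $nameOff, $end - $nameOff)
            $desc += 20
        }
    }

    [pscustomobject]@{
        File      = $Path
        Machine   = $arch
        Format    = if ($magic -eq 0x20B) { 'PE32+' } else { 'PE32' }
        Imports   = $dlls
        NeedsVcRt = [bool]($dlls | Where-Object { $_ -match '^(vcruntime|msvcp)\d{3}' })
    }
}

# Assumed location, taken from Try3's script; change to suit.
$info = Get-PeDependencies -Path 'C:\Tools\TS\UnknownTaskSuppressor\WpTasks.exe'
$info | Format-List
if ($info.NeedsVcRt) {
    "Install the $($info.Machine) Visual C++ Redistributable: it must match the exe's architecture, not Windows'."
}
```

The rule the script encodes is the one Denis suspected: an x86 executable on x64 Windows loads the 32-bit vcruntime140.dll from SysWOW64, which only the x86 Redistributable installs; the x64 package puts its copy in System32 and does nothing for a 32-bit process. Imports that resolve through api-ms-win-crt-*.dll names are the Universal CRT and are serviced through Windows Update rather than the Redistributable, which is why a machine can have the Redistributable and still be missing a CRT DLL, or the other way round.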
I installed the x86 version and the WpTasks.exe task ran correctly.
I have now set the UnknownTaskSuppressor TS Task to run at user logon and then every 11 hours.
UnknownTaskSuppressor-RevisedTask.zip
My masterplan is now not to fiddle with anything but to wait almost 30 days then check that no new instances have been started since this afternoon on all 3 computers.
Two of my three computers have previous instances still shown as running despite computer restarts since then.
Denis