Hidden Task Revealer


  1. Posts : 16,948
    Windows 10 Home x64 Version 22H2 Build 19045.4170
       #51

    Message Boxes

    I am familiar with toast notifications.

    Hidden Task Revealer-new-popup.png

    I was responding to a comment of yours about interaction with users that required user decisions to be made. Toast notifications do not achieve that.
    - By the way, Toast notifications do not necessarily necessitate additional installations. The module you discuss is a choice you have made not a necessity.
    - Any additional 'system' installations or setting up complicate the tool significantly.

    Use of built-in dialogs*** can be written into batch files to avoid complicating the user experience. But I still think that no user interaction is needed.
    - I do not think that any in-process decisions are required because I think the user wants any detected Ghost task to be deleted and, possibly, the results recorded in a log.
    - If a log is to be kept, the user will have to be asked which folder to put it in.
    - Both these can be pre-prepared decisions entered manually in a text file beforehand and the batch file can read those lines.
    - - The user can be given the template text file and can be told to keep it in the same folder as the tool itself.
    - - I always name these text files *.ini merely as a marker of their nature.

    *** If user interaction were to be required then customised title & text built-in dialogs can be called by the batch file without any installations being required.
    Hidden Task Revealer-msgboxontheflycaller2-cleaned.png
    - But the button labels are limited to
    Hidden Task Revealer-button-labels.png

    Use of Task scheduler by malware

    This is a whole new ball game. I don't think you should get into this game.
    - I do not think that malware can set up a task to run as the System user without having impersonated the System user in the first place.
    - I do not think that malware can impersonate the System user without already having achieved elevated status.
    - WD and UAC attempt, amongst other things, to prevent malware achieving elevated status.
    - If malware has achieved elevated status then all bets are off.
    - By the way, there are always claims about malware being able to achieve elevated status without the user even knowing if that user is an Admin user and UAC is at its default level.
    - - I protect myself from this by keeping UAC at its maximum setting. Despite an occasional claim to the contrary, I have not seen evidence of malware being able to counter this precaution.
    - - I could protect myself from this by following MS's half-hearted advice not to routinely use an Admin account for day-to-day computing anyway.

    SuppressGhostTasks Q1

    I was referring to the TS task that we create in order to detect the Ghost Task.
    - Since we create a task that runs at user login, TS does not prevent use of a user interface.
    - The Ghost tasks do get prevented by the WpTasks tool without any elevation or System user impersonation being required.
    - Any attempt to impersonate the System user for the SuppressGhostTasks task would require setting up and would probably require use of PSExec. But none of this is required to do the job we have been talking about.

    About "Also worth exploring is the issue of what we allow ordinary users to do in regards to these tasks" and "Optimally I think the following should happen ..."
    - "should we allow ordinary users to delete ... these tasks?" Yes, just as we already do with the existing batch file.
    - "should we allow ordinary users to ... disable these tasks?" We have no control over GhostTasks so we cannot disable them if I have understood the WpTasks tool correctly.
    - The task we create runs unelevated. We already know that that is sufficient to do the job.
    - The SuppressGhostTasks task we create already runs for every user as that user is logged on. No further action is necessary.
    - I do not believe there is any requirement to have these Ghost tasks {we still do not know what they actually do so no requirement for them can possibly exist} so the only logical user action is to delete them [OK, delete the thing that creates the instances we see of them].

    My assessment of where we are

    I think the combination of the WpTasks.exe tool, the batch file & the TS task .xml file are already sufficient and require no more than tidying up other than the possible addition of an .ini file so a log file Y/N decision & a log file location can be specified by the user. A Help file would also be worthwhile.

    The text file you have referred to could usefully be in two parts, two files - Initial setting up, Discussion of the GhostTasks topic
    - - I think pdf would be an appropriate format because it would allow formatting & illustrations
    - - I think that splitting the Help into two files would be worthwhile because they are two hardly-related topics and putting them both together would risk creating a complicated whole that would distress users.

    - The SuppressGhostTasks task we create needs no particular alteration.
    - - We could put some thought into the best frequency for running the task.
    - - We could usefully add a description but that's a minor thing.

    - The SuppressGhostTasks batch file could be augmented with an .ini file in the same folder so the user can specify a log file Y/N decision & the location of any required log.
    - - But I am still not convinced of the need for a log.
    - - And I still do not see any need for the use of any dialog boxes / notifications

    - We can tell the user to put the WpTasks.exe tool, the batch file & the .ini file in the folder C:\Tools\TS\GhostTaskSuppressor
    - - We can tell users to create & set up permissions for C:\Tools using the procedure in the annex to Make Task scheduler run a batch file minimised and with a specific icon - TenForums
    - - We can tell users to create the subfolders TS\GhostTaskSuppressor
    - - We can provide the .xml file and tell users how to import it into Task scheduler.
    - - We could, in the future, consider automating these 'setting up procedures' by providing an installation batch file but we would definitely need the assistance of somebody who knows how to use Icacls to set the permissions for C:\Tools

    Denis
    Last edited by Try3; 03 Jun 2020 at 12:27.


  2. Posts : 16,948
    Windows 10 Home x64 Version 22H2 Build 19045.4170
       #52

    Unexpected Ghost task detections


    Andy,

    I've been working on the batch file and have seen detections after short periods. The tool has in all cases managed to stop anything appearing in TS Task status pane but I had not been expecting such a frequency of detection. Are my records significant or in line with what you were expecting?

    This is a picture of my log of dates-times that WpTasks was run and I have added -Detection to those in which a Ghost task was detected.

    Hidden Task Revealer-detection-log.png

    I've also attached a zip copy because the small text is likely to be unreadable within the post itself.
    Detection log.zip

    My task was set to run at logon and every 5:30 hours after that. My reboots complicate the pattern by adding tool use in between the 5:30 hours.

    Denis


  3. Posts : 7,607
    Windows 10 Home 20H2
       #53



    I got the above error too. Then I downloaded "vcruntime140.dll" from vcruntime140.dll free download | DLL‑files.com
    I put it into "C:\Windows\SysWOW64\vcruntime140.dll", ran "WpTasks.exe", and got the following:

    Hidden Task Revealer-error.jpg

    What should I do?


  4. Posts : 31,651
    10 Home x64 (22H2) (10 Pro on 2nd pc)
       #54

    Matthew Wai said:
    got the above error too. Then I downloaded "vcruntime140.dll" from vcruntime140.dll free download | DLL‑files.com
    I'd not trust 3rd-party download sites, especially when it is available direct from Microsoft. Andy Bruin gave the link in post #24.

    Andy Bruin said:
    A Microsoft link for this redistributable follows. It includes both x86 and x64 versions. Download both and execute both on an x64 machine to install.

    https://www.microsoft.com/en-us/down....aspx?id=52685


  5. Posts : 16,948
    Windows 10 Home x64 Version 22H2 Build 19045.4170
       #55

    Matthew,

    I used the download from
    Download Microsoft Visual C++ 2015 Redistributable Update 3 RC - MSDownloads [the same link that Andy then posted in #24] - these are .exe files and they install so nothing needs to be "put" anywhere.
    I installed it [well, them] and mine then worked correctly. Note that the version you need is the x86 one [but it is almost as easy to install both x86 & x64 versions if you have a x64 Windows in case any future component needs the x64 one].

    Denis

    Bree - Your link to post #24 went skiwiff / squiff / squiffy. Denis


  6. Posts : 16,948
    Windows 10 Home x64 Version 22H2 Build 19045.4170
       #56

    GhostTaskSuppressor v1.3



    1 The problem


    Strangely-named and seemingly inexplicable entries have been seen in the Task scheduler, Task status pane and they do not even record a Triggered by entry that would allow them to be investigated.

    I’ve taken to referring to these tasks as ‘ghost tasks’ merely as a convenience, a shorthand title.

    Hidden Task Revealer-20200523-204108-task-scheduler-task-status-pane.png

    No corresponding task definition can be found anywhere within Task scheduler or in any of its configuration folders -
    C:\Windows\System32\Tasks,
    C:\Windows\Tasks,
    {not confirmed} %SystemRoot%\SysWOW64\Tasks

    The only other place that refers to these Task status pane entries is the Event viewer, Task scheduler log which refers to them as JD_TaskSchedulerSchedule tasks.

    Hidden Task Revealer-20200523-203635-event-viewer-record.png

    The Task scheduler, Task status pane entry & the Event viewer entry both refer to this particular task as {429ce28d-4d24-48c8-914a-8605598c50c8}.

    Further instances of the Task scheduler, Task status pane entry have different reference codes [GUIDs] - each of which is always matched by an Event viewer entry.

    The TenForums member Andy Bruin has investigated these ‘ghost tasks’ and has identified
    - the Windows mechanism that causes them to be shown in the Task scheduler, Task status pane, and
    - a method of suppressing them.

    Reassuringly, these ‘ghost tasks’ appear to be the result of Windows internal mechanisms [rather than malware] and do not appear to be doing anything at all.

    The jury is still out about whether the existence of these ‘ghost tasks’ is inevitable or requires some particular originating trigger that remains unidentified. I believe that there is an unidentified trigger -
    - Several users have observed the existence of these ‘ghost tasks’ but many others have never had them.
    - A user who used to suffer from ‘ghost tasks’ has reinstalled Windows and no longer has them. This user knows what to look for in Task scheduler & Event viewer. If the existence of ‘ghost tasks’ was inevitable, they would have returned on that user’s computer after Windows’ reinstallation.

    2 Purpose of the GhostTaskSuppressor


    The purpose of the GhostTaskSuppressor is to scan for, detect & delete the immediately-preceding cog in the ‘ghost tasks’ mechanism so that they never start.

    This GhostTaskSuppressor tool both includes and builds upon Andy’s suppression method.
    - Andy has done all the clever work.
    - All I’ve done is wrap it up into a package that can run in the background without bothering the user [unless, optionally, the user chooses a notification option].

    3 Contents of the attached zip file

    GhostTaskSuppressor v1.3.zip

    Hidden Task Revealer-contents-zip-file-root-folder.png

    Hidden Task Revealer-contents-zip-file-subfolder.png

    GhostTaskSuppressor v1.3.pdf - This post as a pdf document.

    GhostTaskSuppressor.xml
    - A Task scheduler task definition for initiating scan, detection & deletion. This task does not need any elevated privileges. This task runs StartGhostTaskSuppressor.vbs.

    StartGhostTaskSuppressor.vbs
    - A script that starts the batch file and allows it to run minimised & with a specific icon {so a user can recognise its taskbar entry without being interrupted by it}.

    GhostTaskSuppressor.ini
    - A text file in which the user sets preferences for use by the batch file. Using an ini file allows a user to change preferences without having to edit the batch file itself.

    GhostTaskSuppressor.bat
    - This manages the scan, detection & deletion work and makes use of Andy’s WpTasks.exe tool. This batch file does not need any elevated privileges.

    WpTasks.exe
    - This does the scan, detection & deletion. This file does not need any elevated privileges.

    4 Setting up


    4.1 Download then unzip the zip file into any convenient folder

    I suggest extracting to something like
    C:\Users\%UserName%\ToolsDevn\TS\GhostTaskSuppressor
    but the location is not at all critical.

    You can use this folder to browse & edit the files as you desire.

    4.2 Copy the unzipped subfolder GhostTaskSuppressor to a chosen folder


    I suggest
    C:\Tools\TS\GhostTaskSuppressor

    What is important, in my opinion, is having access permissions set so that Windows protects the chosen folder in the same way that it protects, for example, C:\Program Files. I describe a method of setting suitable access permissions for C:\Tools in section 1 of and the annex to Make Task scheduler run a batch file minimised and with a specific icon - TenForums. You need not concern yourself with the rest of that article because it has all been done for you by the attached .xml, .vbs and .bat files.

    You do not have to use the folder that I suggest. To accommodate a different location, all you need to change is a path recorded in the .xml file [see below].

    4.3 Setting user preferences


    4.3.1 GhostTaskSuppressor.xml

    Changing the .xml file is only necessary if you have not copied the subfolder GhostTaskSuppressor to C:\Tools\TS\GhostTaskSuppressor as I suggested above.

    If you have used my suggested folder then skip to step 4.3.2.

    Open the .xml file in Notepad or similar and find the line
    <Arguments>"C:\Tools\TS\GhostTaskSuppressor\StartGhostTaskSuppressor.vbs"</Arguments>

    If you have not copied the subfolder GhostTaskSuppressor to my suggested folder then replace the path given in the <Arguments> line with your own chosen path.

    Save the changed file.

    No other changes are needed to specify the location of the GhostTaskSuppressor files.

    4.3.2 GhostTaskSuppressor.ini


    1 Open the .ini file in Notepad or similar.

    2 Go to the line LogYN=Yes
    If you want to keep a running log of GhostTaskSuppressor scans, detections & deletions then leave this entry as it is.
    If you do not want to keep a running log of GhostTaskSuppressor scans, detections & deletions then change this entry to LogYN=No

    3 Go to the line starting LogFolder=
    If you have left LogYN=Yes as it is in order to keep a running log then change the suggested C:\Users\%UserName%\Documents path to the path that you want to keep the log in. The batch file has not been written to cope with any special characters except ampersand [&] so this might prove to be a limitation for paths that use foreign language characters.
    If you have changed LogYN=Yes to LogYN=No, because you do not want to keep a running log, then this path entry is ignored so there’s no need to alter it.

    4 Go to the line NotificationYN=Yes
    If you want to be told when a ghost task has been detected then leave this line as it stands.
    Hidden Task Revealer-detection-msgbox.png
    If, like me, you like having a tool that stays completely in the background without bothering you at all then change this line to NotificationYN=No

    5 Now save the changed file and copy it into the folder used in 4.2 above. If that folder has been set up as I suggested then you will need to give Admin permission to copy into that folder.

    4.4 Import the GhostTaskSuppressor.xml into Task scheduler


    1 Open Task scheduler
    2 In the right-hand ‘Actions’ pane, click on Import task
    3 Browse to the folder containing GhostTaskSuppressor.xml, select it then click on Open
    4 The task properties dialog opens. No changes are required.
    5 Click on OK to save it.
    6 You can now close Task scheduler.

    4.5 That’s it


    You can now let the task run to prevent ghost tasks from appearing.

    While GhostTaskSuppressor is running, its icon will appear in the Taskbar.
    Hidden Task Revealer-ghosttasksuppressor-icon-larger.png
    GhostTaskSuppressor normally runs in the blink of an eye.

    Denis
    Last edited by Try3; 18 Jun 2020 at 08:45.
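
Section 4.2 of the post above asks for the tool folder to be protected in the same way as C:\Program Files. The following PowerShell check is an added example, not part of the GhostTaskSuppressor package or of the linked TenForums annex; the function name `Get-UntrustedWriteAccess` and the choice of trusted SIDs are assumptions made for illustration. It reports any owner or allow entry that would let an account other than SYSTEM, Administrators or TrustedInstaller change the files the scheduled task runs.

```powershell
# Added example: audit who can modify the folder a scheduled task runs from.
function Get-UntrustedWriteAccess {
    param(
        # Default is the folder suggested in section 4.2 of the post.
        [string] $Path = 'C:\Tools\TS\GhostTaskSuppressor'
    )

    # Well-known SIDs rather than names, so the check also works on localized Windows.
    # Treating exactly these four as trusted is an assumption of this example.
    $trusted = @(
        'S-1-5-18',      # NT AUTHORITY\SYSTEM
        'S-1-5-32-544',  # BUILTIN\Administrators
        'S-1-3-0',       # CREATOR OWNER (inherit-only placeholder entry)
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
    )

    # Rights that allow changing, replacing or re-permissioning a file or folder.
    $writeRights = [int][System.Security.AccessControl.FileSystemRights] `
        'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # Some inherited entries are stored as raw GENERIC_WRITE / GENERIC_ALL bits.
    $mask = $writeRights -bor 0x40000000 -bor 0x10000000

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $items = @($Path) + @((Get-ChildItem -LiteralPath $Path -Recurse -Force).FullName)

    foreach ($item in $items) {
        if (-not $item) { continue }
        $acl = Get-Acl -LiteralPath $item

        # An untrusted owner can rewrite the permissions at will.
        $owner = $acl.GetOwner($sidType).Value
        if ($trusted -notcontains $owner) {
            [pscustomobject]@{ Path = $item; Sid = $owner; Finding = 'Owner'; Inherited = $false }
        }

        # Explicit and inherited entries, with identities returned as SIDs.
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $sid = $ace.IdentityReference.Value
            if ($trusted -contains $sid) { continue }
            if (([int]$ace.FileSystemRights -band $mask) -ne 0) {
                [pscustomobject]@{
                    Path      = $item
                    Sid       = $sid
                    Finding   = [string]$ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Get-UntrustedWriteAccess | Format-Table -AutoSize
```

An empty result means only the trusted accounts can alter the .vbs, .bat, .ini and .exe files; any row returned names an account that could replace what the task runs at logon.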


  7. Posts : 23
    Windows 10
    Thread Starter
       #57

    Try3 said:
    Andy,

    I've been working on the batch file and have seen detections after short periods. The tool has in all cases managed to stop anything appearing in TS Task status pane but I had not been expecting such a frequency of detection. Are my records significant or in line with what you were expecting?

    This is a picture of my log of dates-times that WpTasks was run and I have added -Detection to those in which a Ghost task was detected.

    Hidden Task Revealer-detection-log.png

    I've also attached a zip copy because the small text is likely to be unreadable within the post itself.
    Detection log.zip

    My task was set to run at logon and every 5:30 hours after that. My reboots complicate the pattern by adding tool use in between the 5:30 hours.

    Denis
    Hi Denis,

    Not too sure about your log timings. It shows in some cases (10/06) that the Ghost Detector has run again within 30 minutes and detected a ghost. Given you have set it to run at logon and every 5.5 hours after that this is a bit weird.

    I actually only expected the ghost task to be generated on reboot once the originating DLL has initialised. So if your logs are revealing it is recreated sometime after being deleted this is something new to me. Might be useful to leave your computer on for 48 hours to test this. Also will be worthwhile running the suppressor automatically every hour to get a time fix. I will try this also.

    Cheers
    Andy

    - - - Updated - - -

    Hi all,

    You may have noticed that I've been somewhat missing from this thread. This is because I was working on a live band streaming project in Sydney, Australia which involved a lot of fine tuning software to get live lighting looking good on video. This involved a lot of work but I have finally nailed it so now I have spare time to devote to this thread. For those of you involved in graphics you would already know that what you see in the real world looks vastly different on screen due to color representation limits (ie WYSINWYG - What You See Is NOT What You Get!).

    You can see my lighting in the pic below. I thought I'd include the pic to brighten up this thread although it's a bit off topic. However I notice that people here are more forgiving than other sites so please forgive me :). The video link and Facebook links are also below for anybody who wants to explore further and you can even play a game of Where's Andy! (Clues: I'm up a ladder in Facebook and hiding in the background of the fish eye shots in some of the videos)

    Svntax Error @ SUSS 18/7/20 - YouTube

    Sydney Underground Streaming Sessions - Arts & Entertainment - Sydney, Australia - 30 Photos | Facebook

    Big thanks to Try3 (Denis) for the updated GhostTaskSuppressor v1.3!!!

    Also thanks to both Bree and Try3 for helping Matthew Wai out during my absence!

    I am presently working to add the ability to enable/disable ghost tasks to the original utility rather than just deleting them so stay tuned!

    Cheers
    Andy Bruin

    Hidden Task Revealer-syntax-error.png


  8. Posts : 6,849
    22H2 64 Bit Pro
       #58

    I cannot figure out how to use this:

    CrowdResponse Release and new @Tasks modules >>

    Any ideas anyone?


  9. Posts : 23
    Windows 10
    Thread Starter
       #59

    Callender said:
    I cannot figure out how to use this:

    CrowdResponse Release and new @Tasks modules >>

    Any ideas anyone?
    Hi Callender,

    Thanks for this link. It is definitely relevant to what me and Try3 are doing with GhostTaskSuppressor as our project plan is to expand it to cover all tasks (it already has some inoperable code included).

    It mentions the concerns about other tasks I have already expressed via PMs to Try3. Unfortunately the tools Windows provides to list these tasks are terrible for listing them and their data (eg schtasks.exe has repetitions and a format that is terrible to parse) and hence I am writing my own to be included in GhostTaskSuppressor.

    At.exe is deprecated in Windows 10 and now just prints a deprecation message but its scheduled jobs still run. The Task Scheduler app does list AT tasks but as this app is convoluted it's hard to identify them. The CrowdStrike @Tasks module is definitely a friendlier way to identify these tasks than Microsoft's tools. Note you have to install the whole CrowdResponse app to use the tasks module but it is free and useful for other security risks.

    CrowdStrike does mention the malware using these tasks and in one of the earlier posts in this thread Try3 gave a link to one of these (which is what prompted the expansion of GhostTaskSuppressor). Incidentally this malware was using the AT.exe interface.

    Cheers
    Andy
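
Post #56 describes Task status entries with no matching task definition, and the post above notes how awkward schtasks.exe output is to parse. The following PowerShell sketch is an added example, not code from WpTasks.exe or GhostTaskSuppressor: it compares task names recorded in the Task Scheduler event log with the definitions returned by the built-in `Get-ScheduledTask` cmdlet. The function names are hypothetical, the sample event is constructed, and it assumes task history is enabled so that the operational log contains events.

```powershell
# Added example: task names seen in the event log that have no registered definition.
# Assumption: the log 'Microsoft-Windows-TaskScheduler/Operational' is enabled.

function Get-TaskNameFromEvent {
    param([Parameter(Mandatory)] [xml] $EventXml)
    # Task Scheduler events carry the task path in <Data Name="TaskName">.
    $node = $EventXml.Event.EventData.Data |
        Where-Object { $_.Name -eq 'TaskName' } |
        Select-Object -First 1
    if ($node) { $node.'#text' }
}

function Find-UndefinedTaskName {
    param([int] $MaxEvents = 5000)

    # Full names (folder + name) of every definition visible to this account.
    $registered = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    Get-ScheduledTask | ForEach-Object {
        [void] $registered.Add($_.TaskPath + $_.TaskName)
    }

    $log = 'Microsoft-Windows-TaskScheduler/Operational'
    Get-WinEvent -LogName $log -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $name = Get-TaskNameFromEvent -EventXml $_.ToXml()
            if ($name -and -not $registered.Contains($name)) {
                [pscustomobject]@{ TaskName = $name; EventId = $_.Id; Time = $_.TimeCreated }
            }
        } |
        Group-Object TaskName |
        ForEach-Object {
            [pscustomobject]@{
                TaskName = $_.Name
                Events   = $_.Count
                EventIds = ($_.Group.EventId | Sort-Object -Unique) -join ','
                LastSeen = ($_.Group | Sort-Object Time -Descending |
                            Select-Object -First 1).Time
            }
        }
}

# Constructed sample event (not captured from a real system) to exercise the parser.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>100</EventID></System>
  <EventData Name="TaskStartEvent">
    <Data Name="TaskName">\ExampleFolder\ExampleTask</Data>
    <Data Name="UserContext">EXAMPLE\user</Data>
  </EventData>
</Event>
'@
Get-TaskNameFromEvent -EventXml $sample

Find-UndefinedTaskName | Sort-Object LastSeen -Descending | Format-Table -AutoSize
```

Tasks that were deleted after they last ran also appear in the result, so each name needs reviewing rather than being treated as a ghost task outright. Run it from an elevated prompt so that `Get-ScheduledTask` can see definitions a standard account cannot read.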


 
