Hidden Task Revealer

Page 1 of 6 123 ... LastLast

  1. Posts : 21
    Windows 10
       #1

    Hidden Task Revealer


    Background

    In Windows 10 "Task Scheduler" strangely named tasks of the form {c092b15a-a322-4688-630fe8d1a911} can be observed occasionally in the Task Status section which is a log of tasks executed (as shown in the screenshot below).

    Hidden Task Revealer-taskscheduler.jpg

    This was also observed at the following links

    Oddly named tasks in Task Scheduler?
    Random weird scheduled tasks - Windows 10 Support

    This task isn't revealed on any of the other task scheduler subitems.

    A search of the "Event Viewer" task scheduler xml logs for {c092b15a-a322-4688-630fe8d1a911} gives an ActionName of
    "JD_TaskSchedulerSchedule_{c092b15a-a322-4688-630fe8d1a911}".

    However the name "JD_TaskSchedulerSchedule" isn't found in any of the Windows 10 "Task Scheduler" items.

    This was observed at the first link above and also at the following link.

    What is "JD_TaskSchedulerSchedule"?

    Investigation

    Some of the previous web links suggest a program called Trillian (a chat program) could be responsible but as this has never been installed on my machine this eliminates this possibility.

    After some investigation I found that the task identified above originates from the OneSyncSvc service (formerly known as ActiveSync). This service uses the WpTaskScheduler.dll library module to add tasks to the Windows task scheduler and generates a random GUID, the {c092b15a-a322-4688-630fe8d1a911} part, for the task name of every task it creates.

    The actual schedule name is of the form SimpleActivityScheduleTimer_{xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx} where xxxx...x is a random GUID.

    It is confirmed to exist by default on Windows 10 Home version 1803 and 1909 and probably exists on other versions of Windows 10 as well.

    This task executes every 12 hours after a reboot. Therefore you will have to wait 12 hours after a reboot to see it in the
    Task Scheduler Task Status section.

    I actually don't know what this task does but I'm guessing it probably is used to clean up OneSync/ActiveSync.

    Some further info about my investigations is provided at the following link.

    https://answers.microsoft.com/en-us/...e-5815f2a2604e

    It was an answer to the first post above which was cross posted to the following link.

    https://answers.microsoft.com/en-us/windows/forum/all/oddly-named-tasks-in-task-scheduler/11dcde4f-ca47-4dc6-8267-4884b3a1ed8c

    WpTasks

    After getting this far I decided to write a program to reveal these tasks. This is useful from a security point of view.

    The program I have created is called WpTasks.exe and is currently a Windows Console program (Cmd.exe).

    It displays all of these tasks and can also provide more info on each of these tasks.

    It also has the option to delete them.

    More info on this program is provided by the README at the following link.

    https://dl.dropbox.com/s/enlknen8wk0pe49/README.TXT

    A zip file containing the executable and the README can be downloaded from the following link.

    https://dl.dropbox.com/s/ykjjv9owrqb...Tasks.zip?dl=1

    The program is free to use.

    Source code isn't currently availiable.

    Feedback

    Please use this forum thread to provide feedback on this. If I'm working on something else I may be slow to reply so please be patient.

    I'm particularly interested in the following feedback on the program:

    1) What other versions of Windows 10 other than Windows 10 Home 1803 and 1909 use or do not use these tasks.
    2) If you observe schedule names other than SimpleActivityScheduleTimer_{xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx}.

    I will post any notice of updates to this thread. The download link will probably remain the same for updates.

    NB For other websites if you provide a direct link on your site to the download please include a link to this thread to inform and encourage feedback from users.

    Hope you find this useful.

    Cheers
    Andy Bruin
      My Computer

  2. RickC's Avatar
    Posts : 528
    Windows 7 + 10
       #2

    Just to confirm... Windows 10 Pro 1809 shows the same behaviour:

    Hidden Task Revealer-wptasks.png

    Many thanks for the tool.

    Hope this helps...
      My Computer

  3. Try3's Avatar
    Posts : 4,589
    Windows 10 Home x64 Version 1909 Build 18363.900
       #3

    Andy,

    I raised a thread when I started getting this problem Unknown tasks running - e9e87558-3d46-49e9-bde6-f8b84dace1c6 - TenForums so I've added a cross-reference to here.
    - I have gone through long periods without the unknown task running [which might well be consistent with your findings about the 12 hour waiting time].
    - My 3 computers are all Windows 10 Home x64 Version 1909 Build 18363.778
    - They all have this problem.

    I have just run WpTasks.exe on one computer. It revealed a result. I then used it to delete what it had revealed. It now reports no results.
    SimpleActivityScheduleTimer_{C8A6392F-9E62-4830-9FFA-1A7CADD66B76}
    - That GUID does not appear anywhere else, including in the names of the unknown tasks

    But nothing seems to have changed.

    Q1 How can I stop the running instances of the unknown task? I thought that was what your utility would do but they are still running. I have not yet rebooted because I have been busy writing this post. That was all wrong. I had no running instances before using Wptasks.exe.

    Q2 Is there anything I can check, other than WpTasks.exe, that will tell me that something has changed?

    Q3 Where do you want me to look to find relevant "schedule names"? There is no reference to SimpleActivityScheduleTimer in my Task scheduler or anywhere else that I have been able to find.

    Q4 I do not know whether to expect a reoccurence i.e. new instances of the unknown task appearing. What do you think?

    Q5 Was it some malfunction of part of the services you mention / some combination of particular circumstances that caused the unknown task to start in the first place?
    Hidden Task Revealer-taskmgr-services-apparent-culprits.png
    Hidden Task Revealer-services-apparent-culprit.png

    Q6 I have never knowingly used any syncing. Have you discovered any indications that other applications use the guilty services [possibly improperly] and that they might therefore have been the trigger for the whole thing?
    - I had installed & run an Intel utility [Driver & Support Assistant] the day this started happening.
    - This might also explain why others found that their problem started with Trillian.
    - I often also wonder whether the Task Intel PTT EK Recertification might have something to do with it but only because I have found it impossible to delete this task for much longer than the blink of an eye.

    Q7 Given that I don't use any syncing, I might invesigate disabling OneSyncSvc_dc6c4 / Sync Host_dc6c4 in Services [I have never had to disable a service before]. But, given that you have done all this work, I would be quite happy to stick without any changes for now if future reoccurances might provide further data for you. What would be useful for you?

    A suggestion
    Given that Wptasks is a console application, you might usefully tell people that one way they can run it is by
    1 Creating a shortcut to the exe file, then
    2 Adding-cmd.exe /k-to the start of the Target field in the shortcut's properties - so they end up with something like
    cmd.exe /k D:\Desktop\WpTasks\WpTasks.exe
    [which Windows later changes to C:\Windows\System32\cmd.exe /k D:\Desktop\WpTasks\WpTasks.exe but that's not a problem].

    Denis
    Last edited by Try3; 27 May 2020 at 00:19.
      My Computer


  4. Posts : 21
    Windows 10
    Thread Starter
       #4

    To RickC. Thanks for the feedback and excellent screenshots! Is it ok to use them for reference points for other users?

    Cheers
    Andy Bruin
      My Computer

  5. Try3's Avatar
    Posts : 4,589
    Windows 10 Home x64 Version 1909 Build 18363.900
       #5

    Andy,

    I've deleted my Q1 above. I had no running instances before using Wptasks.exe. I must have mis-read something but have now read through each instance for the last 30 days again and the last one stopped yesterday.

    Denis
      My Computer


  6. Posts : 21
    Windows 10
    Thread Starter
       #6

    To TryC,

    Thanks for your great feedback and excellent screen shots. I will try to answer every point but if I miss something please follow up.

    Please understand the following answer is also directed also to other users who will read this and don't have the understanding you do and hence is more detailed than you probably need.

    Firstly the details of the SimpleActivityScheduleTimer_{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} task that you found are a bit involved. There's more info at the following link but I will summarise here.

    https://answers.microsoft.com/en-us/...e-5815f2a2604e

    The xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx part of SimpleActivityScheduleTimer_{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} is a seemingly a random GUID that is generated for each instance so it will change for every reboot. The GUID is actually time based but to observers looks random.

    One point I should highlight to avoid confusion is that the "Task Status" section of the Task Scheduler is actually a log which may have been inappropriately named. It includes a log of all these tasks that have run in the selected time period. Therefore you may see multiple tasks of this naming type here depending on how many times you have rebooted in that time period as long as each reboot is 12 hours more than the last reboot. In fact my screenshot in my first post in this thread shows two such tasks both reporting as running. However in reality only one is scheduled to run and the other earlier one was from a previous reboot and no longer exists. For the record when I first saw this I was confused as you are with what is displayed in the "Task Status" section.

    The "Task Active" section of the "Task Scheduler" seems to include tasks that are actively running. Not task schedules that are enabled. For the record I have never seen any of these types of task in this section but this is probably because this process only executes every 12hrs for a short period of time.

    The SimpleActivityScheduleTimer schedule task is initiated by the Sync_Host Windows service (OneSyncSvc). It is a legit Windows task that has something to do with OneSyncSvc /ActiveSync which is probably a cleanup of this every 12 hours. However I haven't investigated this so I don't know for sure. Both you and RickC (above) have excellent screen shots of this service.

    I should be a little bit more explicit in my README.TXT that deleting the task only deletes the task schedule and doesn't stop another program reinstating it which will be case here after a reboot.

    The answers to each of your questions follows. Some parts are also repeated from above.

    Q1 How can I stop the running instances of the unknown task? I thought that was what your utility would do but they are still running. I have not yet rebooted because I have been busy writing this post.

    As you have found using the delete option of my program "WpTasks.exe /d GUID" does delete the task schedule. The task instances shown in the Task Scheduler "Task Status" section as explained above are really logs of these task instances and actually don't represent running instances although it appears this way. Running instances are actually shown in the "Active Tasks" section of the Task Scheduler.

    Q3 Where do you want me to look to find relevant "schedule names"? There is no reference to SimpleActivityScheduleTimer in my Task scheduler or anywhere else that I have been able to find.

    The "schedule names" are shown in the output of the default blank "WpTasks.exe" as shown in RickC screen shot above. However I realise you are talking about the logged tasks in the Task Scheduler "Task Status" section which actually no longer exist as explained in the last question.

    Q4 I do not know whether to expect a reoccurence i.e. new instances of the unknown task appearing. What do you think?

    The SimpleActivityScheduleTimer schedule task will appear again in the Task Scheduler "Task Status" section 12 hrs after a reboot with as a new random GUID {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} . However you don't have to wait that long to confirm it exists as WpTasks.exe will show it straight away after a reboot.

    Q5 Was it some malfunction of part of the services you mention / some combination of particular circumstances that caused the unknown task to start in the first place?

    Initially me and Greg McCormack as well as yourself and others suspected that this may be the case. However on digging further I found the SimpleActivityScheduleTimer schedule task is enabled on initialisation and restarts of the Sync_Host (OneSyncSrv) service on all observed versions of the Windows 10 operating system regardless of whether anything is synced or not. It isn't a malfunction. I have confirmed this on a vanilla (new) laptop. You can somewhat confirm this by deleting the task schedule using "WpTasks.exe /d GUID" and restarting the Sync_Host service using the Services app (Services.exe) and rerunning WpTasks.exe to confirm.

    Q6 I have never used any syncing. Have you discovered any indications that other applications use the guilty services [possibly improperly] and that they might therefore have been the trigger for the whole thing?
    - I had installed & run an Intel utility [Driver & Support Assistant] the day this started happening.
    - This might also explain why others found that their problem started with Trillian.
    - I often also wonder whether the Task Intel PTT EK Recertification might have something to do with it but only because I have found it impossible to delete this task for much longer than the blink of an eye.


    As mentioned in the answer to Q5 the SimpleActivityScheduleTimer task schedule is enabled on every reboot. It just takes 12hrs to appear in the log. Hence the reason so many people including you and me suspected something else.

    OneSyncSvc/ActiveSync when in use may create other {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} tasks other than SimpleActivityScheduleTimer with the ActionName JD_TaskSchedulerSchedule_{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} which is one of the things I'm asking users to report if revealed by WpTasks.exe.

    Q7 Given that I don't use any syncing, I might investigate disabling OneSyncSvc_dc6c4 / Sync Host_dc6c4 in Services [I have never had to disable a service before]. But, given that you have done all this work, I would be quite happy to stick without any changes for now if future reoccurances might provide further data for you. What would be useful for you?

    There is no need to disable this service unless you want to stop the following things from syncing. It doesn't cause any problems otherwise.

    1) Windows Phone
    2) Exchange Mail Servers if using Exchange ActiveSync
    3) Outlook Live
    4) Windows Instagram app
    5) Other apps that use ActiveSync to sync (None others so far confirmed other than above)

    Originally we (me and Greg McCormack) thought OneDrive was using it but this turned out to be not the case and was just confusion with an OneDrive app that was named OneSync.

    More info about this under the ActiveSync underlined heading in the sixth post in the link below.

    https://answers.microsoft.com/en-us/...e-5815f2a2604e

    A suggestion
    Given that Wptasks is a console application, you might usefully tell people that one way they can run it is by
    1 Creating a shortcut to the exe file, then
    2 Adding-cmd.exe /k-to the start of the Target field in the shortcut's properties - so they end up with something like
    cmd.exe /k D:\Desktop\WpTasks\WpTasks.exe
    [which Windows later changes to C:\Windows\System32\cmd.exe /k D:\Desktop\WpTasks\WpTasks.exe but that's not a problem].


    Excellent suggestion! I sometimes forget that most people on these forums have no idea of the good ol days when the ms-dos command line was the first thing to display after a reboot! I will add info to the README.TXT on how to simply invoke this program which will incorporate this.

    Thanks Denis for you excellent feedback. I will incorporate some of the info above into the README.TXT to make it easy to understand especially about the very confusing "Task Status" section in the Task Scheduler. Also I'm thinking of a little manual in html or pdf to include in the download zip with some of this info and maybe your screen shots. Is that ok with you?

    Cheers
    Andy Bruin

    - - - Updated - - -

    Try3 said:
    Andy,

    I've deleted my Q1 above. I had no running instances before using Wptasks.exe. I must have mis-read something but have now read through each instance for the last 30 days again and the last one stopped yesterday.

    Denis
    Hi Denis,

    I read this before my last reply. Despite your subsequent observances this was an excellent question as it highlighted the confusing "Task Status" section of the Windows Task Scheduler section so I was happy to answer it anyway.

    Cheers
    Andy Bruin

    PS Somehow this reply got deleted when I edited my last reply so I have reposted it.
      My Computer

  7. Try3's Avatar
    Posts : 4,589
    Windows 10 Home x64 Version 1909 Build 18363.900
       #7

    Andy,

    Thanks for those applications. [I had already seen your MSA forum posts]

    One question that occurs to me is why doesn't everybody have these sort-of-tasks in their Task status section? Does everybody else reboot every 11 hours?

    I might add a wptasks.exe section into an existing checker that runs on every reboot.
    1 Run wptasks with output sent to a text file
    2 Read the GUID from the text file
    4 If the GUID is found, re-run wptasks with the /d switch to delete that GUID
    I believe that I am not suffering any harm from these sort-of-tasks so this routine would not make any real difference.


    Denis
      My Computer

  8. Bree's Avatar
    Posts : 15,953
    10 Home x64 (2004) (10 Pro on 2nd pc)
       #8

    Same behaviour seen in 1909 (Pro) and 2004 (Home, release preview)

    Hidden Task Revealer-image.png
      My Computers


  9. Posts : 21
    Windows 10
    Thread Starter
       #9

    Try3 said:
    Andy,

    Thanks for those applications. [I had already seen your MSA forum posts]

    One question that occurs to me is why doesn't everybody have these sort-of-tasks in their Task status section? Does everybody else reboot every 11 hours?

    Hi Denis,

    Many people do shutdown their computer every time they stop using it. I think this is probably to make it last longer but power on is generally the most stressful time for components so turning on and off the computer often can reduce it's life!

    Also most switches are also designed to last a certain amount of presses before they go kaput so also don't press that power on/off button too many times :).

    My partner is one of these. The vanilla laptop is hers and it took me ages to convince her to leave it on 12 hours just to confirm that it wasn't something else initiating this scheduled task.

    One other reason is that not many people know the Task Scheduler exists so there isn't much info on the net.

    However the main reason is that you need to enable the log ("Enable All Task History" option on the right pane in the task Scheduler) to see the tasks in the "Task Status" section. Probably very few people have done this and this reminds me that I need to incorporate this into the readme/manual too.

    I might add a wptasks.exe section into an existing checker that runs on every reboot.
    1 Run wptasks with output sent to a text file
    2 Read the GUID from the text file
    4 If the GUID is found, re-run wptasks with the /d switch to delete that GUID
    I believe that I am not suffering any harm from these sort-of-tasks so this routine would not make any real difference.


    Denis
    One of the reasons I wrote a command line app first was so it could be incorporated into a script. The default basic output text can be easily filtered to get the appropriate variables which can be used to get more info on tasks which match. My basic idea wasn't to nuke the SimpleActivityScheduleTimer task schedule (which is a Microsoft task and hence is likely harmless) but other unknown tasks.

    One thing that you will need to do is to have a delay in your startup script to give time for originating programs to initialise and add such tasks to this scheduler. Maybe having it run periodically to check could also be a good idea.

    Finally since I don't know what the SimpleActivityScheduleTimer task schedule actually does I can't say whether nuking it will be trouble free but given that it never runs on most peoples computer who never have it on for more than 12 hours I think it probably wont cause a problem.

    Cheers
    Andy Bruin
      My Computer

  10. Cr00zng's Avatar
    Posts : 663
    Windows 10 64-bits
       #10

    Andy Bruin said:
    This task isn't revealed on any of the other task scheduler subitems.

    Cheers
    Andy Bruin
    I'll need to dig in to this deeper, but off the cuff question...

    Wait, a hidden task running periodically?

    Coupling this with hidden files looks scary, may even turn out to be an attack vector for malware, if it is not already.
      My Computer


 

Related Threads
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd
All times are GMT -5. The time now is 01:06.
Find Us




Windows 10 Forums