# PCS Toolkit - Scheduled Tasks Audit # Full audit of all scheduled tasks $timestamp = Get-Date -Format "yyyy-MM-dd_HH-mm-ss" $outputFile = "$env:USERPROFILE\Desktop\ScheduledTasks_$timestamp.txt" $csvFile = "$env:USERPROFILE\Desktop\ScheduledTasks_$timestamp.csv" function Log($msg) { Write-Host $msg Add-Content $outputFile $msg } Log "========================================" Log " PCS Toolkit - Scheduled Tasks Audit" Log "========================================" Log "Generated: $(Get-Date)" Log "Computer: $env:COMPUTERNAME" Log "" $tasks = Get-ScheduledTask | ForEach-Object { $task = $_ $info = Get-ScheduledTaskInfo $task -EA SilentlyContinue [PSCustomObject]@{ TaskPath = $task.TaskPath TaskName = $task.TaskName State = $task.State Author = $task.Author RunAsUser = $task.Principal.UserId Triggers = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace 'MSFT_Task', '' }) -join '; ' Actions = ($task.Actions | ForEach-Object { if ($_.Execute) { "$($_.Execute) $($_.Arguments)" } elseif ($_.ClassId) { "COM: $($_.ClassId)" } }) -join '; ' LastRun = $info.LastRunTime LastResult = $info.LastTaskResult NextRun = $info.NextRunTime } } # Export to CSV $tasks | Export-Csv $csvFile -NoTypeInformation Log "Total Tasks: $($tasks.Count)" Log " Running: $(($tasks | Where-Object { $_.State -eq 'Running' }).Count)" Log " Ready: $(($tasks | Where-Object { $_.State -eq 'Ready' }).Count)" Log " Disabled: $(($tasks | Where-Object { $_.State -eq 'Disabled' }).Count)" Log "" Log "=== NON-MICROSOFT TASKS ===" $nonMs = $tasks | Where-Object { $_.Author -notlike '*Microsoft*' -and $_.TaskPath -notlike '\Microsoft\*' -and $_.State -ne 'Disabled' } foreach ($t in $nonMs) { Log "" Log "Task: $($t.TaskPath)$($t.TaskName)" Log " Author: $($t.Author)" Log " Run As: $($t.RunAsUser)" Log " Triggers: $($t.Triggers)" Log " Action: $($t.Actions)" Log " Last Run: $($t.LastRun) (Result: $($t.LastResult))" } Log "" Log "=== TASKS WITH FAILED LAST RUN ===" $failed = $tasks | Where-Object { $_.LastResult -ne 0 -and $_.LastResult -ne $null -and $_.State -eq 'Ready' } foreach ($t in $failed | Select-Object -First 20) { Log " $($t.TaskName) - Result: $($t.LastResult)" } Log "" Log "=== BOOT/LOGON TRIGGERED TASKS ===" $bootLogon = $tasks | Where-Object { $_.Triggers -match 'Boot|Logon' -and $_.State -ne 'Disabled' } foreach ($t in $bootLogon) { Log " [$($t.Triggers)] $($t.TaskName)" Log " Action: $($t.Actions)" } Log "" Log "========================================" Log "AUDIT COMPLETE" Log "========================================" Log "CSV Export: $csvFile" explorer.exe "/select,$csvFile" Read-Host "Press Enter to exit"