High Risk | Windows | Legitimate | Commonly Abused
taskeng.exe | SYSTEM PROCESS
taskeng.exe / taskhostw.exe - Task Scheduler Security Analysis
taskeng.exe (Vista/7) and taskhostw.exe (8+) execute scheduled tasks. **Scheduled tasks are a top persistence mechanism**. Monitor Event ID 4698 for task creation and unusual child processes.
Risk Summary
HIGH priority for persistence. Monitor Security Event ID 4698 (task created), unusual task binary paths, and encoded PowerShell in task actions.
Overview
What is taskeng.exe?
taskeng.exe (Vista/7) and taskhostw.exe (8+) execute scheduled tasks.
Security Significance
- Persistence: Tasks survive reboots
- Privilege Options: Can run as SYSTEM
- Remote Creation: Tasks can be created remotely
Normal Behavior
| Property | Expected Value |
|---|---|
| Path | C:\Windows\System32\taskeng.exe |
| Path (8+) | C:\Windows\System32\taskhostw.exe |
| Parent | svchost.exe (Schedule service) |
Common Locations
C:\Windows\System32\taskeng.exe
C:\Windows\System32\taskhostw.exe
Suspicious Indicators
| Indicator | Risk |
|---|---|
| Task binary in Temp/Users | CRITICAL |
| Encoded PowerShell in task | CRITICAL |
| Hidden tasks (SD property) | HIGH |
| Recently created tasks | MEDIUM |
Abuse Techniques
Attack Techniques
Persistence via Scheduled Tasks
schtasks /create /tn "Updater" /tr "C:\Temp\malware.exe" /sc onlogon
Encoded Command Execution
schtasks /create /tn "Task" /tr "powershell -enc JAB..." /sc daily
Detection Guidance
Detection
Event ID 4698 - New task created
Event ID 106 (Task Scheduler) - Task registered
Key Detection Rules
Task ImagePath CONTAINS (Temp|Users|AppData) → ALERT
Task Command CONTAINS "-enc" → ALERT
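The two rules above, applied to the task-definition XML that Event ID 4698 carries in its TaskContent field. This is an added example, not code from the original page. It goes beyond the literal "-enc" match by also catching the other abbreviations PowerShell accepts for -EncodedCommand; the rule names, the environment-variable path forms and the sample tasks are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of Task Scheduler task definitions (Event 4698 TaskContent, exported task XML).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Page rule 1: binary under Temp, Users or AppData. Env-var forms are an added assumption.
USER_PATH = re.compile(
    r"\\(temp|users|appdata)\\|%(temp|tmp|appdata|localappdata|userprofile)%", re.I)

def is_encoded_flag(token):
    """True for -EncodedCommand or an abbreviation PowerShell accepts (-e, -ec, -enc, ...)."""
    t = token.lower()
    return t == "-ec" or (len(t) >= 2 and "-encodedcommand".startswith(t))

def findings(task_xml):
    """Return the names of the rules that fire on one task definition."""
    hits = []
    for ex in ET.fromstring(task_xml).findall("t:Actions/t:Exec", NS):
        command = ex.findtext("t:Command", "", NS).strip().strip('"')
        # Join both fields so the flag is found wherever the task author put it.
        cmdline = command + " " + ex.findtext("t:Arguments", "", NS)
        if USER_PATH.search(command):
            hits.append("user-writable-path")
        is_ps = re.search(r"powershell|pwsh", cmdline, re.I)
        if is_ps and any(is_encoded_flag(tok) for tok in cmdline.split()):
            hits.append("encoded-powershell")
    return hits

def task(command, arguments=""):
    """Build a minimal, constructed task definition for the demo below."""
    return (f'<Task xmlns="{NS["t"]}"><Actions><Exec>'
            f"<Command>{command}</Command><Arguments>{arguments}</Arguments>"
            "</Exec></Actions></Task>")

# Constructed samples; PLACEHOLDER stands in for a Base64 payload.
SAMPLES = {
    "Updater": task(r"C:\Temp\malware.exe"),
    "Task": task("powershell", "-enc PLACEHOLDER"),
    "Short": task("powershell.exe -NoP -e PLACEHOLDER"),
    "Defrag": task(r"C:\Windows\System32\defrag.exe", "-c -h"),
}

if __name__ == "__main__":
    for name, xml in SAMPLES.items():
        print(f"{name:8} {findings(xml) or 'ok'}")
```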
Remediation Steps
- Review task definitions
- Check task binary signatures
- Remove malicious tasks
- Enable task creation auditing
Investigation Checklist
- Review Event ID 4698
- Check task binary paths
- Look for encoded commands
- Verify task signatures
- Hunt for hidden tasks
MITRE ATT&CK Techniques
Last verified: January 18, 2026