Gizmos Freeware Reviews  

Old 10. Aug 2011, 11:39 PM   #1 (permalink)
Editor
 
Join Date: Dec 2008
Location: Space
Posts: 368
How to Prevent Stealthily Scheduled Tasks?

After Vista and Windows 7 came out with an annoying User Account Controller (UAC), many programs that run automatically at startup started getting blocked by the UAC and required user interaction to allow them to run automatically.

So if CCleaner was set to run at every startup, you would have to grant it special permission to run every startup -- very annoying. But you can schedule CCleaner to run at startup from the Task Scheduler (in the control panel) to bypass the UAC prompts (is this a hole in UAC's armor?).

It was probably overkill for the UAC to block programs from autorunning to begin with. It was annoying to users, who were more apt to figure out what this UAC thing was and more importantly how to turn it off.

To avoid this problem with the UAC prompts, many good programs are bypassing the UAC by automatically scheduling themselves in the Task Scheduler. I've noticed two programs do this so far and I'm sure many others do as well. From personal experience, Secunia PSI and Backup Maker both use this technique.

Startup managers are behind the times in this post-UAC world. They rarely emphasize scheduled tasks in the same way they do traditional automatic startups. You can't simply uncheck a scheduled task in CCleaner, Glary, WinPatrol, and Revo Uninstaller. A rare one that does is Autoruns, but it's more for advanced users.

Oddly enough Windows Defender is ahead of the competition by being the only one to proactively block automatically scheduled tasks in real-time. Take that lite little WinPatrol! Since most simple startup managers are behind the times and are turning into dinosaurs, the main way to disable a scheduled task is in the Windows Task Scheduler.

However, if these stealthily scheduled tasks irk you a bit, as they do me, you can pull out the big guns and use the Local Group Policy Editor in Windows XP, Server 2000, or Server 2003 only.

1. Click "run" from the start menu and type gpedit.msc

2. Under 'Computer Configuration' click down through 'Administrative Templates' > 'Windows Components' > 'Task Scheduler' and double click on 'Prohibit New Task Creation'

I verified that it doesn't work in Vista, and it would require you to change the setting every time you want to create a new task.

Since the Group Policy let me down, I'm still looking for a solution to this without changing over from WinPatrol to the mammoth Windows Defender...
__________________
Live long and prosper.

Last edited by Rizar; 10. Aug 2011 at 11:45 PM.
Old 11. Aug 2011, 01:26 AM   #2 (permalink)
eyeb
Senior Member
Join Date: Sep 2010
Location: Planet X
Posts: 487

This is kind of an odd roundabout way, but I use Process Hacker and have it notify me of all new/started/ended processes and services.

To avoid popups from daily use, I can set exceptions to have it ignore what I use. I do this by having it log my computer use for a while, a few days, and then I manually add them to exceptions. It would be nice if I could do it more automatically, but this works too. And then I update as I install new software, etc. Anyway, it won't notify me if a virus takes over these exceptions, except I've set those files to be protected a bit more by Sandboxie/Avira/locked protection. So I'm fairly confident that those files are safe.

This isn't the same as HIPS, but it's my version of HIPS without running a real HIPS. Since it's user recognition (brain power), I like it more than software protection.
Old 11. Aug 2011, 02:13 AM   #3 (permalink)
J_L
Co-Author, Best Free Security List
 
Join Date: Dec 2008
Posts: 1,475

Windows Defender in 7 isn't ahead. It's only an anti-spyware application, with none of the extras offered before with Advanced Membership.

WinPatrol does work at monitoring Scheduled Tasks, but only on XP ones.

Personally, I've done this: http://www.howtogeek.com/howto/windo...strators-only/
It actually keeps UAC enabled, except for the prompts.
Old 11. Aug 2011, 04:52 PM   #4 (permalink)
Editor
 
Join Date: Dec 2008
Location: Space
Posts: 368

Yeah, it looks like Windows Defender is not a solution either. The last time I checked it detected changes to the task scheduler, but it doesn't anymore. It still detects autostart programs like CCleaner, but Secunia is easily able to stealthily set itself to autorun (by the task scheduler) without permission.

I wish WinPatrol had this ability to detect scheduled tasks in Vista and above. It seems like a major hole in its armor.

Why worry about detecting autostart programs at all when many programs are using the Task Scheduler to become an autostart program?

It seems like some sort of prehistoric fetish against autostart programs. If you check for autostart programs, you ought to check for autostart tasks. Otherwise you ignore the post-UAC landscape.

Even for us who reduce the UAC, we still get affected by users who don't. Program makers can use the task scheduler to autostart their programs and thus completely avoid the checks in programs like WinPatrol and, the newly castrated, Windows Defender.

To be consistent, resident startup managers might as well ignore autostart programs.
__________________
Live long and prosper.

Last edited by Rizar; 11. Aug 2011 at 05:04 PM.
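
An added example, not part of any post above: one way to check for the "autostart tasks" this thread discusses is to parse the XML task definitions that Vista and later use (for instance as exported with `schtasks /query /xml`) and report enabled boot or logon tasks that are not in a reviewed baseline, in the spirit of the exception list described in post #2. The task names, commands and baseline below are constructed sample data, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Namespace of Task Scheduler 2.0 task definitions (Vista and later).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
AUTOSTART_TRIGGERS = ("BootTrigger", "LogonTrigger")

def summarize_task(xml_text):
    """Extract the fields that decide whether a task is an autostart entry."""
    root = ET.fromstring(xml_text)
    return {
        "triggers": [el.tag.split("}")[1] for el in root.findall("t:Triggers/*", NS)],
        "run_level": root.findtext("t:Principals/t:Principal/t:RunLevel", "LeastPrivilege", NS),
        "enabled": root.findtext("t:Settings/t:Enabled", "true", NS).strip() == "true",
        "commands": [c.text for c in root.findall("t:Actions/t:Exec/t:Command", NS)],
    }

def audit(tasks, baseline):
    """Report enabled boot/logon tasks whose names are not in the reviewed baseline."""
    findings = []
    for name in sorted(tasks):
        info = summarize_task(tasks[name])
        auto = [t for t in info["triggers"] if t in AUTOSTART_TRIGGERS]
        if name in baseline or not auto or not info["enabled"]:
            continue
        findings.append({"name": name, "triggers": auto, "commands": info["commands"],
                         # HighestAvailable: runs with the user's highest privileges, no UAC prompt
                         "elevated": info["run_level"] == "HighestAvailable"})
    return findings

def sample_task(trigger, run_level, command):
    """Build a constructed task definition (sample data for this example only)."""
    return f"""<Task version="1.2" xmlns="{NS['t']}">
  <Triggers><{trigger}><Enabled>true</Enabled></{trigger}></Triggers>
  <Principals><Principal id="Author"><RunLevel>{run_level}</RunLevel></Principal></Principals>
  <Settings><Enabled>true</Enabled></Settings>
  <Actions Context="Author"><Exec><Command>{command}</Command></Exec></Actions>
</Task>"""

# Constructed inventory: task name -> XML definition.
SAMPLE_TASKS = {
    r"\ExampleUpdater": sample_task("LogonTrigger", "HighestAvailable", r"C:\Program Files\ExampleUpdater\updater.exe"),
    r"\ExampleCleaner": sample_task("LogonTrigger", "LeastPrivilege", r"C:\Program Files\ExampleCleaner\clean.exe"),
    r"\ExampleWeekly": sample_task("CalendarTrigger", "LeastPrivilege", r"C:\Tools\weekly.exe"),
}
BASELINE = {r"\ExampleCleaner"}  # tasks already reviewed and accepted

if __name__ == "__main__":
    for finding in audit(SAMPLE_TASKS, BASELINE):
        print(finding)
```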

All times are GMT +1. The time now is 10:38 AM.