Windows Event ID 4698 – Microsoft-Windows-Security-Auditing: Scheduled Task Created

Event ID 4698 logs when a new scheduled task is created on Windows systems. This security audit event helps administrators track task creation for compliance and security monitoring purposes.

Emanuel DE ALMEIDA
18 March 2026 | 12 min read
Event Reference

What This Event Means

Windows Event ID 4698 is generated by the Microsoft-Windows-Security-Auditing provider when the Windows Task Scheduler service creates a new scheduled task. This event is part of the security auditing framework introduced to provide comprehensive logging of system changes that could impact security posture.

The event contains rich metadata including the security identifier (SID) of the user who created the task, the task name, task path, and the complete task definition in XML format. This XML definition includes execution parameters, triggers, actions, and security context information. The event timestamp reflects when the task was registered with the Task Scheduler service, not when it will execute.

From a security perspective, this event is invaluable for detecting unauthorized task creation, which is a common persistence technique used by malware families and advanced persistent threats. Legitimate administrative tasks and system maintenance tasks also generate this event, making baseline understanding crucial for effective monitoring. The event helps organizations maintain audit trails for compliance frameworks like SOX, HIPAA, and PCI-DSS that require tracking of system configuration changes.

The event does not record which tool registered the task (Task Scheduler GUI, the PowerShell cmdlets or schtasks.exe): all of them call the same Task Scheduler service interface and produce an identical 4698. Recent Windows builds add process-context fields to the event (ClientProcessId and ParentProcessId, among others) that can be correlated with process creation auditing (Event ID 4688, or Sysmon Event ID 1) to identify the creating process; on older builds only the subject account and its logon ID are available.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Administrator creating scheduled tasks through Task Scheduler MMC snap-in
  • PowerShell scripts using New-ScheduledTask, Register-ScheduledTask cmdlets
  • Command-line task creation using schtasks.exe utility
  • Software installations registering maintenance or update tasks
  • Windows system creating built-in maintenance tasks during updates
  • Malware establishing persistence through scheduled task creation
  • Group Policy deploying scheduled tasks across domain computers
  • Third-party applications registering background service tasks
  • System restore operations recreating previously deleted tasks
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the event details to understand what task was created and by whom.

  1. Open Event Viewer by pressing Win+R, typing eventvwr.msc
  2. Navigate to Windows Logs → Security
  3. Filter for Event ID 4698 by right-clicking Security log → Filter Current Log
  4. Enter 4698 in the Event IDs field and click OK
  5. Double-click on a 4698 event to view details
  6. Review the General tab for basic information including Subject (who created it) and Task Name
  7. Click the Details tab and select XML View to see the complete task definition
  8. Look for suspicious execution paths, unusual triggers, or tasks created by unexpected users
Pro tip: The XML data contains the complete task definition. Look for PowerShell execution, unusual file paths, or tasks running as SYSTEM that weren't created by administrators.
02

Query Events with PowerShell

Use PowerShell to efficiently query and analyze scheduled task creation events across time ranges.

  1. Open PowerShell as Administrator
  2. Query recent task creation events:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4698} -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
  3. Filter events by specific user or time range:
    $StartTime = (Get-Date).AddDays(-7)
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4698; StartTime=$StartTime}
    $Events | ForEach-Object {
        $XML = [xml]$_.ToXml()
        [PSCustomObject]@{
            TimeCreated = $_.TimeCreated
            User = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
            TaskName = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'TaskName'} | Select-Object -ExpandProperty '#text'
            TaskContent = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'TaskContent'} | Select-Object -ExpandProperty '#text'
        }
    }
  4. Export results for analysis:
    $Events | Export-Csv -Path "C:\Temp\ScheduledTaskCreation.csv" -NoTypeInformation
Warning: Large environments may generate thousands of these events. Use time filters and consider performance impact when querying extended date ranges.
03

Analyze Task Content and Validate Legitimacy

Examine the actual scheduled task configuration to determine if it represents legitimate activity or potential security threat.

  1. Extract task XML content from the event and save to file:
    $Event = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4698} -MaxEvents 1
    $XML = [xml]$Event.ToXml()
    $TaskXML = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'TaskContent'} | Select-Object -ExpandProperty '#text'
    $TaskXML | Out-File -FilePath "C:\Temp\TaskDefinition.xml"
  2. Open the XML file and examine key elements:
    • Actions: Look for PowerShell, cmd.exe, or suspicious executables
    • Triggers: Check for unusual timing or system event triggers
    • Principal: Verify the security context (SYSTEM, specific users)
    • Settings: Review execution limits and failure handling
  3. Cross-reference with current scheduled tasks:
    Get-ScheduledTask | Where-Object {$_.TaskName -like "*SuspiciousName*"} | Get-ScheduledTaskInfo
  4. Check task execution history (the TaskScheduler/Operational log is disabled by default on current Windows releases; step 4 enables it, and only executions after that point are recorded):
    Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-TaskScheduler/Operational'; Id=200,201} | Where-Object {$_.Message -like "*TaskName*"}
  5. Validate file paths and digital signatures of executables referenced in task actions
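The following script is an added example (editor's code, not from the original article) that automates the review described in this step: it parses a 4698 event, extracts the TaskContent definition and flags the indicators a practitioner checks first (interpreters and LOLBins in Actions, encoded or hidden PowerShell arguments, executables in user-writable paths, a SYSTEM principal registered by an ordinary account, the Hidden setting, logon/boot triggers). The sample event, the regular expressions and the scoring are assumptions to tune against your own baseline; the same check is what the FAQ on legitimate versus malicious tasks asks you to do by hand.

```powershell
# Added example (editor's, not code from the original article): triage the TaskContent field
# of a 4698 event as step 3 describes. The event XML below is a constructed sample; on a live
# host pass (Get-WinEvent ...).ToXml() output instead. Patterns are assumptions to tune.
$Sample4698 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4698</EventID>
    <TimeCreated SystemTime="2026-03-18T02:13:45.000Z"/><Computer>WKS01.corp.example</Computer></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1111-2222-3333-1105</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x3e7a1</Data>
    <Data Name="TaskName">\Updater</Data>
    <Data Name="TaskContent">&lt;?xml version="1.0" encoding="UTF-16"?&gt;&lt;Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"&gt;&lt;Triggers&gt;&lt;LogonTrigger&gt;&lt;Enabled&gt;true&lt;/Enabled&gt;&lt;/LogonTrigger&gt;&lt;/Triggers&gt;&lt;Principals&gt;&lt;Principal id="Author"&gt;&lt;UserId&gt;S-1-5-18&lt;/UserId&gt;&lt;RunLevel&gt;HighestAvailable&lt;/RunLevel&gt;&lt;/Principal&gt;&lt;/Principals&gt;&lt;Settings&gt;&lt;Hidden&gt;true&lt;/Hidden&gt;&lt;/Settings&gt;&lt;Actions Context="Author"&gt;&lt;Exec&gt;&lt;Command&gt;C:\Users\Public\svchost.exe&lt;/Command&gt;&lt;/Exec&gt;&lt;Exec&gt;&lt;Command&gt;powershell.exe&lt;/Command&gt;&lt;Arguments&gt;-nop -w hidden -enc SQBFAFgA&lt;/Arguments&gt;&lt;/Exec&gt;&lt;/Actions&gt;&lt;/Task&gt;</Data>
  </EventData>
</Event>
'@

# Indicators (assumed heuristics): LOLBin/interpreter commands, evasive PowerShell switches, user-writable paths
$Interpreters  = '(?i)(^|\\)(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin)(\.exe)?$'
$PsEvasionArgs = '(?i)(-e(c|nc|ncodedcommand)?\s|-w(indowstyle)?\s+hidden|-nop\b|downloadstring|\biex\b)'
$WritablePaths = '(?i)\\(users|temp|appdata|programdata|public)\\'

function Get-EventDataField {
    param([xml]$EventXml, [string]$Name)
    # GetAttribute sidesteps the clash between the Name attribute and XmlElement.Name
    foreach ($d in $EventXml.Event.EventData.Data) {
        if ($d.GetAttribute('Name') -eq $Name) { return $d.InnerText }
    }
}

function Invoke-TaskContentTriage {
    param([Parameter(Mandatory)][string]$EventXmlText)
    $ev = [xml]$EventXmlText
    # TaskContent is the full task definition with its own XML declaration; drop it before re-parsing
    $task = [xml]((Get-EventDataField $ev 'TaskContent') -replace '^\s*<\?xml[^>]*\?>', '')
    $ns = New-Object System.Xml.XmlNamespaceManager($task.NameTable)
    $ns.AddNamespace('t', 'http://schemas.microsoft.com/windows/2004/02/mit/task')
    $findings = New-Object System.Collections.Generic.List[string]

    # Actions: what runs, with which arguments, from where
    $actions = foreach ($exec in $task.SelectNodes('//t:Actions/t:Exec', $ns)) {
        $cmd = $exec.SelectSingleNode('t:Command', $ns).InnerText
        $argNode = $exec.SelectSingleNode('t:Arguments', $ns)
        $argText = if ($argNode) { $argNode.InnerText } else { '' }
        if ($cmd -match $Interpreters)      { $findings.Add("interpreter/LOLBin action: $cmd") }
        if ($argText -match $PsEvasionArgs) { $findings.Add("hidden/encoded PowerShell arguments: $argText") }
        if ($cmd -match $WritablePaths)     { $findings.Add("executable in user-writable path: $cmd") }
        "$cmd $argText".Trim()
    }
    if ($task.SelectNodes('//t:Actions/t:ComHandler', $ns).Count -gt 0) {
        $findings.Add('ComHandler action: resolve the CLSID to its DLL before trusting it')
    }

    # Principal: the context the task runs in, versus the account that registered it
    $principal = $task.SelectSingleNode('//t:Principals/t:Principal', $ns)
    $runAs = $null
    foreach ($tag in 'UserId', 'GroupId') {
        $n = $principal.SelectSingleNode("t:$tag", $ns)
        if ($n -and -not $runAs) { $runAs = $n.InnerText }
    }
    if ($runAs -eq 'S-1-5-18' -and (Get-EventDataField $ev 'SubjectUserSid') -ne 'S-1-5-18') {
        $findings.Add("runs as SYSTEM but was registered by $(Get-EventDataField $ev 'SubjectUserName')")
    }

    # Settings and triggers: a hidden task with a logon/boot trigger is the classic persistence shape
    $hidden = $task.SelectSingleNode('//t:Settings/t:Hidden', $ns)
    if ($hidden -and $hidden.InnerText -eq 'true') { $findings.Add('task is hidden from the Task Scheduler UI') }
    $trigNode = $task.SelectSingleNode('//t:Triggers', $ns)
    $triggers = if ($trigNode) { @($trigNode.ChildNodes | ForEach-Object LocalName) } else { @() }
    if ($triggers -match '^(Logon|Boot)Trigger$') { $findings.Add("persistence trigger: $($triggers -join ', ')") }

    # Task path: "\Name" in the root folder rather than a vendor subfolder is weak on its own, so only note it
    $taskName = Get-EventDataField $ev 'TaskName'
    if (($taskName -split '\\').Count -le 2) { $findings.Add('registered in the root task folder') }

    [pscustomobject]@{
        TimeCreated = $ev.Event.System.TimeCreated.SystemTime
        Computer    = $ev.Event.System.Computer
        Subject     = "$(Get-EventDataField $ev 'SubjectDomainName')\$(Get-EventDataField $ev 'SubjectUserName')"
        TaskName    = $taskName
        RunAs       = $runAs
        Triggers    = $triggers -join ', '
        Actions     = $actions -join ' | '
        Score       = $findings.Count
        Findings    = $findings -join '; '
    }
}

# Triage the constructed sample. On a live host, rank the last 50 creations instead:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4698} -MaxEvents 50 |
#     ForEach-Object { Invoke-TaskContentTriage $_.ToXml() } | Sort-Object Score -Descending | Format-Table
Invoke-TaskContentTriage -EventXmlText $Sample4698 | Format-List
```

The TaskContent XML is parsed with an explicit namespace manager because the task schema declares a default namespace; the `$xml.Task.Actions.Exec` dot-walking that works interactively fails silently inside `SelectNodes` without it. Treat the score as a sort key for analyst attention, not as a verdict: a vendor installer that registers a SYSTEM task with a logon trigger will score several points on its own.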
04

Configure Advanced Monitoring and Alerting

Set up proactive monitoring to detect suspicious scheduled task creation in real-time.

  1. Enable detailed Task Scheduler logging:
    wevtutil sl Microsoft-Windows-TaskScheduler/Operational /e:true
    wevtutil sl Microsoft-Windows-TaskScheduler/Maintenance /e:true
  2. Create a custom Event Viewer view for task creation monitoring:
    • In Event Viewer, right-click Custom Views → Create Custom View
    • Select By log → Windows Logs → Security
    • Add Event ID 4698 and optionally 4699 (task deleted) and 4700 (task enabled)
    • Save as "Scheduled Task Changes"
  3. Set up a PowerShell-based monitoring script (Windows PowerShell 5.1; Register-WmiEvent does not exist in PowerShell 7, where Register-CimIndicationEvent accepts the same query):
    # Save as ScheduledTaskMonitor.ps1 and run it elevated: reading the Security log through WMI needs SeSecurityPrivilege
    if (-not [System.Diagnostics.EventLog]::SourceExists('TaskMonitor')) {
        New-EventLog -LogName Application -Source 'TaskMonitor'   # Write-EventLog needs a registered source (one-time setup)
    }
    # Win32_NTLogEvent is not an event class itself; subscribe to the creation of its instances
    $Query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.LogFile='Security' AND TargetInstance.EventCode=4698"
    Register-WmiEvent -Query $Query -SourceIdentifier 'TaskCreated' -Action {
        $NewEvent = $Event.SourceEventArgs.NewEvent.TargetInstance
        $Message = "New scheduled task created: " + $NewEvent.Message
        Write-EventLog -LogName Application -Source "TaskMonitor" -EventId 1001 -Message $Message -EntryType Warning
        # Add email notification or SIEM integration here
    }
    # The subscription only lives as long as this PowerShell session; Unregister-Event -SourceIdentifier TaskCreated removes it
  4. Configure Windows Event Forwarding (WEF) for centralized collection in enterprise environments
  5. Integrate with SIEM platforms using Windows Event Collector or agent-based forwarding
Pro tip: Create baseline profiles of normal task creation patterns in your environment. Focus alerts on tasks created outside business hours, by non-administrative users, or containing suspicious execution paths.
05

Forensic Analysis and Incident Response

Perform detailed forensic analysis when Event ID 4698 indicates potential security incidents.

  1. Correlate with other security events:
    # Look for related logon events around task creation time
    $TaskEvent = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4698} -MaxEvents 1
    $StartTime = $TaskEvent.TimeCreated.AddMinutes(-30)
    $EndTime   = $TaskEvent.TimeCreated.AddMinutes(30)
    # Keep the results: they go into the report in step 4 (SilentlyContinue avoids an error when nothing matches)
    $RelatedEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625,4648; StartTime=$StartTime; EndTime=$EndTime} -ErrorAction SilentlyContinue
    $RelatedEvents | Format-Table TimeCreated, Id, Message
  2. Extract and analyze task artifacts:
    # Export task definition for forensic analysis
    New-Item -ItemType Directory -Path 'C:\Forensics' -Force | Out-Null
    $XML = [xml]$TaskEvent.ToXml()
    $TaskContent = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'TaskContent'} | Select-Object -ExpandProperty '#text'
    $TaskContent | Out-File "C:\Forensics\Task_$(Get-Date -Format 'yyyyMMdd_HHmmss').xml"
    
    # Check if the task still exists. The event's TaskName is the full path (for example \Vendor\Updater),
    # whereas Get-ScheduledTask takes the folder and the leaf name separately
    $TaskName = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'TaskName'} | Select-Object -ExpandProperty '#text'
    $TaskPath = (Split-Path $TaskName -Parent).TrimEnd('\') + '\'
    Get-ScheduledTask -TaskPath $TaskPath -TaskName (Split-Path $TaskName -Leaf) -ErrorAction SilentlyContinue
  3. Examine file system artifacts:
    • Check task executable locations for suspicious files
    • Review file creation timestamps and digital signatures
    • Analyze parent process that created the task using Process Monitor or similar tools
  4. Document findings and create incident timeline:
    # Generate comprehensive report
    $Report = @{
        EventTime     = $TaskEvent.TimeCreated
        Computer      = $TaskEvent.MachineName
        TaskName      = $TaskName
        CreatedBy     = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
        TaskXML       = $TaskContent
        RelatedEvents = @($RelatedEvents | Select-Object TimeCreated, Id, Message)
    }
    $Report | ConvertTo-Json -Depth 10 | Out-File "C:\Forensics\TaskCreationIncident.json"
  5. Implement containment measures if malicious activity is confirmed:
    • Disable or delete suspicious scheduled tasks
    • Block execution of identified malicious files
    • Reset compromised user credentials
    • Update security policies to prevent similar incidents
Warning: Preserve original event logs and task definitions before making changes. Use proper forensic procedures and maintain chain of custody for potential legal proceedings.
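A time-window search (step 1 above) tells you what else happened around the creation; the stronger link is the logon ID, which the 4698 shares with the 4624 that opened the creator's session, and, on builds whose 4698 carries ClientProcessId, the process ID it shares with the matching 4688. The script below is an added example (editor's code, not from the original article) that performs both joins. The three events are constructed samples; the field names (SubjectLogonId, TargetLogonId, LogonType, IpAddress, NewProcessId, NewProcessName, CommandLine) are the real ones, and the assumption that ClientProcessId is present depends on the Windows build.

```powershell
# Added example (editor's, not code from the original article): tie a 4698 back to the logon
# session that created it and, on builds whose 4698 carries ClientProcessId, to the process.
# All three events below are constructed samples that use the real field names.
function Get-EventDataField {
    param([xml]$EventXml, [string]$Name)
    foreach ($d in $EventXml.Event.EventData.Data) {
        if ($d.GetAttribute('Name') -eq $Name) { return $d.InnerText }
    }
}

function New-SampleEvent {
    param([int]$Id, [string]$Time, [hashtable]$Data)
    $fields = foreach ($k in $Data.Keys) { "<Data Name='$k'>$($Data[$k])</Data>" }
    [xml]"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>$Id</EventID><TimeCreated SystemTime='$Time'/><Computer>WKS01</Computer></System><EventData>$(-join $fields)</EventData></Event>"
}

# Constructed sample: task registered from an RDP session (logon type 10) by a hidden, encoded powershell.exe
$Task4698 = New-SampleEvent 4698 '2026-03-18T02:13:45Z' @{
    SubjectUserSid = 'S-1-5-21-1111-2222-3333-1105'; SubjectUserName = 'jdoe'; SubjectDomainName = 'CORP'
    SubjectLogonId = '0x3e7a1'; TaskName = '\Updater'; ClientProcessId = '6700'; ParentProcessId = '5120'
}
$Logons = @(
    (New-SampleEvent 4624 '2026-03-18T01:58:02Z' @{ TargetUserName = 'jdoe'; TargetDomainName = 'CORP'; TargetLogonId = '0x3e7a1'
        LogonType = '10'; IpAddress = '10.0.0.25'; WorkstationName = 'OPS-LAPTOP'; AuthenticationPackageName = 'Negotiate' }),
    (New-SampleEvent 4624 '2026-03-18T02:10:11Z' @{ TargetUserName = 'SYSTEM'; TargetDomainName = 'NT AUTHORITY'; TargetLogonId = '0x3e7'
        LogonType = '5'; IpAddress = '-'; WorkstationName = '-'; AuthenticationPackageName = 'Negotiate' })
)
$Processes = @(
    (New-SampleEvent 4688 '2026-03-18T02:13:40Z' @{ NewProcessId = '0x1a2c'; SubjectLogonId = '0x3e7a1'
        NewProcessName = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ParentProcessName = 'C:\Windows\explorer.exe'
        CommandLine = 'powershell.exe -nop -w hidden -enc SQBFAFgA' })
)

$LogonTypes = @{ '2'='Interactive'; '3'='Network'; '4'='Batch'; '5'='Service'; '7'='Unlock'
                 '8'='NetworkCleartext'; '9'='NewCredentials'; '10'='RemoteInteractive'; '11'='CachedInteractive' }

function Find-TaskCreator {
    param([xml]$TaskEvent, [xml[]]$LogonEvents, [xml[]]$ProcessEvents = @())
    # 4698 SubjectLogonId equals TargetLogonId of the 4624 that opened the session; logon IDs are unique per boot
    $logonId = Get-EventDataField $TaskEvent 'SubjectLogonId'
    $logon = $null
    foreach ($e in $LogonEvents) { if ((Get-EventDataField $e 'TargetLogonId') -eq $logonId) { $logon = $e; break } }

    # ClientProcessId (decimal) exists only on recent builds; 4688 writes NewProcessId in hex, so compare as integers
    $clientPid = Get-EventDataField $TaskEvent 'ClientProcessId'
    $proc = $null
    if ($clientPid) {
        foreach ($e in $ProcessEvents) { if ([int](Get-EventDataField $e 'NewProcessId') -eq [int]$clientPid) { $proc = $e; break } }
    }
    $lt = if ($logon) { Get-EventDataField $logon 'LogonType' }

    [pscustomobject]@{
        TaskName        = Get-EventDataField $TaskEvent 'TaskName'
        CreatedBy       = "$(Get-EventDataField $TaskEvent 'SubjectDomainName')\$(Get-EventDataField $TaskEvent 'SubjectUserName')"
        LogonId         = $logonId
        LogonType       = if ($logon) { "$lt ($($LogonTypes[$lt]))" } else { 'no matching 4624 supplied' }
        SourceAddress   = if ($logon) { Get-EventDataField $logon 'IpAddress' }
        SourceHost      = if ($logon) { Get-EventDataField $logon 'WorkstationName' }
        CreatingProcess = if ($proc) { Get-EventDataField $proc 'NewProcessName' } elseif ($clientPid) { "PID $clientPid (no 4688 supplied)" } else { 'ClientProcessId not present on this build' }
        ParentProcess   = if ($proc) { Get-EventDataField $proc 'ParentProcessName' }
        CommandLine     = if ($proc) { Get-EventDataField $proc 'CommandLine' }   # requires "Include command line in process creation events"
    }
}

Find-TaskCreator $Task4698 $Logons $Processes | Format-List

# Live usage: search 4624 back to the last boot (logon IDs reset then) and 4688 shortly before the task event
# $t = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4698} -MaxEvents 1
# $boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
# $l = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$boot; EndTime=$t.TimeCreated} | ForEach-Object { [xml]$_.ToXml() }
# $p = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$t.TimeCreated.AddHours(-1); EndTime=$t.TimeCreated} | ForEach-Object { [xml]$_.ToXml() }
# Find-TaskCreator ([xml]$t.ToXml()) $l $p
```

The logon-ID join is what turns "jdoe created a task" into "jdoe's RDP session from 10.0.0.25 created a task", which is usually the first question in an incident. If the 4698 has no ClientProcessId the process join is skipped rather than guessed; in that case fall back to the 4688 events immediately preceding the 4698 under the same SubjectLogonId.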

Overview

Event ID 4698 fires whenever a new scheduled task is created on a Windows system through Task Scheduler, PowerShell, or command-line tools. This security audit event appears in the Security log and provides detailed information about who created the task, when it was created, and the task's configuration details including execution paths and triggers.

The event is part of Windows Advanced Audit Policy Configuration under Object Access auditing. It requires the "Audit Other Object Access Events" policy to be enabled, which is typically configured in enterprise environments for security compliance and monitoring. The event captures both legitimate administrative task creation and potentially malicious scheduled task persistence techniques used by attackers.

This event is crucial for security teams monitoring for persistence mechanisms, as scheduled tasks are commonly used by malware and advanced persistent threats to maintain access to compromised systems. The event provides forensic value by logging the complete task definition in XML format within the event data.

Frequently Asked Questions

What does Event ID 4698 mean and why is it important for security?
Event ID 4698 indicates that a new scheduled task has been created on the Windows system. This event is crucial for security monitoring because scheduled tasks are a common persistence mechanism used by malware and attackers to maintain access to compromised systems. The event logs who created the task, when it was created, and the complete task configuration, providing valuable forensic information for incident response and compliance auditing.
How can I distinguish between legitimate and malicious scheduled task creation events?
Legitimate tasks typically have recognizable names, are created by administrative users during business hours, and execute known system utilities or applications. Malicious tasks often have random or generic names, execute PowerShell with encoded commands, run from unusual locations like temp directories, are created by non-administrative users, or are scheduled to run at suspicious times. Always examine the task XML content for execution paths, command-line arguments, and security context to make this determination.
Why am I not seeing Event ID 4698 in my Security log?
Event ID 4698 requires the 'Audit Other Object Access Events' policy to be enabled in Windows Advanced Audit Policy Configuration. This setting is not enabled by default on workstations. To enable it, run 'auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable' as an administrator, or configure it through Group Policy under Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access.
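Before chasing "missing" events it is worth confirming every prerequisite at once. The script below is an added example (editor's code, not from the original article) that reads the audit subcategory by its GUID rather than its name, so it works on localized systems, checks the SCENoApplyLegacyAuditPolicy override that decides whether advanced subcategory settings beat a conflicting legacy "Audit object access" setting, reports the Security log size and mode, and shows the most recent 4698 recorded. The -Remediate switch applies the auditpol command from this answer. The GUID and the registry value are the standard ones; the verdict wording is mine.

```powershell
# Added example (editor's, not code from the original article): check every prerequisite for
# 4698 before concluding the events are missing. Run elevated: auditpol and the Security log
# need it. The subcategory is addressed by GUID because auditpol's names are localized.
$OtherObjectAccess = '{0CCE9227-69AE-11D9-BED3-505054503030}'   # Object Access > Other Object Access Events

function Test-ScheduledTaskAuditing {
    param([switch]$Remediate)
    # auditpol /r prints CSV with a header line; skip anything that is not a CSV row before parsing
    $row = auditpol /get /subcategory:$OtherObjectAccess /r |
        Where-Object { $_ -match ',' } | ConvertFrom-Csv | Select-Object -First 1
    $setting = $row.'Inclusion Setting'                       # "No Auditing", "Success", "Failure" or "Success and Failure"
    $successAudited = [bool]($setting -match 'Success')       # 4698 is a success event; failure auditing is not needed for it

    # When the legacy category policy is also configured, subcategory settings only win if this value is 1
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $forceSubcategory = $lsa.SCENoApplyLegacyAuditPolicy -eq 1

    # A small or quickly wrapping Security log drops events before anyone looks at them
    $log = Get-WinEvent -ListLog Security
    $last4698 = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4698} -MaxEvents 1 -ErrorAction SilentlyContinue

    if ($Remediate -and -not $successAudited) {
        auditpol /set /subcategory:$OtherObjectAccess /success:enable /failure:enable | Out-Null
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord
    }

    [pscustomobject]@{
        InclusionSetting       = $setting
        SuccessAudited         = $successAudited
        ForceSubcategoryPolicy = $forceSubcategory
        SecurityLogMaxMB       = [math]::Round($log.MaximumSizeInBytes / 1MB)
        SecurityLogMode        = $log.LogMode                  # Circular logs overwrite; AutoBackup/Retain keep history
        SecurityLogRecords     = $log.RecordCount
        Last4698               = if ($last4698) { $last4698.TimeCreated } else { 'none in the current log' }
        Verdict                = if ($successAudited) { '4698 will be written for new tasks' }
                                 else { 'enable Other Object Access Events (success) with -Remediate or through GPO' }
    }
}

Test-ScheduledTaskAuditing
```

On a domain member, a GPO that sets the advanced audit policy will overwrite a local auditpol change at the next refresh, so make the permanent fix in the GPO; the -Remediate switch is for a quick test on one host. If SuccessAudited is true and Last4698 is still empty, create a throwaway task with schtasks.exe /create and confirm the event appears before looking at collection or SIEM-side filtering.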
Can Event ID 4698 help me track changes made by Group Policy scheduled tasks?
Yes, Event ID 4698 will log scheduled tasks deployed through Group Policy, but the creating user will typically show as 'SYSTEM' or the computer account. To distinguish GP-deployed tasks, look for task names that match your Group Policy preferences, creation times that align with Group Policy refresh intervals, and XML content that includes Group Policy-specific metadata. You can correlate these events with Group Policy operational logs (Event ID 5312-5314) for complete tracking.
How should I respond if I find suspicious scheduled task creation events?
First, immediately examine the task content and execution history to assess the threat level. If the task appears malicious, disable it using 'Disable-ScheduledTask' or delete it with 'Unregister-ScheduledTask'. Check if the task has already executed by reviewing Task Scheduler operational logs (Event ID 200-201). Investigate the user account that created the task for compromise indicators, scan the system for malware, and review other security logs for related suspicious activity. Document all findings and consider isolating the system if active malware is confirmed.

Written by Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
