Description
This cmdlet creates a Windows scheduled task by writing binary task structures directly into the `TaskCache` registry hive, bypassing the Task Scheduler COM API entirely.
Overview
This cmdlet creates a Windows scheduled task by writing binary task structures directly into the `TaskCache` registry hive, bypassing the Task Scheduler COM API entirely. This avoids the telemetry, ETW events, and security log entries that the standard `schtasks.exe` and `ITaskService` interfaces produce.
The task definition is written to three registry locations under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\`:

| Key | Purpose |
|---|---|
| `Tree\<TaskName>` | Task index, GUID reference, and security descriptor |
| `Tasks\<GUID>` | Author, path, URI, date, Actions blob, DynamicInfo blob, and Triggers blob |
| `Plain\<GUID>` | Trigger class marker (empty key) |
The Schedule service must be restarted on the target for the task engine to load the new definition. Deletion follows the reverse path — all three keys are removed, and the service must be restarted to offload the task.
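A host-side audit over the three locations above, added here as an example for defenders; it is not part of the module. It assumes it runs elevated on the host being checked, that a normally registered task also has an XML definition file under `%SystemRoot%\System32\Tasks` and a `Hash` value in `Tasks\<GUID>` (neither of which the registry writes listed above produce), and the function name `Get-RegistryOnlyTask` is the example's own.

```powershell
# Added audit example, not part of the New-GhostTask module. Lists TaskCache\Tree
# entries whose definition looks registry-only: no XML file under System32\Tasks,
# or a Tasks\<GUID> key without the Hash value normally registered tasks carry.
# Assumes it runs elevated on the host being checked.
function Get-RegistryOnlyTask {
    param(
        [string]$CachePath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache',
        [string]$TaskFileRoot = (Join-Path $env:SystemRoot 'System32\Tasks')
    )
    Get-ChildItem -Path "$CachePath\Tree" -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $entry = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if (-not $entry -or -not $entry.Id) { return }     # task folders carry no Id value
        $guid = $entry.Id
        $rel  = $_.Name -replace '^.*?\\Tree\\', ''          # e.g. Microsoft\Windows\Foo\Bar
        $def  = Get-ItemProperty -Path "$CachePath\Tasks\$guid" -ErrorAction SilentlyContinue

        $findings = @()
        if (-not (Test-Path -LiteralPath (Join-Path $TaskFileRoot $rel))) {
            $findings += 'no XML definition under System32\Tasks'
        }
        if (-not $def) {
            $findings += "no Tasks\$guid key"
        } elseif (-not $def.PSObject.Properties['Hash']) {
            $findings += 'Tasks\<GUID> has no Hash value'
        }
        if ($findings.Count -eq 0) { return }

        # Heuristic: pull printable UTF-16 runs out of the Actions blob to show what the task launches.
        $strings = ''
        if ($def -and $def.Actions) {
            $text    = [System.Text.Encoding]::Unicode.GetString($def.Actions)
            $strings = ([regex]::Matches($text, '[\x20-\x7E]{4,}') | ForEach-Object { $_.Value }) -join ' | '
        }
        [pscustomobject]@{
            Task     = $rel
            Guid     = $guid
            Author   = $def.Author
            Actions  = $strings
            Findings = $findings -join '; '
        }
    }
}

# Usage: list suspicious entries; pipe to Export-Csv to keep a baseline for later diffs.
Get-RegistryOnlyTask | Format-Table -AutoSize -Wrap
```

Run it before and after a Schedule service restart, since the table above notes the engine only loads new definitions on restart.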
Both cmdlets support three authentication modes, selected by parameter set:
| Mode | Parameter Set | Mechanism |
|---|---|---|
| Current context | `CurrentUser` (default) | Uses the calling thread's token. Local operations require SYSTEM. |
| Explicit credentials | `Credential` | `CredentialUser` is parsed by `Username.Parse` (UPN, NetBIOS, or bare). Remote targets authenticate via `WNetAddConnection2` to `\\host\IPC$`. Local targets use `LogonUser` + `ImpersonateLoggedOnUser`. |
| Token impersonation | `Token` | Impersonates the provided handle via `ImpersonateLoggedOnUser`. The caller retains handle ownership. |
Authentication resources (IPC$ sessions, logon tokens, impersonation state) are cleaned up automatically when the cmdlet completes, even on error paths.
Legacy Server 2016 targets are detected automatically via the `ProductName` registry value: the Actions blob version is downgraded from 0x03 to 0x02 when "2016" appears in the product name string.
New-GhostTask
Creates or modifies a scheduled task via direct registry writes.
Parameters
Authentication
| Parameter | Type | Required | Parameter Set | Description |
|---|---|---|---|---|
| `-CredentialUser` | String | Yes | `Credential` | Username for explicit authentication. Accepts UPN (`user@domain`), `DOMAIN\user`, or bare `user`. |
| `-CredentialPassword` | SecureString | Yes | `Credential` | Password for explicit authentication. |
| `-TokenHandle` | IntPtr | Yes | `Token` | Existing Windows token handle to impersonate. |
Target
| Parameter | Type | Required | Description |
|---|---|---|---|
| `-ComputerName` | String | No | Remote hostname. Omit for local operations. |
Task Definition
| Parameter | Type | Required | Description |
|---|---|---|---|
| `-TaskName` | String | Yes | Name of the scheduled task. |
| `-Program` | String | Yes | Executable path to run. |
| `-Argument` | String | Yes | Command-line arguments. Use `""` for none. |
| `-UserName` | String | Yes | Account the task executes under on the target. |
Schedule
| Parameter | Type | Required | Valid Values | Description |
|---|---|---|---|---|
| `-ScheduleType` | ScheduleType | Yes | Second, Daily, Weekly, Logon | Trigger type. |
| `-Hour` | Int | Conditional | 0–23 | Hour for Daily/Weekly triggers. |
| `-Minute` | Int | Conditional | 0–59 | Minute for Daily/Weekly triggers. |
| `-Interval` | Int | Conditional | 1–2147483647 | Repetition interval in seconds for the Second trigger. |
| `-DayOfWeek` | GhostTaskDayOfWeek | Conditional | Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday | Days for the Weekly trigger. Accepts flag combinations. |
Common
Supports `-Verbose`, `-WhatIf`, and `-Confirm`.
Conditional Parameter Requirements
| ScheduleType | Required Parameters |
|---|---|
| Second | `-Interval` |
| Daily | `-Hour`, `-Minute` |
| Weekly | `-Hour`, `-Minute`, `-DayOfWeek` |
| Logon | None |
Examples
Create a daily task at 22:30:

```powershell
New-GhostTask -TaskName "Updater" `
    -Program "cmd.exe" `
    -Argument "/c echo hello" `
    -UserName "Administrator" `
    -ScheduleType Daily `
    -Hour 22 -Minute 30 `
    -Verbose
```