How to investigate a hidden scheduled task that keeps running and locks out an account
Check for failed scheduled tasks:
Event Viewer: Applications and Services Logs / Microsoft / Windows / TaskScheduler / Operational
Event ID 104: Logon failure
Event ID 311: Task Engine failed to start
Event ID 101: Task Start Failed
Check for hidden saved user names and passwords:
From a command prompt run: psexec -i -s -d cmd.exe
From the new cmd window run: rundll32 keymgr.dll,KRShowKeyMgr
Download:
https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
How this differs from opening Windows Credential Manager directly:
This method runs the Key Manager dialog in the SYSTEM context, so the list includes saved credentials that the ordinary per-user Credential Manager view does not show.
Check for leftover task files:
To troubleshoot the issue, we suggest deleting the task image. To do this: Go to C:\Windows\System32\Tasks and delete the task image in this folder.
Check for leftover registry entries:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree
After locating the task under Tree, note its Id value, then delete the matching key here as well:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks
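The steps above (failed-task events, the Tasks folder, and the TaskCache Tree/Tasks keys) can be collected in one pass. The following PowerShell script is an added example written for this note, not code from the referenced posts. It assumes an elevated prompt on Windows 10 / Server 2016 or later with the ScheduledTasks module, and that the TaskScheduler/Operational log is enabled. It only reads; deleting a task image or registry key is left as the manual step the note describes, once the entry is confirmed to be stale.

```powershell
# Added example (not from the original note): collect evidence for a
# scheduled task that fails to log on and locks an account.
# Assumptions: run as Administrator; ScheduledTasks module available;
# Microsoft-Windows-TaskScheduler/Operational log is enabled.

# Event IDs named in the note: 101 Task Start Failed, 104 Logon failure,
# 311 Task Engine failed to start.
$failureEventIds = 101, 104, 311

# 1. Failed task runs from the Task Scheduler operational log.
function Get-FailedTaskEvents {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-TaskScheduler/Operational'
        Id        = $failureEventIds
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull every EventData field (TaskName, UserName, UserContext,
            # ResultCode, ...) so the task and account are visible side by side.
            $x = [xml]$_.ToXml()
            $fields = [ordered]@{ Time = $_.TimeCreated; EventId = $_.Id }
            foreach ($d in @($x.Event.EventData.Data)) {
                if ($d -and $d.Name) { $fields[$d.Name] = $d.'#text' }
            }
            [pscustomobject]$fields
        }
}

# 2. Cross-check TaskCache\Tree against the service, the task files and
#    TaskCache\Tasks. An entry the service no longer lists, or one whose
#    task file or Tasks\{Id} key is missing, is the residue the note describes.
function Get-OrphanedTaskEntries {
    $treeRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
    $tasksRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'
    $taskDir   = Join-Path $env:SystemRoot 'System32\Tasks'

    # Tasks the Task Scheduler service itself still knows about, keyed by full path.
    $known = @{}
    Get-ScheduledTask | ForEach-Object { $known[($_.TaskPath + $_.TaskName)] = $true }

    Get-ChildItem -Path $treeRoot -Recurse | ForEach-Object {
        $key = $_
        $id  = (Get-ItemProperty -Path $key.PSPath -Name Id -ErrorAction SilentlyContinue).Id
        if (-not $id) { return }   # folder node under Tree, not a task
        # Relative task path after "...\TaskCache\Tree", e.g. \Microsoft\Windows\Foo\Bar
        $rel = $key.Name.Substring($key.Name.IndexOf('\Tree') + 5)
        [pscustomobject]@{
            TaskPath       = $rel
            Id             = $id
            VisibleToSched = $known.ContainsKey($rel)
            HasTaskFile    = Test-Path (Join-Path $taskDir $rel.TrimStart('\'))
            HasTasksKey    = Test-Path (Join-Path $tasksRoot $id)
        }
    }
}

# Usage: recent logon/start failures, then cache entries that are inconsistent.
Get-FailedTaskEvents -Days 7 | Format-Table -AutoSize
Get-OrphanedTaskEntries |
    Where-Object { -not $_.VisibleToSched -or -not $_.HasTaskFile -or -not $_.HasTasksKey } |
    Format-Table -AutoSize
```

Match the TaskName (or UserContext) from the 101/104 events against the TaskPath column of the second listing: a task that keeps producing logon failures but no longer appears in Get-ScheduledTask is the one whose stored credential (visible through the SYSTEM-context Key Manager step above) and cache entries need to be removed.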
References:
https://serverfault.com/questions/686393/event-4625-audit-failure-null-sid-failed-network-logons/727455#727455
https://answers.microsoft.com/en-us/windows/forum/all/cant-find-task-in-task-scheduler/f76d43fd-f73d-43a5-a1b1-d42489b839aa