Security Implications of the AT Command

I read the security post provided by Roger Grimes with interest this morning because I’ve always felt that the Task Scheduler is just another entry point for viruses and the like on any system. As he mentions, it’s an avenue that many administrators fail to check because they don’t really think about it. As Roger points out, there are three ways to add new entries, but this post focuses on the oldest of the three, the AT command.

Before you can interact with the Task Scheduler, you must have its service started. This is a given on Vista and Windows 7, where Windows relies heavily on the Task Scheduler. However, you’ll want to read my Interacting with the Task Scheduler Service for details about this service. It’s important to have the service setup correctly in order to work with it error free.

The AT command is the oldest way of working with the Task Scheduler. At one time you could access it from the command prompt even if you weren’t an administrator. This meant that any virus or other piece of nasty software could cause woe without notice on your part. However, if you try to use the AT command at a normal command prompt in Windows 7, you’ll receive an Access Denied error message, which is at least a start in the right direction.

To use the AT command to create a new entry, you must provide a time and command as a minimum. For example, if you type AT 15:00 “Dir C:\” and press Enter, you’ll create a new task that starts at 3:00 pm on the current day. You’ll receive a numeric identifier for the task. The entry also shows up in the Task Scheduler console (found in the Administrative Tools folder of the Control Panel) as At plus the identifier, such as At1 as shown here.

TaskSchedulerEntries01

If you want to list the jobs created by the AT command, you type AT and press Enter. The AT command only lists those jobs that it creates—you won’t see any jobs created using other Task Scheduler techniques.

Likewise, to delete jobs using the AT command, you provide the identifier you received when you created the job along with the /Delete command line switch. For example, if the identifier for the task you created earlier in this post is 1, then you’d type AT 1 /Delete and press Enter. In this case, the AT command doesn’t provide any output. In order to verify that the job is actually gone, you must type AT and press Enter. Here’s what the command output from this session looks like.

TaskSchedulerEntries02

The true power of AT lies in remote access. For example, if you have an Administrator command line open, have a server named WinServer on your network, and possess administrator privileges on that server, you can type AT \\WinServer 15:00 “Dir C:\” and press Enter to create a command that starts at 3:00 p.m. (local time) on WinServer. It’s important to realize that the command will execute when it’s 3:00 p.m. on the server, not 3:00 p.m. on your system. You can likewise list and delete remote entries using the same commands you’d use for local entries. Again, the Task Scheduler console will display these entries, but only on the host machine (so you’d need to access that system remotely to see it from your local computer).

Windows 7 does make it harder to use the AT command, but not impossible. If an outsider should gain access to an account with administrator privileges, it wouldn’t take long for a virus to add all sorts of nasty commands to every machine on the network. As Roger comments in his post, administrators need to exercise vigilance in order to catch potential security issues such as this one. Let me know if you have any questions at [email protected].

 

Interacting with the Task Scheduler Service

The Task Scheduler service has become an essential part of Windows. With that in mind, Microsoft has made a change in the way this service works. You can no longer stop it and the service automatically starts when you start Windows. The idea is to ensure that the service is available to meet Windows needs. The change quietly occurred during a Vista update and is automatically part of Windows 7. Consequently, when you try to interact with the service, you get an error message of [SC] OpenService FAILED 5: Access is denied. To see this for yourself, try typing SC Config Schedule Start= Demand and pressing Enter on an update Vista or any Windows 7 system.

The reason I mention this particular issue is that on page 43 of Windows Command-Line Administration Instant Reference, you see instructions for interacting with the Task Scheduler service. You can still query the service and perform some other tasks with it, but you can’t stop it or configure the method used to start it. When you look at this service using the Services console of the Administrative Tools folder, you see that you can’t even change how the service starts as shown here (everything is grayed out).

TaskScheduler01

There are a number of other services that fall into this same category. You can’t stop, start, or reconfigure them. Here is a list of the most common services that you can’t control using the SC utility (you can still query all of them):

  • DCOM Server Process Launcher
  • Group Policy Client
  • Plug and Play
  • Remote Procedure Call (RPC)
  • RPC Endpoint Mapper

Microsoft hasn’t documented the reason why you can’t configure any of these services. However, the reason that Microsoft has made it impossible to change the Task Scheduler service is that Windows 7 uses it extensively. For example, a number of applications rely on the Task Scheduler:

  • System Restore
  • Reliability History
  • Windows Update
  • Other Program Updates

In addition, Windows 7 uses Task Scheduler to perform a number of checks. These checks affect system reliability and stability:

  • TCP/IP Conflicts
  • Disk Diagnosis
  • Network Information
  • System Sound Service
  • Power Controls
  • WinSAT

Even so, you may find that you need to stop the service for some reason. The common technique that you’ll find for overcoming this problem is to perform the task from the registry. Open RegEdit and locate the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Schedule key. The Start value controls how the Task Scheduler starts. Double click this value and change the entry to 4 as shown here to disable the service, or 3 to set it to manual.

TaskScheduler02

Reboot the system. You still won’t be able to make any changes using the SC utility or the GUI, but the status of the service will change to either disabled or manual as you requested. When the service is in manual mode, you can start it manually. Change the Start value back to 2 to re-enable the service. The problem with changing these services is that you don’t know how the change will affect system stability. This is a change at your own risk scenario. Please let me know if you have any questions at [email protected].