Troubleshoot Your Windows Task Scheduler Using Windows Server Log Files

+ Bonus tip: How you can do it in less than 5 minutes

Abstract 

If you are responsible for managing your organization’s Windows Servers, simply monitoring and managing your machines is a full-time job.

Tools such as Windows Task Scheduler help you keep your servers up and running by automating tasks.

These tasks can be scheduled to run at set times, or when triggered by system events.

As much as you rely on the Scheduler, it can sometimes let you down, and often at the worst possible time.

Follow the next steps or download XpoLog7 free and troubleshoot your scheduled tasks automatically!

Let’s begin

When a single task, running on a local machine, fails, you can fix it without breaking a sweat.

In large organizations, tasks are far more complex and run across hundreds or thousands of remote hosts.

In the words of The Big Lebowski’s Walter Sobchak, “Smokey, my friend, you are entering a world of pain”.

The good news: Windows Server gives you comprehensive logging tools to locate and fix issues.

Even with these tools, do you know which logs are available, and what they are telling you?


In this article, you get a complete guide to troubleshooting Windows Server scheduled tasks with log files. The article explains: 

  • How events are scheduled.
  • What information is logged.
  • Where it is stored.
  • How to get through common troubleshooting scenarios.

You will get the answers you need and understand how to make sense of the data Windows event logging gives you.

We start by giving you a detailed overview of Scheduled Tasks. Next, we set out a practical step-by-step troubleshooting guide.

We will also show you how you can set it up in less than 5 minutes with automation. 

“Nice”, you probably think, and you are right, we are 🙂

Read about our Windows app here

Cutting to the chase: After reading this article, you will be able to proactively identify Windows Task Scheduler issues and use Windows event logs and related data to resolve real-world issues.

You can skip to a section:

  1. Windows Task Scheduler: Understanding Scheduled Tasks.
  2. Windows Task Scheduler – Troubleshooting Scheduled Events.
  3. Bonus Tip: How You Can Troubleshoot Tasks in 5 Minutes.

Windows Task Scheduler: Understanding Scheduled Tasks

A Windows task is a group of actions that automates system management and maintenance procedures, such as installing patches, auditing, backing up storage media, or dealing with security issues.

You create and schedule tasks using the Task Scheduler user interface, or programmatically using PowerShell or the .NET Framework.

Once you have created a task, you use the Task Scheduler Service to schedule the task’s execution.

The Task Scheduler Service is a Windows service that lets you manage, schedule, and monitor tasks.

Each task includes the following components:

  • General Information: Metadata that describes the task, such as the task’s name, description, and location.
  • Triggers: Conditions that schedule task execution at a specific time, or in response to specific criteria.
  • Actions: List of one or more actions to achieve the task’s desired outcome.
  • Security Principals: Defines security credentials, permitted access levels, and system privileges required for task execution.
  • Conditions: Determines when a task can run, for example only when the targeted host is idle or connected to power.
  • Settings: Configures how the tasks run, including when to restart a failed action, and how long the task is permitted to run.
  • History: Logs task execution data.
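
The components listed above can be read back for every task with the ScheduledTasks PowerShell module. The following is an added example, not part of the original article; it assumes Windows 8 / Windows Server 2012 or later and keeps only tasks whose last result code is non-zero.

```powershell
# Added example: one row per scheduled task, one column group per component.
# Read-only; run in an elevated session to see tasks owned by other accounts.
Get-ScheduledTask | ForEach-Object {
    $info = $_ | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # General information
        Task          = $_.TaskPath + $_.TaskName
        State         = $_.State
        # Triggers: the CIM class name shows the trigger type (time, logon, event, ...)
        Triggers      = ($_.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ','
        # Actions: command line of each "start a program" action
        Actions       = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        # Security principal
        RunAs         = $_.Principal.UserId
        RunLevel      = $_.Principal.RunLevel
        # Conditions
        IdleOnly      = $_.Settings.RunOnlyIfIdle
        NoBattery     = $_.Settings.DisallowStartIfOnBatteries
        # Settings: IgnoreNew is the policy behind "instance already running" warnings
        MultiInstance = $_.Settings.MultipleInstances
        TimeLimit     = $_.Settings.ExecutionTimeLimit
        # History
        LastRun       = $info.LastRunTime
        LastResult    = if ($null -ne $info) { '0x{0:X}' -f $info.LastTaskResult }
    }
} |
    # 0x0 is success. 0x41301 (still running) and 0x41303 (never run) are status
    # codes rather than failures, so expect them in the output as well.
    Where-Object { $_.LastResult -and $_.LastResult -ne '0x0' } |
    Sort-Object LastRun -Descending |
    Format-Table -AutoSize
```

Tasks that combine a SYSTEM principal or the Highest run level with an action outside the Windows directories deserve a second look when reviewing the output.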

Windows Task Scheduler – Troubleshooting Scheduled Events

Let’s look at what happens when a scheduled task fails to run and see how we can use event logs to locate and fix the problem.

Step 1: Understanding the Big Picture

To find the immediate reason why a task failed, open the Event Viewer and locate the event.

  • Double-clicking the event opens a dialog box that tells us the immediate cause of the problem. It provides the event’s source, ID, level, and category.
  • The dialog also tells us when the event was recorded and on which machine it occurred.

Task Scheduler did not launch task -“\Microsoft\Windows\MemoryDiagnostic\ProcessMemoryDiagnosticEvents” because instance “{92e4bd81-96af-4a12-987f-3e83d80dd116}” of the same task is already running.
Log Name:      Microsoft-Windows-TaskScheduler/Operational
Source:        Microsoft-Windows-TaskScheduler
Date:          10/28/2018 1:21:28 PM
Event ID:      322
Task Category: Launch request ignored, instance already running
Level:         Warning
Keywords:      
User:          SYSTEM
Computer:      BILBO.mordor.local

Step 2: Diving Deeper

For detailed contextual information to help understand why an event occurred, you can use the related events logged by Windows, across multiple Windows Event Log (evtx) files.

The log’s System section presents a summary of this additional environmental data that helps you resolve the problem, such as the task’s Process ID, the thread on which it ran, and its Security ID.  

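<System>
  <Provider Name="Microsoft-Windows-TaskScheduler" Guid="{DE7B24EA-73C8-4A09-985D-5BDADCFA9017}" />
  <EventID>322</EventID>
  <Version>0</Version>
  <Level>3</Level>
  <Task>322</Task>
  <Opcode>0</Opcode>
  <Keywords>0x8000000000000000</Keywords>
  <EventRecordID>200241</EventRecordID>
  <Channel>Microsoft-Windows-TaskScheduler/Operational</Channel>
  <Computer>BILBO.mordor.local</Computer>
</System>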

Step 3: Comprehending Event Context

To understand the actual nature of the event and to get contextual clues, you need to look at the log file’s EventData section.

Here, we can see that part of the reason that the task failed to run is related to a memory issue.

Task:     \Microsoft\Windows\MemoryDiagnostic\ProcessMemoryDiagnosticEvents
Instance: {92E4BD81-96AF-4A12-987F-3E83D80DD116}

Step 4: Get the Full Picture by Investigating Related Logs

In most cases, investigating a single log file by itself is not enough to find and fix a specific problem.

Since many scheduling issues are security related, a good place to start is to examine security-related audit logs, such as the Windows Security Event log.

Privileges: SeTcbPrivilege
Audit Failure 10/28/2018 13:21:28 BILBO MORDOR Microsoft-Windows-Security-Auditing 13056 4673 A privileged service was called
Privilege Use Sensitive Privilege Use / Non-Sensitive Privilege Use 0x00000000000D10EB
BILBO.mordor.local A privileged service was called.

In this case, the Windows Security Event shows us that the reason the task failed was related to a broader security issue. The log tells us that the event tried to perform an action that required SeTcbPrivilege-level privileges.

The action performed by the task was assigned a lower privilege level; therefore, the host on which the task was scheduled to run prevented it from running.

In addition to showing that the task failed due to the task’s assigned privileges, it also shows information that indicates the root cause of the problem.

Process:
Process ID: 0x0000000000000EBC
Process Name: C:\Windows\System32\taskhostw.exe

Here we can see that the Security log indicates the problem was caused by an executable process called taskhostw.exe.

The log shows us the executable’s Process ID and the process’s full path.

In the final step, we will understand why this information is important, and how we can use it.

Step 5: Research the Problem

Now we know the origin of the problem, let’s use our available resources to find out more about it.

By searching the internet, we can find logs that identify a problem with taskhostw.exe. Problems with this process are usually related to malware exploits, or to a defective Windows component which controls folder access.

For more information on taskhostw.exe and related issues, see this article from Microsoft.
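
Steps 1 through 4 can be run as one PowerShell script. The following is an added example, not part of the original article: it pairs each Event ID 322 warning with the Event ID 4673 audit failures logged close to it in time, which is a heuristic and not proof of cause. It assumes an elevated session, a 24-hour lookback, a 60-second match window, and the EventData field names TaskName, PrivilegeList and ProcessName.

```powershell
# Added example. Assumptions: elevated session (needed to read the Security
# log), 24-hour lookback, 60-second match window.
$since  = (Get-Date).AddHours(-24)
$window = 60

function Get-EventFields {
    # Flatten <EventData><Data Name="x">value</Data></EventData> to a hashtable.
    param($Record)
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        if ($d.Name) { $fields[$d.Name] = $d.'#text' }
    }
    $fields
}

# Steps 1-3: "launch request ignored" warnings (Event ID 322).
$ignored = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 322; StartTime = $since
})

# Step 4: audit failures for Event ID 4673, "A privileged service was called".
$denied = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4673; StartTime = $since
    Keywords = 4503599627370496      # 0x10000000000000 = Audit Failure
})

# Pair each 322 event with the 4673 failures logged inside the match window.
$report = foreach ($t in $ignored) {
    $task = (Get-EventFields $t)['TaskName']
    foreach ($s in $denied) {
        if ([math]::Abs(($s.TimeCreated - $t.TimeCreated).TotalSeconds) -gt $window) { continue }
        $f = Get-EventFields $s
        [pscustomobject]@{
            Time       = $t.TimeCreated
            Computer   = $t.MachineName
            Task       = $task
            Privileges = ($f['PrivilegeList'] -replace '\s+', ' ').Trim()
            Process    = $f['ProcessName']
            # Windows ships taskhostw.exe in System32; flag any other location.
            OffPath    = $f['ProcessName'] -notlike "$env:SystemRoot\System32\*"
        }
    }
}
$report | Sort-Object Time | Format-Table -AutoSize
```

A row with OffPath set to True means the process that requested the privilege was not running from the Windows System32 directory, which is the case to investigate first.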

Conclusions: How to Get the Most from Windows Server Logging?

Windows Scheduler Tasks are a great way to get things done.

In this article, we showed you what tasks are, and how they work. We also took you through a five-step process:

  1. Understanding the big picture: How to use the Event Viewer to discover problems.
  2. Diving deeper: How to read an event log file to learn more.
  3. Comprehending event context: Using Event Data to understand the problem’s context.
  4. Getting the full picture: Using other log files to locate the root cause.
  5. Researching the problem: How to use the data you gathered to find a viable solution.

Now you can deal with complex situations involving multiple servers and large amounts of logged data, to ensure that:

  • Your system continues to fulfill your organization’s mission.
  • The users you support can do their work.

You can download XpoLog and get these insights, a few clicks from now.

Bonus Tip: How You Can Troubleshoot Tasks in 5 Minutes

Another way you can monitor and troubleshoot your Windows Task Scheduler operations (and find errors in Windows logs) is to use an out-of-the-box solution, such as XpoLog.

Using XpoLog’s built-in Windows logs connector, you can stream Windows event logs in minutes.  

Once you stream the Windows event logs into XpoLog (all it takes is a few clicks), you start getting insights about what’s happening in your system, without lifting a finger.

Learn more about our Windows app 

What Do You Get with XpoLog Fully-Automated Tool?

XpoLog provides a dashboard that displays a general overview of Windows Task Scheduler related data it collected.

Here you can quickly find how many tasks failed to run and why, how many succeeded and details about the important events.


Get automated insights about Windows task scheduler and troubleshoot in no time!

Drill down to each section to get more information.


The dashboard displays graphs of the collected Windows logs data.


To help you find exactly the log you need, it provides powerful search functionality.

Once you have found the relevant event or events, you can review the log data.

Not only does XpoLog show you what happened in the past, it also monitors system log files for common and obscure errors.

XpoLog’s proactive analytics engine is constantly analyzing log files. When it detects a problem, it sends notifications to alert system administrators immediately.

Bottom line: XpoLog also helps you deal with problems that you hadn’t thought of looking for, or never knew existed.

This means that you, your team and your organization, can fix a problem long before users notice, and start sending helpdesk requests.

You heard it here first! Less dealing with support, more focusing on your tasks. 

XpoLog also provides long-term retention by collecting all system logs from multiple servers across your organization.

XpoLog keeps all Windows related logs available, from one or more locations, for any period of time.

Moreover, XpoLog is not constrained by your organization’s storage policies and restrictions.

The added value: This means that XpoLog stores collected logging data indefinitely, and uses it to help you find and fix problems occurring over a longer time frame.

This approach allows you to initiate preventive action to avert potential problems, instead of constantly putting out fires.

Download now, sit back and relax – let XPLG do the work for you!  


Conclusions

XpoLog provides you with an end-to-end solution for log data automation.

Once deployed, XpoLog enables you to monitor your system and gives you a complete solution which includes a comprehensive analytics application.

This Windows application contains dashboards and reports which include insights about:

  • user access (login/logouts).
  • the health of your Windows server.
  • trends.
  • anomalies.
  • errors.
  • problems and more.

Your gain: Windows log visibility and insights in minutes without having to write queries or build reports manually.

In addition, you will be able to easily control and monitor your Windows environment, and view and compare host activity, without any manual work at all!

How cool is that?