:py:mod:`dissect.target.plugins.os.windows.log.schedlgu`
========================================================

.. py:module:: dissect.target.plugins.os.windows.log.schedlgu


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.log.schedlgu.SchedLgU
   dissect.target.plugins.os.windows.log.schedlgu.SchedLgUPlugin


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.log.schedlgu.log
   dissect.target.plugins.os.windows.log.schedlgu.SchedLgURecord
   dissect.target.plugins.os.windows.log.schedlgu.JOB_REGEX_PATTERN
   dissect.target.plugins.os.windows.log.schedlgu.SCHEDLGU_REGEX_PATTERN


.. py:data:: log

.. py:data:: SchedLgURecord

.. py:data:: JOB_REGEX_PATTERN

.. py:data:: SCHEDLGU_REGEX_PATTERN

.. py:class:: SchedLgU

   .. py:attribute:: ts
      :type: datetime.datetime

   .. py:attribute:: job
      :type: str

   .. py:attribute:: status
      :type: str

   .. py:attribute:: command
      :type: str

   .. py:attribute:: exit_code
      :type: int

   .. py:attribute:: version
      :type: str

   .. py:method:: from_line(line: str) -> SchedLgU
      :classmethod:

      Parse a group of SchedLgU.txt lines.


.. py:class:: SchedLgUPlugin(target: dissect.target.Target)

   Bases: :py:obj:`dissect.target.plugin.Plugin`

   Plugin for parsing the Task Scheduler Service transaction log file (SchedLgU.txt).

   .. py:attribute:: PATHS

   .. py:method:: check_compatible() -> None

      Perform a compatibility check with the target.

      This function should return ``None`` if the plugin is compatible with the current target
      (``self.target``). For example, check if a certain file exists. Otherwise it should raise
      an ``UnsupportedPluginError``.

      :raises UnsupportedPluginError: If the plugin could not be loaded.

   .. py:method:: schedlgu() -> Iterator[SchedLgURecord]

      Return all events in the Task Scheduler Service transaction log file (SchedLgU.txt).

      Older Windows systems may log ``.job`` tasks that get started remotely in the SchedLgU.txt
      file. In addition, this log file records when the Task Scheduler service starts and stops.
      Adversaries may use malicious ``.job`` files to gain persistence on a system.

      :Yields:
         * *ts (datetime)* -- The timestamp of the event.
         * *job (str)* -- The name of the ``.job`` file.
         * *command (str)* -- The command executed.
         * *status (str)* -- The status of the event (finished, completed, exited, stopped).
         * *exit_code (int)* -- The exit code of the event.
         * *version (str)* -- The version of the Task Scheduler service.
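The following is an added, stand-alone example of how the record fields listed above (``ts``, ``job``, ``command``, ``status``, ``exit_code``, ``version``) can be recovered from SchedLgU.txt content. It is not the plugin's own code, and ``JOB_REGEX_PATTERN`` / ``SCHEDLGU_REGEX_PATTERN`` from the module are not used; the entry layout it parses (a quoted job or service name, an optional command in parentheses, then indented ``Started`` / ``Finished`` / ``Result:`` lines, or ``Started at`` / ``Exited at`` / a version line for the service itself), the en-US timestamp format, and the sample log text are all assumptions constructed for this example. The ``job_runs`` helper at the end is the kind of per-job summary an analyst builds when reviewing a host for ``.job``-based persistence.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, Iterator, Optional

# Constructed sample (not from a real system). The layout is an assumption made for this
# example, modelled on the classic Windows XP/2003 SchedLgU.txt style, and is not the
# project's own parser or test data.
SAMPLE_SCHEDLGU = '''"Task Scheduler Service"
Started at 10/13/2007 10:42:38 AM
"Task Scheduler Service"
5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
"At1.job" (notepad.exe)
\tStarted 10/13/2007 10:43:00 AM
"At1.job" (notepad.exe)
\tFinished 10/13/2007 10:45:33 AM
\tResult: The task completed with an exit code of (0).
"Backup.job" (backup.cmd)
\tStarted 10/13/2007 10:50:00 AM
"Backup.job" (backup.cmd)
\tFinished 10/13/2007 10:50:05 AM
\tResult: The task completed with an exit code of (1).
"Task Scheduler Service"
Exited at 10/13/2007 11:02:02 AM
'''

# Entry header: quoted job (or service) name, optionally followed by the command in
# parentheses. All lines up to the next header belong to that entry.
HEADER_RE = re.compile(r'^"(?P<name>[^"]+)"(?:\s+\((?P<command>.*)\))?\s*$')
SERVICE_RE = re.compile(r"^(?P<status>Started|Exited) at (?P<ts>.+?)\s*$")
JOB_RE = re.compile(r"^(?P<status>Started|Finished)\s+(?P<ts>.+?)\s*$")
RESULT_RE = re.compile(r"exit code of \((?P<code>-?\d+)\)")
VERSION_RE = re.compile(r"^(?P<version>\d+(?:\.\d+){2,}.*?)\s*$")
TS_FORMAT = "%m/%d/%Y %I:%M:%S %p"  # assumption: en-US locale formatting


@dataclass
class SchedLgUEvent:
    """One event, carrying the same fields the page's SchedLgURecord describes."""
    ts: Optional[datetime]      # None for the service version entry
    job: str                    # .job file name, or "Task Scheduler Service"
    status: str                 # started / finished / exited / version (lower-cased)
    command: Optional[str]      # None for Task Scheduler Service entries
    exit_code: Optional[int]    # only set when a Result line follows a finished job
    version: Optional[str]      # only set on the service version entry


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value.strip(), TS_FORMAT)


def parse_schedlgu(text: str) -> Iterator[SchedLgUEvent]:
    """Yield one SchedLgUEvent per recognised service or job entry in the log text."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        header = HEADER_RE.match(lines[i])
        i += 1
        if not header:
            continue  # blank lines, ring-buffer marker lines, and other noise
        body = []
        while i < len(lines) and not HEADER_RE.match(lines[i]):
            body.append(lines[i].strip())
            i += 1
        name, command = header.group("name"), header.group("command")
        ts = status = version = exit_code = None
        for line in body:
            if command is None:  # service entry: start/stop or version line
                if m := SERVICE_RE.match(line):
                    status, ts = m.group("status").lower(), parse_ts(m.group("ts"))
                elif m := VERSION_RE.match(line):
                    status, version = "version", m.group("version")
            else:  # job entry: start/finish plus an optional Result line
                if m := JOB_RE.match(line):
                    status, ts = m.group("status").lower(), parse_ts(m.group("ts"))
                elif m := RESULT_RE.search(line):
                    exit_code = int(m.group("code"))
        if status is None:
            continue  # header without a recognisable body; skip rather than guess
        yield SchedLgUEvent(ts, name, status, command, exit_code, version)


def job_runs(events: Iterable[SchedLgUEvent]) -> Dict[str, dict]:
    """Summarise, per .job file, the commands it ran and the exit codes it produced."""
    summary: Dict[str, dict] = {}
    for event in events:
        if event.command is None:
            continue  # service entries are not jobs
        entry = summary.setdefault(event.job, {"commands": set(), "exit_codes": []})
        entry["commands"].add(event.command)
        if event.exit_code is not None:
            entry["exit_codes"].append(event.exit_code)
    return summary


if __name__ == "__main__":
    for event in parse_schedlgu(SAMPLE_SCHEDLGU):
        print(event)
    print(job_runs(parse_schedlgu(SAMPLE_SCHEDLGU)))
```

When running this over a real SchedLgU.txt, decode the file first (it is commonly stored as UTF-16) and sort the resulting events by ``ts``: the on-disk log is written as a wrapping buffer with a "most recent entry" marker line, so entries are not guaranteed to appear in chronological order. The timestamp format is locale dependent, so ``TS_FORMAT`` may need adjusting for a non-US system.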