From ea5b88c056248b796bdefbb2f3f443483d60359e Mon Sep 17 00:00:00 2001
From: jason taylor <jtfas90@gmail.com>
Date: Wed, 20 Nov 2024 09:47:50 -0500
Subject: [PATCH] minor spelling and trailing space update

---
 .../library/windows/task_scheduler_service.md | 238 +++++++++---------
 1 file changed, 119 insertions(+), 119 deletions(-)

diff --git a/docs/library/windows/task_scheduler_service.md b/docs/library/windows/task_scheduler_service.md
index e8a9df4f..74895302 100644
--- a/docs/library/windows/task_scheduler_service.md
+++ b/docs/library/windows/task_scheduler_service.md
@@ -27,16 +27,16 @@ Offset                : 510656
 ServiceName           : Schedule
 ServiceDisplayName    : Task Scheduler
 IsServiceRunning      : True
-Endpoints             : {[86d35949-83c9-4044-b424-db363231fd0c, 1.0] ncalrpc:[LRPC-4803de23b17986468a], [86d35949-83c9-4044-b424-db363231fd0c, 1.0] ncalrpc:[ubpmtaskhostchannel], 
+Endpoints             : {[86d35949-83c9-4044-b424-db363231fd0c, 1.0] ncalrpc:[LRPC-4803de23b17986468a], [86d35949-83c9-4044-b424-db363231fd0c, 1.0] ncalrpc:[ubpmtaskhostchannel],
                         [86d35949-83c9-4044-b424-db363231fd0c, 1.0] ncalrpc:[LRPC-83a142d94b8e74a91a]}
 EndpointCount         : 3
-Client                : False 
+Client                : False
 ```
 
 ### RPC Clients
 * taskcomp.dll
 * taskschd.dll
-* wmicmiplugin.dll 
+* wmicmiplugin.dll
 
 ### RPC Methods
 
@@ -65,8 +65,8 @@ ComplexTypes          : {Struct_0, Struct_1, Struct_2}
 FilePath              : C:\Windows\System32\taskcomp.dll
 Name                  : taskcomp.dll
 Offset                : 322256
-ServiceName           : 
-ServiceDisplayName    : 
+ServiceName           :
+ServiceDisplayName    :
 IsServiceRunning      : False
 Endpoints             : {[1ff70682-0a51-30e8-076d-740be8cee98b, 1.0] ncalrpc:[LRPC-b858137bbb082a0e8d]}
 EndpointCount         : 1
@@ -104,7 +104,7 @@ Client                : False
 
 ## Interact with Task Scheduler Remotely
 
-### Powershell - Schedule.Service COM Object 
+### Powershell - Schedule.Service COM Object
 ```Powershell
 # connect to Task Scheduler:
 $service = New-Object -ComObject Schedule.Service
@@ -145,43 +145,43 @@ $NewTask.stop(0)
 * EventID 4702 (Target): A Scheduled Task Was updated
 
 ```xml
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> 
-    - <System> 
-        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" /> 
-        <EventID>4702</EventID> 
-        <Version>1</Version> 
-        <Level>0</Level> 
-        <Task>12804</Task> 
-        <Opcode>0</Opcode> 
-        <Keywords>0x8020000000000000</Keywords> 
-        <TimeCreated SystemTime="2020-12-16T17:12:22.000309100Z" /> 
-        <EventRecordID>2292968</EventRecordID> 
-        <Correlation ActivityID="{262c1204-cb81-0000-0dbf-29867cced601}" /> 
-        <Execution ProcessID="740" ThreadID="1560" /> 
-        <Channel>Security</Channel> 
-        <Computer>WORKSTATION6.theshire.local</Computer> 
-        <Security /> 
-    </System> 
-    - <EventData> 
-        <Data Name="SubjectUserSid">S-1-5-21-3786818125-2382361537-3207726629-1104</Data> 
-        <Data Name="SubjectUserName">pgustavo</Data> 
-        <Data Name="SubjectDomainName">THESHIRE</Data> 
-        <Data Name="SubjectLogonId">0x9ac216f</Data> 
-        <Data Name="TaskName">\Ward0g</Data> 
-        <Data Name="TaskContentNew"><?xml version="1.0" encoding="UTF-16"?> <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Date>2020-12-16T08:09:21.4521839</Date> <Author>THESHIRE\sbeavers</Author> <Description>Que pasa</Description> <URI>\Ward0g</URI> </RegistrationInfo> <Triggers> <RegistrationTrigger> <Enabled>true</Enabled> </RegistrationTrigger> </Triggers> <Principals> <Principal id="Author"> <UserId>S-1-5-21-3786818125-2382361537-3207726629-1106</UserId> <LogonType>InteractiveToken</LogonType> <RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT72H</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec> <Command>powershell</Command> <Arguments>-noP -sta -w 1 -enc SQBGACgAJABQAFMAVgBFAFIAUwBpAE8ATgBUAGEAQgBMAGUALgBQAFMAVgBlAHIAUwBwAt.....</Data> 
-        <Data Name="ClientProcessStartKey">0</Data> 
-        <Data Name="ClientProcessId">0</Data> 
-        <Data Name="ParentProcessId">0</Data> 
-        <Data Name="RpcCallClientLocality">0</Data> 
-        <Data Name="FQDN">WORKSTATION6.theshire.local</Data> 
-    </EventData> 
+- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+    - <System>
+        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
+        <EventID>4702</EventID>
+        <Version>1</Version>
+        <Level>0</Level>
+        <Task>12804</Task>
+        <Opcode>0</Opcode>
+        <Keywords>0x8020000000000000</Keywords>
+        <TimeCreated SystemTime="2020-12-16T17:12:22.000309100Z" />
+        <EventRecordID>2292968</EventRecordID>
+        <Correlation ActivityID="{262c1204-cb81-0000-0dbf-29867cced601}" />
+        <Execution ProcessID="740" ThreadID="1560" />
+        <Channel>Security</Channel>
+        <Computer>WORKSTATION6.theshire.local</Computer>
+        <Security />
+    </System>
+    - <EventData>
+        <Data Name="SubjectUserSid">S-1-5-21-3786818125-2382361537-3207726629-1104</Data>
+        <Data Name="SubjectUserName">pgustavo</Data>
+        <Data Name="SubjectDomainName">THESHIRE</Data>
+        <Data Name="SubjectLogonId">0x9ac216f</Data>
+        <Data Name="TaskName">\Ward0g</Data>
+        <Data Name="TaskContentNew"><?xml version="1.0" encoding="UTF-16"?> <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Date>2020-12-16T08:09:21.4521839</Date> <Author>THESHIRE\sbeavers</Author> <Description>Que pasa</Description> <URI>\Ward0g</URI> </RegistrationInfo> <Triggers> <RegistrationTrigger> <Enabled>true</Enabled> </RegistrationTrigger> </Triggers> <Principals> <Principal id="Author"> <UserId>S-1-5-21-3786818125-2382361537-3207726629-1106</UserId> <LogonType>InteractiveToken</LogonType> <RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT72H</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec> <Command>powershell</Command> <Arguments>-noP -sta -w 1 -enc SQBGACgAJABQAFMAVgBFAFIAUwBpAE8ATgBUAGEAQgBMAGUALgBQAFMAVgBlAHIAUwBwAt.....</Data>
+        <Data Name="ClientProcessStartKey">0</Data>
+        <Data Name="ClientProcessId">0</Data>
+        <Data Name="ParentProcessId">0</Data>
+        <Data Name="RpcCallClientLocality">0</Data>
+        <Data Name="FQDN">WORKSTATION6.theshire.local</Data>
+    </EventData>
 </Event>
 ```
 
 * EventID 4688 (Target): A New Process Has been created
 
 ### Microsoft-Windows-TaskScheduler/Operational Logs
-* EventID 140: Task Rergistration Updated
+* EventID 140: Task Registration Updated
 * EventID 100: Task Started
 * EventID 201: Action Completed
 * EventID 201: Task Completed
@@ -193,94 +193,94 @@ $NewTask.stop(0)
 * EventID 1: ProcessCreate (When Task is stopped)
 
 ```xml
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> 
-    - <System> 
-        <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" /> 
-        <EventID>1</EventID> 
-        <Version>5</Version> 
-        <Level>4</Level> 
-        <Task>1</Task> 
-        <Opcode>0</Opcode> 
-        <Keywords>0x8000000000000000</Keywords> 
-        <TimeCreated SystemTime="2020-12-16T17:23:48.196270400Z" /> 
-        <EventRecordID>9090341</EventRecordID> 
-        <Correlation /> 
-        <Execution ProcessID="3256" ThreadID="4036" /> 
-        <Channel>Microsoft-Windows-Sysmon/Operational</Channel> 
-        <Computer>WORKSTATION6.theshire.local</Computer> 
-        <Security UserID="S-1-5-18" /> 
-    </System> 
-    - <EventData> 
-        <Data Name="RuleName">-</Data> 
-        <Data Name="UtcTime">2020-12-16 17:23:48.185</Data> 
-        <Data Name="ProcessGuid">{649442b8-42a4-5fda-af62-000000000600}</Data> 
-        <Data Name="ProcessId">2836</Data> 
-        <Data Name="Image">C:\Windows\System32\taskhostw.exe</Data> 
-        <Data Name="FileVersion">10.0.18362.1237 (WinBuild.160101.0800)</Data> 
-        <Data Name="Description">Host Process for Windows Tasks</Data> 
-        <Data Name="Product">Microsoft® Windows® Operating System</Data> 
-        <Data Name="Company">Microsoft Corporation</Data> 
-        <Data Name="OriginalFileName">taskhostw.exe</Data> 
-        <Data Name="CommandLine">taskhostw.exe C:\windows\System32\WindowsPowerShell\v1.0\powershell.EXE -noP -sta -w 1 -enc SQBGACgAJABQAFMAVgBFAFIAUwBpAE8ATgBUAGEAQgBMAGUALgBQAFMAVgBlAHIAUwBpAE8AbgAuAE0AYQBqAE8AcgAgAC0AZwBFACAAMwApAHsAJAA4...</Data> 
-        <Data Name="CurrentDirectory">C:\windows\system32\</Data> 
-        <Data Name="User">THESHIRE\sbeavers</Data> 
-        <Data Name="LogonGuid">{649442b8-783d-5fd2-c316-e00000000000}</Data> 
-        <Data Name="LogonId">0xe016c3</Data> 
-        <Data Name="TerminalSessionId">2</Data> 
-        <Data Name="IntegrityLevel">Medium</Data> 
-        <Data Name="Hashes">SHA1=6630F5E1A1ACC1C8E95A7958542DD87D0735D99B,MD5=52071D9553A92A12F22DDDF6DB6F9643,SHA256=ABCA3394728697205DEAD7C9B7B9076CDD28BEE84E7A3C84514478BC033E531A,IMPHASH=9CB27CAED52CB0AFFB32788922A0D083</Data> 
-        <Data Name="ParentProcessGuid">{649442b8-52dc-5fd1-3600-000000000600}</Data> 
-        <Data Name="ParentProcessId">2220</Data> 
-        <Data Name="ParentImage">C:\Windows\System32\svchost.exe</Data> 
-        <Data Name="ParentCommandLine">C:\windows\system32\svchost.exe -k netsvcs -p -s Schedule</Data> 
-    </EventData> 
+- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+    - <System>
+        <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" />
+        <EventID>1</EventID>
+        <Version>5</Version>
+        <Level>4</Level>
+        <Task>1</Task>
+        <Opcode>0</Opcode>
+        <Keywords>0x8000000000000000</Keywords>
+        <TimeCreated SystemTime="2020-12-16T17:23:48.196270400Z" />
+        <EventRecordID>9090341</EventRecordID>
+        <Correlation />
+        <Execution ProcessID="3256" ThreadID="4036" />
+        <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+        <Computer>WORKSTATION6.theshire.local</Computer>
+        <Security UserID="S-1-5-18" />
+    </System>
+    - <EventData>
+        <Data Name="RuleName">-</Data>
+        <Data Name="UtcTime">2020-12-16 17:23:48.185</Data>
+        <Data Name="ProcessGuid">{649442b8-42a4-5fda-af62-000000000600}</Data>
+        <Data Name="ProcessId">2836</Data>
+        <Data Name="Image">C:\Windows\System32\taskhostw.exe</Data>
+        <Data Name="FileVersion">10.0.18362.1237 (WinBuild.160101.0800)</Data>
+        <Data Name="Description">Host Process for Windows Tasks</Data>
+        <Data Name="Product">Microsoft® Windows® Operating System</Data>
+        <Data Name="Company">Microsoft Corporation</Data>
+        <Data Name="OriginalFileName">taskhostw.exe</Data>
+        <Data Name="CommandLine">taskhostw.exe C:\windows\System32\WindowsPowerShell\v1.0\powershell.EXE -noP -sta -w 1 -enc SQBGACgAJABQAFMAVgBFAFIAUwBpAE8ATgBUAGEAQgBMAGUALgBQAFMAVgBlAHIAUwBpAE8AbgAuAE0AYQBqAE8AcgAgAC0AZwBFACAAMwApAHsAJAA4...</Data>
+        <Data Name="CurrentDirectory">C:\windows\system32\</Data>
+        <Data Name="User">THESHIRE\sbeavers</Data>
+        <Data Name="LogonGuid">{649442b8-783d-5fd2-c316-e00000000000}</Data>
+        <Data Name="LogonId">0xe016c3</Data>
+        <Data Name="TerminalSessionId">2</Data>
+        <Data Name="IntegrityLevel">Medium</Data>
+        <Data Name="Hashes">SHA1=6630F5E1A1ACC1C8E95A7958542DD87D0735D99B,MD5=52071D9553A92A12F22DDDF6DB6F9643,SHA256=ABCA3394728697205DEAD7C9B7B9076CDD28BEE84E7A3C84514478BC033E531A,IMPHASH=9CB27CAED52CB0AFFB32788922A0D083</Data>
+        <Data Name="ParentProcessGuid">{649442b8-52dc-5fd1-3600-000000000600}</Data>
+        <Data Name="ParentProcessId">2220</Data>
+        <Data Name="ParentImage">C:\Windows\System32\svchost.exe</Data>
+        <Data Name="ParentCommandLine">C:\windows\system32\svchost.exe -k netsvcs -p -s Schedule</Data>
+    </EventData>
 </Event>
 ```
 
 * EventID 1: ProcessCreate (Execution when task is forced to execute or task is updated)
 
 ```xml
-- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> 
-    - <System> 
-        <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" /> 
-        <EventID>1</EventID> 
-        <Version>5</Version> 
-        <Level>4</Level> 
-        <Task>1</Task> 
-        <Opcode>0</Opcode> 
-        <Keywords>0x8000000000000000</Keywords> 
-        <TimeCreated SystemTime="2020-12-16T17:40:06.014964400Z" /> 
-        <EventRecordID>9103725</EventRecordID> 
-        <Correlation /> 
-        <Execution ProcessID="3256" ThreadID="4036" /> 
-        <Channel>Microsoft-Windows-Sysmon/Operational</Channel> 
-        <Computer>WORKSTATION6.theshire.local</Computer> 
-        <Security UserID="S-1-5-18" /> 
-        </System> 
-    - <EventData> 
-        <Data Name="RuleName">-</Data> 
-        <Data Name="UtcTime">2020-12-16 17:40:05.997</Data> 
-        <Data Name="ProcessGuid">{649442b8-4675-5fda-d962-000000000600}</Data> 
-        <Data Name="ProcessId">6840</Data> 
-        <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data> 
-        <Data Name="FileVersion">10.0.18362.1 (WinBuild.160101.0800)</Data> 
-        <Data Name="Description">Windows PowerShell</Data> 
-        <Data Name="Product">Microsoft® Windows® Operating System</Data> 
-        <Data Name="Company">Microsoft Corporation</Data> 
-        <Data Name="OriginalFileName">PowerShell.EXE</Data> 
-        <Data Name="CommandLine">C:\windows\System32\WindowsPowerShell\v1.0\powershell.EXE -noP -sta -w 1 -enc SQBGACgAJABQAFMAVgBFAFIAUwBpAE8ATgBUAGEAQgBMAGUALgBQAFMAVgBlAHIAUwBpAE8AbgAuAE0AYQBqAE8AcgAgAC0AZwBFACAAMwAp...</Data> 
-        <Data Name="CurrentDirectory">C:\windows\system32\</Data> 
-        <Data Name="User">THESHIRE\sbeavers</Data> 
-        <Data Name="LogonGuid">{649442b8-783d-5fd2-c316-e00000000000}</Data> 
-        <Data Name="LogonId">0xe016c3</Data> 
-        <Data Name="TerminalSessionId">2</Data> 
-        <Data Name="IntegrityLevel">Medium</Data> 
-        <Data Name="Hashes">SHA1=36C5D12033B2EAF251BAE61C00690FFB17FDDC87,MD5=CDA48FC75952AD12D99E526D0B6BF70A,SHA256=908B64B1971A979C7E3E8CE4621945CBA84854CB98D76367B791A6E22B5F6D53,IMPHASH=A7CEFACDDA74B13CD330390769752481</Data> 
-        <Data Name="ParentProcessGuid">{649442b8-52dc-5fd1-3600-000000000600}</Data> 
-        <Data Name="ParentProcessId">2220</Data> 
-        <Data Name="ParentImage">C:\Windows\System32\svchost.exe</Data> 
-        <Data Name="ParentCommandLine">C:\windows\system32\svchost.exe -k netsvcs -p -s Schedule</Data> 
-    </EventData> 
+- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+    - <System>
+        <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" />
+        <EventID>1</EventID>
+        <Version>5</Version>
+        <Level>4</Level>
+        <Task>1</Task>
+        <Opcode>0</Opcode>
+        <Keywords>0x8000000000000000</Keywords>
+        <TimeCreated SystemTime="2020-12-16T17:40:06.014964400Z" />
+        <EventRecordID>9103725</EventRecordID>
+        <Correlation />
+        <Execution ProcessID="3256" ThreadID="4036" />
+        <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+        <Computer>WORKSTATION6.theshire.local</Computer>
+        <Security UserID="S-1-5-18" />
+        </System>
+    - <EventData>
+        <Data Name="RuleName">-</Data>
+        <Data Name="UtcTime">2020-12-16 17:40:05.997</Data>
+        <Data Name="ProcessGuid">{649442b8-4675-5fda-d962-000000000600}</Data>
+        <Data Name="ProcessId">6840</Data>
+        <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+        <Data Name="FileVersion">10.0.18362.1 (WinBuild.160101.0800)</Data>
+        <Data Name="Description">Windows PowerShell</Data>
+        <Data Name="Product">Microsoft® Windows® Operating System</Data>
+        <Data Name="Company">Microsoft Corporation</Data>
+        <Data Name="OriginalFileName">PowerShell.EXE</Data>
+        <Data Name="CommandLine">C:\windows\System32\WindowsPowerShell\v1.0\powershell.EXE -noP -sta -w 1 -enc SQBGACgAJABQAFMAVgBFAFIAUwBpAE8ATgBUAGEAQgBMAGUALgBQAFMAVgBlAHIAUwBpAE8AbgAuAE0AYQBqAE8AcgAgAC0AZwBFACAAMwAp...</Data>
+        <Data Name="CurrentDirectory">C:\windows\system32\</Data>
+        <Data Name="User">THESHIRE\sbeavers</Data>
+        <Data Name="LogonGuid">{649442b8-783d-5fd2-c316-e00000000000}</Data>
+        <Data Name="LogonId">0xe016c3</Data>
+        <Data Name="TerminalSessionId">2</Data>
+        <Data Name="IntegrityLevel">Medium</Data>
+        <Data Name="Hashes">SHA1=36C5D12033B2EAF251BAE61C00690FFB17FDDC87,MD5=CDA48FC75952AD12D99E526D0B6BF70A,SHA256=908B64B1971A979C7E3E8CE4621945CBA84854CB98D76367B791A6E22B5F6D53,IMPHASH=A7CEFACDDA74B13CD330390769752481</Data>
+        <Data Name="ParentProcessGuid">{649442b8-52dc-5fd1-3600-000000000600}</Data>
+        <Data Name="ParentProcessId">2220</Data>
+        <Data Name="ParentImage">C:\Windows\System32\svchost.exe</Data>
+        <Data Name="ParentCommandLine">C:\windows\system32\svchost.exe -k netsvcs -p -s Schedule</Data>
+    </EventData>
 </Event>
 ```