4700 A scheduled task was enabled
Logged when a disabled scheduled task is enabled. It can catch the technique of keeping a malicious task disabled and enabling it only at attack time.
Overview
The subcategory is Audit Other Object Access Events. It is generated when an existing task is enabled. Together with creation (4698), disabling (4701), and update (4702), it tracks a task's state changes.
How it is triggered
- When a disabled task is switched to enabled (GUI, schtasks /change /enable, or API).
Security review points
- An attacker may keep a task disabled to avoid detection and enable it only when they want it to run. Check which task was enabled, when, and by whom.
- Also check, against the operational context, cases where a defensive or monitoring task is re-enabled after it was disabled (4701).
Notes for log review
- It tends to be noise on its own. Tie it to the creation-time XML (4698) and evaluate what the enabled task runs.
- It also appears during legitimate operational toggling. Compare the target task and the subject against normal patterns.
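
One way to apply these review notes, as an added example that is not part of the original page: each 4700 is joined to the 4698 creation record for the same task, so the reviewer sees what the task runs, who created it, how long it sat before being enabled, and whether a 4701 preceded it. The record keys (event_id, time, task_name, account, task_content) and the sample events are constructed assumptions for an exported log.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# XML namespace used by Task Scheduler task definitions
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

def task_command(task_xml):
    """Return the Exec command line from a task's creation-time XML, or None."""
    exe = ET.fromstring(task_xml).find("t:Actions/t:Exec", NS)
    if exe is None:
        return None  # no Exec action (for example a COM handler task)
    cmd = exe.findtext("t:Command", "", NS)
    args = exe.findtext("t:Arguments", "", NS)
    return f"{cmd} {args}".strip()

def review_enables(events):
    """Attach creation (4698) and disable (4701) context to every 4700."""
    created, last_disable, findings = {}, {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        name = ev["task_name"]
        if ev["event_id"] == 4698:
            created[name] = ev
        elif ev["event_id"] == 4701:
            last_disable[name] = ev
        elif ev["event_id"] == 4700:
            origin = created.get(name)           # None: created outside the log window
            off = last_disable.pop(name, None)   # disable that this enable reverses
            findings.append({
                "task": name,
                "enabled_by": ev["account"],
                "enabled_at": ev["time"],
                "command": task_command(origin["task_content"]) if origin else None,
                "created_by": origin["account"] if origin else None,
                "dormant_days": (ev["time"] - origin["time"]).days if origin else None,
                "disabled_by": off["account"] if off else None,
            })
    return findings

# Constructed sample records (assumed export shape, not real log data)
_XML = ('<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        '<Actions><Exec><Command>C:\\Example\\job.exe</Command>'
        '<Arguments>/quiet</Arguments></Exec></Actions></Task>')
SAMPLE = [
    {"event_id": 4698, "time": datetime(2024, 1, 2, 9, 0), "task_name": "\\ExampleJob",
     "account": "alice", "task_content": _XML},
    {"event_id": 4700, "time": datetime(2024, 2, 1, 3, 15), "task_name": "\\ExampleJob", "account": "bob"},
    {"event_id": 4701, "time": datetime(2024, 2, 3, 10, 0), "task_name": "\\ExampleMonitor", "account": "carol"},
    {"event_id": 4700, "time": datetime(2024, 2, 3, 10, 30), "task_name": "\\ExampleMonitor", "account": "carol"},
]
```

A finding whose command is None means no 4698 for that task was in the reviewed window, so the task definition has to be read from another source before the enable can be judged.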
Key fields
| Field | Meaning |
|---|---|
| Task Name | The enabled task name |
| Subject\Account Name | The account that performed the operation |