4701 A scheduled task was disabled
Logged when an existing scheduled task is disabled. It can catch the disabling of defensive or monitoring tasks (defense evasion) and the temporary hiding of a malicious task between runs.
Overview
The event belongs to the Audit Other Object Access Events subcategory of the Security log, so success auditing for that subcategory must be enabled for it to be written. It is generated when an existing task is switched to the disabled state. Together with 4700 (a scheduled task was enabled) it tracks changes in a task's run state; 4698 (created), 4699 (deleted) and 4702 (updated) cover the rest of the task lifecycle.
How it is triggered
- When an existing task is switched to disabled, whether from the Task Scheduler GUI, from the command line (schtasks /Change /TN <task name> /Disable), from PowerShell (Disable-ScheduledTask), or through the Task Scheduler API. All of these paths produce the same event.
Security review points
- Check which task was disabled (Task Name) and which account did it (Subject). If a monitoring, backup, or security-related task was disabled, defenses may be being weakened; confirm with the task owner before treating it as benign.
- An attacker may also disable a malicious task after it has run so that it does not stand out among active tasks, then re-enable it before the next run (which produces 4700). A 4701 followed by a 4700 for the same task name within a short window is worth correlating.
Notes for log review
- It also occurs during routine operation and maintenance, so alerting on every 4701 is noisy. Narrow alerting to the disabling of important defensive tasks (matched by task path) and to subjects that do not normally manage tasks.
- The event carries the task's XML in Task Content, so what the task does can be read from the 4701 itself; correlate with the 4698 creation event to see who created it and when, and with 4702 for any later changes.
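The two review points above, as an added triage example that is not part of the original page: it parses Security-log event XML for 4700/4701 records and flags a disabled defensive task and a disable that is soon followed by a re-enable of the same task. The event records are constructed samples in the Security log's EventData layout, and the protected-task path prefixes are an assumption to tailor per environment (the Defender path is real, the \Corp\ entries are placeholders).

```python
"""Triage 4701 (task disabled) events from the Windows Security log.

Added example, not code from the original page. Flags two patterns:
a protected (defensive) task being disabled, and a 4701 followed by a
4700 for the same task inside a short window (hide-and-restore).
"""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed list of task paths whose disabling should always alert.
# The Defender path is a real one; the \Corp\ entries are placeholders.
PROTECTED_PREFIXES = (
    "\\Microsoft\\Windows\\Windows Defender\\",
    "\\Corp\\EDR\\",
    "\\Corp\\Backup\\",
)


def parse_event(xml_text):
    """Pull the fields a reviewer needs out of one 4700/4701 event record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    stamp = system.find("e:TimeCreated", NS).get("SystemTime")
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    return {
        "id": int(system.find("e:EventID", NS).text),
        "time": datetime.fromisoformat(stamp.replace("Z", "+00:00")),
        "computer": system.find("e:Computer", NS).text,
        "subject": f"{data.get('SubjectDomainName', '')}\\{data.get('SubjectUserName', '')}",
        "logon_id": data.get("SubjectLogonId", ""),
        "task": data.get("TaskName", ""),
        "content": data.get("TaskContent", ""),
    }


def is_protected(task_name):
    """Case-insensitive prefix match against the protected task paths."""
    return any(task_name.lower().startswith(p.lower()) for p in PROTECTED_PREFIXES)


def analyze(event_xml_list, reenable_window=timedelta(hours=1)):
    """Return (rule, event) findings for every 4701 in the input."""
    events = sorted((parse_event(x) for x in event_xml_list), key=lambda e: e["time"])
    findings = []
    for i, ev in enumerate(events):
        if ev["id"] != 4701:
            continue
        if is_protected(ev["task"]):
            findings.append(("protected_task_disabled", ev))
        # Hide-and-restore: look ahead for a 4700 on the same task within the window.
        for later in events[i + 1:]:
            if later["time"] - ev["time"] > reenable_window:
                break
            if later["id"] == 4700 and later["task"] == ev["task"]:
                findings.append(("disable_then_reenable", ev))
                break
    return findings


def make_event(event_id, when, user, task):
    """Constructed sample record in the Security log's EventData layout."""
    return f"""<Event xmlns="{NS['e']}">
  <System><EventID>{event_id}</EventID><TimeCreated SystemTime="{when}"/>
  <Computer>WS01.corp.example</Computer></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1-2-3-1001</Data>
    <Data Name="SubjectUserName">{user}</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TaskName">{task}</Data>
    <Data Name="TaskContent">&lt;Task /&gt;</Data>
  </EventData>
</Event>"""


# Constructed sample log: one protected-task disable, one disable/re-enable pair,
# and one routine disable that should produce no finding.
SAMPLE_EVENTS = [
    make_event(4701, "2024-05-01T10:00:00Z", "jdoe",
               "\\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan"),
    make_event(4701, "2024-05-01T10:05:00Z", "svc-deploy", "\\Corp\\Updater\\Nightly"),
    make_event(4700, "2024-05-01T10:20:00Z", "svc-deploy", "\\Corp\\Updater\\Nightly"),
    make_event(4701, "2024-05-01T12:00:00Z", "admin", "\\Corp\\Reports\\Weekly"),
]

if __name__ == "__main__":
    for rule, ev in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {ev['time']:%H:%M} {ev['subject']} disabled {ev['task']} on {ev['computer']}")
```

On a live host the same functions can be fed the XML from Get-WinEvent (each record's ToXml() output) or from forwarded events; the Logon ID field is kept so a finding can be tied back to the 4624 logon session that performed the change.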
Key fields
| Field | Meaning |
|---|---|
| Subject\Security ID, Account Name, Account Domain | The account that performed the operation |
| Subject\Logon ID | Logon session of that account; correlate with the matching 4624 |
| Task Name | Full path of the disabled task in the Task Scheduler library |
| Task Content | XML definition of the task as it stood when it was disabled |