{"id":859,"date":"2019-11-11T10:00:00","date_gmt":"2019-11-11T10:00:00","guid":{"rendered":"http:\/\/172.23.1.43\/?p=859"},"modified":"2022-06-07T22:25:59","modified_gmt":"2022-06-07T22:25:59","slug":"wnf-and-task-scheduler","status":"publish","type":"post","link":"https:\/\/blog.n-dol.org\/2019\/11\/11\/wnf-and-task-scheduler\/","title":{"rendered":"WNF and Task Scheduler"},"content":{"rendered":"\n<p>As I was investing another subject, I came across a scheduled task with a custom trigger and when I looked at the XML, we can see <code>WnfStateChangeTrigger<\/code> as the trigger type. I began to look for documentation but nothing valuable.<\/p>\n\n\n\n<p>Until I came across a blackhat conference by <a rel=\"noreferrer noopener\" aria-label=\"Alex Ionescu (opens in a new tab)\" href=\"http:\/\/www.alex-ionescu.com\/\" target=\"_blank\">Alex Ionescu<\/a> and <a rel=\"noreferrer noopener\" aria-label=\"Gabrielle Viala (opens in a new tab)\" href=\"https:\/\/blog.quarkslab.com\/author\/gwaby.html\" target=\"_blank\">Gabrielle Viala<\/a> where they explain what WNF is.<\/p>\n\n\n\n<p>The interesting thing here is that WNF stand for Windows Notification Facility and is the notification system within the Windows OS. So it seems that the Task Scheduler is capable of subscribing to event and launch task against it. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How WNF works ?<\/h2>\n\n\n\n<p>In a nutshell and as 20k feet view: it&#8217;s notification system where processes can subscribe and publish without the need to wait for the other processes to be there. For example, if you want to be notified that wifi is connected then you subscribe to the event and the system will notify you that it did start and also can gives you more information like SSID name etc. The system or a process can also publish information to it.<\/p>\n\n\n\n<p>For (wayyyy) more information, watch the conference and read these: <\/p>\n\n\n\n<ul><li>Conference: <a rel=\"noreferrer noopener\" aria-label=\"https:\/\/www.youtube.com\/watch?v=MybmgE95weo (opens in a new tab)\" href=\"https:\/\/www.youtube.com\/watch?v=MybmgE95weo\" target=\"_blank\">https:\/\/www.youtube.com\/watch?v=MybmgE95weo<\/a><\/li><li>Slides: <a rel=\"noreferrer noopener\" aria-label=\"http:\/\/alex-ionescu.com\/publications\/BlackHat\/blackhat2018.pdf (opens in a new tab)\" href=\"http:\/\/alex-ionescu.com\/publications\/BlackHat\/blackhat2018.pdf\" target=\"_blank\">http:\/\/alex-ionescu.com\/publications\/BlackHat\/blackhat2018.pdf<\/a><\/li><li>Gabrielle&#8217;s blog post: <a rel=\"noreferrer noopener\" aria-label=\"https:\/\/blog.quarkslab.com\/playing-with-the-windows-notification-facility-wnf.html (opens in a new tab)\" href=\"https:\/\/blog.quarkslab.com\/playing-with-the-windows-notification-facility-wnf.html\" target=\"_blank\">https:\/\/blog.quarkslab.com\/playing-with-the-windows-notification-facility-wnf.html<\/a><\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">WnfStateChangeTrigger<\/h2>\n\n\n\n<p>When you look at this attribute, it&#8217;s the same length as a WNF state name which is a 64 Bit int but doesn&#8217;t correspond to any WNF state names either well-known, permanent or volatile, when you used directly. When trying to <code>XOR<\/code> it with the magic constant <code>WNF_STATE_KEY<\/code>, it doesn&#8217;t output anything meaningful, so it&#8217;s definitely not a usual WNF number.<\/p>\n\n\n\n<p>After having a quick look in the PDB of taskschd.dll, I could find information  about <code>WnfStateChangeTriggerImpl<\/code> but nothing with regards to the state number conversion. So, I let that go (Frozen style).<\/p>\n\n\n\n<p>Finally, after staring for hours at the Task Scheduler state name and usual WNF numbers, I noticed something interesting, the task scheduler state name, I was looking at, end with 41 and start with 75 and WNF ones start with 41 and end with 75 for a lot of them.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Light bulb Moment<\/h2>\n\n\n\n<p>It appears that the <code>StateName<\/code> attribute is indeed a correct WNF number but in the wrong order. Each 8 bits or 2 characters are backward. I understood after, that this change is due to <a rel=\"noreferrer noopener\" aria-label=\"Endianess (opens in a new tab)\" href=\"https:\/\/en.wikipedia.org\/wiki\/Endianness\" target=\"_blank\">Endianess<\/a>, one is using Big Endian the other Little Endian.<\/p>\n\n\n\n<p>So 7550bea33e06830d = 0d83063ea3be5075<\/p>\n\n\n\n<p>I&#8217;ve created 2 powershell functions to translate the name, it works in both direction, from and to. The first one is using the string and switching around the characters while the second one is doing it at the byte level.<\/p>\n\n\n\n<pre class=\"wp-block-prismatic-blocks\"><code class=\"language-powershell\">function Translate-StateName {\n    param (\n        [ValidateLength(16,16)] [String] $StateName\n    )\n    \n    process {\n        $CharArray = (&amp;{for ($i = 0;$i -lt $StateName.length;$i += 2) { $StateName.substring($i,2) }})\n        $TranslatedStateName = (&amp;{for ( $i = 7; $i -ge 0; $i-- ) { $CharArray[$i] }}) -join &#039;&#039;\n        return $TranslatedStateName\n    }\n}\n<\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<pre class=\"wp-block-prismatic-blocks\"><code class=\"language-powershell\">function Convert-StateNameEndianness {\n    param (\n        [ValidateLength(16,16)] [String] $StateName\n    )\n    process {\n        [byte[]] $ByteArray = [System.BitConverter]::GetBytes([Convert]::ToInt64($StateName,16))\n        if ([System.BitConverter]::IsLittleEndian -eq $false) { [System.Array]::Reverse($ByteArray) }\n        return ([System.BitConverter]::ToString($ByteArray)).Replace(&#039;-&#039;,&#039;&#039;)\n    }\n}<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Testing<\/h2>\n\n\n\n<p>So now that we have the key to unlock, let&#8217;s test it.<br>I\u2019ve used <code>WNF_SHEL_DESKTOP_APPLICATION_STARTED<\/code> same as what <a rel=\"noreferrer noopener\" aria-label=\"Gabrielle used in her blog post (opens in a new tab)\" href=\"https:\/\/blog.quarkslab.com\/playing-with-the-windows-notification-facility-wnf.html\" target=\"_blank\">Gabrielle used in her blog post<\/a> as I knew this would work (superstition sometimes\u2026)<br>Here&#8217;s the scheduled task that I&#8217;ve used<\/p>\n\n\n\n<pre class=\"wp-block-prismatic-blocks\"><code class=\"language-markup\">&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-16&quot;?&gt;\n&lt;Task version=&quot;1.6&quot; xmlns=&quot;http:\/\/schemas.microsoft.com\/windows\/2004\/02\/mit\/task&quot;&gt;\n  &lt;RegistrationInfo&gt;\n    &lt;Author&gt;Camille Debay&lt;\/Author&gt;\n    &lt;Description&gt;Test WNF Subscription to Start Desktop Application&lt;\/Description&gt;\n    &lt;URI&gt;\\TEST\\WNFSub&lt;\/URI&gt;\n  &lt;\/RegistrationInfo&gt;\n  &lt;Principals&gt;\n    &lt;Principal id=&quot;LocalSystem&quot;&gt;\n      &lt;UserId&gt;S-1-5-18&lt;\/UserId&gt;\n    &lt;\/Principal&gt;\n  &lt;\/Principals&gt;\n  &lt;Settings&gt;\n    &lt;DisallowStartIfOnBatteries&gt;false&lt;\/DisallowStartIfOnBatteries&gt;\n    &lt;StopIfGoingOnBatteries&gt;false&lt;\/StopIfGoingOnBatteries&gt;\n    &lt;MultipleInstancesPolicy&gt;Queue&lt;\/MultipleInstancesPolicy&gt;\n    &lt;StartWhenAvailable&gt;true&lt;\/StartWhenAvailable&gt;\n    &lt;IdleSettings&gt;\n      &lt;StopOnIdleEnd&gt;true&lt;\/StopOnIdleEnd&gt;\n      &lt;RestartOnIdle&gt;false&lt;\/RestartOnIdle&gt;\n    &lt;\/IdleSettings&gt;\n    &lt;UseUnifiedSchedulingEngine&gt;true&lt;\/UseUnifiedSchedulingEngine&gt;\n  &lt;\/Settings&gt;\n  &lt;Triggers&gt;\n    &lt;WnfStateChangeTrigger&gt;\n      &lt;StateName&gt;7550BEA33E06830D&lt;\/StateName&gt;\n    &lt;\/WnfStateChangeTrigger&gt;\n  &lt;\/Triggers&gt;\n  &lt;Actions Context=&quot;LocalSystem&quot;&gt;\n    &lt;Exec&gt;\n      &lt;Command&gt;powershell&lt;\/Command&gt;\n      &lt;Arguments&gt;-ExecutionPolicy Bypass -WindowStyle hidden -NonInteractive -NoLogo -file &quot;C:\\temp\\test.ps1&quot;&lt;\/Arguments&gt;\n    &lt;\/Exec&gt;\n  &lt;\/Actions&gt;\n&lt;\/Task&gt;<\/code><\/pre>\n\n\n\n<p>The task is running a powershell script which create a new line with the time of execution.<\/p>\n\n\n\n<pre class=\"wp-block-prismatic-blocks\"><code class=\"language-powershell\">Get-date | out-file C:\\temp\\test.txt -NoClobber -Append<\/code><\/pre>\n\n\n\n<p>To import the task as we need to be admin and to use powershell, won\u2019t work in the GUI, with the following command:<\/p>\n\n\n\n<pre class=\"wp-block-prismatic-blocks\"><code class=\"language-powershell\">Register-ScheduledTask -Xml (Get-Content -Path C:\\temp\\WNFTaskTrigger.xml | Out-String) -TaskName TestWNFStartDesktopApp -TaskPath &#039;\\TEST\\&#039; -force<\/code><\/pre>\n\n\n\n<p>Next step is to open any desktop app.<\/p>\n\n\n\n<p>Bingo! it&#8217;s works!!<\/p>\n\n\n\n<figure class=\"wp-block-image alignwide size-large\"><a href=\"http:\/\/172.23.1.43\/wp-content\/uploads\/2019\/11\/WNF-TaskScheduler-Result.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"><img decoding=\"async\" width=\"1368\" height=\"583\" src=\"https:\/\/i1.wp.com\/debay.blog\/wp-content\/uploads\/2019\/11\/WNF-TaskScheduler-Result.jpg?fit=688%2C293&amp;ssl=1\" alt=\"\" class=\"wp-image-874\" srcset=\"https:\/\/blog.n-dol.org\/wp-content\/uploads\/2019\/11\/WNF-TaskScheduler-Result.jpg 1368w, https:\/\/blog.n-dol.org\/wp-content\/uploads\/2019\/11\/WNF-TaskScheduler-Result-300x128.jpg 300w, https:\/\/blog.n-dol.org\/wp-content\/uploads\/2019\/11\/WNF-TaskScheduler-Result-768x327.jpg 768w, https:\/\/blog.n-dol.org\/wp-content\/uploads\/2019\/11\/WNF-TaskScheduler-Result-1024x436.jpg 1024w\" sizes=\"(max-width: 1368px) 100vw, 1368px\" \/><\/a><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Wrap up<\/h2>\n\n\n\n<p>So the Windows Task Scheduler is capable of subscribing to WNF events and trigger tasks, the event I&#8217;ve used is a system wide event but there is WNF in user mode which could be reused for other purposes.<\/p>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<p class=\"has-medium-font-size\">References:<\/p>\n\n\n\n<ul><li><a href=\"https:\/\/blog.quarkslab.com\/playing-with-the-windows-notification-facility-wnf.html\">https:\/\/blog.quarkslab.com\/playing-with-the-windows-notification-facility-wnf.html<\/a><\/li><li><a href=\"https:\/\/github.com\/ionescu007\/wnfun\">https:\/\/github.com\/ionescu007\/wnfun<\/a><\/li><li><a href=\"http:\/\/alex-ionescu.com\/publications\/BlackHat\/blackhat2018.pdf\">http:\/\/alex-ionescu.com\/publications\/BlackHat\/blackhat2018.pdf<\/a><\/li><li><a href=\"http:\/\/redplait.blogspot.com\/2012\/09\/wnf-notifiers.html\">http:\/\/redplait.blogspot.com\/2012\/09\/wnf-notifiers.html<\/a><\/li><li><a href=\"http:\/\/redplait.blogspot.com\/2017\/08\/wnf-ids-from-perfntcdll.html\">http:\/\/redplait.blogspot.com\/2017\/08\/wnf-ids-from-perfntcdll.html<\/a><\/li><li><a href=\"https:\/\/gracefulbits.com\/2018\/08\/13\/find-which-process-is-using-the-microphone-from-a-kernel-mode-driver\/\">https:\/\/gracefulbits.com\/2018\/08\/13\/find-which-process-is-using-the-microphone-from-a-kernel-mode-driver\/<\/a><\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>As I was investing another subject, I came across a scheduled task with a custom trigger and when I looked&hellip;<\/p>\n","protected":false},"author":5614970,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[637,800],"tags":[672890868,672890869,672890867],"_links":{"self":[{"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/posts\/859"}],"collection":[{"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/users\/5614970"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/comments?post=859"}],"version-history":[{"count":27,"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/posts\/859\/revisions"}],"predecessor-version":[{"id":1409,"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/posts\/859\/revisions\/1409"}],"wp:attachment":[{"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/media?parent=859"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/categories?post=859"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/tags?post=859"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}