taskhost.exe $(Arg0) & its other arguments

July 1, 2019 in threat hunting

While looking at Sysmon logs on Windows 7 I noticed a strange process entry that had the following properties:

  • service.exe – as a parent process
  • taskhost.exe – as an image
  • $(Arg0) – as a command line argument

Anytime you see a placeholder / reference like this you start wondering whether it is a bug or a feature.

After grepping all .exe and .dll files under Windows directory I couldn’t find any references to $(Arg0). Only after grepping all files I finally came across the following task entry:

  • c:\WINDOWS\System32\Tasks\Microsoft\Windows\RAC

After looking at other Task XML files I noticed there are other variants of such command line argument under the <data> field
– – as far as I know they are not reported anywhere on the dedicated Task Scheduler interface or in Autoruns:

Other entries found:

  • SYSTEM
    • Microsoft\Windows\CertificateServicesClient\SystemTask
    • Microsoft\Windows\Customer Experience Improvement Program\UsbCeip
  • USER
    • Microsoft\Windows\CertificateServicesClient\UserTask
  • <![CDATA[KEYROAMING]]>
    • Microsoft\Windows\CertificateServicesClient\UserTask-Roam
  • <![CDATA[$(Arg0)]]>
    • Microsoft\Windows\SideShow\GadgetManager
  • ![CDATA[$(Arg1)]]
    • Microsoft\Windows\Media Center\MediaCenterRecoveryTask
    • Microsoft\Windows\Media Center\ObjectStoreRecoveryTask
    • Microsoft\Windows\Media Center\PvrRecoveryTask
    • Microsoft\Windows\Media Center\PvrScheduleTask
    • Microsoft\Windows\Media Center\SqlLiteRecoveryTask
  • PageNotZero
    • Microsoft\Windows\MemoryDiagnostic\CorruptionDetector
  • Decompression
    • Microsoft\Windows\MemoryDiagnostic\DecompressionFailureDetector
  • <![CDATA[Logon]]>
    • Microsoft\Windows\Offline Files\Logon Synchronization
  • $(Arg0)
    • Microsoft\Windows\RAC\RacTask
    • Microsoft\Windows\Task Manager\Interactive

So, if you come across weird command line arguments used by taskhost.exe, the Tasks folder is a place to look at. Note that CDATA notation which I left intact (copied directly from the files) will not be present in the logs. As such, if you see e.g. ‘taskhost.exe KEYROAMING’ it is coming from the following entry:

  • Microsoft\Windows\CertificateServicesClient\UserTask-Roam
Share this :)

Comments are closed.