![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/07\/taskhost_arg0_2.png\")
<\/a><\/figure>\n\n\n\nAnytime you see a placeholder \/ reference like this you start wondering whether it is a bug or a feature.<\/p>\n\n\n\n
After grepping all .exe and .dll files under Windows directory I couldn’t find any references to $(Arg0). Only after grepping all files I finally came across the following task entry:<\/p>\n\n\n\n
- c:\\WINDOWS\\System32\\Tasks\\Microsoft\\Windows\\RAC<\/li><\/ul>\n\n\n\n
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/07\/taskhost_arg0.png\")
<\/a><\/figure>\n\n\n\nAfter looking at other Task XML files I noticed there are other variants of such command line argument under the <data> field
– – as far as I know they are not reported anywhere on the dedicated Task Scheduler interface or in Autoruns:<\/p>\n\n\n\n![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/07\/taskhost_arg0_3.png\")
<\/a><\/figure>\n\n\n\nOther entries found:<\/p>\n\n\n\n
- SYSTEM
- Microsoft\\Windows\\CertificateServicesClient\\SystemTask<\/li><\/ul>
- Microsoft\\Windows\\Customer Experience Improvement Program\\UsbCeip<\/li><\/ul><\/li>
- USER
- Microsoft\\Windows\\CertificateServicesClient\\UserTask<\/li><\/ul><\/li>
- <![CDATA[KEYROAMING]]>
- Microsoft\\Windows\\CertificateServicesClient\\UserTask-Roam<\/li><\/ul><\/li>
- <![CDATA[$(Arg0)]]>
- Microsoft\\Windows\\SideShow\\GadgetManager<\/li><\/ul><\/li>
- ![CDATA[$(Arg1)]]
- Microsoft\\Windows\\Media Center\\MediaCenterRecoveryTask<\/li>
- Microsoft\\Windows\\Media Center\\ObjectStoreRecoveryTask<\/li>
- Microsoft\\Windows\\Media Center\\PvrRecoveryTask<\/li>
- Microsoft\\Windows\\Media Center\\PvrScheduleTask<\/li>
- Microsoft\\Windows\\Media Center\\SqlLiteRecoveryTask<\/li><\/ul><\/li>
- PageNotZero
- Microsoft\\Windows\\MemoryDiagnostic\\CorruptionDetector<\/li><\/ul><\/li>
- Decompression
- Microsoft\\Windows\\MemoryDiagnostic\\DecompressionFailureDetector<\/li><\/ul><\/li>
- <![CDATA[Logon]]>
- Microsoft\\Windows\\Offline Files\\Logon Synchronization<\/li><\/ul><\/li>
- $(Arg0)
- Microsoft\\Windows\\RAC\\RacTask<\/li>
- Microsoft\\Windows\\Task Manager\\Interactive<\/li><\/ul><\/li><\/ul>\n\n\n\n
So, if you come across weird command line arguments used by taskhost.exe, the Tasks folder is a place to look at. Note that CDATA notation which I left intact (copied directly from the files) will not be present in the logs. As such, if you see e.g. ‘taskhost.exe KEYROAMING’ it is coming from the following entry:<\/p>\n\n\n\n
- Microsoft\\Windows\\CertificateServicesClient\\UserTask-Roam<\/li><\/ul>\n\n\n\n
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/07\/taskhost_arg0_4.png\")
<\/a><\/figure>\n","protected":false},"excerpt":{"rendered":"While looking at Sysmon logs on Windows 7 I noticed a strange process entry that had the following properties: service.exe – as a parent process taskhost.exe – as an image $(Arg0) – as a command line argument Anytime you see … Continue reading
- Microsoft\\Windows\\CertificateServicesClient\\UserTask-Roam<\/li><\/ul>\n\n\n\n
- Microsoft\\Windows\\CertificateServicesClient\\SystemTask<\/li><\/ul>
- SYSTEM