SOC Event Lookup
Event ID 4700ScheduledTaskP3

Windows Event ID 4700: A scheduled task was enabled

Windows Security Event ID 4700 records that a scheduled task was enabled.

Applicable version
Windows Server 2008 and later where the audit subcategory is enabled
Last reviewed
2026-07-13

Trigger Scenarios

Microsoft documents that this event is generated every time a scheduled task is enabled.

Key Fields

Task Name

The enabled task path. Microsoft recommends monitoring critical tasks that should never be enabled.

Task Content

Task XML content that can expose command, arguments, trigger, and principal context.

Subject Logon ID

Hexadecimal logon session for the account enabling the task.

Common False Positives

  • Administrators may enable tasks during maintenance or application deployment.
  • Vendor updaters can re-enable their own disabled tasks.

Related Events

MITRE ATT&CK Mapping

  • T1053.005Scheduled Task/Job: Scheduled Task

Detection Notes

Use threshold=1 for critical Task Name values that should never be enabled, as Microsoft recommends. Task Name in the Task Scheduler Library root such as \Updater or Task Content running powershell.exe from C:\Users\Public supports T1053.005 Scheduled Task when an actor reactivates persistence. Correlate Subject Logon ID with 4624/4688 and compare Task Content against the approved baseline.

Microsoft Sentinel KQL
SecurityEvent
| where EventID == 4700
| project TimeGenerated, Computer, Account, TaskName, TaskContent
Splunk SPL
index=wineventlog EventCode=4700 | table _time, host, Account_Name, Task_Name, Task_Content
Sample Log
EventID: 4700
Subject Logon ID: 0x42a91
Task Name: \Updater
Task Content: <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>

Source