ForensicsWiki will continue to operate as it has before and will not be shutting down. Thank you for your continued support of ForensicsWiki.

Difference between revisions of "Windows Job File Format"

From ForensicsWiki
Jump to: navigation, search
(Status)
(variable-length section)
Line 187: Line 187:
  
 
=== variable-length section ===
 
=== variable-length section ===
 +
The variable-length section contains the following values:
 +
* Running Instance Count
 +
* Application Name
 +
* Parameters
 +
* Working Directory
 +
* Author
 +
* Comment
 +
* User Data
 +
* Reserved Data
 +
* Triggers
 +
* Job Signature
  
 
== See Also ==
 
== See Also ==

Revision as of 15:42, 5 July 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Overview

On Windows a .JOB file specifies task configuration. A .JOB file consists of two main sections, fixed-length and variable-length.

fixed-length section

The fixed-length section is 68 bytes in size and consists of:

offset size value description
0 2 Product version
2 2 File version
4 16 Job UUID (or GUID)
20 2 Application name size offset
The offset is relative from the start of the file.
22 2 Trigger offset
The offset is relative from the start of the file.
24 2 Error Retry Count
26 2 Error Retry Interval
28 2 Idle Deadline
30 2 Idle Wait
32 4 Priority
36 4 Maximum Run Time
40 4 Exit Code
44 4 Status
48 4 Flags
52 16 Last run time
Consists of a SYSTEMTIME

SYSTEMTIME

offset size value description
0 2 Year
2 2 Month
4 2 Weekday
6 2 Day
8 2 Hour
10 2 Minute
12 2 Second
14 2 Milli second

Priority

Value Identifier Description
0x00800000 REALTIME_PRIORITY_CLASS The task can run at the highest possible priority. The threads of a real-time priority class process preempt the threads of all other processes, including operating system processes performing important tasks.
0x01000000 HIGH_PRIORITY_CLASS The task performs time-critical tasks that can be executed immediately for it to run correctly. The threads of a high-priority class process preempt the threads of normal or idle priority class processes.
0x02000000 IDLE_PRIORITY_CLASS The task can run in a process whose threads run only when the machine is idle, and are preempted by the threads of any process running in a higher priority class.
0x04000000 NORMAL_PRIORITY_CLASS The task has no special scheduling requirements.

Status

Value Identifier Description
0x00041300 SCHED_S_TASK_READY Task is not running but is scheduled to run at some time in the future.
0x00041301 SCHED_S_TASK_RUNNING Task is currently running.
0x00041305 SCHED_S_TASK_NOT_SCHEDULED The task is not running and has no valid triggers.

Flags

See: Flags

variable-length section

The variable-length section contains the following values:

  • Running Instance Count
  • Application Name
  • Parameters
  • Working Directory
  • Author
  • Comment
  • User Data
  • Reserved Data
  • Triggers
  • Job Signature

See Also

External Links