
Windows Job File Format

From ForensicsWiki
 
 
{{expand}}

== Overview ==
On [[Windows]] a .JOB file stores the configuration of a scheduled task created through the Task Scheduler 1.0 interface (the at command and the ITask API). The files live in %SystemRoot%\Tasks, one file per task, and are a persistence artifact worth collecting: the application name, its parameters, the author and the last run time are stored in clear text inside the file.

A .JOB file consists of two main sections, a fixed-length section followed by a variable-length section. All multi-byte integers are stored little-endian.

=== Fixed-length section ===
The fixed-length section is 68 bytes in size and consists of:
{| class="wikitable"
|-
! offset
! size
! value
! description
|-
| 0
| 2
| 0x0400 = Windows NT 4.0 <br> 0x0500 = Windows 2000 <br> 0x0501 = Windows XP <br> 0x0600 = Windows Vista <br> 0x0601 = Windows 7 <br> 0x0602 = Windows 8 <br> 0x0603 = Windows 8.1
| Product version <br> The Windows version that wrote the file, as major.minor.
|-
| 2
| 2
| 0x0001
| File version
|-
| 4
| 16
|
| Job UUID (or GUID) <br> Identifies the job; stored in the usual mixed-endian GUID byte order.
|-
| 20
| 2
|
| Application name length offset <br> The offset is relative from the start of the file and points at the 2-byte character count of the application name, i.e. the first string of the variable-length section. In a well-formed file it is 70 (the 68-byte fixed-length section plus the 2-byte running instance count).
|-
| 22
| 2
|
| Trigger offset <br> The offset is relative from the start of the file and points at the trigger count that starts the Triggers section.
|-
| 24
| 2
|
| Error retry count
|-
| 26
| 2
|
| Error retry interval <br> In minutes.
|-
| 28
| 2
|
| Idle deadline <br> In minutes.
|-
| 30
| 2
|
| Idle wait <br> In minutes.
|-
| 32
| 4
|
| Priority <br> See below.
|-
| 36
| 4
|
| Maximum run time <br> In milliseconds.
|-
| 40
| 4
|
| Exit code <br> Of the last run of the task.
|-
| 44
| 4
|
| Status <br> See below.
|-
| 48
| 4
|
| Flags <br> See below.
|-
| 52
| 16
|
| Last run time <br> Consists of a SYSTEMTIME; a year of 0 means the task has not run yet.
|}

==== SYSTEMTIME ====
{| class="wikitable"
|-
! offset
! size
! value
! description
|-
| 0
| 2
|
| Year
|-
| 2
| 2
| 1 - 12
| Month
|-
| 4
| 2
| 0 - 6
| Weekday <br> 0 = Sunday, 6 = Saturday
|-
| 6
| 2
| 1 - 31
| Day
|-
| 8
| 2
| 0 - 23
| Hour
|-
| 10
| 2
| 0 - 59
| Minute
|-
| 12
| 2
| 0 - 59
| Second
|-
| 14
| 2
| 0 - 999
| Milliseconds
|}

The last run time is recorded in the local time of the system that ran the task, not in UTC; convert it with that system's time zone before correlating it with UTC timestamps from other sources. The weekday field is redundant with the date and can be checked for consistency when a file is suspected of having been edited.

==== Priority ====
{| class="wikitable"
|-
! Value
! Identifier
! Description
|-
| 0x00800000
| REALTIME_PRIORITY_CLASS
| The task can run at the highest possible priority. The threads of a real-time priority class process preempt the threads of all other processes, including operating system processes performing important tasks.
|-
| 0x01000000
| HIGH_PRIORITY_CLASS
| The task performs time-critical work that must be executed immediately for it to run correctly. The threads of a high-priority class process preempt the threads of normal or idle priority class processes.
|-
| 0x02000000
| IDLE_PRIORITY_CLASS
| The task runs in a process whose threads run only when the machine is idle, and are preempted by the threads of any process running in a higher priority class.
|-
| 0x04000000
| NORMAL_PRIORITY_CLASS
| The task has no special scheduling requirements.
|}

These are the values defined for the Priority field of the .JOB file. They are not the Win32 process priority class constants (where REALTIME_PRIORITY_CLASS is 0x00000100 and NORMAL_PRIORITY_CLASS is 0x00000020), so the field must not be passed through a generic Win32 priority decoder.

==== Status ====
The Status field holds the last known scheduler status of the task as one of the SCHED_S_* codes; MS-TSCH defines the following values for this field:

{| class="wikitable"
|-
! Value
! Identifier
! Description
|-
| 0x00041300
| SCHED_S_TASK_READY
| The task is not running but is scheduled to run at some time in the future.
|-
| 0x00041301
| SCHED_S_TASK_RUNNING
| The task is currently running.
|-
| 0x00041305
| SCHED_S_TASK_NOT_SCHEDULED
| The task is not running and has no valid triggers.
|}

==== Flags ====
Flags is a 32-bit bit field that records the conditions under which the task runs. The bit layout is given in the MS-TSCH Flags section, see: [http://msdn.microsoft.com/en-us/library/cc248283.aspx Flags]. The flags defined there correspond to the TASK_FLAG_* constants of the Task Scheduler 1.0 API:

* TASK_FLAG_INTERACTIVE: the task can interact with the desktop of the logged-on user.
* TASK_FLAG_DELETE_WHEN_DONE: the .JOB file is deleted once the task has no more scheduled runs.
* TASK_FLAG_DISABLED: the task does not run.
* TASK_FLAG_START_ONLY_IF_IDLE, TASK_FLAG_KILL_ON_IDLE_END, TASK_FLAG_RESTART_ON_IDLE_RESUME: idle-time conditions, used together with the idle wait and idle deadline fields.
* TASK_FLAG_DONT_START_IF_ON_BATTERIES, TASK_FLAG_KILL_IF_GOING_ON_BATTERIES, TASK_FLAG_RUN_ONLY_IF_DOCKED: power and docking conditions.
* TASK_FLAG_HIDDEN: the task is hidden from the Task Scheduler user interface.
* TASK_FLAG_RUN_IF_CONNECTED_TO_INTERNET, TASK_FLAG_SYSTEM_REQUIRED, TASK_FLAG_RUN_ONLY_IF_LOGGED_ON: network, power-state and logon conditions.

When triaging a system, a hidden task that runs whether or not a user is logged on is the pattern to look for, and TASK_FLAG_DELETE_WHEN_DONE explains why a .JOB file referenced in the event log may no longer exist on disk.

=== Variable-length section ===
The variable-length section starts at file offset 68 and consists of, in order:

{| class="wikitable"
|-
! offset
! size
! value
! description
|-
| 0
| 2
|
| Running instance count
|-
| 2
| ...
|
| Application name <br> Consists of a Unicode string (see below).
|-
| ...
| ...
|
| Parameters <br> Consists of a Unicode string.
|-
| ...
| ...
|
| Working directory <br> Consists of a Unicode string.
|-
| ...
| ...
|
| Author <br> Consists of a Unicode string.
|-
| ...
| ...
|
| Comment <br> Consists of a Unicode string.
|-
| ...
| ...
|
| User data <br> A 2-byte size followed by that many bytes of opaque data; the size is 0 if there is no user data.
|-
| ...
| ...
|
| Reserved data <br> A 2-byte size, either 0 or 8, followed (when 8) by the TASKRESERVED1 structure: a 4-byte start error code and a 4-byte task flags value.
|-
| ...
| ...
|
| Triggers <br> See below.
|-
| ...
| ...
|
| Job signature <br> Optional, see below.
|}

The offsets in this table are relative to the start of the variable-length section. Apart from the running instance count the fields are variable in size and are not individually addressed by the fixed-length section: a parser has to walk them in order, using each length prefix to find the next field. The trigger offset in the fixed-length section points directly at the Triggers section and can be used to cross-check the walk; a disagreement between the two indicates a truncated or hand-edited file.

==== Unicode string ====
{| class="wikitable"
|-
! offset
! size
! value
! description
|-
| 0
| 2
|
| Number of characters <br> Includes the terminating end-of-string character. The value will be 0 if the string is empty, in which case no string data follows.
|-
| 2
| 2 * number of characters
|
| String <br> UTF-16 little-endian, terminated by a 2-byte end-of-string character that is counted in the number of characters.
|}

The size of the string data in bytes is twice the character count. A count whose string data would extend past the end of the file indicates a truncated or hand-edited file; a parser should reject it rather than read past the end of its buffer.

==== Triggers ====
The Triggers section starts at the trigger offset given in the fixed-length section. It consists of a 2-byte trigger count followed by that many trigger records. Each record is 48 (0x30) bytes and laid out like the TASK_TRIGGER structure of the Task Scheduler 1.0 API:

{| class="wikitable"
|-
! offset
! size
! value
! description
|-
| 0
| 2
| 0x0030
| Trigger size
|-
| 2
| 2
|
| Reserved1
|-
| 4
| 2
|
| Begin year
|-
| 6
| 2
|
| Begin month
|-
| 8
| 2
|
| Begin day
|-
| 10
| 2
|
| End year
|-
| 12
| 2
|
| End month
|-
| 14
| 2
|
| End day
|-
| 16
| 2
|
| Start hour
|-
| 18
| 2
|
| Start minute
|-
| 20
| 4
|
| Minutes duration <br> How long, in minutes, the trigger stays active after the start time.
|-
| 24
| 4
|
| Minutes interval <br> Minutes between repetitions within the duration.
|-
| 28
| 4
|
| Flags <br> TASK_TRIGGER_FLAG_HAS_END_DATE, TASK_TRIGGER_FLAG_KILL_AT_DURATION_END, TASK_TRIGGER_FLAG_DISABLED
|-
| 32
| 4
|
| Trigger type <br> See below.
|-
| 36
| 2
|
| Trigger specific 0
|-
| 38
| 2
|
| Trigger specific 1
|-
| 40
| 2
|
| Trigger specific 2
|-
| 42
| 2
|
| Padding
|-
| 44
| 2
|
| Reserved2
|-
| 46
| 2
|
| Reserved3
|}

The end date is only meaningful when TASK_TRIGGER_FLAG_HAS_END_DATE is set. The meaning of the three trigger-specific values depends on the trigger type: a daily trigger stores its interval in days in the first one, weekly and monthly triggers use them for the interval and for bit masks of weekdays or months (see the MS-TSCH Triggers section for the per-type layout), and event triggers do not use them.

Trigger type values:

{| class="wikitable"
|-
! Value
! Identifier
! Description
|-
| 0x00000000
| TASK_TIME_TRIGGER_ONCE
| Run once at the begin date and start time.
|-
| 0x00000001
| TASK_TIME_TRIGGER_DAILY
| Run every N days.
|-
| 0x00000002
| TASK_TIME_TRIGGER_WEEKLY
| Run on selected weekdays every N weeks.
|-
| 0x00000003
| TASK_TIME_TRIGGER_MONTHLYDATE
| Run on selected days of selected months.
|-
| 0x00000004
| TASK_TIME_TRIGGER_MONTHLYDOW
| Run on a given weekday of a given week of selected months.
|-
| 0x00000005
| TASK_EVENT_TRIGGER_ON_IDLE
| Run when the system becomes idle.
|-
| 0x00000006
| TASK_EVENT_TRIGGER_AT_SYSTEMSTART
| Run at system start.
|-
| 0x00000007
| TASK_EVENT_TRIGGER_AT_LOGON
| Run when a user logs on.
|}

==== Job Signature ====
The job signature is optional and, when present, follows the last trigger:

{| class="wikitable"
|-
! offset
! size
! value
! description
|-
| 0
| 2
| 0x0001
| Signature version
|-
| 2
| 2
| 0x0001
| Minimum client version
|-
| 4
| 64
|
| Signature
|}

== See Also ==
* [[Windows]]

== External Links ==
* [http://msdn.microsoft.com/en-us/library/cc248285.aspx .JOB File Format], by [[Microsoft]]; the .JOB file format section of [MS-TSCH], the Task Scheduler Service Remoting Protocol specification

[[Category:File Formats]]

Revision as of 16:06, 5 July 2014
