ForensicsWiki will continue to operate as it has before and will not be shutting down. Thank you for your continued support of ForensicsWiki.

Difference between revisions of "Windows Job File Format"

From ForensicsWiki
Jump to: navigation, search
(Variable-length section)
Line 227: Line 227:
 
| ...
 
| ...
 
|
 
|
| User Data <br> Consists of a Unicode string.
+
| User Data
 
|-
 
|-
 
| ...
 
| ...
 
| ...
 
| ...
 
|
 
|
| Reserved Data <br> Consists of a Unicode string.
+
| Reserved Data
 
|-
 
|-
 
| ...
 
| ...
Line 264: Line 264:
 
|
 
|
 
| String <br> UTF-16 little-endian with end-of-string character
 
| String <br> UTF-16 little-endian with end-of-string character
 +
|}
 +
 +
==== User Data ====
 +
{| class="wikitable"
 +
|-
 +
! offset
 +
! size
 +
! value
 +
! description
 +
|-
 +
| 0
 +
| 2
 +
|
 +
| data size
 +
|-
 +
| 2
 +
| ...
 +
|
 +
| data
 +
|}
 +
 +
==== Reserved Data ====
 +
The Reserved Data is similar in structure as the User Data though if a size is set, is should be 8 and the Reserved Data consists of:
 +
{| class="wikitable"
 +
|-
 +
! offset
 +
! size
 +
! value
 +
! description
 +
|-
 +
| 0
 +
| 2
 +
| 8
 +
| data size
 +
|-
 +
| 2
 +
| 4
 +
|
 +
| Start Error
 +
|-
 +
| 6
 +
| 4
 +
|
 +
| Task Flags
 
|}
 
|}
  
Line 269: Line 313:
  
 
==== Job Signature ====
 
==== Job Signature ====
 +
{| class="wikitable"
 +
|-
 +
! offset
 +
! size
 +
! value
 +
! description
 +
|-
 +
| 0
 +
|
 +
|
 +
|
 +
|}
  
 
== See Also ==
 
== See Also ==

Revision as of 16:13, 5 July 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Overview

On Windows a .JOB file specifies task configuration. A .JOB file consists of two main sections, fixed-length and variable-length.

Fixed-length section

The fixed-length section is 68 bytes in size and consists of:

offset size value description
0 2 Product version
2 2 File version
4 16 Job UUID (or GUID)
20 2 Application name size offset
The offset is relative from the start of the file.
22 2 Trigger offset
The offset is relative from the start of the file.
24 2 Error Retry Count
26 2 Error Retry Interval
28 2 Idle Deadline
30 2 Idle Wait
32 4 Priority
36 4 Maximum Run Time
40 4 Exit Code
44 4 Status
48 4 Flags
52 16 Last run time
Consists of a SYSTEMTIME

SYSTEMTIME

offset size value description
0 2 Year
2 2 Month
4 2 Weekday
6 2 Day
8 2 Hour
10 2 Minute
12 2 Second
14 2 Milli second

Priority

Value Identifier Description
0x00800000 REALTIME_PRIORITY_CLASS The task can run at the highest possible priority. The threads of a real-time priority class process preempt the threads of all other processes, including operating system processes performing important tasks.
0x01000000 HIGH_PRIORITY_CLASS The task performs time-critical tasks that can be executed immediately for it to run correctly. The threads of a high-priority class process preempt the threads of normal or idle priority class processes.
0x02000000 IDLE_PRIORITY_CLASS The task can run in a process whose threads run only when the machine is idle, and are preempted by the threads of any process running in a higher priority class.
0x04000000 NORMAL_PRIORITY_CLASS The task has no special scheduling requirements.

Status

Value Identifier Description
0x00041300 SCHED_S_TASK_READY Task is not running but is scheduled to run at some time in the future.
0x00041301 SCHED_S_TASK_RUNNING Task is currently running.
0x00041305 SCHED_S_TASK_NOT_SCHEDULED The task is not running and has no valid triggers.

Flags

See: Flags

Variable-length section

The variable-length section is variable in size and consists of:

offset size value description
0 2 Running Instance Count
2 ... Application Name
Consists of a Unicode string.
... ... Parameters
Consists of a Unicode string.
... ... Working Directory
Consists of a Unicode string.
... ... Author
Consists of a Unicode string.
... ... Comment
Consists of a Unicode string.
... ... User Data
... ... Reserved Data
... ... Triggers
... ... Job Signature

These values are stored as Unicode strings.

Unicode string

offset size value description
0 2 Number of characters
The value will be 0 if the string is empty.
2 ... String
UTF-16 little-endian with end-of-string character

User Data

offset size value description
0 2 data size
2 ... data

Reserved Data

The Reserved Data is similar in structure as the User Data though if a size is set, is should be 8 and the Reserved Data consists of:

offset size value description
0 2 8 data size
2 4 Start Error
6 4 Task Flags

Triggers

Job Signature

offset size value description
0

See Also

External Links