Difference between revisions of "Windows Job File Format"

From ForensicsWiki

Revision as of 11:33, 5 July 2014


Overview

On Windows a .JOB file stores the configuration of a scheduled task. A .JOB file consists of two main sections: a fixed-length section and a variable-length section.

Fixed-length section

The fixed-length section is 68 bytes in size and consists of:

offset  size  value  description
0       2            Product version
2       2            File version
4       16           Job UUID (or GUID)
20      2            Application name size offset
                     The offset is relative to the start of the file.
22      2            Trigger offset
                     The offset is relative to the start of the file.
24      2            Error Retry Count
26      2            Error Retry Interval
28      2            Idle Deadline
30      2            Idle Wait
32      4            Priority
36      4            Maximum Run Time
40      4            Exit Code
44      4            Status
48      4            Flags
52      16           Last run time
                     Consists of a SYSTEMTIME

Product version

Value   Identifier  Description
0x0400              Windows NT 4.0
0x0500              Windows 2000
0x0501              Windows XP
0x0600              Windows Vista
0x0601              Windows 7
0x0602              Windows 8
0x0603              Windows 8.1

Priority

Value       Identifier               Description
0x00800000  REALTIME_PRIORITY_CLASS  The task can run at the highest possible priority. The threads of a real-time priority class process preempt the threads of all other processes, including operating system processes performing important tasks.
0x01000000  HIGH_PRIORITY_CLASS      The task performs time-critical tasks that must be executed immediately for it to run correctly. The threads of a high-priority class process preempt the threads of normal or idle priority class processes.
0x02000000  IDLE_PRIORITY_CLASS      The task can run in a process whose threads run only when the machine is idle, and are preempted by the threads of any process running in a higher priority class.
0x04000000  NORMAL_PRIORITY_CLASS    The task has no special scheduling requirements.

Status

Value       Identifier                  Description
0x00041300  SCHED_S_TASK_READY          Task is not running but is scheduled to run at some time in the future.
0x00041301  SCHED_S_TASK_RUNNING        Task is currently running.
0x00041305  SCHED_S_TASK_NOT_SCHEDULED  The task is not running and has no valid triggers.

Flags

See: Flags (http://msdn.microsoft.com/en-us/library/cc248283.aspx)

SYSTEMTIME

offset  size  value  description
0       2            Year
2       2            Month
4       2            Weekday
6       2            Day
8       2            Hour
10      2            Minute
12      2            Second
14      2            Millisecond

Variable-length section

The variable-length section consists of:

offset  size  value  description
0       2            Running Instance Count
2       ...          Application Name
                     Consists of a Unicode string.
...     ...          Parameters
                     Consists of a Unicode string.
...     ...          Working Directory
                     Consists of a Unicode string.
...     ...          Author
                     Consists of a Unicode string.
...     ...          Comment
                     Consists of a Unicode string.
...     ...          User Data
...     ...          Reserved Data
...     ...          Triggers
...     ...          Job Signature

The Application Name, Parameters, Working Directory, Author and Comment values are stored as Unicode strings.

Unicode string

offset  size  value  description
0       2            Number of characters
                     The value will be 0 if the string is empty.
2       ...          String
                     UTF-16 little-endian with the end-of-string character

User Data

offset  size  value  description
0       2            Data size
2       ...          Data

Reserved Data

The Reserved Data has the same structure as the User Data, but if a size is set it should be 8, and the Reserved Data then consists of:

offset  size  value  description
0       2     8      Data size
2       4            Start Error
6       4            Task Flags

Triggers

offset  size  value  description
0       2            Number of triggers
2       ...          Array of triggers

Trigger

offset  size  value  description
0       2            Trigger Size
2       2            Reserved1
4       2            Begin Year
6       2            Begin Month
8       2            Begin Day
10      2            End Year
12      2            End Month
14      2            End Day
16      2            Start Hour
18      2            Start Minute
20      4            Minutes Duration
24      4            Minutes Interval
28      4            Flags
32      4            Trigger Type
36      2            TriggerSpecific0
38      2            TriggerSpecific1
40      2            TriggerSpecific2
42      2            Padding
44      2            Reserved2
46      2            Reserved3

Job Signature

offset  size  value  description
0       2     1      Signature version
2       2     1      Minimum client version
4       64           Signature
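As an added example (not part of the wiki article), a Python parser that reads the fixed-length section described above and walks the variable-length section up to the trigger count, cross-checking the header's Application name size offset and Trigger offset against where those structures actually land in the file. The sample .JOB bytes are constructed inside the block, and the Unicode string character count is assumed to include the end-of-string character.

```python
import struct
import uuid
from datetime import datetime
PRODUCT_VERSIONS = {0x0400: "Windows NT 4.0", 0x0500: "Windows 2000", 0x0501: "Windows XP",
                    0x0600: "Windows Vista", 0x0601: "Windows 7", 0x0602: "Windows 8", 0x0603: "Windows 8.1"}
FIXED_FORMAT = "<HH16sHHHHHHIIIII8H"  # the 68-byte fixed-length section; the trailing 8H is the SYSTEMTIME

def unicode_string(data, pos):
    # uint16 character count (0 = empty) then UTF-16LE text; the count is assumed to include the terminator
    (count,) = struct.unpack_from("<H", data, pos)
    text = data[pos + 2:pos + 2 + 2 * count].decode("utf-16-le").rstrip("\x00")
    return text, pos + 2 + 2 * count

def parse_job(data):
    # Parse the fixed-length section and the variable-length section up to the trigger count
    hdr = struct.unpack_from(FIXED_FORMAT, data, 0)
    job = {"product_version": PRODUCT_VERSIONS.get(hdr[0], hex(hdr[0])), "file_version": hdr[1],
           "uuid": uuid.UUID(bytes_le=hdr[2]), "app_name_offset": hdr[3], "trigger_offset": hdr[4],
           "priority": hdr[9], "status": hdr[12], "flags": hdr[13]}
    year, month, _weekday, day, hour, minute, second, ms = hdr[14:22]
    job["last_run"] = datetime(year, month, day, hour, minute, second, ms * 1000) if year else None
    (job["running_instances"],) = struct.unpack_from("<H", data, 68)
    pos = 70
    if pos != job["app_name_offset"]:  # header offset must point at the application name's size field
        raise ValueError("application name offset %d, expected %d" % (job["app_name_offset"], pos))
    for name in ("application_name", "parameters", "working_directory", "author", "comment"):
        job[name], pos = unicode_string(data, pos)
    for name in ("user_data", "reserved_data"):  # uint16 size followed by that many bytes
        (size,) = struct.unpack_from("<H", data, pos)
        job[name], pos = data[pos + 2:pos + 2 + size], pos + 2 + size
    if pos != job["trigger_offset"]:  # header offset must point at the trigger count
        raise ValueError("trigger offset %d, expected %d" % (job["trigger_offset"], pos))
    (job["trigger_count"],) = struct.unpack_from("<H", data, pos)
    return job

def ustr(text):  # constructed encoder for the Unicode string structure (count includes the terminator)
    return struct.pack("<H", len(text) + 1) + (text + "\x00").encode("utf-16-le") if text else struct.pack("<H", 0)

def build_sample_job():
    # Constructed sample, not a real file: a Windows 7 job with one all-zero trigger and no signature
    body = struct.pack("<H", 0)  # running instance count
    app_name_offset = 68 + len(body)
    body += ustr("C:\\Windows\\System32\\notepad.exe") + ustr("") + ustr("C:\\Users\\Public")
    body += ustr("EXAMPLE\\user") + ustr("constructed sample")
    body += struct.pack("<H", 0) + struct.pack("<HII", 8, 0, 0)  # empty user data; reserved data of size 8
    trigger_offset = 68 + len(body)
    body += struct.pack("<H", 1) + bytes(48)  # one 48-byte trigger, fields zeroed
    header = struct.pack(FIXED_FORMAT, 0x0601, 1, bytes(16), app_name_offset, trigger_offset, 0, 0, 0, 0,
                         0x04000000, 259200000, 0, 0x00041300, 0, 2014, 7, 6, 5, 11, 33, 0, 0)
    return header + body
```

A header whose offsets do not match the computed positions is either a damaged file or one that deviates from the layout above, so the parser stops rather than reading strings from the wrong place.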

See Also

External Links