EventPeeker
Event ID 4701 · Audit Success · Security · T1053.005

Windows Event ID 4701: Scheduled Task Disabled

Logged when a scheduled task is disabled — via schtasks.exe /change /disable, PowerShell Disable-ScheduledTask, or the Task Scheduler COM API. The task remains registered but will not fire until re-enabled.

MITRE ATT&CK

Technique

T1053.005 · Scheduled Task

Tactic

Defense Evasion


Why It Matters

Task disabling is a dual-use action: administrators and deployment tooling do it routinely, and attackers abuse the same mechanism. Offensive use: disable a legitimate task (Windows Defender, backup, monitoring heartbeat), perform malicious operations during the silence window, then re-enable the task so that the absence of expected activity never alerts for long. The disable-modify-re-enable sequence (4701 → 4702 → 4700) is a common payload swap pattern used by post-exploitation frameworks to update an existing persistence task without triggering new-task-creation detections.

Defensive monitoring gap: disabling security-related tasks (Windows Defender Scheduled Scan, Windows Backup, or custom monitoring agents) creates blind spots. An unexpected 4701 for any task under \Microsoft\Windows\Windows Defender\ or a backup agent path, from a non-SYSTEM account, should be treated as a defense impairment event in the same class as Event ID 7036 (service stopped) and 1102 (audit log cleared).

Key Fields

Task Name: the disabled task's name. The full path reveals the severity: \Microsoft\Windows\Windows Defender\ tasks = defense impairment; \Microsoft\Windows\WindowsBackup\ = backup blind spot creation; built-in OS tasks disabled by non-SYSTEM accounts are highest priority regardless of name.
Subject Account Name: who disabled the task. SYSTEM or known deployment/maintenance accounts are expected during planned maintenance. A standard user, service account, or unexpected privileged account disabling tasks, especially security-adjacent ones, is a strong signal. Check whether this account also appears in subsequent 4702 (modification) events.
Subject Logon ID: correlate with Event 4624 to determine authentication context. A Type 3 (network) logon indicates a remote disable, which paired with subsequent remote modification and re-enable is the full remote payload swap signature.

Investigation Tips

  1. Check what task was disabled: the Task Name determines the investigation priority. Defender Scheduled Scan, backup tasks, or custom SOC monitoring agents = treat as defense impairment (mirroring the logic for Event ID 7036 and 1116/1117). Any other built-in OS task disabled by a user account outside a maintenance window = investigate the modifying account.
  2. Follow-on modification: search for a 4702 (task modified) event for the same Task Name after this disable. If the task was disabled, then its XML was modified, then it was re-enabled (4700), you have the full payload swap sequence. The modification event contains the new malicious payload in Task New Content.
  3. Gap analysis for security tasks: if a Defender or backup task was disabled (4701) and then re-enabled (4700) some time later, calculate the gap. During that window, check 4688 (process creation) and 4663 (file access) for suspicious activity that the now-blinded tool would normally have caught.
  4. Disable without re-enable: a task disabled (4701) that never gets a corresponding 4700 may be a legitimate decommission, but if it is a security tool, a monitoring agent, or an EDR heartbeat task, the absence of re-enablement is itself an alert. Query for 4701 events without a matching 4700 for the same task in the following 24 hours.
  5. Remote disable: if Subject Logon ID maps to a Type 3 (network) 4624 logon, the task was disabled from another host. This is the first step of remote task manipulation; identify the source IP and correlate with any 4702 and 4700 events on this host from the same session.
  6. Audit policy: 4701 requires 'Audit Other Object Access Events' under Advanced Audit Policy → Object Access, the same gate as 4698, 4699, 4700, and 4702. If your policy captures task creation but you are not seeing disables and enables, verify the policy applies to workstations and member servers, not just domain controllers.
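The correlation from tips 2 to 4 (disable-modify-re-enable chain with its gap, and disables with no re-enable in the following 24 hours) as an added Python example run over exported events; this is not EventPeeker's code, and the task paths, account names, hosts and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta

DEFENDER = r"\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan"
BACKUP = r"\Microsoft\Windows\WindowsBackup\ConfigNotification"
CLEANUP = r"\CustomApp\Cleanup"

# Constructed records, not real logs: (time, event_id, task name, subject account, computer)
EVENTS = [
    ("2024-05-01T09:00:00", 4701, DEFENDER, "CORP\\jdoe", "WS01"),
    ("2024-05-01T09:02:00", 4702, DEFENDER, "CORP\\jdoe", "WS01"),  # XML changed while dormant
    ("2024-05-01T09:05:00", 4700, DEFENDER, "CORP\\jdoe", "WS01"),
    ("2024-05-01T10:00:00", 4701, BACKUP, "CORP\\svc_backup", "SRV02"),  # never re-enabled
    ("2024-05-01T11:00:00", 4701, CLEANUP, "SYSTEM", "WS01"),
    ("2024-05-01T11:30:00", 4700, CLEANUP, "SYSTEM", "WS01"),  # ordinary maintenance toggle
]

def _sorted_rows(events):
    return sorted((datetime.fromisoformat(t), e, task, acct, host) for t, e, task, acct, host in events)

def find_payload_swaps(events, window=timedelta(hours=1)):
    """4701 -> 4702 -> 4700 on one task/host; returns (host, task, account, disabled_at, reenabled_at)."""
    rows, hits = _sorted_rows(events), []
    for i, (t0, eid, task, acct, host) in enumerate(rows):
        if eid != 4701:
            continue
        modified = False
        for t, e, tk, _, h in rows[i + 1:]:
            if t - t0 > window:
                break                      # rows are time-ordered, nothing later can qualify
            if (tk, h) != (task, host):
                continue
            if e == 4702:
                modified = True
            elif e == 4700:
                if modified:
                    hits.append((host, task, acct, t0, t))   # gap = t - t0
                break                      # task is live again; the chain ends here either way
    return hits

def find_unreenabled(events, as_of, horizon=timedelta(hours=24)):
    """4701 with no 4700 for the same task/host within `horizon`; disables younger than `horizon` at `as_of` are skipped."""
    rows, as_of, flagged = _sorted_rows(events), datetime.fromisoformat(as_of), []
    for t0, eid, task, acct, host in rows:
        if eid != 4701 or as_of < t0 + horizon:
            continue                       # horizon not elapsed yet, cannot call it suppression
        reenabled = any(e == 4700 and (tk, h) == (task, host) and t0 < t <= t0 + horizon
                        for t, e, tk, _, h in rows)
        if not reenabled:
            flagged.append((host, task, acct, t0))
    return flagged
```

On the sample data the Defender task on WS01 yields one swap chain with a five-minute blind window, and the backup task on SRV02 is the only disable still unmatched a day later.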

Detection Logic (KQL)

Microsoft Sentinel (KQL) — detect disabling of security-relevant tasks and task disables that are never followed by a re-enable (permanent suppression).

// Security or backup task disabled by non-SYSTEM account (defense impairment)
SecurityEvent
| where EventID == 4701
| where TaskName has_any (
    "\\Windows Defender\\",
    "\\WindowsBackup\\",
    "\\Windows\\UpdateOrchestrator\\",
    "\\Microsoft\\Windows\\Windows Error Reporting\\")
| where SubjectAccount !endswith "$"
| where SubjectAccount !in ("SYSTEM", "NT AUTHORITY\\SYSTEM")
| project TimeGenerated, SubjectAccount, TaskName, Computer
| sort by TimeGenerated desc

// Task disabled but never re-enabled within 6 hours (permanent suppression)
let disables = SecurityEvent
| where EventID == 4701
| where SubjectAccount !endswith "$"
| project DisabledTime = TimeGenerated, TaskName, Computer, Account = SubjectAccount;
let enables = SecurityEvent
| where EventID == 4700
| project EnabledTime = TimeGenerated, TaskName, Computer;
disables
| join kind=leftouter enables on TaskName, Computer
// keep only re-enables that happen after the disable; min() ignores the nulls this produces,
// so a disable is judged by its first following 4700 rather than by every 4700 for the task
| extend EnabledAfter = iff(isnotnull(EnabledTime) and EnabledTime > DisabledTime, EnabledTime, datetime(null))
| summarize FirstReEnable = min(EnabledAfter) by Computer, Account, TaskName, DisabledTime
| where isnull(FirstReEnable) or FirstReEnable > DisabledTime + 6h
| project Computer, Account, TaskName, DisabledTime, FirstReEnable
| sort by DisabledTime desc

Related Event IDs

4700: Scheduled task enabled. The re-enable step; 4701 → 4702 → 4700 = disable, modify payload, re-enable: the payload swap pattern.
4702: Scheduled task modified. A modification between a disable and re-enable means the task content was changed while dormant; the new XML is the payload.
4698: Scheduled task created. Tasks can be created in a disabled state (no 4700 at birth); a disable of a recently created task may indicate the attacker is staging a dormant backdoor.
4699: Scheduled task deleted. A disable followed by deletion means the task was staged, then permanently removed; check for execution events between the two.
7036: Service stopped. A Defender or monitoring service stopped alongside a task disable = coordinated defense impairment.
4688: Process creation. schtasks.exe /change /disable or Disable-ScheduledTask in the command line just before the 4701; also check what ran during the disabled window.
