If the Command Prompt, PowerShell, or an unknown program window flashes during logon or at random intervals without you doing anything, there are many chances that it’s a Task Scheduler job. The windows popping up frequently can be a huge distraction when you’re working or playing a game on the computer.
Sometimes, 2 or 3 CMD windows may open and close quickly (like 2-3 seconds) during Windows startup. You’ll need to know which program ran just to make sure that it’s not malware.
By the time you open Task Manager and check the Processes or Details tab, the Command Prompt process or the unknown program will have already finished running. The Command Prompt or the PowerShell window may close so quickly that you may not even have the time to see what it is running or even to take a screenshot using PrintScreen.
This post tells you the possible reasons why the Command Prompt or the PowerShell window pops up randomly and how to find the exact name of the unknown task that last ran.
The following are the common reasons why a Command Prompt window would open and close automatically.
If a Command Prompt window opens up and closes quickly, it could be due to automatic maintenance task(s) kicking in. This is especially if the Command Prompt window flashes when the system is left idle for a few minutes. You can view the list of automatic maintenance tasks using PowerShell.
If that’s not it, then it could be a Scheduled Task.
Office 365 background task
There are two scheduled tasks in Task Scheduler Library
- OfficeBackgroundTaskHandlerLogon runs when a user logs on
- OfficeBackgroundTaskHandlerRegistration runs every hour
When the above tasks run, they open and close a Command Prompt window in a flash, which can be very annoying to the user. Both tasks are set to run under the “Users” account group. Setting
OfficeBackgroundTaskHandlerRegistration to run under the “System” account will prevent the Command Prompt pop-ups from appearing, and the task will run hidden.
- Open Task Scheduler, and go to the
OfficeBackgroundTaskHandlerRegistration, right-click and select Properties.
- Click on Change User Or Group, type System, OK, OK.
Driver Setup Utility
There is a 3rd party software named Driver Setup Utility which runs tasks (via Scheduler) to update the drivers at certain intervals, causing the Command Prompt to open up and close automatically. OEMs such as Acer, Gateway, and Packard Bell seem to bundle the DriverSetupUtility in the computers. The DriverSetupUtility or the driver updater program is set to run as a scheduled task every hour as a daily task, and you’ll see a screen something like this when they run:
FINDSTR: Cannot open C:\ProgramData\acer\updater2\updater2.xml The system cannot find the path specified. Cannot access file C:\Program Files\DriverSetupUtility\FUB\+ FINDSTR: Cannot open C:\ProgramData\packard bell\updater2\updater2.xml The system cannot find the path specified. Cannot access file C:\Program Files\DriverSetupUtility\FUB\+ FINDSTR: Cannot open C:\ProgramData\gateway\updater2\updater2.xml The system cannot find the path specified. Cannot access file C:\Program Files\DriverSetupUtility\FUB\+ FINDSTR: Cannot open C:\ProgramData\gateway\updater2\updater2.xml
The third-party driver updater programs are not essential for the system. If you don’t plan to use the driver updater program(s), open Control Panel → Programs and Features → uninstall Driver Setup Utility (or DriverSetupUtility) from there.
Dell, on the other hand, has its own SupportAssist utility which doesn’t run those crazy batch files. It has a neat interface and the user is notified of any updates for the system.
“Firefox Default Browser Agent” Task
In Firefox 75 and higher, there is a scheduled task that will collect telemetry data and send it to Mozilla. For more information about this task, see Understanding default browser trends – Data at the Mozilla website.
This task is named “Firefox Default Browser Agent”, located under the “Task Scheduler Library” → “Mozilla” folder.
The Default Browser Agent task checks when the default changes from Firefox to another browser. If the change happens under suspicious circumstances, it will prompt users to change back to Firefox no more than two times. This task is installed automatically by Firefox, and is reinstalled when Firefox updates.
When the task is triggered, it launches the file “
C:\Program Files\Mozilla Firefox\default-browser-agent.exe”
To disable this task, update the “
default-browser-agent.enabled” preference on the
about:config page or the Firefox enterprise policy setting “DisableDefaultBrowserAgent”.
Other programs to watch out for:
cm-blackhawk.exeprogram. cm-blackhawk.exe may auto-start at login and may keep coming up every minute or so.
PinVantageToolbarToastand the related task in the Task Scheduler under the name “
BatteryGaugeMaintenance“. It might be related to the Lenovo Vantage app, a software that can manage your device settings, update your drivers, run device diagnostics, etc.
If none of the above applies to you, let’s use other ways to find the offending program out!
What if you don’t use Office 365 or Driver Updater? If the info mentioned in the “Cause” section above doesn’t apply in your case, here are some general tracking methods you can follow to narrow down the program or task that’s being triggered.
Find exactly why the CMD or PowerShell window popped up!
The built-in Task Scheduler lists the Last Run Time and all other details about the tasks, but checking each and every folder manually is time-consuming.
To track scheduled tasks, you may use PowerShell, the built-in Task Scheduler console tool
SchTasks.exe, or the 3rd party TaskSchedulerView utility. Here is how to determine if the Command Prompt window that last flashed on the screen was launched as a Task Scheduler job.
Method 1: Using PowerShell
Launch PowerShell as administrator, and run the following command-line:
Get-ScheduledTask | Get-ScheduledTaskInfo | select TaskName, TaskPath, LastRunTime | out-gridview
This shows the list of scheduled tasks, the corresponding “last run time” data, and the branch (Task Scheduler).
Sort the results by
LastRunTime (descending) to know the list of tasks that ran most recently.
Now, you can easily narrow down the task that ran recently. From the narrowed-down results, it’s very easy to isolate the task that initiated the Command Prompt or a console program (that runs under the command shell.)
Method 2: Using TaskSchedulerView Utility
TaskSchedulerView from NirSoft shows you all the information about Tasks. This tool displays the list of all tasks from the Task Scheduler and lets you disable or enable multiple tasks at once. For every task listed, the following information is displayed:
- Task Name
- Hidden (Yes/No)
- Last Run/Next
- Run Times
- Task Folder
- EXE filename or COM handler of the task
- Number of missed runs
- and more…
In TaskSchedulerView, sort the listing by the “Last Run” column and double-click the last run task to find exactly which program was last executed.
If the task is a standard Windows task, simply ignore it. Should the task name or the program name be suspicious, do a full system scan using Malwarebytes antimalware in addition to running a full antivirus scan with updated signatures.
(However, not all programs that run in the background are scheduled tasks. It can be possible that a program that’s currently running, launches another program or command-line for legitimate reasons. Or it could be running from one of the several startup entry points. Autoruns, Process Explorer, and Process Monitor utilities (see “Method 4” at the end of this article) should give you a clear picture of running processes and autostart entries.)
Method 3: Using SchTasks.exe to Get Tasks List and Last Run Time
The Task Scheduler run history can be queried using the
schtasks.exe console tool.
Open an elevated Command Prompt window and type in:
schtasks /query /FO TABLE /v | clip
Note: For querying tasks, SchTasks.exe doesn’t require you to run from an elevated Command Prompt.
The output is copied to the clipboard. Open Notepad and paste the output.
You’ll see the list of Tasks and their complete details, including the Last Run Time. Match the time with the actual time the unknown program window appeared and disappeared.
We are particularly interested in the three columns – Last Run Time, TaskName, and Task to Run. Inspect these fields till the end of the file, as this list is not grouped or sorted by Last Run Time.
Importing into Excel
For a detailed inspection, generate a CSV report instead of TABLE or LIST report format, using this command:
schtasks /query /FO CSV /V >d:\tasks-list.csv
d:\tasks-list.csv is the file name and path where the output will be written to. Open the CSV file using Excel, rearrange columns as required, and format it accordingly. Sort by Last Run Time (descending).
Method 4: Process Monitor
Process Monitor or Process Explorer from Windows Sysinternals should tell you exactly what’s currently running in the background. If you run a Process Monitor trace to watch for new process or thread creation activities in real time, you should be able to determine if the Command Prompt window or any other program that popped up on the screen (and exited quickly) was launched by Task Scheduler or not.
Here is a sample Task Scheduler job that opened a Command Prompt window. The process creation was traced using Process Monitor.
After you know the PID or the parent process, all you need to do is look up that PID in the Task Manager Details tab. It could be pointing to
svchost.exe which is a host process that runs Windows Services. Turning on the command-line column in Task Manager will display the service group. If the service group name says
"Schedule", it’s Task Scheduler.
If an unknown program or Command Prompt window pops up and closes quickly before you can read the Window title, you now know how to find which program was run.
One small request: If you liked this post, please share this?One "tiny" share from you would seriously help a lot with the growth of this blog. Some great suggestions:
- Pin it!
- Share it to your favorite blog + Facebook, Reddit
- Tweet it!
- How to Find Which Program Caused An Unknown Error Message
- How to Use Process Monitor to Track Registry and File System Changes
- How to Determine the Parent Process of a Running Process in Windows