Target-query -f tasks throws "ValueError: Unknown calendar type" when parsing XML Tasks files #1505

@joaocmendonca

Dear dissect team,

Using version 3.24, I get an error when using target-query -f tasks to parse task files under windows/system32/tasks, e.g. windows/system32/tasks/at26.

The details of the malformed task XML file were redacted.

The file was extracted from a Windows 7 Ultimate and is present in a folder together with all other collected system artifacts (${TARGET_PATH}). The suspect malformed XML file is UTF-16 encoded.

$ target-query -q "${TARGET_PATH}" -f tasks |rdump --jsonlines
[reading from stdin]
Traceback (most recent call last):
  File "/tools/venv-plaso/bin/target-query", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/tools/venv-plaso/lib/python3.11/site-packages/dissect/target/tools/utils/cli.py", line 471, in wrapper
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/tools/venv-plaso/lib/python3.11/site-packages/dissect/target/tools/query.py", line 250, in main
    for record in record_generator:
  File "/tools/venv-plaso/lib/python3.11/site-packages/dissect/target/plugins/os/windows/tasks/_plugin.py", line 218, in tasks
    for trigger in task_object.get_triggers():
  File "/tools/venv-plaso/lib/python3.11/site-packages/dissect/target/plugins/os/windows/tasks/xml.py", line 347, in get_triggers
    raise ValueError("Unknown calendar type")
ValueError: Unknown calendar type

Additional details below, please let me know if you need any further details.

Thank you for this great project!

$ target-query -q "${TARGET_PATH}" -f tasks |rdump --jsonlines
[reading from stdin]
Traceback (most recent call last):
  File "/tools/venv-plaso/bin/target-query", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/tools/venv-plaso/lib/python3.11/site-packages/dissect/target/tools/utils/cli.py", line 471, in wrapper
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/tools/venv-plaso/lib/python3.11/site-packages/dissect/target/tools/query.py", line 250, in main
    for record in record_generator:
  File "/tools/venv-plaso/lib/python3.11/site-packages/dissect/target/plugins/os/windows/tasks/_plugin.py", line 218, in tasks
    for trigger in task_object.get_triggers():
  File "/tools/venv-plaso/lib/python3.11/site-packages/dissect/target/plugins/os/windows/tasks/xml.py", line 347, in get_triggers
    raise ValueError("Unknown calendar type")
ValueError: Unknown calendar type
{"hostname": "REDACTED", "domain": null, "task_path": "C:\\Windows\\system32\\tasks\\at26", "uri": null, "security_descriptor": null, "source": null, "date": null, "last_run_date": null, "author": null, "version": null, "description": null, "documentation": null, "task_name": null, "app_name": null, "args": null, "start_in": null, "comment": null, "run_as": null, "cpassword": null, "enabled": true, "action": null, "principal_id": "Author", "user_id": "@AtServiceAccount", "logon_type": "InteractiveTokenOrPassword", "group_id": null, "display_name": "at26", "run_level": "HighestAvailable", "process_token_sid_type": null, "required_privileges": null, "restart_on_failure_interval": null, "restart_on_failure_count": null, "mutiple_instances_policy": null, "disallow_start_on_batteries": null, "stop_going_on_batteries": null, "allow_start_on_demand": null, "start_when_available": null, "network_profile_name": null, "run_only_network_available": null, "wake_to_run": null, "hidden": null, "delete_expired_task_after": null, "idle_duration": null, "idle_wait_timeout": null, "idle_stop_on_idle_end": null, "idle_restart_on_idle": null, "network_settings_name": null, "network_settings_id": null, "execution_time_limit": null, "priority": null, "run_only_idle": null, "unified_scheduling_engine": null, "disallow_start_on_remote_app_session": null, "data": null, "raw_data": "<Task version=\"1.0\">\n  <RegistrationInfo />\n  <Triggers>\n    <CalendarTrigger>\n      <StartBoundary>2017-01-11T11:11:11</StartBoundary>\n      <ScheduleByWeek>\n        <DaysOfWeek>\n          <Sunday />\n          <Monday />\n          <Tuesday />\n          <Wednesday />\n          <Thursday />\n          <Friday />\n          <Saturday />\n        </DaysOfWeek>\n      </ScheduleByWeek>\n    </CalendarTrigger>\n  </Triggers>\n  <Principals>\n    <Principal id=\"Author\">\n      <UserId>@AtServiceAccount</UserId>\n      <LogonType>InteractiveTokenOrPassword</LogonType>\n      <RunLevel>HighestAvailable</RunLevel>\n    </Principal>\n  </Principals>\n  <Actions Context=\"Author\">\n    <Exec>\n      <Command>C:\\AAAAA\\\\AAAaaAaaa\\AaAaaAaaa.exe</Command>\n      <Arguments>/m</Arguments>\n    </Exec>\n  </Actions>\n</Task>", "_source": "REDACTED", "_classification": null, "_generated": "2026-01-11T11:11:11.111111+00:00", "_version": 1}
{"hostname": "REDACTED", "domain": null, "arguments": "/m", "working_directory": null, "cc": null, "bcc": null, "class_id": null, "com_data": null, "attachment": null, "body": null, "subject": null, "header_name": null, "uri": null, "action_type": "Exec", "command": "C:\\AAAAA\\\\AAAaaAaaa\\AaAaaAaaa.exe", "server": null, "email_from": null, "replyto": null, "header_value": null, "tile": null, "to": null, "_source": "REDACTED", "_classification": null, "_generated": "2026-01-11T11:11:11.111111+00:00", "_version": 1}

1. Note the redacted "command": "C:\\AAAAA\\\\AAAaaAaaa\\AaAaaAaaa.exe" part.

$ target-query --version
dissect.target version 3.24

$ file "${TARGET_PATH}/windows/system32/tasks/at26"
[PATH REDACTED]/windows/system32/tasks/at26: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

$ dd if="${TARGET_PATH}/windows/system32/tasks/at26" bs=1 skip=296 count=1024 status=none|xxd; echo

$ dd if="${TARGET_PATH}/windows/system32/tasks/at26" bs=1 skip=296 count=1024 status=none|iconv -f UTF-16 -t UTF-8; echo

  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2017-01-11T11:11:11</StartBoundary>
      <ScheduleByWeek>
        <DaysOfWeek>
          <Sunday />
          <Monday />
          <Tuesday />
          <Wednesday />
          <Thursday />
          <Friday />
          <Saturday />
        </DaysOfWeek>
      </ScheduleByWeek>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>@AtServiceAccount</UserId>
      <LogonType>InteractiveToken

$
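
A tolerant way to triage a task file like the one in this report while the plugin error is open, as an added example: it is not dissect's code and does not reproduce or explain the ValueError above. The names `triage_task` and `local` and the sample XML are assumptions constructed for illustration; the namespace is the Task Scheduler schema's.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the redacted at26 task in the report.
SAMPLE_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.0" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2017-01-11T11:11:11</StartBoundary>
      <ScheduleByWeek><DaysOfWeek><Sunday /><Monday /></DaysOfWeek></ScheduleByWeek>
    </CalendarTrigger>
    <CalendarTrigger><StartBoundary>2017-01-11T11:11:11</StartBoundary></CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\example\\placeholder.exe</Command><Arguments>/m</Arguments></Exec>
  </Actions>
</Task>""".encode("utf-16")  # BOM + UTF-16, like the file on disk


def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tags."""
    return tag.rsplit("}", 1)[-1]


def triage_task(raw):
    """Return (record, warnings); odd triggers or bad XML add a warning, not a crash."""
    record, warnings = {"triggers": [], "actions": []}, []
    try:
        root = ET.fromstring(raw)  # expat honours the UTF-16 BOM
    except ET.ParseError as exc:
        return record, [f"unparseable XML: {exc}"]
    for el in root.iter():
        el.tag = local(el.tag)
    for trig in root.findall("./Triggers/*"):
        entry = {"type": trig.tag, "start": trig.findtext("StartBoundary")}
        if trig.tag == "CalendarTrigger":
            sched = next((c for c in trig if c.tag.startswith("ScheduleBy")), None)
            entry["schedule"] = sched.tag if sched is not None else None
            if sched is None:
                warnings.append("CalendarTrigger without a ScheduleBy* element")
            else:
                entry["days"] = [d.tag for d in sched.findall("./DaysOfWeek/*")]
        record["triggers"].append(entry)
    for ex in root.findall("./Actions/Exec"):
        record["actions"].append((ex.findtext("Command"), ex.findtext("Arguments")))
    return record, warnings


if __name__ == "__main__":
    print(triage_task(SAMPLE_TASK))
```

Collecting warnings per file keeps one unusual task from aborting the run, so the remaining task files in the evidence folder still produce records.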
