mai Posted July 4, 2009

I am not sure if it is the right place to post. Feel free to delete / move the post if needed.

As you know SchTasks.exe is a command line utility that manages jobs in Task Scheduler. However it is for XP, 2003 and above only. There is info on the net that shows how to hack the *XP* version of SchTasks.exe to run on 2000. However, I want to hack the *2003* version because it is more versatile. After extensive search I got nothing, so I had to do it myself.

My approach is as follows. I opened the executable with PE Explorer and got output from the disassembler. Since the executable was (obviously) doing a check on OS version, it must have called an API such as GetOSVersion(). The API turned out to be VerifyVersionInfo(). According to the MSDN, the 1st argument to this function is a pointer to a version structure. I looked at the disassembler output and located the address of the structure. I spotted a "1" and a "5" there, and my instinct told me that the "1" was the OS minor version and "5" was the OS major version. So I suspected this was why the executable did not work on Windows 2000.

So I changed the OS minor version to "0" with a hex editor, and fixed the PE checksum. Then, I copied the hacked binary to a Windows 2000 system and tested it. It seemed to have no problems adding and deleting tasks so my problem appeared to have been solved.

------

If you need to run the Windows 2003 version of schtasks.exe on Windows 2000, use this procedure:

1. Create a copy of SchTasks.exe, say Sch.exe.
2. Open Sch.exe with a hex editor.
3. Search for the pattern 05 00 00 00 01 00 00 00.
4. Change the 01 to 00 (which becomes checking for Windows 2000 or above, rather than XP or above).
5. Save and close the hacked binary.
6. Fix the PE checksum using any available utilities. Google for pechksum, setcsum, etc.

BTW, my solution was tested with the Windows Server 2003 SP2 version of SchTasks.exe on Windows 2000 Server SP4.
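The procedure in the post above, as an added Python example that is not part of the original post: it locates the 05 00 00 00 01 00 00 00 pattern, refuses to patch when the match is ambiguous, and recomputes the PE header checksum, which also shows that the stored checksum goes stale as soon as one byte is edited. The function names and the 256-byte sample image are constructed for illustration; the checksum routine assumes a word-aligned header.

```python
import struct

PATTERN = struct.pack("<II", 5, 1)  # major=5, minor=1: 05 00 00 00 01 00 00 00

def checksum_offset(data):
    """File offset of OptionalHeader.CheckSum (same in PE32 and PE32+)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return e_lfanew + 4 + 20 + 64  # signature + COFF header + field offset

def stored_checksum(data):
    return struct.unpack_from("<I", data, checksum_offset(data))[0]

def pe_checksum(data):
    """16-bit end-around-carry sum with CheckSum zeroed, plus file length."""
    off = checksum_offset(data)  # assumed word-aligned, as in normal images
    buf = bytes(data[:off]) + b"\0" * 4 + bytes(data[off + 4:])
    buf += b"\0" * (len(buf) % 2)
    total = 0
    for (word,) in struct.iter_unpack("<H", buf):
        total += word
        total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF

def find_pattern(data, pattern=PATTERN):
    return [i for i in range(len(data) - len(pattern) + 1)
            if data[i:i + len(pattern)] == pattern]

def patch_minor_version(data):
    """Return (patched copy, offset, whether the old checksum went stale)."""
    hits = find_pattern(data)
    if len(hits) != 1:  # refuse to guess when the match is ambiguous
        raise ValueError(f"expected one match, found {len(hits)}")
    out = bytearray(data)
    struct.pack_into("<I", out, hits[0] + 4, 0)  # dwMinorVersion 1 -> 0
    stale = stored_checksum(out) != pe_checksum(out)
    struct.pack_into("<I", out, checksum_offset(out), pe_checksum(out))
    return out, hits[0], stale

def build_sample():
    """Constructed 256-byte stand-in with PE headers only; not a real binary."""
    img = bytearray(0x100)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)  # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    img[0xC0:0xC8] = PATTERN
    struct.pack_into("<I", img, checksum_offset(img), pe_checksum(img))
    return img
```

Comparing `stored_checksum()` with `pe_checksum()` on any copy of a system binary is a quick integrity check: a mismatch means the file was edited after linking and the checksum was not fixed up.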
jaclaz Posted July 4, 2009

Just for the record:
http://toastytech.com/guis/indexwindows.html

5.0 means 2K
5.1 means XP
5.2 means Server 2003

So the function must work something like "later than".

jaclaz
RodBarnes Posted August 25, 2010

I followed your steps but was unsuccessful. Like you, I've successfully patched a WinXP version following instructions found here and it worked on W2K. But I need the /ET and /DU options available from the W2K3 version. So I tried your steps but nothing happens. I changed the 01 to 00 and then ran CheckSum.exe to fix the PE header but when I execute schtasks it just goes back to the command prompt. I'm using the same schtasks.exe from Windows 2003 SP2 as you listed.

Any ideas?
RodBarnes Posted August 26, 2010

I found a way to get there but I ended up following the same model I've read about in other articles (like this one) on patching the WinXP schtasks. I determined that the correct location for the Win2003 schtasks is 0116B0. Then I used the same steps as described in those articles to patch the value from 75 to EB. Works great!

I thought it might be educational to others if I included the steps I took to figure out the location:

1. Opened the WinXP schtasks.exe in PEExplorer and viewed the assembler.
2. Identified the location in the assembly that represents the changed byte identified in other articles and the resulting difference in the code.
3. I noted that the change simply makes it a jmp (Jump) instead of jnz (JumpNotZero) so it ignores the version comparison.
4. I followed the jump address and found that the subroutine calls VerifyVersionInfoW().
5. Opened the Win2003 schtasks.exe in PEExplorer and viewed the assembler.
6. I searched for subroutines that call VerifyVersionInfoW(). I found two of them.
7. I searched for references to those subroutines looking for calls/jumps. I found only one where it followed a test of eax,eax just as was done in the WinXP assembler.
8. Based upon this, I identified the address and then used a hex-editor to patch the byte from 75 to EB.

Edited September 9, 2010 by RodBarnes
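The 75 to EB change described in the post above is visible to anyone who compares the patched file against a known-good copy. The following Python sketch is an added example, not part of the original post: it byte-diffs two equal-length images and flags a short conditional jump (opcodes 70..7F with an 8-bit displacement) rewritten to an unconditional short jmp, reporting the branch target both encodings share. The function names and the sample bytes are constructed for illustration.

```python
def short_branch_target(offset, rel8):
    """Target of a 2-byte short branch; rel8 is signed, relative to the next instruction."""
    return offset + 2 + (rel8 - 256 if rel8 > 127 else rel8)

def diff_branch_flips(original, patched):
    """List every changed byte; flag Jcc rel8 (70..7F) rewritten to JMP rel8 (EB)."""
    if len(original) != len(patched):
        raise ValueError("files differ in length; not an in-place patch")
    findings = []
    for off, (old, new) in enumerate(zip(original, patched)):
        if old == new:
            continue
        # Heuristic: the byte is assumed to be an opcode, which only a
        # disassembler can confirm; the operand byte must also be unchanged.
        flip = (0x70 <= old <= 0x7F and new == 0xEB and off + 1 < len(original)
                and original[off + 1] == patched[off + 1])
        findings.append({
            "offset": off, "old": old, "new": new, "branch_flip": flip,
            "target": short_branch_target(off, original[off + 1]) if flip else None,
        })
    return findings

# Constructed sample: nop; test eax,eax; jnz +5; xor eax,eax; ret; nop; nop; mov eax,1; ret
ORIGINAL = bytes.fromhex("90 85C0 7505 33C0 C3 9090 B801000000 C3")
PATCHED = ORIGINAL[:3] + b"\xEB" + ORIGINAL[4:]
```

Because jnz and jmp short use the same two-byte encoding, the displacement byte and therefore the target stay identical; only the condition is removed, which is why a one-byte edit is enough.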
pointertovoid Posted September 15, 2010

Some software needs a minimum OS version only for reasons of licence (sorry for being unseemly), others because they do call functions that appeared with the version they require, still others because they weren't tested with the older version.

In the last cases, you may run into troubles that appear late and hence are difficult to link with one particular piece of software. This was especially frequent with W98 when users (or application installers) changed some Dll inappropriately.

One precaution would be, using for instance FileAlyzer,
http://www.safer-networking.org/en/download/index.html
http://www.safer-networking.org/en/filealyzer/index.html
to compare what functions your application calls, and which ones are offered by your system.

This holds for drivers as well!

The test isn't perfect because some software calls different functions depending on the OS version it detects. But it's often precise.

Such a hand check is slow, so I'd like it to be automated and described my wish in detail there:
http://www.physforum.com/index.php?showtopic=24897

This checker would be very useful to me, a user of W95 and W2k.
Phenomic Posted October 4, 2010

Dunno if it would work, but if you like tweaking you'd love Linux, it's a tweaker's paradise, and it's open source so if it doesn't work you can re-write it.