Windows Plug and Play Cleanup

Windows Plug and Play Cleanup
Photo by Anton / Unsplash

This post is another entry to David Cowen's Sunday Funday challenge series at HECFBlog. This week he asked the following question:

Windows 10 keep changing and with it its behavior. In Windows 8.1 and early versions of Windows 10 there was a task to delete plug and play devices that haven't been plugged in for 30 days. In more recent versions of Windows 10 this appears to be disabled. For this challenge please document what versions of Windows 10 has the task enabled and if it survives being upgraded.

So with that question in mind I fired up 'a few' Windows 10 VMs, and started poking about:

VMs.PNG

Plug and Play Cleanup

The 'Plug and Play Cleanup' scheduled task is responsible for clearing legacy versions of drivers. It would appear (based upon reports online) that it also picks up drivers which have not been used in 30 days, despite its description stating that "the most current version of each driver package will be kept". As such, removable devices which have not been connected for 30 days may have their drivers removed.

The scheduled task itself is located at ‘C:\Windows\System32\Tasks\Microsoft\Windows\Plug and Play\Plug and Play Cleanup’, and its content is displayed below:

xml.png

The task references 'pnpclean.dll' which is responsible for performing the cleanup activity additionally we see that the ‘UseUnifiedSchedulingEngine’ field is set to ‘TRUE’ which specifies that the generic task scheduling engine is used to manage the task. The ‘Period’ and ‘Deadline’ values of 'P1M' and 'P2M' within ‘MaintenanceSettings’ instruct Task Scheduler to execute the task once every month during regular Automatic maintenance and if it fails for 2 consecutive months, to start attempting the task during the emergency Automatic maintenance. Further information on ‘maintenancesettingstype’ available here.

Different Versions of Windows

To answer the question of which Windows update did away with this scheduled task we first look at the major releases, installing the OS clean from media which has each of the respective updates applied. These clean installs are then reviewed for the presence of the scheduled task. I additionally examined each task (compared by hash) and performed the same review of the 'pnpclean.dll’ within each version.

The table below details the result of this analysis:

Table.PNG

Based upon a fresh install, the last major release of Windows 10 to come with the ‘Plug and Play Cleanup’ scheduled task in place was Windows 10 1607 (Anniversary Update). The DLL 'pnpclean.dll’ has been updated in each release (at least enough to cause different MD5 hashes). The scheduled task on the other hand is consistent between all three releases where it is observed (1507, 1511 and 1607).

One other interesting finding during research of this topic was that the PnPCleanup task has been associated with some issues historically, one example was in relation to AWS hosted servers, specifically Windows Server 2012 R2 AMIs made available before 10 September 2014. In these AMIs the task would sometimes identify the EC2 network device as inactive following a reboot and remove it's driver from the system. This would cause the instance to lose network connectivity after a reboot, which is apparently a problem in cloud hosted servers... Further details here and here.

Persistence after Update

Regarding persistence after update, a significant number of changes are made to scheduled tasks between the major Windows Updates and as such my working assumption was that updating 1607 to a later version would result in the scheduled task being deleted. This was tested by taking a fresh install of 1607, connecting it to the network and allowing it to download and install all available updates. Following the update (and multiple restarts), the system was now at 1803 however when reviewing the Task Scheduler, we can still see a ‘Plug and Play Cleanup’ task is still there. The ‘pnpclean.dll’ has however been updated; replaced with a new version that matches the one we found in the fresh 1803 install (confirmed via hash match).

To test whether the task was actually being executed I manually initiated Automatic Maintanance in each version of Windows under testing then immediately (read: almost immediately) executed the following command on the command line:

schtasks | find "Queued"

In all cases running it before initiating Maintenance returned 0 results. Running it after initiating maintenance had the following results:

Table2.PNG

Most notably, on the system we examined which was installed as 1607 and upgraded to 1803 via Windows Update we saw the following:

run.png

When we then go on to review the task within Scheduled Tasks we can see that it has now been updated with a 'Last Tun Time':

AfterRun.png

In conclusion, the last major Windows OS update which included the 'Plug and Play Cleanup' Scheduled Task was Windows 10 1607. Installing from media which contains Windows 10 1703 will not cause the task to be created, however updating from 1607 (or prior) to a more up to date version will leave the scheduled task in place and it will still be activated during system maintenance.

Some interesting resources relating to this feature can be found here:

http://www.hecfblog.com/2017/04/windows-now-built-in-anti-forensics.html
https://deploymentresearch.com/Research/Post/484/Inside-the-hack-that-fixes-most-of-the-Windows-10-build-10122-upgrade-issues
https://virtualfeller.com/2017/05/04/optimize-vdi-windows-10-scheduled-tasks-original-anniversary-and-creator-updates/