Why Windows is running programs via Task Scheduler

Running Windows Server 2008R2 as a Remote Desktop Session host. I noticed a while ago that there are tons of tasks being created in Task Scheduler. These are not created by the users themselves.

Today, I noticed a user who had 100s of rundll32.exe process with the command line of:

c:\windows\system32\rundll32.exe c:\windows\system32\pcwutl.dll,CreateAndRunTask -path "\\server\programs\program.exe"

What the heck? Anybody knows why Windows is doing that?

The program being run is an old VB 6 program, if that matters. It's run from a shortcut the users have on their desktop which points to the .exe on a network share. I haven't seen the code of that program in a long long time but I don't recall it doing anything special, out of the ordinary.

Also, there are actually in Task Scheduler, some tasks for program #1 and some for program #2 - both are old VB 6 programs. Some of the task start the program through the network share, some from the local drive (I have the program in two places and some users have shortcuts pointing to local drive, some to network share).

The tasks in Task Scheduler are named with a UUID of some sort. The task is marked with the following options:

• Run only when user is logged on
• Trigger: At task creation/modification
• Action: start a program (the program described above)

New data

According to the file information, the DLL is the Program Compatibility Troubleshooter Helper. Still don't know why it does that...