Scheduling a task with highest privileges

Started by Ron47, May 01, 2014, 12:16:36 PM


Ron47


We've developed a hands-free speech application for individuals with disabilities which needs to run elevated.

The UAC prompt is not hands-free, which creates a problem for our users.

Found a way to get around the prompt by using Task Scheduler to schedule the task and then running the task.

(http://lifehacker.com/how-to-eliminate-uac-prompts-for-specific-applications-493128966)

I modified script from WinBatch support (thanks!)
(Create a Daily Scheduled Task
Keywords: Create Make Scheduled Task Schedule.Service Daily Trigger)

and ended up with the script that follows.

The task created doesn't work because the task needs to be "Run with highest privileges"

So, how can I modify the following script so that it will create a task that will Run with highest privileges?
(I edited the script so that it will Run Notepad, which of course doesn't need highest privileges to run.)

Thanks!

Ron


;script to create task

; A constant that specifies an executable action.
ActionTypeExec = 0

;********************************************************
; Create the TaskService object.
service = ObjectCreate("Schedule.Service")
service.Connect()

;********************************************************
; Get a folder to create a task definition in.
rootFolder = service.GetFolder("\")

; The taskDefinition variable is the TaskDefinition object.
; The flags parameter is 0 because it is not supported.
taskDefinition = service.NewTask(0)

;********************************************************
; Define information about the task.

; Set the registration info for the task by
; creating the RegistrationInfo object.
regInfo = taskDefinition.RegistrationInfo
regInfo.Description = "Start NotePad without UAC prompt"
regInfo.Author = "Administrator"

; Set the task setting info for the Task Scheduler by
; creating a TaskSettings object.
settings = taskDefinition.Settings
settings.Enabled = @TRUE
settings.StartWhenAvailable = @TRUE
settings.Hidden = @FALSE

;********************************************************
; Create the action for the task to execute.
; Add an action to the task to run notepad.exe.

Action = taskDefinition.Actions.Create( ActionTypeExec )
Action.Path = "C:\Windows\System32\notepad.exe"

;***********************************************************
; Register (create) the task.

rootFolder.RegisterTaskDefinition( "RunNotePad", taskDefinition, 6, , , 3)
Pause("", "Task submitted.")

exit

Deana

Ron,

Here is a link to all of the Task Scheduler Scripting Objects: http://msdn.microsoft.com/en-us/library/windows/desktop/aa383607(v=vs.85).aspx

Here is a link explaining Security Contexts for Tasks, specifically take a look at the topic 'User Account Control (UAC) Security for Tasks': http://msdn.microsoft.com/en-us/library/windows/desktop/aa382140(v=vs.85).aspx

The Principal.RunLevel property sets the identifier that is used to specify the privilege level that is required to run the tasks that are associated with the principal: http://msdn.microsoft.com/en-us/library/windows/desktop/aa382076(v=vs.85).aspx


Deana F.
Technical Support
Wilson WindowWare Inc.

Ron47


Deana

Here is a simple code sample I came up with:
Code (winbatch):

;script to create task
; Define the NULL variant before it is used for the password below.
_NULL = ObjectType( 'NULL', 0 )
userid = 'SYSTEM'
password =  _NULL

; A constant that specifies an executable action.
ActionTypeExec = 0

;********************************************************
; Create the TaskService object.
service = ObjectCreate("Schedule.Service")
service.Connect()

;********************************************************
; Get a folder to create a task definition in.
rootFolder = service.GetFolder("\")

; The taskDefinition variable is the TaskDefinition object.
; The flags parameter is 0 because it is not supported.
taskDefinition = service.NewTask(0)


;********************************************************
; Define information about the task.

; Set the registration info for the task by
; creating the RegistrationInfo object.
regInfo = taskDefinition.RegistrationInfo
regInfo.Description = "Start NotePad without UAC prompt"
regInfo.Author = "Administrator"

; Set the task setting info for the Task Scheduler by
; creating a TaskSettings object.
settings = taskDefinition.Settings
settings.Enabled = @TRUE
settings.StartWhenAvailable = @TRUE
settings.Hidden = @FALSE

Principal = taskDefinition.Principal
; TASK_LOGON_SERVICE_ACCOUNT: a Local System, Local Service, or Network Service
; account is being used as a security context to run the task.
Principal.LogonType = 5
Principal.RunLevel = 1 ; TASK_RUNLEVEL_HIGHEST

;********************************************************
; Create the action for the task to execute.
; Add an action to the task to run notepad.exe.

Action = taskDefinition.Actions.Create( ActionTypeExec )
Action.Path = "C:\Windows\System32\notepad.exe"

;***********************************************************
; Register (create) the task.
_NULL = ObjectType( 'NULL', 0 ); ObjectType( 'BSTR', ObjectType( 'NULL', 0 ) )

rootFolder.RegisterTaskDefinition( "RunNotePad", taskDefinition, 6, userid , password , 3)
Pause(Principal.DisplayName , "Task submitted.")
exit
Deana F.
Technical Support
Wilson WindowWare Inc.
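
Added example, not code from the thread or from WinBatch support: a task registered with RunLevel 1 (TASK_RUNLEVEL_HIGHEST) or LogonType 5 (service account) runs whatever Action.Path points to with elevated rights, so that file should not be writable by non-administrators. This PowerShell script uses the same Schedule.Service COM object to list such tasks and flag executables that low-privilege groups can write to; the function names and the SID list are assumptions of this example.

```powershell
# Added example: audit elevated / service-account scheduled tasks.
$TASK_ENUM_HIDDEN           = 1   # include hidden tasks in GetTasks()
$TASK_ACTION_EXEC           = 0   # same value as ActionTypeExec in the thread
$TASK_RUNLEVEL_HIGHEST      = 1
$TASK_LOGON_SERVICE_ACCOUNT = 5
$WriteData = [int][System.Security.AccessControl.FileSystemRights]::WriteData
# Assumed "low privilege" set: Everyone, Authenticated Users, Users, INTERACTIVE
$LowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'

function Test-LowPrivWritable([string]$Path) {
    # Resolve ACL entries to SIDs so the check does not depend on the OS language.
    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Allow' -and
            $LowPrivSids -contains $r.IdentityReference.Value -and
            (([int]$r.FileSystemRights -band $WriteData) -ne 0)) { return $true }
    }
    return $false
}

function Get-ElevatedTask($Folder) {
    foreach ($task in $Folder.GetTasks($TASK_ENUM_HIDDEN)) {
        $p = $task.Definition.Principal
        $elevated = ($p.RunLevel -eq $TASK_RUNLEVEL_HIGHEST) -or
                    ($p.LogonType -eq $TASK_LOGON_SERVICE_ACCOUNT)
        if (-not $elevated) { continue }
        foreach ($a in $task.Definition.Actions) {
            if ($a.Type -ne $TASK_ACTION_EXEC) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($a.Path).Trim('"')
            $finding = if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
                'executable not found'      # relative or missing path: review by hand
            } elseif (Test-LowPrivWritable $exe) {
                'WRITABLE BY NON-ADMINS'
            } else { 'ok' }
            New-Object PSObject -Property @{
                Task = $task.Path; UserId = $p.UserId; RunLevel = $p.RunLevel
                Executable = $exe; Finding = $finding
            }
        }
    }
    # Recurse into subfolders (the flags argument must be 0).
    foreach ($sub in $Folder.GetFolders(0)) { Get-ElevatedTask $sub }
}

$service = New-Object -ComObject Schedule.Service
$service.Connect()
Get-ElevatedTask $service.GetFolder('\') | Sort-Object Finding -Descending |
    Format-Table -AutoSize Task, UserId, RunLevel, Executable, Finding
```

Run it from an elevated prompt so that tasks registered by other accounts are visible. It checks only the file ACL of the executable itself, not the ACLs of its parent directories or of any arguments passed to it.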

td

The OP didn't give an OS version but if this solution is for Windows 8.whatever with the default UAC group policy settings, I don't think a task scheduler shortcut on the desktop will get around the UAC prompt.  No matter what RunLevel property setting you use.  IIRC, it does still work on Windows 7.

"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade

Ron47

Deana,

Thanks for code. Works perfectly.

My users who need this (and can't turn UAC off) are all using Windows 7.
I've created a task scheduler shortcut on the desktop and it's bypassing UAC with Windows 7. My users will put the shortcut in the start-up menu and they'll be up and running.


Thanks,

Ron











Deana

Quote from: Ron47 on May 01, 2014, 03:13:24 PM
Deana,

Thanks for code. Works perfectly.

My users who need this (and can't turn UAC off) are all using Windows 7.
I've created a task scheduler shortcut on the desktop and it's bypassing UAC with Windows 7. My users will put the shortcut in the start-up menu and they'll be up and running.
I can also run the task from the command prompt but I'm having problems running from a script.
The 'Automate the Task Scheduler Using COM' example that you have on your support page isn't working because the TaskScheduler dll will not successfully register on my Win7 computer.

Is there another easy way to run the task from a WinBatch script?

Thanks,

Ron

A lot has changed with the Task Scheduler between XP and Vista. That article clearly states that TaskScheduler.dll is for Windows XP and older: http://techsupt.winbatch.com/webcgi/webbatch.exe?techsupt/tsleft.web+WinBatch/Scheduler+Automate~the~Task~Scheduler~Using~COM.txt

If you would like to start an existing task from WinBatch on Windows Vista or newer you can use the same Schedule.Service COM object you used to create the task.

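Code (winbatch):
; Connect to the Task Scheduler service.
objTaskService = ObjectCreate("Schedule.Service")
objTaskService.Connect()
; Look up the registered task in the root folder.
objRootFolder = objTaskService.GetFolder("\")
objTask = objRootFolder.GetTask("RunNotePad")
; Run takes a parameters argument; pass a NULL variant.
_NULL = ObjectType( 'NULL', 0 )
objTask.Run(_NULL)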


Reference:
http://msdn.microsoft.com/en-us/library/aa382079(v=vs.85).aspx
Deana F.
Technical Support
Wilson WindowWare Inc.

DAG_P6

When we faced a similar issue a few months ago, our solution was to run the task as the SYSTEM security principal. Even on Windows 7, UAC hasn't reared its ugly head. However, since our task doesn't need to interact with anything more advanced than STDOUT, this approach may not be appropriate for the speech aid program. Nevertheless, it's another option to consider for other types of tasks.

As a bonus, since SYSTEM doesn't require a password, you don't need to worry about where to hide it.
David A. Gray
You are more important than any technology.

Ron47

Deana and David,

Thanks for the code. I had written a simple ShellExecute command, but one of the beta testers said that he's still getting a UAC prompt so I may end up using your code for the script and David's system security approach for setting it up.

Thanks!

Ron

Deana

Quote from: Ron47 on May 03, 2014, 06:05:47 PM
Deana and David,

Thanks for the code. I had written a simple ShellExecute command, but one of the beta testers said that he's still getting a UAC prompt so I may end up using your code for the script and David's system security approach for setting it up.

Thanks!

Ron

Ron,
The code I posted to create the task specified SYSTEM as the user id...

Code (winbatch):
;script to create task
userid = 'SYSTEM'

Deana F.
Technical Support
Wilson WindowWare Inc.