Home / server / Questions / 907945
In Process
gregmac
Asked: 2018-04-17 13:19:11 +0800 CST

How do I run Register-ScheduledJob from a script running as SYSTEM?

  • 772

I'm trying to run Register-ScheduledJob from a script executing as SYSTEM (from an external deployment tool), but I get an error. This must be initially invoked as SYSTEM due to the way the deployment tool works.

To reproduce this problem (requires powershell.exe running as SYSTEM), I created another scheduled job as follows:

  • Run as user account: SYSTEM
  • Action:
    • Run: powershell.exe
    • Arguments: Register-ScheduledJob -name testjob -filepath c:\target.ps1 > C:\testjob.txt 2>&1

Note: if you want to reproduce this yourself, you'll also have to create c:\target.ps1 as an empty file.

This job can then be executed from Task Scheduler UI, and you can see the output in c:\testjob.txt.

When the script runs Register-ScheduledJob, it shows the following error:

Register-ScheduledJob : An error occurred while registering scheduled job 
definition testjob to the Windows Task Scheduler.  The Task Scheduler error is: 
(32,4):UserId:.
At line:1 char:1
+ Register-ScheduledJob -name testjob -filepath c:\target.ps1 > C:\testjob.txt ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Microsoft.Power...edJobDefini 
   tion:ScheduledJobDefinition) [Register-ScheduledJob], ScheduledJobExceptio  
  n
    + FullyQualifiedErrorId : CantRegisterScheduledJobDefinition,Microsoft.Pow 
   erShell.ScheduledJob.RegisterScheduledJobCommand

As far as I can tell this has something to do with not being able to create a job as the SYSTEM user. I'm not really concerned with what target.ps1 actually runs as (eg it doesn't have to be SYSTEM), so long as it's an account that I don't have to manage a password for.

My script has to be initially invoked as SYSTEM (from a service which is running as SYSTEM), so how can I use it to create a scheduled job?

windows

1 Answers

  1. I saw that Register-ScheduledJob -Credential can't eat build-in accounts and people just couldn't register PS-jobs. But this was hacked.

    Now, I see that you can't use Register-ScheduledJob as you run it under the SYSTEM account. Ooh, pretty fair trouble.

    Can you try the following?

    As we know...

    -Credential
    Specifies a user account that has permission to run the scheduled job. The default is the current user.

    OK, then let's provide something to the Register-ScheduledJob -Credential instead of the default SYSTEM.

    This is quite complicated,
    so consider the following thoughts.

    I use Register-ScheduledJob when I want to schedule a PowerShell script block. It is just convenient. But if you want to schedule a ps1 script file then you can use Register-ScheduledTask. Why not? There are examples over there.

    There are ways to run deployment tool projects/jobs under another account.

    Many build tools have password masking as a protection against password logging.
    Register a non-admin account by adding text credentials to your build tool.
    Create a PSCredential object by using PowerShell RunAs Confirm-Free Alternative.
    Run you logic as a script block by using
    Invoke-Command -Credential $someCreds -ScriptBlock { ... }

    Yeah, I made it easier and I just switched my build-machines to a "flesh" account. )
    This also can be a solution. And this is a good practice, too.

    Time is gone, I believe you've found something else. )

    • 0