Unable to see Scheduled Task even with access rights to SYSTEM32\Tasks

Question

I have a follow-up question to this.

I have a task folder RPA with two tasks as follows:

I created these two tasks myself using the Task Scheduler UI (as in above image). My trouble is I am now unable to see SPSBatch using SchTasks.exe:

I am user BEETHOVEN\kingk and have the same Full access rights to both tasks in the \Windows\System32\Tasks\RPA folder:

Besides file permissions on the files in the Tasks folder, what else is controlling access to tasks?

I've extended those answers with a solution and script: https://serverfault.com/a/1046122/471857 — unNamed, Dec 14 '20 at 15:37

score 2 · Answer 1 · answered Mar 06 '19 at 16:24

2

The security descriptor is stored in the registry, similar to what is done for services.

Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RPA
Value: SD

Probably also a value for each task.

answered Mar 06 '19 at 16:24

Greg Askew

34,339
3
52
81

Yes, there's a `SD` value each for a folder and task. Is there any UI to view and update this? How is the default determined or set? – Old Geezer Mar 06 '19 at 16:39
There is no UI. – Greg Askew Mar 06 '19 at 17:03

score 1 · Answer 2 · answered Jan 07 '20 at 12:46

@OldGeezer @GregAskew thanks to your link to SD I was able to translate the binary SD to readable property with following Powershell:

$PathToTask = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft"
$SDBin =  ( (get-itemProperty $PathToTask).sd )

ConvertFrom-SddlString ([wmiclass]"Win32_SecurityDescriptorHelper").BinarySDToSDDL($SDBin).SDDL

With the above you should be able to read what are the current ACLs, and if you work your way through methods from Win32_SecurityDescriptorHelper , you should be able to create your own ACL and replace it, giving you access to the task. I haven't tested that though

Unable to see Scheduled Task even with access rights to SYSTEM32\Tasks

2 Answers2

Linked