Scheduled task running as SYSTEM - execute something as current user?

2

I have a scheduled task which runs a batch file which does some stuff. I want the batch file to kick off another batch file which runs in user space; i.e. %username% == the currently logged-in user, with user permissions, etc. How can I run a command under the current user, given that the scheduled task runs with SYSTEM permissions?

I need this for both Windows XP and Windows 7.

Ricket

Posted 2011-03-15T13:57:24.707

Reputation: 1 406

Answers

3

Ever since the introduction of Terminal Services, "current user" can be plural. Even XP supports fast user switching.

The closest you can get is "user connected to the console session". For this, use WTSGetActiveConsoleSessionId() + WTSQueryUserToken() + CreateEnvironmentBlock() + CreateProcessAsUser().


I wrote this: https://gist.github.com/871048 – Compile, run with full path to your batch file as arguments.

Yes, this requires .NET Runtime, but it's likely that your systems already have it. The compiler's part of the Runtime, too: %SystemRoot%\Microsoft.NET\Framework64\v3.5\csc.exe (any version starting with v2.* will work).

Note: WTSQueryUserToken() requires the program to be running as LocalSystem. (According to the docs, SeTcbPrivilege is not enough, but I haven't checked.)

user1686

Posted 2011-03-15T13:57:24.707

Reputation: 283 655

When this answer was posted, I didn't know about psexec yet. Using it might be easier. – user1686 – 2013-08-06T11:40:13.500

2

Under "When Running Task, use the following user account:" you can set it to the "BUILTIN\Users" group; it will then run the task as the currently logged-in user.

SliSir

Posted 2011-03-15T13:57:24.707

Reputation: 21

0

I don't think you can set it through the task scheduler tool to dynamically use the currently logged-in user, but you can specify a user account to use besides System in the task itself. Both of the below options will require that you have the password for the username.

Windows 7: In the properties window for the task, there is a button in Security Options called "Change User or Group".

Windows XP: In the properties window for the task, you can enter a username in the "Run As" field.

One final option may be to create a startup script that will create the task when the user logs on, and a companion logoff script to delete it when they log off. The command is "Schtasks", which is nearly identical in XP and 7. Documentation for the command is available from MS at the following site: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/schtasks.mspx?mfr=true

Hyppy

Posted 2011-03-15T13:57:24.707

Reputation: 3 636

I'm creating the task via the command line, so I can't change the run as user. Otherwise I would simply check that "run as currently logged on user" box, which is terribly convenient! And regarding the logon/logoff script suggestion, that's pretty much what I intend to do, but the schtasks command cannot check the above-mentioned checkbox; it requires a username and password, and I don't want to prompt the user for their password from a script. – Ricket – 2011-03-15T14:27:19.223

Windows 7 does not seem to have the password entry requirement, at least when I just tried it with UAC off. For XP, you can try using the deprecated AT command instead. – Hyppy – 2011-03-15T14:33:44.613

But the AT command, even with the /interactive flag, runs the command in SYSTEM privileges. I've been testing it just this morning actually and I can't get it to run in the user environment. It seems there are a multitude of ways I could accomplish this in Windows 7, but the big issue at the moment is Windows XP. – Ricket – 2011-03-15T15:01:02.053
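An added example (not from either answer) that combines the second answer's group principal with the third answer's idea of registering the task from a script: a PowerShell script, run once from an elevated or SYSTEM context, that writes a Task Scheduler 2.0 definition whose principal is the BUILTIN\Users group (SID S-1-5-32-545) and imports it with schtasks /XML. No password is stored, and the task runs at each logon as whichever member of Users logged on, so the logon/logoff register-and-delete pair becomes unnecessary. As the comments above note, this is Windows Vista/7 and later only: XP's Task Scheduler 1.0 has neither group principals nor the /XML switch. The task name and batch file path are placeholders.

```powershell
# Added example: register a logon task that runs as the logged-on member
# of BUILTIN\Users, without storing any password. Vista/7 and later only.
$taskName    = 'UserSideHelper'            # placeholder
$userCommand = 'C:\scripts\user-side.cmd'  # placeholder batch file

# Task Scheduler 2.0 definition. <GroupId> makes the principal a group
# (S-1-5-32-545 is BUILTIN\Users); a <LogonTrigger> without <UserId>
# fires for any user who logs on.
$taskXml = @"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <GroupId>S-1-5-32-545</GroupId>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <Enabled>true</Enabled>
    <ExecutionTimeLimit>PT1H</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>cmd.exe</Command>
      <Arguments>/c "$userCommand"</Arguments>
    </Exec>
  </Actions>
</Task>
"@

# The file must really be UTF-16 to match its XML declaration.
$xmlPath = Join-Path $env:TEMP "$taskName.xml"
$taskXml | Out-File -FilePath $xmlPath -Encoding Unicode

schtasks.exe /Create /TN $taskName /XML $xmlPath /F
if ($LASTEXITCODE -ne 0) { throw "schtasks /Create failed with exit code $LASTEXITCODE" }
Remove-Item $xmlPath

# Verify the registered principal and trigger:
schtasks.exe /Query /TN $taskName /V /FO LIST
```

To remove the task later, use `schtasks.exe /Delete /TN UserSideHelper /F`. Because the principal is a group and the run level is LeastPrivilege, the batch file gets exactly the logging-on user's standard token and environment; it never runs as SYSTEM, even though SYSTEM registered it.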