Cannot register task using standard user account

Oct 31, 2011 at 9:23 AM

Hi,

I am writing a program that creates a task and lets other users modify its trigger.

First, I create a task under an administrator account, like this:

using (TaskService ts = new TaskService())
{
    TaskDefinition td = ts.NewTask();

    DailyTrigger dailyTrig = new DailyTrigger();
    dailyTrig.StartBoundary = DateTime.Now;
    dailyTrig.DaysInterval = 2;
    td.Triggers.Add(dailyTrig);

    ExecAction ac = new ExecAction("D:\\a.exe");
    td.Actions.Add(ac);

    // Register the task in the root folder
    ts.RootFolder.RegisterTaskDefinition("TEST", td, TaskCreation.CreateOrUpdate, "SYSTEM", null, TaskLogonType.ServiceAccount);
}

This task will run a.exe under the local system account. That works: I can create the task and let it run.

After that, I log off and log in as a standard user (not an administrator) such as TEST, and then modify the task.

using (TaskService ts = new TaskService())
{
    Task task = ts.FindTask(_taskName);
    TaskDefinition td;
    if (task != null)
    {
        task.Enabled = true;
        td = task.Definition;
        td.Triggers.Clear();

        WeeklyTrigger weeklyTrig = new WeeklyTrigger();
        weeklyTrig.WeeksInterval = 1;
        weeklyTrig.DaysOfWeek = DaysOfTheWeek.Monday | DaysOfTheWeek.Tuesday | DaysOfTheWeek.Wednesday | DaysOfTheWeek.Thursday | DaysOfTheWeek.Friday;
        td.Triggers.Add(weeklyTrig);

        ts.RootFolder.RegisterTaskDefinition(_taskName, td, TaskCreation.CreateOrUpdate, _userId, null, TaskLogonType.ServiceAccount);
    }
}

The problem is that when it reaches the red line of code, it fails with error 0x80070005 (E_ACCESSDENIED).

When I log off and run under the Administrator account, this code runs correctly.

My question is: if I want to modify a task (created by an administrator account) under a standard user account (not an administrator account), how can I do this?

This is so strange. Can only an Administrator create and modify tasks in Task Scheduler?

Thanks so much.

Nov 1, 2011 at 6:27 AM

Does anyone have any idea?

Coordinator
Nov 2, 2011 at 4:28 AM

The following is pulled from the MSDN documentation and edited to match this library:

By default, a user who creates a task can read, update, delete, and run the task. A user must have file write permission on a task file to update a task, file read permission on a task file to read a task, delete permission on a task file to delete a task, and file execute permission on a task to run a task using the Task.Run or RunEx methods. Members of the Administrators group or the SYSTEM account can read, update, delete, and run any tasks. Members of the Users group, the LocalService account, and the NetworkService account can only read, update, delete, and run the tasks that they have created. This default behavior is changed when the DACL of the task file is changed, in which case the DACL defines which users have file write, read, execute, and delete permission. To set permissions for a task file, use the Task.SecurityDescriptor property or set the security descriptor when you register the task using the RegisterTask or RegisterTaskDefinition methods.
 
A user must have WriteDAC permission in addition to the read/write permissions to update a task if the task update requires a change to the DACL for the task.
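
As an added example (not from the thread or the library's documentation), this is one way to pass a DACL at registration time, as the quoted text describes. The SDDL string and class name are constructed for illustration, and the seven-argument RegisterTaskDefinition overload with a trailing SDDL parameter is assumed to be available in the library version in use.

```csharp
using System;
using System.Security.AccessControl;
using Microsoft.Win32.TaskScheduler;

class RegisterWithDacl
{
    // Constructed SDDL (assumption): full control for Administrators (BA) and
    // SYSTEM (SY), read + execute only for the built-in Users group (BU).
    // Write access is withheld from Users on purpose: whoever can update the
    // definition of a task that runs as SYSTEM decides what runs as SYSTEM.
    const string Sddl = "D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;GRGX;;;BU)";

    static void Main()
    {
        // Parse the SDDL first so a malformed string fails here, and list
        // every ACE so the granted access masks can be reviewed.
        var sd = new RawSecurityDescriptor(Sddl);
        foreach (GenericAce ace in sd.DiscretionaryAcl)
        {
            var known = ace as CommonAce;
            if (known != null)
                Console.WriteLine("{0} {1} mask=0x{2:X8}",
                    known.AceType, known.SecurityIdentifier, known.AccessMask);
        }

        // Must run from an elevated administrator process, as in the thread.
        using (TaskService ts = new TaskService())
        {
            TaskDefinition td = ts.NewTask();
            td.Triggers.Add(new DailyTrigger(2));
            td.Actions.Add(new ExecAction("D:\\a.exe"));

            // Last argument: the security descriptor applied to the task.
            ts.RootFolder.RegisterTaskDefinition("TEST", td, TaskCreation.CreateOrUpdate,
                "SYSTEM", null, TaskLogonType.ServiceAccount, Sddl);
        }
    }
}
```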

Nov 5, 2011 at 2:10 PM

Hi Dahall, Thanks for your response.

Now I have decided to use impersonation, so that the standard user impersonates the Administrator user to register the task, rather than registering it as the standard user.

I have 2 ways to do this.

1. First, I use the TaskService constructor, like this one:

using (TaskService ts = new TaskService(Environment.MachineName, "ADMIN", Environment.MachineName, "123456", false))
{
    ....
    ts.RootFolder.RegisterTaskDefinition("TEST", td, TaskCreation.CreateOrUpdate, "SYSTEM", null, TaskLogonType.ServiceAccount);
}

This one causes an error: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)). I already checked the username and password of the admin.

2. Second, I use the Impersonation class from Microsoft, so that I impersonate Admin before registering the task.

using (Impersonation imp = new Impersonation("ADMIN", "DOMAIN", "123456"))
{
    using (TaskService ts = new TaskService())
    {
        ts.RootFolder.RegisterTaskDefinition("TEST", td, TaskCreation.CreateOrUpdate, "SYSTEM", null, TaskLogonType.ServiceAccount);
    }
}

When I get to the line using (TaskService ts = new TaskService()), it causes an error:

Retrieving the COM class factory for component with CLSID {0F87369F-A4E5-4CFC-BD3E-73E6154572DD} failed due to the following error: 80070542.

Is it possible to use impersonation so that a standard user can impersonate Admin to register a task with the SYSTEM account?

Can you show me which part of the code I got wrong?

Thanks so much.

Coordinator
Nov 7, 2011 at 6:31 PM

What is your target platform?

Nov 8, 2011 at 12:49 AM

Hi Dahall,

My platform is Windows Vista Business 32 bit.

Coordinator
Nov 8, 2011 at 3:02 PM

Method (1) from your example above is the one I have tested and used. It works. You need to make sure the account is either a domain admin or local admin and use the appropriate domain or workstation name. You also need to make sure the account has LOGON32_LOGON_BATCH rights.

Nov 10, 2011 at 4:17 AM

Hi Dahall,

I use a local ADMIN account and the domain name of my local machine; it also has the LOGON32_LOGON_BATCH right. Can you check whether this works or not? In my case it does not work and causes an "access is denied" error.

First, I log in as the ADMIN account (I created this one; it is not the built-in administrator) to create a task named TEST.

Then I log in as user TEST (standard user) and use impersonation in the constructor of the Task Service class, as the ADMIN account, to modify the task.

It causes an "access is denied" error when running to the line

using (TaskService ts = new TaskService(Environment.MachineName, "ADMIN", Environment.MachineName, "123456", false))

Coordinator
Nov 11, 2011 at 2:24 AM

I was just looking at some of the tasks on my Windows 7 system. They are registered under the "Users" group. This would give all system users the ability to change and run the task. Give that a try and let us know if it works.

Coordinator
Nov 11, 2011 at 2:25 AM
Edited Nov 11, 2011 at 2:25 AM

By the way, I tried your test and got the same errors. I can't explain what is happening so that is why I proposed the 'Users' group solution.

Nov 18, 2011 at 8:54 AM

Hi Dahall,

Sorry for the late reply.

A standard user cannot register the task under a group, so it cannot modify the task when it is registered with the "Users" group. I think there is no way for a standard user to register the task with the "SYSTEM" account. If someone knows how to do it, I would very much appreciate it. Thanks.

Oct 10, 2012 at 4:27 PM
Edited Oct 10, 2012 at 4:35 PM

Hi all,
I'm reading this post because I'm getting "Access is denied" on RegisterTaskDefinition when launching my application as a domain user that belongs to the Administrators group on the machine (I'm trying on both Windows 7 and Windows Server 2008 R2).

What is strange is that thientan0206 said that the first operation works fine ("First, I create one task under administrator account like this one: [...] It's good, I can create the task, and let it run"). In my case, this simple operation already causes the "Access is denied" error message.

I tried to copy and paste these lines of code in a sample app:

using (TaskService ts = new TaskService())
{
    TaskDefinition td = ts.NewTask();
    DailyTrigger dailyTrig = new DailyTrigger();
    dailyTrig.StartBoundary = DateTime.Now;
    dailyTrig.DaysInterval = 2;
    td.Triggers.Add(dailyTrig);
    ExecAction ac = new ExecAction("D:\\a.exe");
    td.Actions.Add(ac);
    // Register the task in the root folder
    ts.RootFolder.RegisterTaskDefinition("TEST", td, TaskCreation.CreateOrUpdate,
        "SYSTEM", null, TaskLogonType.ServiceAccount);
}

...launched it and it doesn't work: I'm getting that annoying message.
Of course, if I try adding the same activity using the Task Scheduler snap-in, the activity gets created successfully...
Why? What am I doing wrong?

Coordinator
Oct 10, 2012 at 8:14 PM

jeanie77: I just ran the following code without a problem logged into a domain account which is in my local Administrators group and had no errors. I have to assume there is something about your runtime environment that is causing the problem. Could it be UAC? Are you running the application "as Administrator"?

using (TaskService ts = new TaskService())
{
   TaskDefinition td = ts.NewTask();
   td.Triggers.Add(new DailyTrigger(2));
   td.Actions.Add(new ExecAction("D:\\a.exe"));
   Task t = ts.RootFolder.RegisterTaskDefinition(taskName, td, TaskCreation.CreateOrUpdate, "SYSTEM", null, TaskLogonType.ServiceAccount);
}

Oct 11, 2012 at 7:49 AM
Edited Oct 11, 2012 at 8:37 AM

Hi Dahall,
thank you for your reply.

Yes, I have UAC enabled (Default - Notify me only when programs try to make changes to my computer) and probably that's the reason why I cannot register using the API. 

If I launch my application "As Administrator", it registers successfully.

The problem is that the "Access is denied" error comes out for several different reasons...
Thank you, bye! Valentina
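
The UAC behaviour that resolved the last report, as an added example that is not part of the thread: check for an elevated token before registering, and report E_ACCESSDENIED explicitly if registration still fails. The class name and messages are assumptions; the task name, action and account are the ones used in the thread.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.TaskScheduler;

class ElevatedRegistration
{
    // With UAC enabled, a member of Administrators runs with a filtered token
    // until the process is started "as Administrator"; IsInRole is then false.
    static bool IsElevated()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
            return new WindowsPrincipal(id).IsInRole(WindowsBuiltInRole.Administrator);
    }

    static int Main()
    {
        if (!IsElevated())
        {
            Console.Error.WriteLine("Not elevated: start this program \"as Administrator\" to register a SYSTEM task.");
            return 1;
        }
        try
        {
            using (TaskService ts = new TaskService())
            {
                TaskDefinition td = ts.NewTask();
                td.Triggers.Add(new DailyTrigger(2));
                td.Actions.Add(new ExecAction("D:\\a.exe"));
                ts.RootFolder.RegisterTaskDefinition("TEST", td, TaskCreation.CreateOrUpdate,
                    "SYSTEM", null, TaskLogonType.ServiceAccount);
            }
            return 0;
        }
        catch (UnauthorizedAccessException ex)
        {
            // COM E_ACCESSDENIED (0x80070005) surfaces in .NET as UnauthorizedAccessException.
            Console.Error.WriteLine("Access denied (0x{0:X8}): {1}",
                Marshal.GetHRForException(ex), ex.Message);
            return 2;
        }
    }
}
```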