Error code 1312(NO_SUCH_LOGON_SESSION) while writing to Credential Manager. Scheduled task in Interactive mode


I have an app which runs on a VM via the Task Scheduler, and the app tries to write to the Credential Manager but fails with error code 1312. The way I start my app on the VM from the host machine is via this code:

    # Runs on the host: PowerShell Direct into the VM, then register the task inside the guest.
    $password = "password" | ConvertTo-SecureString -AsPlainText -Force
    $username = "name"
    $credential = New-Object System.Management.Automation.PSCredential($username, $password)
    # The opening brace must stay on the same line as -ScriptBlock; on a new line the parameter gets no argument.
    Invoke-Command -VMName INSTANCE_ID -Credential $credential -ScriptBlock {
        $gettime = (Get-Date).AddMinutes(2)
        $run = $gettime.ToString('HH:mm')
        $action = New-ScheduledTaskAction -Execute 'C:\logging.bat'
        $trigger = New-ScheduledTaskTrigger -Once -At $run
        $setting = New-ScheduledTaskSettingsSet -Priority 4
        # Group principal: the task runs in the session of whichever member of the group is logged on.
        $principal = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
        Register-ScheduledTask -Action $action -Trigger $trigger -Settings $setting -Principal $principal -TaskName "ID_Logging_Task" -Description "my description"
    }

As per my understanding I am running with the highest privilege possible, plus I have logged onto the VM via the Sysinternals Autologon tool. I don't understand what is going wrong here. What setting needs to be changed so that it can find a proper logon session?

UPDATE:

I added

$principal = New-ScheduledTaskPrincipal -UserID "DOMAIN\USERNAME" -LogonType Interactive -RunLevel Highest 

with the same username in Register-ScheduledTask, without a password, because when I specify a password my app does not launch in interactive mode but as a background process. I need to fix the 1312 error while running my app in interactive mode and with the highest privilege.

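The registration above, redone for each of the principal types that come up in this thread, as an added example (not the asker's code). It runs on the VM from an elevated prompt, registers the same "run C:\logging.bat" task once per principal/logon type, reads back what the scheduler actually stored, and marks which variants need the account to have a logon session when the trigger fires, which is the condition that surfaces as 1312 / NO_SUCH_LOGON_SESSION. 'DOMAIN\USERNAME' and 'C:\logging.bat' are placeholders, and the stored-password variant is registered only when -Password is supplied.

```powershell
# Added example, not code from the question. Run on the VM as an administrator.
# Assumptions: $User and $Command are placeholders; the Password variant is optional.
param(
    [string]$User    = 'DOMAIN\USERNAME',
    [string]$Command = 'C:\logging.bat',
    [securestring]$Password             # optional: only for the stored-password variant
)

$action   = New-ScheduledTaskAction -Execute $Command
$trigger  = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(2)   # pass a DateTime, no 'HH:mm' round-trip
$settings = New-ScheduledTaskSettingsSet -Priority 4

# One entry per principal type. NeedsSession: the account must be logged on when the
# trigger fires. Desktop: the task can show UI / interact with the user's desktop.
$variants = @(
    @{ Name = 'Group';       NeedsSession = $true;  Desktop = $true
       Principal = New-ScheduledTaskPrincipal -GroupId 'BUILTIN\Administrators' -RunLevel Highest }
    @{ Name = 'Interactive'; NeedsSession = $true;  Desktop = $true
       Principal = New-ScheduledTaskPrincipal -UserId $User -LogonType Interactive -RunLevel Highest }
    @{ Name = 'S4U';         NeedsSession = $false; Desktop = $false     # no stored password, no network creds
       Principal = New-ScheduledTaskPrincipal -UserId $User -LogonType S4U -RunLevel Highest }
    @{ Name = 'System';      NeedsSession = $false; Desktop = $false     # SYSTEM's vault, not the user's
       Principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest }
)
if ($Password) {
    # -User/-Password cannot be combined with -Principal; this variant is registered via that parameter set.
    $variants += @{ Name = 'Password'; NeedsSession = $false; Desktop = $false; Principal = $null }
}

function Register-Variant {
    param([hashtable]$Variant)
    $name = "ID_Logging_Task_$($Variant.Name)"
    $common = @{ TaskName = $name; Action = $action; Trigger = $trigger; Settings = $settings; Force = $true }
    if ($Variant.Principal) {
        Register-ScheduledTask @common -Principal $Variant.Principal | Out-Null
    } else {
        # Stored credential: "run whether user is logged on or not", therefore no desktop.
        $plain = [System.Net.NetworkCredential]::new('', $Password).Password
        Register-ScheduledTask @common -User $User -Password $plain -RunLevel Highest | Out-Null
    }
    # Read back what the scheduler stored rather than trusting what we asked for.
    $stored = (Get-ScheduledTask -TaskName $name).Principal
    [pscustomobject]@{
        Task         = $name
        StoredUser   = if ($stored.GroupId) { "group:$($stored.GroupId)" } else { $stored.UserId }
        LogonType    = $stored.LogonType
        RunLevel     = $stored.RunLevel
        NeedsSession = $Variant.NeedsSession
        Desktop      = $Variant.Desktop
    }
}

$variants | ForEach-Object { Register-Variant -Variant $_ } | Format-Table -AutoSize

# Who currently has a logon session on this machine (the Group/Interactive variants need one).
query user 2>$null
```

The table makes the trade-off from the question explicit: the two variants that give the app a desktop (Group, Interactive) only run if the matching session exists at trigger time, while the three that run without anyone logged on (S4U, System, Password) are non-interactive. After the trigger fires, `Get-ScheduledTaskInfo -TaskName ID_Logging_Task_<Name>` shows LastRunTime and LastTaskResult per variant, which is a quicker way to confirm which ones actually launched than watching the app itself.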

Answer:


This appears to be similar to Powershell: Set a Scheduled Task to run when user isn't logged in

If running a scheduled task as a GroupID, then someone from that group would need to be logged into the machine at the time the task is scheduled to run.

For the task to run without anyone logged in, then either a UserID must be specified for the Principal with a corresponding username and password provided in Register-ScheduledTask, -OR- the principal should be the SYSTEM account, e.g.:

$principal = New-ScheduledTaskPrincipal -UserID "NT AUTHORITY\SYSTEM" -LogonType ServiceAccount -RunLevel Highest

Tasks running under the SYSTEM account will have admin rights, but will only have access to network resources specifically granted to the computer's domain account (COMPUTERNAME$).


Update:

Regarding running the task in interactive mode, see https://serverfault.com/q/458848

Based on what I could find, running a scheduled task interactively as a specific user requires that user to be logged on to the system at the time the task runs. If the user is not logged in, error 1312 will result.

On the other hand, if the task is configured as "run whether user is logged on or not", and a password is supplied, then the task cannot interact with the desktop.

In one of the answers, someone suggests setting up the task with GroupID "Users". This could possibly run interactively, but it isn't going to have elevated permissions.

The operating system is designed to not allow unprivileged users to directly run privileged operations. Using a scheduled task is not going to bypass this, and isn't going to allow a non-privileged user to run an interactive application as a different, privileged user.

If it is necessary for non-privileged users to have access to privileged operations, then it is best to design a front-end application that runs as a non-privileged process, which then communicates with a privileged service or task. Such communication can be done via named pipes or via writing to the application log with specific event IDs and messages. However, extreme caution is needed to avoid unintended privilege escalation.
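The split design from the last paragraph, written out as an added example that is not from the answer: a privileged script (meant to be run by a task whose principal is NT AUTHORITY\SYSTEM with -LogonType ServiceAccount, so it needs no logon session) owns a named pipe, and the interactive, unprivileged front end sends it one-line requests. The server executes only allow-listed verbs with allow-listed arguments and never evaluates client text as code; the client connects with an Identification-level token so the server can log who asked without being able to impersonate them. The pipe name, verbs and service list are illustrative, and the PipeSecurity constructor overload assumes Windows PowerShell 5.1 (.NET Framework).

```powershell
# Added example, not from the thread. Assumptions: pipe name, verbs and the service
# allow-list are illustrative; Windows PowerShell 5.1 for the PipeSecurity overload.
$PipeName = 'ID_Logging_PrivPipe'

# Allow-listed operations. The server validates verb and argument before touching either.
$Operations = @{
    'svc-status' = @{ AllowedArgs = @('Spooler', 'W32Time')          # assumption: services of interest
                      Action      = { param($svc) (Get-Service -Name $svc).Status.ToString() } }
    'dns-flush'  = @{ AllowedArgs = @()                               # takes no argument
                      Action      = { Clear-DnsClientCache; 'ok' } }
}

function New-UsersPipeSecurity {
    # Let BUILTIN\Users connect (read/write); the server process itself is SYSTEM.
    $users = New-Object System.Security.Principal.SecurityIdentifier(
        [System.Security.Principal.WellKnownSidType]::BuiltinUsersSid, $null)
    $sec = New-Object System.IO.Pipes.PipeSecurity
    $sec.AddAccessRule((New-Object System.IO.Pipes.PipeAccessRule(
        $users, [System.IO.Pipes.PipeAccessRights]::ReadWrite,
        [System.Security.AccessControl.AccessControlType]::Allow)))
    return $sec
}

function Invoke-Validated {
    # Protocol: "<verb> [arg]". Strict shape first, then allow-lists; the text is never executed.
    param([string]$Line)
    if ($Line -notmatch '^(?<verb>[a-z-]{1,20})(?: (?<arg>[A-Za-z0-9]{1,32}))?$') { return 'ERR bad-request' }
    $verb = $Matches['verb']; $arg = $Matches['arg']
    $op = $Operations[$verb]
    if (-not $op) { return 'ERR unknown-verb' }
    if ($op.AllowedArgs.Count -eq 0 -and $arg) { return 'ERR unexpected-arg' }
    if ($op.AllowedArgs.Count -gt 0 -and $op.AllowedArgs -notcontains $arg) { return 'ERR arg-not-allowed' }
    try { return 'OK ' + (& $op.Action $arg) } catch { return 'ERR action-failed' }
}

function Start-PrivilegedPipeServer {
    # Privileged side. Handles $Requests connections then exits; a real task would loop forever.
    param([int]$Requests = 1)
    for ($i = 0; $i -lt $Requests; $i++) {
        $server = New-Object System.IO.Pipes.NamedPipeServerStream(
            $PipeName, [System.IO.Pipes.PipeDirection]::InOut, 1,
            [System.IO.Pipes.PipeTransmissionMode]::Byte, [System.IO.Pipes.PipeOptions]::None,
            4096, 4096, (New-UsersPipeSecurity))
        try {
            $server.WaitForConnection()
            $reader = New-Object System.IO.StreamReader($server)
            $writer = New-Object System.IO.StreamWriter($server); $writer.AutoFlush = $true
            $caller = $server.GetImpersonationUserName()     # audit trail: who is on the other end
            $line   = $reader.ReadLine()
            $reply  = Invoke-Validated -Line $line
            Write-Verbose "$caller -> '$line' => $reply"
            $writer.WriteLine($reply)
            $server.WaitForPipeDrain()
        } finally { $server.Dispose() }
    }
}

function Invoke-PipeRequest {
    # Unprivileged front end. Identification level: the server may learn our name, not act as us.
    param([Parameter(Mandatory)][string]$Line, [int]$TimeoutMs = 5000)
    $client = New-Object System.IO.Pipes.NamedPipeClientStream('.', $PipeName,
        [System.IO.Pipes.PipeDirection]::InOut, [System.IO.Pipes.PipeOptions]::None,
        [System.Security.Principal.TokenImpersonationLevel]::Identification)
    try {
        $client.Connect($TimeoutMs)
        $writer = New-Object System.IO.StreamWriter($client); $writer.AutoFlush = $true
        $reader = New-Object System.IO.StreamReader($client)
        $writer.WriteLine($Line)
        return $reader.ReadLine()
    } finally { $client.Dispose() }
}

# Privileged side (from an elevated prompt):  Start-PrivilegedPipeServer -Requests 3 -Verbose
# Unprivileged side (any user):               Invoke-PipeRequest 'svc-status Spooler'   -> "OK Running"
#                                             Invoke-PipeRequest 'svc-status Foo; calc'  -> "ERR bad-request"
```

To wire the privileged side to the Task Scheduler, register `powershell.exe -File <path to this script>` with the SYSTEM/ServiceAccount principal from the answer; nothing in that task depends on a logon session. The escalation risk lives entirely in Invoke-Validated: every verb maps to a fixed script block, every argument is matched against a fixed list, and any widening of those lists (wildcards, paths, free-text arguments) is where an unprivileged caller would regain control of what SYSTEM executes.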