I am not able to create a scheduled task under latest Win11 when running a Powershell script as "local system". It gets me an error "New-ScheduledTaskTrigger : Cannot connect to CIM server. Access to a CIM resource was not available to the client."
Here is the code to replicate the issue. How can it be solved?:
#requires -runasadmin
# this works as admin:
$trigger = New-ScheduledTaskTrigger -Once -At (get-date)
# switching to local system:
$id = [System.Security.Principal.WindowsIdentity]
if (-not $id::GetCurrent().IsSystem) {
$advApi = add-type '
[DllImport("kernel32.dll")]
public static extern IntPtr OpenProcess(UInt32 Access, bool inherit, UInt32 pid);
[DllImport("advapi32.dll")]
public static extern bool OpenProcessToken(IntPtr Thread, UInt32 Access, out IntPtr Handle);
[DllImport("advapi32.dll")]
public extern static bool DuplicateToken(IntPtr Handle, int Level, out IntPtr Copy);
[DllImport("advapi32.dll")]
public static extern bool SetThreadToken(IntPtr Thread, IntPtr Token);
' -Name advApi -PassThru
$service = Get-WmiObject win32_service | where { $_.name -eq 'SamSs'}
$sysHandle = $advApi::OpenProcess(0x1000, $false, $service.processID)
$otherToken = [IntPtr]0
$myToken = [IntPtr]0
$null = $advApi::OpenProcessToken($sysHandle, 6, [ref]$otherToken)
$null = $advApi::DuplicateToken($otherToken, 2, [ref]$myToken)
$null = $advApi::SetThreadToken(0, $myToken)
}
if ($id::GetCurrent().IsSystem) {
"now we have local system rights for this process."
}
# this is failing now:
$trigger = New-ScheduledTaskTrigger -Once -At (get-date)
# back to admin:
$advApi::SetThreadToken(0, 0)
# this works again:
$trigger = New-ScheduledTaskTrigger -Once -At (get-date)
After testing many different approaches, I came to the conclusion that I cannot use the classic PS-command for creating a scheduled task in a reliable way when the main process runs as "Local system". Therefore I decided to go with this approach which works very reliable on any Windows-version: