Windows – How to run Register-ScheduledJob from a script running as SYSTEM


I'm trying to run Register-ScheduledJob from a script executing as SYSTEM (from an external deployment tool), but I get an error. This must be initially invoked as SYSTEM due to the way the deployment tool works.

To reproduce this problem (requires powershell.exe running as SYSTEM), I created another scheduled job as follows:

  • Run as user account: SYSTEM
  • Action:
    • Run: powershell.exe
    • Arguments: Register-ScheduledJob -name testjob -filepath c:\target.ps1 > C:\testjob.txt 2>&1

Note: if you want to reproduce this yourself, you'll also have to create c:\target.ps1 as an empty file.

This job can then be executed from Task Scheduler UI, and you can see the output in c:\testjob.txt.

When the script runs Register-ScheduledJob, it shows the following error:

Register-ScheduledJob : An error occurred while registering scheduled job 
definition testjob to the Windows Task Scheduler.  The Task Scheduler error is: 
At line:1 char:1
+ Register-ScheduledJob -name testjob -filepath c:\target.ps1 > C:\testjob.txt ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Microsoft.Power...edJobDefini 
   tion:ScheduledJobDefinition) [Register-ScheduledJob], ScheduledJobExceptio  
    + FullyQualifiedErrorId : CantRegisterScheduledJobDefinition,Microsoft.Pow 

As far as I can tell this has something to do with not being able to create a job as the SYSTEM user. I'm not really concerned with what target.ps1 actually runs as (e.g. it doesn't have to be SYSTEM), so long as it's an account that I don't have to manage a password for.

My script has to be initially invoked as SYSTEM (from a service which is running as SYSTEM), so how can I use it to create a scheduled job?

Best Answer

I saw that Register-ScheduledJob -Credential can't eat built-in accounts and people just couldn't register PS-jobs. But this was hacked.

Now, I see that you can't use Register-ScheduledJob as you run it under the SYSTEM account. Ooh, pretty fair trouble.

Can you try the following?

As we know...

Specifies a user account that has permission to run the scheduled job. The default is the current user.

OK, then let's provide something to the Register-ScheduledJob -Credential instead of the default SYSTEM.

This is quite complicated, so consider the following thoughts.

I use Register-ScheduledJob when I want to schedule a PowerShell script block. It is just convenient. But if you want to schedule a ps1 script file then you can use Register-ScheduledTask. Why not? There are examples over there.

There are ways to run deployment tool projects/jobs under another account.

  • Many build tools have password masking as a protection against password logging.
  • Register a non-admin account by adding text credentials to your build tool.
  • Create a PSCredential object by using PowerShell RunAs Confirm-Free Alternative.
  • Run your logic as a script block by using
    Invoke-Command -Credential $someCreds -ScriptBlock { ... }

Yeah, I made it easier and I just switched my build-machines to a "flesh" account. )
This also can be a solution. And this is a good practice, too.

Time is gone, I believe you've found something else. )
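
The Register-ScheduledTask route mentioned in the answer, as an added example that is not code from the original post. It assumes the script can run as the built-in LOCAL SERVICE account (no password to manage) and that a daily 3:00 AM trigger is wanted; the trigger, the run-as account and the ACL check are illustrative choices, while the task name and script path come from the question.

```powershell
# Added example: register a task for a .ps1 file from a SYSTEM context using the
# ScheduledTasks module (Windows 8 / Server 2012 or later).
$scriptPath = 'C:\target.ps1'   # path from the question
$taskName   = 'testjob'         # name from the question

# A task running under a service identity must not point at a script that
# less-privileged users can modify. Check the file ACL before registering.
$writeMask   = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$trustedSids = 'S-1-5-18', 'S-1-5-32-544'   # SYSTEM, BUILTIN\Administrators

$risky = (Get-Acl -LiteralPath $scriptPath).Access | Where-Object {
    $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights -band [int]$writeMask) -ne 0) -and
    ($sid -notin $trustedSids)
}
if ($risky) {
    throw "Refusing to register: $scriptPath is writable by $($risky.IdentityReference -join ', ')"
}

# Action: run the script file non-interactively. Execution policy is left to
# whatever the machine policy already enforces.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -File `"$scriptPath`""

# Trigger (assumed schedule).
$trigger = New-ScheduledTaskTrigger -Daily -At '3:00AM'

# Principal: built-in service account with limited rights, so no credential is
# stored with the task. The account needs read access to $scriptPath.
$principal = New-ScheduledTaskPrincipal -UserId 'LOCALSERVICE' `
    -LogonType ServiceAccount -RunLevel Limited

Register-ScheduledTask -TaskName $taskName -Action $action `
    -Trigger $trigger -Principal $principal | Out-Null

# Confirm which identity the task will run as.
Get-ScheduledTask -TaskName $taskName |
    Select-Object TaskName, State, @{ n = 'RunAs'; e = { $_.Principal.UserId } }
```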