Powershell started from Task Scheduler generates EventID 1530

  • Question

  • I have a task scheduler setup to run a powershell at startup using a service account.  The powershell itself starts a second powershell which monitors a group of folders continuously and upon seeing a certain condition starts a third powershell.  The first and third powershells close after executing their tasks.  A period of time (~5 minutes) after running the task scheduler task the Event viewer reports an EventID 1530 warning and the monitoring (2nd) powershell loses the ability to start the third powershell (it's unable to get a PID).  The problem only exists when using task manager to start the powershell; starting the powershell from a command window running as the service account does not have the problem.

    So 1) Why is my powershell accessing registry keys to begin with? Nothing in my script is explicitly doing it.  2) How can I automate the startup of the powershell so that it doesn't create EventID 1530?

    Wednesday, February 20, 2019 4:32 PM

All replies

  • There is no way for us to guess at what you are doing. 

    \_(ツ)_/

    Wednesday, February 20, 2019 7:11 PM
  • Hi,

    Thanks for your question.

    Maybe you can try to post your script or give more information about your task scheduler for better help.

    Best regards,

    Lee


    Just do it.

    Thursday, February 21, 2019 3:29 AM
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Lee


    Just do it.

    Monday, February 25, 2019 7:13 AM
  • No the issue hasn't been resolved.  For now I am manually starting the powershell script whenever the server is rebooted.

    The task scheduler executes the following command:

    powershell -File EncSvcControl.ps1 -Start -LogToFile

    This is run using a service account and is set to run whether user is logged on or not and the run with highest privileges box is checked.

    Without sharing the full EncSvcControl.ps1 script, ultimately it sees the -Start switch and based upon that it executes the following command:

    $procid = Start-Process powershell "-File $ScriptPath $_ENCSVC_SCRIPT_ARGS" -WorkingDirectory $_ENCSVC_PRIVATE_DIR -PassThru 


    after which time EncSvcControl.ps1 terminates.

    The new script defined by $ScriptPath (EncSvcMain.ps1) is the one that is constantly monitoring folders.  Upon seeing an appropriate file, it too calls a Start-Process command:

        $proc = Start-Process powershell "-NonInteractive -NoProfile -File $workfile -PrivateSpace $_ENCSVC_PRIVATE_DIR -UserDir $Dir -initcheck $_WRK_DBG" -WorkingDirectory $Path -PassThru -WindowStyle $_WRK_WS -ErrorVariable errVar -ErrorAction:SilentlyContinue
        
        if (ProcessValid $proc)
        {
            $msg =  "  Worker process started: PID " + $proc.id
            WriteLog $msg
        
            $msg = $base_msg + "Worker process started: PID " + $proc.id
            Out-File -Append -FilePath $startfile_path -InputObject $msg 
            $msg = $base_msg + "START ACKnowledged"
            Out-File -Append -FilePath $startfile_path -InputObject $msg 
            Rename-Item $startfile_path -NewName $_ENVSVC_CMD_STARTME_ACK -Force
    
        } else {
    
            $msg = "  Creation of worker process failed! PID = " + $proc.ExitCode
            WriteLog $msg
            
            $msg = $base_msg + "Creation of worker process failed!"
            Out-File -Append -FilePath $startfile_path -InputObject $msg 
            $msg = "ErrMsg: $errVar"
            Out-File -Append -FilePath $startfile_path -InputObject $msg 
            $msg =  $base_msg + "Processing aborted"
            Out-File -Append -FilePath $startfile_path -InputObject $msg 
            Rename-Item $startfile_path -NewName $_ENCSVC_STAT_ABORTED -Force
        
        }


    It is at this point, after the EventID 1530, that the above code takes the "Creation of worker process failed" route.


    • Edited by JoeHokie01 Monday, March 4, 2019 7:42 PM
    Monday, March 4, 2019 1:37 PM
  • Try adding these parameters to the powershell command. 

    -NonInteractive -noprofile

    I would also suggest adding more logging statements, particularly for the start-process commands so that you can verify the contents of all the variables that you are passing to it.   

    Monday, March 4, 2019 2:29 PM
  • You cannot use named arguments with the PowerShell "-File" command.  The arguments must be strings or numbers.


    \_(ツ)_/

    Monday, March 4, 2019 3:48 PM
  • Nope, adding those commands didn't help.  It worked the first few times, but ~5 minutes after starting the task, I get the EventID 1530 and after that the Start-Process command in EncSvcMain starts returning a NULL value (which is the same behavior as without the additional commands).

    I already have pretty detailed logging statements which verify that the variables being passed are correct.  Also the script works initially or when not started via the task manager.

    Does anyone have any ideas as to why the EncSvcMain powershell would be accessing the registry?   It seems this will be the key to the problem.

    Monday, March 4, 2019 6:32 PM
  • Please post your code correctly using the code posting tool. What you have posted cannot be copied for testing and  is mostly unreadable.


    \_(ツ)_/

    Monday, March 4, 2019 6:36 PM
  • As I pointed out above, this line is wrong:

    $proc = Start-Process powershell "-File $workfile -PrivateSpace $_ENCSVC_PRIVATE_DIR -UserDir $Dir -initcheck $_WRK_DBG" -WorkingDirectory $Path -PassThru -WindowStyle $_WRK_WS -ErrorVariable errVar -ErrorAction:SilentlyContinue


    \_(ツ)_/

    Monday, March 4, 2019 6:38 PM
  • I have only provided snippets of the code for reference.  Nor will I be able to post the entire source due to IP limitations.  I am not expecting this code to be tested.  I am merely looking for ideas/suggestions as to the source of my problems.
    Monday, March 4, 2019 6:40 PM
  • This is a better way and correctly  assigns the arguments.

    $arglist = @(
        "-WindowStyle $_WRK_WS",
        '-NoProfile',
        "-File $workfile",  # must be last PowerShell argument before PS1 arguments
        # the following will not work in a task.  Pass by value instead.
        "-initcheck $_WRK_DBG",
        "-PrivateSpace $_ENCSVC_PRIVATE_DIR",
        "-UserDir $Dir"
    )
    # -FilePath is required by Start-Process; -WorkingDirectory is a Start-Process
    # parameter (Windows PowerShell's powershell.exe has no such switch)
    if ($proc = Start-Process -FilePath powershell -ArgumentList $arglist -WorkingDirectory $Path -PassThru -ErrorVariable errVar -ErrorAction SilentlyContinue) {
        # process success
    } else {
        # log error
    }



    \_(ツ)_/




    • Edited by jrv Monday, March 4, 2019 6:50 PM
    Monday, March 4, 2019 6:46 PM
  • I have only provided snippets of the code for reference.  Nor will I be able to post the entire source due to IP limitations.  I am not expecting this code to be tested.  I am merely looking for ideas/suggestions as to the source of my problems.

    Please post readable code.  Use the tool provided.  Edit the post and fix the code.  This is a forum requirement and a courtesy if you expect others to help.

    \_(ツ)_/

    Monday, March 4, 2019 6:52 PM
  • I am now starting EncSvcMain with the following code:

    $arglist = @(
        '-NoProfile',
        '-NonInteractive',
        "-File $ScriptPath",
        "$_ENCSVC_SCRIPT_ARGS"   # variable reference; the leading $ was missing
    )

    $procid = Start-Process powershell -ArgumentList $arglist -WorkingDirectory $_ENCSVC_PRIVATE_DIR -PassThru
    $msg = "  EncSvcMain process started: " + $procid.id

    I am still observing the same behavior.



    Monday, March 4, 2019 10:35 PM
  • You didn't use my code and you haven't understood the issues I am posting about.  Without some idea of what you are trying to do I cannot help beyond showing you the correct methods.

    If you are setting this in a task then the rules are completely different. How is the task set up?  The setup I posted and you posted only work at a PowerShell prompt.


    \_(ツ)_/

    Monday, March 4, 2019 10:54 PM
  • I'm sorry I haven't been able to properly describe my problem to your satisfaction.  I did try your suggestions just at different locations in the overall solution and they still didn't work. (I figured the problem is associated with the start-process for the monitoring script)   I have been able to get the overall task to work albeit it's quite a kludge and am open to further suggestion.

    I ended up having the task scheduler call a simple .bat with the following code to start the first powershell script which does nothing more than start the second powershell monitoring script and then ends. (I also considered using the task scheduler to start the monitoring script on a periodic basis, but went away from that so I could continue using the script as-is without major re-work.   I inherited this from another team that had been using it without issue for a couple of years.)

    start powershell -ExecutionPolicy Bypass -NoProfile -File EncSvcControl.ps1 -Start -LogToFile
    pause

    The key is the pause statement,  without that I still get EventID 1530.  I guess the way the task scheduler works is that when it creates a task it updates the registry for the user profile used to run the task.  As long as the task is running it's happy, but once the task completes it closes the registry regardless of whether the task started additional processes or not.  I'm assuming once the registry was closed the monitoring script no longer had sufficient privilege to start any additional processes.  Using the pause statement keeps the task running from the task scheduler perspective and thus the registry stays available for use by the monitoring task.

    I would have thought the use of the -NoProfile statements would have isolated the powershell scripts from the registry, but apparently not.

    Tuesday, March 5, 2019 10:16 PM
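
The EventID 1530 warning itself names the processes that still had keys open in the account's profile hive when it was unloaded, which is the question raised in this thread. The following is an added example, not code from the thread or from any poster: it pulls those events from the Application log and parses the DETAIL lines. The function names are hypothetical, the "Process <pid> (<image>) has opened key <key>" layout and the provider-name match are assumptions about the event, and the sample message is constructed.

```powershell
# Added example (not from the thread). Assumed DETAIL line layout:
#   Process <pid> (<image path>) has opened key <registry key>
function ConvertFrom-Event1530Message {
    param([Parameter(Mandatory)][string]$Message)
    # Lazy image match so paths containing "(x86)" still parse;
    # the key runs to end of line because key names may contain spaces.
    $pattern = 'Process\s+(?<ProcId>\d+)\s+\((?<Image>.+?)\)\s+has opened key\s+(?<Key>[^\r\n]+)'
    foreach ($m in [regex]::Matches($Message, $pattern)) {
        [pscustomobject]@{
            ProcessId = [int]$m.Groups['ProcId'].Value
            Image     = ($m.Groups['Image'].Value -split '\\')[-1]
            Key       = $m.Groups['Key'].Value.Trim()
        }
    }
}

function Get-ProfileHiveLeak {
    param([int]$MaxEvents = 20)
    # Assumption: the event is written to the Application log by a provider
    # whose name contains "User Profile".
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1530 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*User Profile*' } |
        ForEach-Object {
            $when = $_.TimeCreated
            ConvertFrom-Event1530Message -Message $_.Message |
                Add-Member -NotePropertyName TimeCreated -NotePropertyValue $when -PassThru
        }
}

# Constructed sample message (SID and PID are made up) so the parser runs offline.
$sample = @'
Windows detected your registry file is still in use by other applications or services.

 DETAIL -
 2 user registry handles leaked from \Registry\User\S-1-5-21-1111111111-2222222222-3333333333-1001:
Process 4312 (\Device\HarddiskVolume2\Windows\System32\WindowsPowerShell\v1.0\powershell.exe) has opened key \REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1001
Process 4312 (\Device\HarddiskVolume2\Windows\System32\WindowsPowerShell\v1.0\powershell.exe) has opened key \REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings
'@

# Offline: which process held how many keys in the sample.
ConvertFrom-Event1530Message -Message $sample |
    Group-Object ProcessId, Image | Select-Object Count, Name

# Live: recent hive leaks on this machine, oldest first.
Get-ProfileHiveLeak | Sort-Object TimeCreated |
    Format-Table TimeCreated, ProcessId, Image, Key -AutoSize
```

Comparing the reported process IDs with the PID the control script logs for EncSvcMain shows whether the monitoring process is the one holding the hive open.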
  • It is a design issue and there is no way to help you without knowing exactly what you are trying to do.


    \_(ツ)_/

    Tuesday, March 5, 2019 10:21 PM
  • The pause is just causing the task to effectively hang. 

    Are you running it as a service account because the code references files on network shares? If all files are local, set the task to run as "system".

    You could also try to run it as a service. Srvany from the old resource kit will do that. Or use NSSM, it's a better srvany. 

    https://www.microsoft.com/en-us/download/details.aspx?id=17657

    https://nssm.cc

     
    Tuesday, March 5, 2019 10:35 PM