PS Script does not work as a scheduled task but works fine in ISE console

  • Question

  • Hi,

    I have a PS script that uses credentials. The password is being read from an encrypted text file as shown below. When I execute the script in ISE everything is working as expected, however if I schedule the script to run as a scheduled task it fails. While debugging I noticed that $pass and $cred variables remain empty when scheduled task is executed. 

    $uID = "tharoot"
    $pass = Get-Content "C:\secret\topsecret.txt" | ConvertTo-SecureString
    $cred = New-Object System.Management.Automation.PsCredential($uID,$pass)


    Out-File -FilePath  "C:\secret\revealed.txt" -InputObject $pass



    Don't think it's a problem with access rights because the topsecret.txt is being read when I force the execution of a scheduled task. The question is why $pass variable remains empty after the password file is read?

    Any help with this issue is greatly appreciated 




    • Edited by net_tech Friday, September 13, 2019 12:55 AM
    Friday, September 13, 2019 12:50 AM

All replies

  • Friday, September 13, 2019 1:16 AM
  • $pass = Get-Content C:\secret\topsecret.txt |Select -First 1 | ConvertTo-SecureString

    \_(ツ)_/

    • Proposed as answer by jrv Friday, September 13, 2019 3:06 AM
    • Unproposed as answer by net_tech Friday, September 13, 2019 11:07 AM
    Friday, September 13, 2019 3:06 AM
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Lee


    Just do it.

    Friday, September 13, 2019 7:06 AM
  • Adding Select -First 1 makes no difference. $pass value remains empty when script is executed as a scheduled task.

    Friday, September 13, 2019 11:08 AM
  • Stack Overflow had the answer. The password file had to be created as a service account running the script as a task.
    Friday, September 13, 2019 12:49 PM
  • That means that the account you were running had no access to the file.  This would have caused an error that you failed to report or detect.

    \_(ツ)_/

    Friday, September 13, 2019 5:18 PM
  • No, it means the account had access to the file (shown in the screenshot) but could not decrypt the content of it.
    Friday, September 13, 2019 8:14 PM
  • No, it means the account had access to the file (shown in the screenshot) but could not decrypt the content of it.

    So where was the error? My point is that your question did not give correct information and you didn't check for errors.

    Also the ConvertTo-SecureString will always work in any account.  Creating a secure string is not an issue but the underlying encrypted string in the file may not convert because it was created in a different account.  This would cause an error which you need to address in your script.  If you had done this then the empty $pass would not be the issue. The issue would be the exception reported from the conversion.  Of course the variable is empty.  The code threw an exception and terminated.  $pass was never assigned.

    When running headless in a service your code must always address exceptions and be able to report them or the outcome will be misleading.

    $ErrorActionPreference = 'Stop'
    Try{
        $scriptpath = Split-Path $MyInvocation.InvocationName
        $uID = "tharoot"
        $txt = Get-Content C:\secret\topsecret.txt
        $pass = $txt | ConvertTo-SecureString
        $cred = New-Object System.Management.Automation.PsCredential($uID, $pass)
    }
    Catch{
        $_ | Out-String | Out-File C:\secret\revealed.txt
        if($_.Exception.HResult){
            exit $_.Exception.HResult
        }else{
            exit 99
        }
    }



    \_(ツ)_/



    Friday, September 13, 2019 8:26 PM
  • Thanks for the lesson. This is what gets written to the revealed.txt file if the password isn't decrypted. Not sure if I would be able to figure out the problem after seeing this exception, BUT if you Google "ConvertTo-SecureString : Key not valid for use in specified state." the 1st hit is a YouTube video that explains the root cause, https://www.youtube.com/watch?v=tVHjsGUSNcA, and also provides you with an alternative solution to use the -Key or -SecureKey parameter.


    So I am 100% with you on addressing exceptions.

    ConvertTo-SecureString : Key not valid for use in specified state.
    
    At C:\secret\lesson.ps1:6 char:20
    +     $pass = $txt | ConvertTo-SecureString
    +                    ~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidArgument: (:) [ConvertTo-SecureString], CryptographicExceptio 
       n
        + FullyQualifiedErrorId : ImportSecureString_InvalidArgument_CryptographicError,Microsoft.Powe 
       rShell.Commands.ConvertToSecureStringCommand


     


    • Edited by net_tech Saturday, September 14, 2019 12:50 AM
    Saturday, September 14, 2019 12:45 AM
  • The error clearly tells you that the issue is with the key you are using to decode the file contents.  That, in this case, clearly points to the fact that the encrypted file does not belong to the account trying to decrypt the file.

    This is how and why to use error management especially when running headless.


    \_(ツ)_/

    Saturday, September 14, 2019 2:21 AM
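
Added example, not part of any reply in this thread: the two ways discussed above to make the password file readable by a scheduled task (create it as the task's account so DPAPI can decrypt it, or use -Key), with the decryption failure logged instead of leaving $pass silently empty. The key file path, log path and function names are assumptions.

```powershell
# Added example, not from the thread. $keyFile, $logFile and the function names are assumptions.
$ErrorActionPreference = 'Stop'
$pwFile  = 'C:\secret\topsecret.txt'      # path used in the thread
$keyFile = 'C:\secret\aes.key'            # hypothetical; limit its ACL to the task account
$logFile = 'C:\secret\task-error.log'     # hypothetical

function New-PasswordFile {
    # Run once, interactively. Without -Key the text is protected with DPAPI and can only be
    # read back by the same user on the same computer; with -Key it is AES and portable.
    param([switch]$UseKey)
    $secure = Read-Host -Prompt 'Password' -AsSecureString
    if ($UseKey) {
        $key = New-Object byte[] 32       # 256-bit key
        $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
        $rng.GetBytes($key)
        $rng.Dispose()
        [System.IO.File]::WriteAllBytes($keyFile, $key)
        $secure | ConvertFrom-SecureString -Key $key | Set-Content -Path $pwFile
    } else {
        $secure | ConvertFrom-SecureString | Set-Content -Path $pwFile
    }
}

function Get-TaskCredential {
    # Called by the scheduled script. Decryption failures are logged with the account name,
    # since a headless task has no console to show the exception.
    param([Parameter(Mandatory)][string]$UserName, [switch]$UseKey)
    try {
        $txt = Get-Content -Path $pwFile | Select-Object -First 1
        if ($UseKey) {
            $pass = $txt | ConvertTo-SecureString -Key ([System.IO.File]::ReadAllBytes($keyFile))
        } else {
            $pass = $txt | ConvertTo-SecureString
        }
        New-Object System.Management.Automation.PSCredential($UserName, $pass)
    } catch {
        $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        $why = if ($_.Exception -is [System.Security.Cryptography.CryptographicException]) {
            "cannot decrypt $pwFile (created by another account, on another machine, or with another key)"
        } else { "unexpected error" }
        "$(Get-Date -Format o) [$who] ${why}: $($_.Exception.Message)" | Add-Content -Path $logFile
        throw
    }
}

# Scheduled script body:
# $cred = Get-TaskCredential -UserName 'tharoot' -UseKey
```

With -UseKey the key file becomes the secret: any account that can read both files can recover the password, so the DPAPI variant (running New-PasswordFile as the task's own account) is the tighter option when the task always runs on one machine.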
  • Hi,
    Was your issue resolved? 
    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.
    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.
    If no, please reply and tell us the current situation in order to provide further help.
    Best Regards,
    Lee

    Just do it.

    Friday, October 4, 2019 8:16 AM