How does "Run with the highest privileges" really work in Task Scheduler?

    Question

  • Hi guys. Could you please explain to me how "Run with the highest privileges" really works in Task Scheduler? My understanding was that it elevates privileges for any kind of user. I have Windows 7 Enterprise. Here is my task:


    <?xml version="1.0" encoding="UTF-16"?>
    <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
      <RegistrationInfo>
        <Date>2010-01-11T18:26:34.8204129</Date>
        <Author>COMPNAME\Administrator</Author>
      </RegistrationInfo>
      <Triggers>
        <RegistrationTrigger>
          <Enabled>true</Enabled>
        </RegistrationTrigger>
      </Triggers>
      <Principals>
        <Principal id="Author">
          <UserId>COMPNAME\test</UserId>
          <LogonType>InteractiveToken</LogonType>
          <RunLevel>HighestAvailable</RunLevel>
        </Principal>
      </Principals>
      <Settings>
        <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
        <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
        <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
        <AllowHardTerminate>true</AllowHardTerminate>
        <StartWhenAvailable>false</StartWhenAvailable>
        <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
        <IdleSettings>
          <StopOnIdleEnd>true</StopOnIdleEnd>
          <RestartOnIdle>false</RestartOnIdle>
        </IdleSettings>
        <AllowStartOnDemand>true</AllowStartOnDemand>
        <Enabled>true</Enabled>
        <Hidden>false</Hidden>
        <RunOnlyIfIdle>false</RunOnlyIfIdle>
        <WakeToRun>false</WakeToRun>
        <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
        <Priority>7</Priority>
      </Settings>
      <Actions Context="Author">
        <Exec>
          <Command>C:\Windows\regedit.exe</Command>
        </Exec>
      </Actions>
    </Task>



    User test is a regular user. I expected that if the task is set to "Run with the highest privileges", I would be able to access all Windows registry keys; for example, I'd be able to create a new entry in HKEY_LOCAL_MACHINE\SYSTEM, and the owner of that entry would be user test even though he/she is not a member of the Administrators group.

    Please advise. Thanks!
    Tuesday, January 12, 2010 4:48 AM

Answers

  • With UAC, users in the admin group have 2 tokens. The filtered token represents standard user rights. This token is used to create the shell, so you have standard user rights. When you click an executable and select "run as administrator", the full token is used, which contains admin rights.

    When you now configure Task Scheduler and select "Run with the highest privileges", the full token (admin rights) is used. This only works if the user is in the admin group, because only those users have 2 tokens. When you want to run a program with admin rights from a standard user account, you have to select "run whether the user is logged on or not" and select a user who is a member of the admin group.

    André

    "A programmer is just a tool which converts caffeine into code" CLIP- Stellvertreter http://www.winvistaside.de/
    • Proposed as answer by Andre.Ziegler Tuesday, January 12, 2010 2:15 PM
    • Marked as answer by ruslanv Wednesday, January 13, 2010 12:16 AM
    Tuesday, January 12, 2010 2:15 PM
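
The rule from the answer, applied to an exported task definition. This is an added example and not part of the original thread: it parses the task XML and reports whether `HighestAvailable` can actually produce an admin token for each principal. The function name `audit_run_level`, the caller-supplied `admin_accounts` set, and the trimmed sample task are assumptions made for illustration; principals are assumed to be identified by `UserId`.

```python
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample: the question's task, trimmed to the elements that matter.
SAMPLE_TASK = r"""<Task version="1.2"
    xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals>
    <Principal id="Author">
      <UserId>COMPNAME\test</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec><Command>C:\Windows\regedit.exe</Command></Exec>
  </Actions>
</Task>"""


def audit_run_level(task_xml, admin_accounts):
    """Report, per principal, whether HighestAvailable yields an admin token.

    admin_accounts is supplied by the caller (assumption: taken from the
    local Administrators group of the machine the task runs on).
    """
    admins = {a.lower() for a in admin_accounts}  # account names are case-insensitive
    root = ET.fromstring(task_xml)
    findings = []
    for principal in root.findall("t:Principals/t:Principal", NS):
        pid = principal.get("id")
        user = principal.findtext("t:UserId", default="", namespaces=NS)
        # RunLevel is optional in the schema; absent means LeastPrivilege.
        level = principal.findtext("t:RunLevel", default="LeastPrivilege", namespaces=NS)
        commands = [
            cmd.text
            for actions in root.findall("t:Actions", NS)
            if actions.get("Context") == pid  # actions bound to this principal
            for cmd in actions.findall("t:Exec/t:Command", NS)
        ]
        findings.append({
            "user": user,
            "run_level": level,
            # Only an Administrators member has a full token to elevate to.
            "elevated": level == "HighestAvailable" and user.lower() in admins,
            "commands": commands,
        })
    return findings
```

For the task in the question, with `COMPNAME\test` outside the admin set, the finding has `elevated` set to `False`, which matches the behaviour the asker observed.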