I've got a custom scheduled task set up in Windows Task Scheduler, but somehow the access control permissions for it have gotten broken. Even though I'm logged in as admin, I can't change the user account the task is running under, or delete the task, or disable it. I am getting "Permission Denied" errors instead.
The machine is running Windows 10 Pro 1803. It is a workgroup machine, not in a domain.
The task is one I created myself (it just launches a PowerShell script twice a day, nothing fancy), so it shouldn't be subject to any anti-tamper mechanisms like the Windows Update-related tasks.
I have tried the following:
- Launch 'Scheduled Tasks' from the Start Menu, by right-clicking and selecting "Run As Administrator". I get "The user account does not have permission to delete this task."
- Delete the task by running the PowerShell command `Unregister-ScheduledTask -TaskName 'My custom task'` from an Administrator-level PowerShell prompt. This returns "Access is denied".
- Launching the MMC snap-in using `.\psexec -i -d -s mmc taskschd.msc`. If I understand correctly, this should be launching the Task Scheduler console snap-in as SYSTEM. I can't delete the task using this, either – I get the same error message as when running using the normal user account, launching the snap-in as Administrator.
Can anyone give me some pointers as to why this might be happening, and how I can fix it?
Where are the task definitions stored? File system, or registry, or elsewhere? It seems like I might need to fix some corrupted security info.
Best Answer
All task definitions are stored in both
and
C:\Windows\System32\Tasks\*
Security descriptors exist both on the files in the filesystem and in the registry for each task:
This registry value is in binary form and it seems that there is no decent UI for it.
You could retrieve it via PowerShell and the Task Scheduler API (https://docs.microsoft.com/en-us/windows/win32/api/_taskschd/index):
BUT:
C:\$WINDOWS.~BT\NewOS\Windows\System32\Tasks_Migrated\
whether it contains hardlinks to the task's files in C:\Windows\System32\Tasks
C:\$WINDOWS.~BT\NewOS\Windows\System32\Tasks_Migrated\
and after that Unregister-ScheduledTask
works as expected.
UPDATE:
I've finally investigated a problem with "broken" task permissions in Windows 10. It has nothing in common with permissions at all and looks like an unexpected outcome of a security patch.
On 11/06/2019 Microsoft released a patch for CVE-2019-1069. This patch fixed a vulnerability in the Task Scheduler; to exploit it, an adversary needs to create a hardlink to a file associated with some task.
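A read-only diagnostic for the two things the answer points at, the task's security descriptor and extra hardlinks to task files (an added example, not the answerer's code). The task name is taken from the question; the root task folder `\` and the 0x7 security-information mask are assumptions.

```powershell
# Added diagnostic example; run from an elevated PowerShell 5.1 prompt.
# Assumptions: the task sits in the root task folder '\' and is named as in the question.
param(
    [string]$TaskName   = 'My custom task',
    [string]$TaskFolder = '\'
)

$taskRoot = Join-Path $env:SystemRoot 'System32\Tasks'
$taskFile = Join-Path (Join-Path $taskRoot $TaskFolder) $TaskName

# 1. Security descriptor as reported by the Task Scheduler service (SDDL string).
try {
    $service = New-Object -ComObject 'Schedule.Service'
    $service.Connect()
    $task = $service.GetFolder($TaskFolder).GetTask($TaskName)
    # 0x7 = OWNER | GROUP | DACL (the SACL is left out, it needs an extra privilege)
    $sddl = $task.GetSecurityDescriptor(0x7)
    "Task Scheduler SDDL: $sddl"
    (ConvertFrom-SddlString -Sddl $sddl).DiscretionaryAcl
}
catch {
    Write-Warning "Could not read the task's security descriptor: $($_.Exception.Message)"
}

# 2. NTFS ACL on the task's file, for comparison with the descriptor above.
if (Test-Path -LiteralPath $taskFile) {
    "File SDDL: $((Get-Acl -LiteralPath $taskFile).Sddl)"
}

# 3. Report every task file that has more than one hardlink.
#    'fsutil hardlink list' prints one path per link, including the file itself.
$linked = foreach ($file in Get-ChildItem -LiteralPath $taskRoot -Recurse -File -Force) {
    $links = @(fsutil hardlink list $file.FullName | Where-Object { $_ })
    if ($links.Count -gt 1) {
        [pscustomobject]@{
            TaskFile  = $file.FullName
            LinkCount = $links.Count
            Links     = $links -join '; '
        }
    }
}

if ($linked) {
    $linked | Format-List
}
else {
    'No task file under {0} has additional hardlinks.' -f $taskRoot
}
```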