Invoking command that needs admin authority


Patrick O'Keefe
Following a backup I would like to automatically invoke a command that needs admin authority and, since this is a scheduled backup, I would very much like to avoid UAC prompts. Does Reflect invoke its scripts elevated? 

I have one scripted backup - a PS script - but I'm very weak on both PS and VBS so don't really understand what the scripts are doing.  In both VBS and PS scripts I see an ELEVATE function (with a comment referencing Vista) saying that there will be only one UAC prompt, but there is no UAC prompt issued when my script runs.  That script does nothing that needs admin authority so I don't know whether it's run elevated or not.

Generated .bat scripts do not contain the ELEVATE processing.  Does that mean commands invoked from a .bat script do not run elevated?

I know I could create a scripted backup with the actual backup commented out and answer these questions myself, but I'd rather have the answers first.  I'm not sure I could tell a scripting error from a real answer.

Beardy
By default scheduled scripts & associated backups are run in the SYSTEM account, which has elevated privileges.
Patrick O'Keefe
Thanks.  I knew they ran under SYSTEM.  For all I knew, the authority was stripped.  I guess I need to look elsewhere for the uninvoked command.

Update:
OK.  I'm baffled.  I've got a PS script with everything lobotomized except
    function OnBackupSuccess()
    {
        Write-Host " * Backup succeeded ($strXmlFilePath).";
        # Handle backup success...
        # Start-Process -FilePath C:\Batch_files\Robocopy\Copy_Prog_Data.bat -PassThru
        Start-Process -FilePath C:\Batch_files\SyncBack\ProgData_Copy.bat -PassThru
        # Start-Process -FilePath C:\Batch_files\WinSCP\ProgData_Copy.bat -PassThru
    }

If I uncomment them, the Robocopy and WinSCP batch files execute with no problem. They don't need elevated authority, but they have other issues that make them undesirable.  The SyncBack batch file acts as though it never gets invoked, but if I paste the command into an elevated command prompt it executes with no problem.  If I copy the entire Start-Process line into an elevated PowerShell window, it works without error.

Maybe it isn't an elevated authority problem, but something is causing a silent failure.  The batch file contains just a single line:
"C:\Program Files\2BrightSparks\SyncBackPro\SyncBackPro.exe" "ProgData Copy"

I don't see how that could cause trouble, but my scripting skills are pretty feeble.  Maybe I'll try putting that command directly in the Reflect PS script.

Edited 27 July 2022 4:30 AM by Patrick O'Keefe
jphughan
When you create a scheduled task, there’s an option to have it run “with highest privileges”. If you choose that, which Reflect does on tasks it creates, then you essentially pre-authorize elevated execution of that task going forward. Reflect backups absolutely DO require elevated privileges. Not sure why you’re claiming that nothing in your scripted backup PS1 requires that privilege level.

The Elevate function is there for cases where you call the script manually from a non-elevated context. In that case, you will see a UAC prompt.  And using that function rather than relying on elevation being triggered when the Start-Process line calls Reflect allows other items in the script to run elevated, including any possible pre-backup applications, while also allowing a single upfront UAC prompt to cover everything that will occur in the script rather than incurring separate and "point-in-time" UAC prompts for Reflect and any additional apps.

BAT scripts don't have an Elevate function because the Command Prompt environment doesn't provide a way to do that for an entire script if the script was started from a non-elevated context.  Reflect will still throw a UAC prompt when the BAT file calls it if the BAT was started from a non-elevated context, but that elevation wouldn't cover anything else in the script.  And if you started the BAT from a non-elevated context and that BAT had a long-running pre-backup application, you'd have to launch the script and then wait for that to complete before seeing the UAC prompt that would allow Reflect to start.  If you weren't there at that point, your script would sit there waiting on that prompt.  That could be an annoyance.  Similarly, if a post-backup application required elevation (and was coded to prompt for it in non-elevated execution scenarios rather than just failing), then you'd face the same problem of having to wait for the Reflect backup to complete before seeing and accepting the UAC prompt for that post-backup application.  The Elevate function available in PowerShell avoids all of that.

If you need to run an application after a backup, then simply specify that application in the script generation wizard. Reflect will make the appropriate changes to the script, and that post-execution application will run elevated even if you were to invoke the script from a non-elevated context, thanks to that function.
Edited 27 July 2022 5:07 AM by jphughan
jphughan
Just saw your update. Add the “-Wait” parameter to your Start-Process line. By default, scripts will not wait for processes invoked via Start-Process to actually exit before proceeding with the script. Notice that the Start-Process line that calls Reflect itself includes this parameter.

Alternatively, use the & operator to call the external application, in which case you can just add the same syntax you would use in a Command Prompt context, such as:
& "C:\Program Files\2BrightSparks\SyncBackPro\SyncBackPro.exe" "ProgData Copy"


For applications called that way, PowerShell does wait for them to exit by default.

Or as I said, just use Reflect’s script generation wizard to specify your post-backup application.
Edited 27 July 2022 4:40 AM by jphughan
Patrick O'Keefe
jphughan - 27 July 2022 4:33 AM
When you create a scheduled task, there’s an option to have it run “with highest privileges”. If you choose that, which Reflect does on tasks it creates, then you essentially pre-authorize elevated execution of that task going forward. Reflect backups absolutely DO require elevated privileges. Not sure why you’re claiming that nothing in your scripted backup PS1 requires that privilege level.

I guess I should have said that I had no way of knowing that the script was running with elevated privilege.  I should have realized that the backup itself needed the privilege level.

jphughan - 27 July 2022 4:33 AM
...
If you need to run an application after a backup, then simply specify that application in the script generation wizard. Reflect will make the appropriate changes to the script, and that post-execution application will run elevated even if you were to invoke the script from a non-elevated context, thanks to that function.

I hadn't noticed the options in the script generation wizard.  The Elevation option is on by default.  I just tried the post-execution option.  It inserted my code in the main function following execution of the backup.  I tried it but the code still didn't run.

I would rather have it run only on successful backup so I'm going back to my original scheme of putting it in the OnBackupSuccess.

jphughan - 27 July 2022 4:39 AM
Just saw your update. Add the “-Wait” parameter to your Start-Process line. By default, scripts will not wait for processes invoked via Start-Process to actually exit before proceeding with the script. Notice that the Start-Process line that calls Reflect itself includes this parameter.

For the SyncBack invocation I don't think the "-Wait" will matter much.  I think that invokes a background (asynchronous) execution.  However, if I have to give up on using SyncBackPro and go with WinSCP or Robocopy I definitely do not want to wait.  I don't want the Reflect task to wait for them to complete.

jphughan - 27 July 2022 4:39 AM
Alternatively, use the & operator to call the external application, in which case you can just add the same syntax you would use in a Command Prompt context, such as:
& "C:\Program Files\2BrightSparks\SyncBackPro\SyncBackPro.exe" "ProgData Copy"


For applications called that way, PowerShell does wait for them to exit by default.

I tried that but with the same results - no execution.  I copied the line into an elevated PowerShell window and it successfully executed there.  The command obviously works so I assume I'm making an error in the PS script (even though invocation of the other 2 batch files works from the script).

Maybe my next step is to try a VBS script.  I'm very slightly more familiar with VBS than PS.


jphughan
Have you tried running the full PS1 script interactively in an elevated PowerShell window?  That will allow you to see any output generated by your attempt to run SyncBackPro in the context of the larger PS1 script.  Just testing that command in isolation isn't the same thing.  Or you could use Start-Transcript to log the console output to a specified file if you want to keep testing background scheduled task execution.

But short of that, you're attempting fixes in the dark.
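
One way to apply the Start-Transcript suggestion above to a background scheduled run, as an added example that is not part of the thread or of Reflect's generated script: it logs the account, elevation state and session the script really has, captures the batch file's output and exit code, and warns if the batch file that the elevated task executes is writable by anyone other than SYSTEM and Administrators. `$LogDir`, `Write-RunContext` and `Get-UntrustedWriter` are hypothetical names; the batch file path is the one posted earlier in the thread.

```powershell
# Added diagnostic example. $LogDir is an assumed folder; $Batch is the file from the thread.
$LogDir = 'C:\Batch_files\Logs'
$Batch  = 'C:\Batch_files\SyncBack\ProgData_Copy.bat'

function Write-RunContext {
    # Log the account, elevation state and session the script actually has.
    # Session 0 is the non-interactive services session used for SYSTEM tasks.
    $id       = [Security.Principal.WindowsIdentity]::GetCurrent()
    $elevated = (New-Object Security.Principal.WindowsPrincipal($id)).IsInRole(
                    [Security.Principal.WindowsBuiltInRole]::Administrator)
    $session  = [Diagnostics.Process]::GetCurrentProcess().SessionId
    Write-Host "User=$($id.Name) IsSystem=$($id.IsSystem) Elevated=$elevated Session=$session"
}

function Get-UntrustedWriter([string]$Path) {
    # Anything an elevated task executes should be writable only by SYSTEM
    # (S-1-5-18) and Administrators (S-1-5-32-544); return any other writer.
    $trusted = 'S-1-5-18', 'S-1-5-32-544'
    $mask = [Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $sid = $_.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value
        $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band [int]$mask) -ne 0) -and
            ($trusted -notcontains $sid)
    }
}

function OnBackupSuccess() {
    New-Item -ItemType Directory -Force -Path $LogDir | Out-Null
    Start-Transcript -Path (Join-Path $LogDir 'post_backup.log') -Append | Out-Null
    try {
        Write-RunContext
        Get-UntrustedWriter $Batch | ForEach-Object {
            Write-Warning "$Batch is writable by $($_.IdentityReference)"
        }
        # -Wait plus -PassThru exposes the exit code; output is redirected to
        # files because a background task has no console to read it from.
        $p = Start-Process -FilePath $env:ComSpec -ArgumentList '/c', $Batch `
                -Wait -PassThru -ErrorAction Stop `
                -RedirectStandardOutput (Join-Path $LogDir 'batch.out') `
                -RedirectStandardError  (Join-Path $LogDir 'batch.err')
        Write-Host "Batch exit code: $($p.ExitCode)"
    }
    catch   { Write-Host "Post-backup step failed: $_" }
    finally { Stop-Transcript | Out-Null }
}
```

Comparing the logged `User`, `Elevated` and `Session` values from an interactive elevated run with those from the scheduled run shows whether the two executions differ in account or session rather than in privilege.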

Patrick O'Keefe
This is going to sound stupid, but I didn't know that a Reflect PS or VBS script could execute outside of Reflect - setting up execution environment, etc.  Anyway, I tried the script and it worked.  

I need to stop working on this for a while because I'm making careless errors.  Now the script will not invoke any of my batch files.  I'll return to this later.



jphughan
We all have things to learn!  Yes, those scripts can and in fact necessarily do execute outside of Reflect, because the script calls Reflect, not the other way around.  The purpose of having a script is to allow you to customize what happens before and/or after the script calls Reflect.

But if the script worked when run interactively, then I wonder if SyncBackPro doesn't like being run under the SYSTEM account.  You can change that by configuring Reflect to run its scheduled tasks as some other admin user rather than the SYSTEM account under Edit Defaults > Schedule.  Not sure what to tell you about batch files, but I'm definitely familiar with the "one step forward, one step back" periods of script tweaking!

Patrick O'Keefe
jphughan - 27 July 2022 7:25 PM
But if the script worked when run interactively, then I wonder if SyncBackPro doesn't like being run under the SYSTEM account.  You can change that by configuring Reflect to run its scheduled tasks as some other admin user rather than the SYSTEM account under Edit Defaults > Schedule.  Not sure what to tell you about batch files, but I'm definitely familiar with the "one step forward, one step back" periods of script tweaking!
I thought of that, too, so I made that change.  But by that time none of the batch files were running so the test proved nothing.  I may not get back to any extended testing of this for a day or two.
