Macrium Reflect V6 - Error 0x8007052e - Scheduled backups fail


Author
Message
gf
gf
New Member
New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)
Group: Forum Members
Posts: 8, Visits: 19
I run Vista Home Premium SP 2, so the error (s. above) happens with my scheduled backups

I usually work with a normal account (without admin rights) for security reasons, whereas the backup definition file is stored in a folder of the admin account. Is this the reason of the error?

When I follow the instruction of Nick Sills as of Aug 2, 2015, which advices not to switch back to the work account in the usual way but lock instead the admin account, I fear that the Admin Account could still be accessed by attacks from outside. Could that be?

Could it be a better solution instead enabling scheduled backups starting directly from my work account? What has to be changed to achieve this goall? Is the storage of the backup defintion file the key? If yes, does the problem disappear bx moving the defintion file to my work account?

Or is the reason that the program is probably installed in the admin account? If yes, is it possible to re-install the program in my normal work account? If yes, how could that be achieved. Is it necessary to de-install first an then re-install again? If yes and I choose the custom setup, do I have to select or de-select the checkbox "install for all users". If the checkbox is selected, will the program nevertheless be installed in Admin Account? Or ...(see question 2 in this paragraph)?

Still refering to Custom Setup: Do the tree alternatives "Macrium" or "Macrium Reflect" have any influence on the desired location of the installation?

Every contribution which helps to solve the problem with scheduled backups is appreciated.

Kind regards
Giselher


Nick
Nick
Macrium Representative
Macrium Representative (3.1K reputation)Macrium Representative (3.1K reputation)Macrium Representative (3.1K reputation)Macrium Representative (3.1K reputation)Macrium Representative (3.1K reputation)Macrium Representative (3.1K reputation)Macrium Representative (3.1K reputation)Macrium Representative (3.1K reputation)Macrium Representative (3.1K reputation)
Group: Administrators
Posts: 1.8K, Visits: 10K
gf - 20 August 2018 12:17 PM
I run Vista Home Premium SP 2, so the error (s. above) happens with my scheduled backups

I usually work with a normal account (without admin rights) for security reasons, whereas the backup definition file is stored in a folder of the admin account. Is this the reason of the error?

When I follow the instruction of Nick Sills as of Aug 2, 2015, which advices not to switch back to the work account in the usual way but lock instead the admin account, I fear that the Admin Account could still be accessed by attacks from outside. Could that be?

Could it be a better solution instead enabling scheduled backups starting directly from my work account? What has to be changed to achieve this goall? Is the storage of the backup defintion file the key? If yes, does the problem disappear bx moving the defintion file to my work account?

Or is the reason that the program is probably installed in the admin account? If yes, is it possible to re-install the program in my normal work account? If yes, how could that be achieved. Is it necessary to de-install first an then re-install again? If yes and I choose the custom setup, do I have to select or de-select the checkbox "install for all users". If the checkbox is selected, will the program nevertheless be installed in Admin Account? Or ...(see question 2 in this paragraph)?

Still refering to Custom Setup: Do the tree alternatives "Macrium" or "Macrium Reflect" have any influence on the desired location of the installation?

Every contribution which helps to solve the problem with scheduled backups is appreciated.

Kind regards
Giselher


Thanks for posting,

In case you haven't  seen this, there's a KB article on this exact problem here:

https://knowledgebase.macrium.com/display/KNOW7/Error+0x8007052e+-+Scheduled+task+restrictions+with+Windows+Vista+Starter+and+Home+Editions

If the admin account is locked as described in the KB then this won't provide a security risk. However, If you are concerned about security then you really should consider updating to at least Windows 7 as Vista is no longer supported by MS. 

Unfortunately, Vista home products have a crippled Windows Task scheduler that prevents tasks running if the task user account isn't logged on. This doesn't affect Vista Business or any later versions of Windows.. You could also try changing the scheduled task user account to SYSTEM with no password. TBH I'm not sure if this will work, but you can change the user account by taking 'Other Tasks' > 'Edit Defaults' > 'Schedule' and entering 'SYSTEM' as the user name. 

Kind Regards

Nick - Macrium Support

Next Webinar


Edited 20 August 2018 5:34 PM by Nick
gf
gf
New Member
New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)
Group: Forum Members
Posts: 8, Visits: 19
Nick - 20 August 2018 5:30 PM
gf - 20 August 2018 12:17 PM
I run Vista Home Premium SP 2, so the error (s. above) happens with my scheduled backups

I usually work with a normal account (without admin rights) for security reasons, whereas the backup definition file is stored in a folder of the admin account. Is this the reason of the error?

When I follow the instruction of Nick Sills as of Aug 2, 2015, which advices not to switch back to the work account in the usual way but lock instead the admin account, I fear that the Admin Account could still be accessed by attacks from outside. Could that be?

Could it be a better solution instead enabling scheduled backups starting directly from my work account? What has to be changed to achieve this goall? Is the storage of the backup defintion file the key? If yes, does the problem disappear bx moving the defintion file to my work account?

Or is the reason that the program is probably installed in the admin account? If yes, is it possible to re-install the program in my normal work account? If yes, how could that be achieved. Is it necessary to de-install first an then re-install again? If yes and I choose the custom setup, do I have to select or de-select the checkbox "install for all users". If the checkbox is selected, will the program nevertheless be installed in Admin Account? Or ...(see question 2 in this paragraph)?

Still refering to Custom Setup: Do the tree alternatives "Macrium" or "Macrium Reflect" have any influence on the desired location of the installation?

Every contribution which helps to solve the problem with scheduled backups is appreciated.

Kind regards
Giselher


Thanks for posting,

In case you haven't  seen this, there's a KB article on this exact problem here:

https://knowledgebase.macrium.com/display/KNOW7/Error+0x8007052e+-+Scheduled+task+restrictions+with+Windows+Vista+Starter+and+Home+Editions

If the admin account is locked as described in the KB then this won't provide a security risk. However, If you are concerned about security then you really should consider updating to at least Windows 7 as Vista is no longer supported by MS. 

Unfortunately, Vista home products have a crippled Windows Task scheduler that prevents tasks running if the task user account isn't logged on. This doesn't affect Vista Business or any later versions of Windows.. You could also try changing the scheduled task user account to SYSTEM with no password. TBH I'm not sure if this will work, but you can change the user account by taking 'Other Tasks' > 'Edit Defaults' > 'Schedule' and entering 'SYSTEM' as the user name. 

gf
gf
New Member
New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)
Group: Forum Members
Posts: 8, Visits: 19
Hello Nick,

Thanks for answering. Perhaps you may not have noticed that I refer in my post exactly to the article to which you´ve linked in your answer. 

My main point deals with if the task user acount could be my normal account or must it necessarily be the admin acoount. In other words: Is it possible to (re-) install MR to my normal account and would that solve the problem? Or could it be solved by simply moving the backup definition file from admin to my work account?
 
The related questions deal with the installation procedure. Would be nice to learn more about it.

BTW: I know that Vista isn´t supported any more. For some reason I can change to Win 10 only in a few months . Then I will also update to MR 7.

TBH I haven´t understood what you mean by "changing the scheduled task user account to SYSTEM ". Do you mean I should change my admin account to System? I would be grateful if you could explain that step by step. E.g. where do I find 'Other Tasks' > 'Edit Defaults' > 'Schedule' and entering 'SYSTEM'"? 
Anyway, could that be an additional security risk to have a system account instead of an admin account ? 

I know that these questions are newby-like. But I hope you´ll have the patience to answer it in detail.

Best regards
gf
jphughan
jphughan
Macrium Evangelist
Macrium Evangelist (7.2K reputation)Macrium Evangelist (7.2K reputation)Macrium Evangelist (7.2K reputation)Macrium Evangelist (7.2K reputation)Macrium Evangelist (7.2K reputation)Macrium Evangelist (7.2K reputation)Macrium Evangelist (7.2K reputation)Macrium Evangelist (7.2K reputation)Macrium Evangelist (7.2K reputation)
Group: Forum Members
Posts: 4.9K, Visits: 36K
Because of what it does and the APIs it uses, Reflect must run under an account with admin privileges, regardless of whether you're launching it interactively or running a scheduled task, so you can't use it as a standard user.  If you launch Reflect interactively as a standard user, you can certainly provide alternate admin credentials at the UAC prompt, but scheduled tasks configured to run as a normal user will fail.  The location of the definition file doesn't matter, because that doesn't change the user account that actually runs the task, and an admin account would be able to read the definition file basically wherever it is, unless you've gone out of your way to prevent that, but of course that wouldn't make sense.  There would also be no point in reinstalling Reflect as another user.  The install process itself requires admin privileges, and once Reflect is installed it's available system-wide, not restricted only to the user who installed it.

As for malware exploiting a logged-on admin account, unless you're worried about it getting information from something that's actually running in that admin session, as opposed to just gaining admin access in general, then to my knowledge, having an admin account logged on doesn't make it easier for malware to exploit than just having the admin account exist on the system.  And since you always have to have at least one active admin account on the system, there will always be one for malware to attempt to exploit -- and that's before considering the existence of privilege escalation attacks that exploit flaws in OS code in order to gain admin privileges even for accounts that shouldn't have them, which is entirely separate from trying to access some other account.  While running as a standard user for everyday tasks certainly isn't a bad idea (although even that's becoming less critical thanks to improvements in UAC and the Windows security framework), I wouldn't worry about having a separate admin account for Reflect on the system as long as you have a half decent password on it, and I definitely wouldn't consider myself more at risk by having that session logged on, as long as that session didn't have anything sensitive running in it that could potentially be accessed by memory mapping attacks.

Changing the scheduled task to the SYSTEM account was an idea that could potentially allow you to run Reflect tasks without having a "traditional" admin account associated with it.  Basically, the SYSTEM account is built into Windows and has admin level privileges, so if you can get a Reflect scheduled task to run as SYSTEM, then Reflect will have the access it needs without you having to maintain an admin account, or at least a logged-on admin account.  However, I'm skeptical that just editing the task in Windows Task Scheduler to change the user to SYSTEM and leaving the password field blank will work.  And if you'll be upgrading to Reflect V7 soon anyway, then this is moot because Reflect V7 configures its scheduled tasks run under the SYSTEM account by default anyway, since V7 uses a newer version of the Windows Task Scheduler API than V6.  That alleviates the need to store admin credentials with Reflect, avoids the risk of scheduled tasks breaking if that password is ever changed and you forget to update Reflect with the new password, and in your case removes the need to have an admin user actually logged on all the time, which if nothing else consumes system resources.  So that might become an additional reason for you to upgrade to V7, and you wouldn't even have to wait until you upgraded to Windows 10 in order to do it since V7 works all the way back to XP.  That said, if you do upgrade to V7 before upgrading Windows, I personally would uninstall and reinstall V7 after you upgrade Windows because Reflect V7 also comes with Macrium Image Guardian, but that requires at least Win7, so it wouldn't be installed if the installation occurred under Vista.  Image Guardian is definitely a capability worth having, especially if you're worried about threats from online sources

Edited 20 August 2018 8:29 PM by jphughan
gf
gf
New Member
New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)
Group: Forum Members
Posts: 8, Visits: 19
jphughan - 20 August 2018 8:10 PM
Because of what it does and the APIs it uses, Reflect must run under an account with admin privileges, regardless of whether you're launching it interactively or running a scheduled task, so you can't use it as a standard user.  If you launch Reflect interactively as a standard user, you can certainly provide alternate admin credentials at the UAC prompt, but scheduled tasks configured to run as a normal user will fail.  The location of the definition file doesn't matter, because that doesn't change the user account that actually runs the task, and an admin account would be able to read the definition file basically wherever it is, unless you've gone out of your way to prevent that, but of course that wouldn't make sense.  There would also be no point in reinstalling Reflect as another user.  The install process itself requires admin privileges, and once Reflect is installed it's available system-wide, not restricted only to the user who installed it.

As for malware exploiting a logged-on admin account, unless you're worried about it getting information from something that's actually running in that admin session, as opposed to just gaining admin access in general, then to my knowledge, having an admin account logged on doesn't make it easier for malware to exploit than just having the admin account exist on the system.  And since you always have to have at least one active admin account on the system, there will always be one for malware to attempt to exploit -- and that's before considering the existence of privilege escalation attacks that exploit flaws in OS code in order to gain admin privileges even for accounts that shouldn't have them, which is entirely separate from trying to access some other account.  While running as a standard user for everyday tasks certainly isn't a bad idea (although even that's becoming less critical thanks to improvements in UAC and the Windows security framework), I wouldn't worry about having a separate admin account for Reflect on the system as long as you have a half decent password on it, and I definitely wouldn't consider myself more at risk by having that session logged on, as long as that session didn't have anything sensitive running in it that could potentially be accessed by memory mapping attacks.

Changing the scheduled task to the SYSTEM account was an idea that could potentially allow you to run Reflect tasks without having a "traditional" admin account associated with it.  Basically, the SYSTEM account is built into Windows and has admin level privileges, so if you can get a Reflect scheduled task to run as SYSTEM, then Reflect will have the access it needs without you having to maintain an admin account, or at least a logged-on admin account.  However, I'm skeptical that just editing the task in Windows Task Scheduler to change the user to SYSTEM and leaving the password field blank will work.  And if you'll be upgrading to Reflect V7 soon anyway, then this is moot because Reflect V7 configures its scheduled tasks run under the SYSTEM account by default anyway, since V7 uses a newer version of the Windows Task Scheduler API than V6.  That alleviates the need to store admin credentials with Reflect, avoids the risk of scheduled tasks breaking if that password is ever changed and you forget to update Reflect with the new password, and in your case removes the need to have an admin user actually logged on all the time, which if nothing else consumes system resources.  So that might become an additional reason for you to upgrade to V7, and you wouldn't even have to wait until you upgraded to Windows 10 in order to do it since V7 works all the way back to XP.  That said, if you do upgrade to V7 before upgrading Windows, I personally would uninstall and reinstall V7 after you upgrade Windows because Reflect V7 also comes with Macrium Image Guardian, but that requires at least Win7, so it wouldn't be installed if the installation occurred under Vista.  Image Guardian is definitely a capability worth having, especially if you're worried about threats from online sources

gf
gf
New Member
New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)New Member (10 reputation)
Group: Forum Members
Posts: 8, Visits: 19
Hello jphughan,

thank you so much for your really detailed answer. A lot of stuff as one could see written by a real expert.

I need some time to "digest" all that. As I said before I consider myself to be a newb. That´s why I´ll probably ask one or the other question later.

But so far, thank you again.

Best regards
gf 
GO

Merge Selected

Merge into selected topic...



Merge into merge target...



Merge into a specific topic ID...




Reading This Topic

Login

Explore
Messages
Mentions
Search