From e6f8bdc774918bd620b37b49725ae1bd202ccc26 Mon Sep 17 00:00:00 2001
From: Manuel Thalmann
Date: Wed, 21 Aug 2024 18:27:47 +0200
Subject: [PATCH] Run OneShot tasks with dedicated user

---
 scripts/Common/Scripts/Operations.ps1 | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/scripts/Common/Scripts/Operations.ps1 b/scripts/Common/Scripts/Operations.ps1
index 1f17cc5e..9ba31025 100644
--- a/scripts/Common/Scripts/Operations.ps1
+++ b/scripts/Common/Scripts/Operations.ps1
@@ -13,6 +13,10 @@ $null = New-Module {
 # ToDo: Store "ProgramData/PortValhalla" path somewhere as const
 $errorPath = "$env:ProgramData/PortValhalla/error.txt";
 
+ $getUserName = {
+ "$(Get-SetupUser)OneShot";
+ };
+
 $taskSetter = {
 param([Nullable[OneShotTask]] $Task)
 Set-SetupOption $taskOption ([string]$Task);
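Review bot: The name `$getUserName` produces, `"$(Get-SetupUser)OneShot"`, is later handed to `New-LocalUser -Name`, which rejects account names longer than 20 characters, so if Get-SetupUser can return more than 13 characters Enable-OneShotListener fails at account creation with an unhelpful validation error. Either truncate the setup-user part here or at least document the constraint, e.g. `# Name of the throwaway local administrator the OneShot task runs under; must stay within the 20-character SAM account-name limit`. The scriptblock also deserves a note that Disable-OneShotListener relies on it returning the same value as at creation time. The enclosing New-Module scriptblock starts and ends outside the hunk.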
@@ -56,12 +60,23 @@ $null = New-Module {
 #>
 function Enable-OneShotListener {
 $tempTask = "PortValhalla Temp";
- $action = New-ScheduledTaskAction -Execute "pwsh" -Argument ([string](Get-StartupArguments));
+ $user = & $getUserName;
+ $password = [string]([guid]::NewGuid());
+
+ $adminGroup = @{
+ SID = [SecurityIdentifier]::new([WellKnownSidType]::BuiltinAdministratorsSid, $null);
+ };
+
+ $null = New-LocalUser -Name $user -Password (ConvertTo-SecureString -AsPlainText $password);
+ Add-LocalGroupMember -Member $user @adminGroup;
+ $path = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList";
+ $null = New-Item -Force -ErrorAction SilentlyContinue $path;
+ Set-ItemProperty $path -Name $user -Value 0;
+
+ $action = New-ScheduledTaskAction -Execute "pwsh" -Argument "-Command & { $([string](Get-StartupCommand)) } 2>&1 | Tee-Object -FilePath `$env:ProgramData/PortValhalla/OneShotTask.log";
 schtasks /Create /SC ONEVENT /EC $logName /MO "*[System[Provider[@Name='$logName'] and EventID=$($oneShotTrigger)]]" /TR cmd.exe /TN $tempTask;
 $trigger = (Get-ScheduledTask $tempTask).Triggers;
- $principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -RunLevel Highest;
- $task = New-ScheduledTask -Action $action -Principal $principal -Trigger $trigger;
- $null = Register-ScheduledTask -Force $oneShotTaskName -InputObject $task;
+ $null = Register-ScheduledTask -Force $oneShotTaskName -Action $action -Trigger $trigger -RunLevel Highest -User $user -Password $password;
 $null = Unregister-ScheduledTask -Confirm:$false $tempTask;
 }
 
@@ -71,6 +86,7 @@ $null = New-Module {
 #>
 function Disable-OneShotListener {
 Unregister-ScheduledTask -Confirm:$false $oneShotTaskName;
+ Remove-LocalUser (& $getUserName);
 }
 
 <#
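Review bot: Any failure between `New-LocalUser` and `Register-ScheduledTask` in Enable-OneShotListener leaves a hidden member of the Administrators group behind, and nothing in the new code checks for that account before creating it, so a run that died before Disable-OneShotListener makes the next `New-LocalUser` error out and the final `Register-ScheduledTask -Password` fail because the leftover account has a different random password. I would probe for an existing account first, then wrap creation and registration in try/catch that removes the account and its `SpecialAccounts\UserList` value before rethrowing; since the page does not show `$ErrorActionPreference`, the cmdlets inside the try need `-ErrorAction Stop` for their errors to reach the catch, and the native `schtasks` call will never throw and would need a `$LASTEXITCODE` check. The `-ErrorAction SilentlyContinue` on `New-Item` also hides the case where the key could not be created, after which `Set-ItemProperty` fails and the account shows up on the login screen. The sketch below keeps the rest of the body as is.
```powershell
function Enable-OneShotListener {
    $tempTask = "PortValhalla Temp";
    $user = & $getUserName;
    $password = [string]([guid]::NewGuid());
    $path = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList";

    # A run that died before Disable-OneShotListener leaves the account behind with an
    # unknown password, which would make the registration below fail.
    if (Get-LocalUser -Name $user -ErrorAction SilentlyContinue) {
        Remove-LocalUser -Name $user;
    }

    try {
        $null = New-LocalUser -Name $user -Password (ConvertTo-SecureString -AsPlainText $password) -ErrorAction Stop;
        # … unchanged: $adminGroup, Add-LocalGroupMember, New-Item, Set-ItemProperty, $action, schtasks, $trigger …
        $null = Register-ScheduledTask -Force $oneShotTaskName -Action $action -Trigger $trigger -RunLevel Highest -User $user -Password $password -ErrorAction Stop;
    } catch {
        # Never leave a hidden local administrator behind when the listener could not be set up.
        Remove-ItemProperty $path -Name $user -ErrorAction SilentlyContinue;
        Remove-LocalUser -Name $user -ErrorAction SilentlyContinue;
        throw;
    } finally {
        $null = Unregister-ScheduledTask -Confirm:$false $tempTask -ErrorAction SilentlyContinue;
    }
}
```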
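Review bot: `Remove-LocalUser` in Disable-OneShotListener deletes the SAM account but leaves two things Enable-OneShotListener created: the `SpecialAccounts\UserList` value that hides it, and, once the task has actually run under that account, its profile directory, so the leftover profile of a former local administrator, with whatever the task wrote there, stays on disk. The registry value is only clutter, but the profile is worth removing; Win32_UserProfile exposes it by SID, which `Get-LocalUser` provides. It is also presumably intended that a missing task does not block the account removal (the `Unregister-ScheduledTask` error is non-terminating by default), which deserves a comment such as `# A missing task must not prevent the account cleanup`. Disable-OneShotListener is visible in full in this hunk.
```powershell
function Disable-OneShotListener {
    $user = & $getUserName;
    $path = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList";
    Unregister-ScheduledTask -Confirm:$false $oneShotTaskName;

    $account = Get-LocalUser -Name $user -ErrorAction SilentlyContinue;

    if ($account) {
        # Remove-LocalUser leaves the profile directory behind; drop it via its SID first.
        Get-CimInstance Win32_UserProfile | Where-Object { $_.SID -eq $account.SID.Value } | Remove-CimInstance;
        Remove-LocalUser -Name $user;
    }

    Remove-ItemProperty $path -Name $user -ErrorAction SilentlyContinue;
}
```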