
SYSTEM scheduled task access to network share


DrLarch

Go to solution Solved by Nine,


I have a scheduled task that runs as the local SYSTEM account (runs whether user is logged in or not and run with highest privileges is selected). The problem is trying to access files on a network share that requires authentication. I'm trying to find a way to do this but can't seem to authenticate out from the SYSTEM environment and copy files from the share. From what I understand, this is by design in Windows security.

I've tried using the DriveMapAdd function before accessing and this as well:

RunWait(@ComSpec & " /c " & 'net use "\\myserver\data" /USER:domain\user pass', "", @SW_HIDE)
If FileExists($sSourceDir & $sINIFileName) Then
    FileCopy($sSourceDir & $sINIFileName, "C:\test\" & $sINIFileName, 1)
    RunWait(@ComSpec & " /c " & 'net use /delete \\myserver\data', "", @SW_HIDE)
    RunWait(@ComSpec & " /c " & 'klist purge', "", @SW_HIDE)
EndIf

And:

$sCMD = 'copy ' & $sSourceDir & 'example.ini c:\ah\example.ini'
RunAsWait("user", "domain", "password", 1, $sCMD, "", @SW_HIDE)

But these all fail. I've tried the RunAsWait command with all four login flags but nothing works. When using interactive (1) I can see that the user is loaded under c:\users, but it still can't copy the files.

These commands work when running a command as SYSTEM (via psexec) but it must be inheriting my user environment when logged in:

     net use "\\myserver\data" /USER:domain\user pass
     copy \\myserver\data\file.txt c:\test\file.txt
     net use /delete \\myserver\data
     klist purge

I could try using psexec as well, but I'm trying to avoid relying on external apps. And the Windows runas.exe app requires interactive authentication, so that won't work either.

Is there any way to do this natively within an AutoIt script? I know this is more of a Windows security question, but any help would be appreciated.


Instead of using the local SYSTEM account, create a dedicated account with sufficient rights in both the local target directory and the server share.

If this is a domain environment, that should be quite easy.

If this is a workgroup, it is only slightly less simple - you'll need to create an account on the server and use it for the server access, while using the local dedicated account to run the task. You can make that account invisible in the Windows logon screen, if that troubles you.


  • Solution
On 12/23/2023 at 4:48 PM, orbs said:

If this is a domain environment, that should be quite easy.

^ Agreed.

If operating in a domain environment, you can set permissions to allow the computer account (COMPUTER$) to have permissions to the folder, and avoid storing user credentials; either explicitly, or using a security group (*preferred).

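The computer-account approach from the solution above, as an added example that is not part of the original thread: a PowerShell sketch, run elevated on the file server, that puts the client's computer account in a security group and gives that group read access to the share. The share name data comes from the thread; the group name GRP-Data-Share-Read and the client name WORKSTATION01 are hypothetical, and the ActiveDirectory and SmbShare modules are assumed to be available.

```powershell
#Requires -Modules ActiveDirectory, SmbShare
# Added example. Assumed values: $GroupName and $Computers are hypothetical.
$ShareName = 'data'                  # \\myserver\data from the thread
$GroupName = 'GRP-Data-Share-Read'   # hypothetical security group
$Computers = @('WORKSTATION01')      # hypothetical client(s) running the SYSTEM task

# 1. Create the security group if it does not exist yet.
$group = Get-ADGroup -Filter "SamAccountName -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupScope Global -GroupCategory Security -PassThru
}

# 2. Add each computer account, skipping ones that are already members.
$existing = @(Get-ADGroupMember -Identity $group | ForEach-Object { $_.SID.Value })
foreach ($name in $Computers) {
    $computer = Get-ADComputer -Identity $name
    if ($existing -notcontains $computer.SID.Value) {
        Add-ADGroupMember -Identity $group -Members $computer
    }
}

# 3. Share-level permission: read only, granted to the group, not to a user.
$account = '{0}\{1}' -f (Get-ADDomain).NetBIOSName, $GroupName
Grant-SmbShareAccess -Name $ShareName -AccountName $account -AccessRight Read -Force | Out-Null

# 4. NTFS permission on the folder behind the share (both layers must allow access).
$path = (Get-SmbShare -Name $ShareName).Path
$acl  = Get-Acl -Path $path
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $account, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# 5. Show the resulting share and NTFS entries for review.
Get-SmbShareAccess -Name $ShareName | Where-Object AccountName -eq $account
(Get-Acl -Path $path).Access | Where-Object { $_.IdentityReference -eq $account }
```

A task running as SYSTEM authenticates to the share as the machine's own domain account, so no net use call or stored password is needed once access is granted. The client only sees the new group membership after its computer Kerberos ticket is renewed: reboot it, or run klist -li 0x3e7 purge elevated on it.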

  • 2 weeks later...

Thank you for the responses. Due to the security we have, I think that's the only way I'm going to be able to pull this off. I was hoping to be able to avoid a separate script run under another task, but oh well. I wasn't familiar with the task scheduler UDF, so I'm going to check it out. I've used commands via RunWait and XML files to create new scheduled tasks, so I'll see how the UDF works.

 

Thanks again
