1

I am managing an ASP.NET site providing users with managed access to various functionality on an IIS Server. The application is running on the .NET Framework 4.6.1 and the users are very happy with the features, mostly running SQL stored procedures. Now, there is "one more thing".

There is a need to, basically, see the state of three tasks in Task Scheduler Library running on the same box. The author of those tasks I have credentials to. Then, the desire is to enable or disable at will.

My first approach is to write PowerShell scripts that can be called from the ASP.NET site. Running as Windows PowerShell ISE as Administrator on the box, I have a script that provides the desired output:

# https://stackoverflow.com/questions/1313673/execute-powershell-as-an-administrator-from-c-sharp
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted

# https://blog.danskingdom.com/Run-PowerShell-as-another-user/
$securePassword = ConvertTo-SecureString "*******" -AsPlainText -force 
$credential = New-Object System.Management.Automation.PsCredential("domain\username",$securePassword)
# After specifying your credentials, you can then use them in your call to create a New-PSSession using the PowerShell script below.
$s = New-PSSession -credential $credential -ComputerName localhost 
Enter-PSSession -Session $s

# https://bobcares.com/blog/manage-scheduled-tasks-with-powershell/
$results= Get-ScheduledTask | Where-Object {$_.TaskPath -eq "\"} | Where-Object { $_.TaskName -like "STAGE_DEMO_*"}
Exit-PSSession

Write-Output $results

Now my Page_Load comes from the accepted answer to this question: Binding output from powershell script to gridview in asp.net c#

protected void Page_Load(object sender, EventArgs e)
{
    this.UnobtrusiveValidationMode = System.Web.UI.UnobtrusiveValidationMode.None;
        
    // Initialize PowerShell engine
    var shell = PowerShell.Create();

    // Add the script to the PowerShell object
    string rootPath = Server.MapPath("~");

    var scriptPath = rootPath + @"\Scripts\PowerShell\*****.ps1";
    shell.Commands.AddCommand(scriptPath);

    try
    {
        var results = shell.Invoke();
    }
    catch (Exception exception)
    {
        Console.WriteLine(exception.Message);
    }
}

Executing, I do not get usable output:

enter image description here

In my case, the actual credentials are validated, since they work in the ISE, running as Administrator.

However, if I replaced my script with this one:

write-output @(
    (new-object PSCustomObject -Property ([ordered] @{
         "MyProperty1" = "MyValue1.1"
         "MyProperty2" = "MyValue2.1"
         "MyProperty3" = "MyValue3.1"
    })),
    (new-object PSCustomObject -Property ([ordered] @{
          "MyProperty1" = "MyValue1.2"
          "MyProperty2" = "MyValue2.2"
          "MyProperty3" = "MyValue3.2"
    }))
);

I get very nice results I can see working with:

enter image description here

So, I am convinced I am running into an issue with at least one of these things:

  1. My script itself in some way I do not see.
  2. The security I am trying to support - that is supporting the equivalent of running as administrator in the PS ISE.
  3. The format of my own output

I have been thoroughly looking at these and am not finding a path forward.

Please, can someone tell me: am I encountering an insurmountable issue?

If so, what is the advice for managed Task Scheduler access to list/disable/enable tasks of another author, preferable through an ASP.NET site?

Thank you

marc_s
  • 732,580
  • 175
  • 1,330
  • 1,459
Tom Schulte
  • 419
  • 1
  • 6
  • 20
  • 1
    Are you running from inside VS? If so you need to start VS by right click shortcut and select Runa As Admin. A c# app will automatically run As Admin by double click exe file, but inside VS you must start VS As Admin. – jdweng Aug 13 '23 at 20:31
  • 1
    @jdweng: No .NET application (whether created with C# or a different .NET language) runs with elevation _by default_ - an explicitly crafted [application manifest](https://learn.microsoft.com/en-us/windows/win32/sbscs/application-manifests) requesting elevation is necessary. – mklement0 Aug 14 '23 at 00:38
  • 1
    `Enter-PSSession`'s purpose is to enter an _interactive session_ on a remote machine _that the user must exit manually_. By contrast, for _unattended execution_ of commands on a remote machine, use `Invoke-Command`. See the linked duplicate for details. – mklement0 Aug 14 '23 at 00:47
  • Thank you @jdweng - VS as Administrator got me the expected results from my PS script, so that is good. So, does that mean I will need to publish to an App pool running as an Administrator? @mklement0 - Or, maybe an explicitly crafted application manifest requesting elevation would make a pool with elevated permissions unnecessary? Thank you also, for the education on `Enter-PSSession` versus `Invoke-Command` Without that change, I did get the expected results, but I am still going to go forward with that change. – Tom Schulte Aug 14 '23 at 01:26
  • It depends on the folder(s) you are using and the permissions. Folders like Program Files and c:\Windows only admin can write. – jdweng Aug 14 '23 at 08:56
  • Thanks @jdweng I don't need to read from/write to any folders. I only need Task Scheduler Library and read/enable/disable tasks from a given author. – Tom Schulte Aug 14 '23 at 14:24
  • Task Schedular will only allow normal users to run task as the current user. If you need to run the Task Schedular with different credentials you need to run As Admin. – jdweng Aug 14 '23 at 14:29

0 Answers0