[python-win32] how to code pywin32 run existing window task scheduler?

Eryk Sun eryksun at gmail.com
Thu Jan 14 11:10:42 EST 2021


On 1/14/21, Tim Roberts <timr at probo.com> wrote:
> On Jan 13, 2021, at 8:07 PM, Pongthorn Sangkaphet
>
>> I have tried already but error
>>
> That’s 0x80070005, which is ERROR_ACCESS_DENIED.  Have you tried running
> this from an elevated process?

The default security descriptor of a task grants all access to
administrators, and the principal user of the task is granted read
access. Implicitly, however, the principal can execute a task as long
as the task security grants read access. Because the principal user can
execute a task, this allows an administrator to configure a task to
run elevated (i.e. with highest privileges) as the administrator user,
which bypasses UAC (e.g. when executed via schtasks /run from a
restricted security context). If the principal user has the batch
logon right, then the task can also run in the services session (i.e.
the option to run whether or not the user is logged on), but that's
not pertinent to the question of execute access.

If you need to allow some other user to read and execute a task (e.g.
to bypass UAC in the context of the principal user), then you'll need
to grant that user file read (FR) and execute (FX) access. Begin by
retrieving the task's DACL_SECURITY_INFORMATION (4) in SDDL form from
GetSecurityDescriptor [1]. You can convert this string to an SD record
to work with it programmatically, or simply append an allow ACE in
SDDL form, such as "(A;;FRFX;;;<string SID>)". Then write the new DACL
via SetSecurityDescriptor.

---
[1] https://docs.microsoft.com/en-us/windows/win32/taskschd/registeredtask
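
The procedure described in the post above (read the task's DACL as SDDL, append an allow ACE, write it back), as an added pywin32 example that is not part of the original message. The function names, the task path argument and the sample SDDL string are assumptions constructed for illustration, and the helper handles only plain (non-conditional) ACEs.

```python
import re

DACL_SECURITY_INFORMATION = 4  # value given in the post above

# Constructed sample of a DACL-only SDDL string (not taken from a real task).
SAMPLE_SDDL = "D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FR;;;S-1-5-21-1111-2222-3333-1001)"

_SID = re.compile(r"S-1-\d+(?:-\d+)+")
_RIGHTS = re.compile(r"(?:[A-Z]{2})+")  # two-letter SDDL rights such as FR, FX
# "D:", optional DACL control flags, then a run of simple ACEs (captured).
_DACL = re.compile(r"D:(?:P|AR|AI|NO_ACCESS_CONTROL)*((?:\([^()]*\))*)")


def add_allow_ace(sddl, sid, rights="FRFX"):
    """Return sddl with the ACE (A;;rights;;;sid) appended to its DACL."""
    # Strict matching keeps a crafted sid/rights value from smuggling in
    # extra ACEs, e.g. "S-1-1-0)(A;;FA;;;WD".
    if not _SID.fullmatch(sid):
        raise ValueError("expected a string SID such as S-1-5-21-...-1001")
    if not _RIGHTS.fullmatch(rights):
        raise ValueError("expected two-letter SDDL rights such as FRFX")
    m = _DACL.search(sddl)
    if m is None:
        raise ValueError("no DACL (D:) section in the SDDL string")
    ace = "(A;;%s;;;%s)" % (rights, sid)
    if ace in m.group(1):
        return sddl  # this exact grant is already present
    # Insert at the end of the ACE run, i.e. before any S: (SACL) section.
    return sddl[:m.end(1)] + ace + sddl[m.end(1):]


def grant_task_read_execute(task_path, sid):
    """Apply the grant to a registered task (Windows with pywin32 only).

    The caller must be allowed to modify the task's DACL; by default that
    means an administrator, who has all access per the post above.
    """
    import win32com.client  # imported here so add_allow_ace works anywhere

    service = win32com.client.Dispatch("Schedule.Service")
    service.Connect()
    folder, _, name = task_path.rpartition("\\")
    task = service.GetFolder(folder or "\\").GetTask(name)
    old = task.GetSecurityDescriptor(DACL_SECURITY_INFORMATION)
    new = add_allow_ace(old, sid)
    if new != old:
        task.SetSecurityDescriptor(new, 0)  # 0 = no extra flags
    return new
```
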

