
[feature] Runlevel option for schedule on Windows

Open auxym opened this issue 9 months ago • 3 comments

Small feature request: could we have a new option for resticprofile schedule that sets the "Run with highest privileges" checkbox in Task Scheduler? This also corresponds to /RL Highest when using the SCHTASKS cli command (https://superuser.com/questions/243605/how-do-i-specify-run-with-highest-privileges-in-schtasks).

Why

Using schedule-permission: system creates a task that runs as the SYSTEM user. This provides all privileges (eg: create a VSS snapshot, access to all files), but creates issues to access network paths (eg. samba/cifs shares specified as \\server\\path\to\share) that require credentials. The SYSTEM user does not have access to mapped drives, or credentials saved in the Windows Credential Manager created by a user, even from an elevated (run as administrator) shell. From my research, it seems that the only way to allow tasks running as SYSTEM is to use a 3rd party tool (Sysinternals PsExec) to run an elevated shell as the SYSTEM user and a combination of net use and/or cmdkey. This feels a bit hackish. Another workaround would be to wrap the resticprofile backup call in a script that first calls net use /user:... /password:... to connect the network path with the given credentials.

Running the scheduled task as a user allows access to the network path with saved credentials, but does not provide sufficient privileges to use the VSS snapshot option, or backup "system" files.

The workaround is relatively simple, that is, after running resticprofile schedule with schedule-permission: user, I go into the task scheduler and manually check the Run with highest privileges. Since running schedule is not something we do very often, this is not a huge deal. Maybe just adding a note to the docs would be OK too.

auxym, Mar 30 '25 13:03

This is a very good point 👍🏻

I'll need to try it to understand how to create the task automatically. By that I mean what permissions are required to create the task (user password + elevated permissions?)

creativeprojects, Mar 30 '25 14:03

How does resticprofile currently create the scheduled task? I don't know much Go, but if you can point me to the bit of code that does that, I can have a look if I have any idea how to implement this.

auxym, Mar 30 '25 20:03

Sure, I'd appreciate a bit of help 😉

To create a scheduled task on Windows, we create an XML file. The definition of the XML file is here:

https://github.com/creativeprojects/resticprofile/blob/669e77e9417758998c8b647491139474affd4f73/schtasks/settings.go#L9-L27

The object is created on this line, using the Config object as reference: https://github.com/creativeprojects/resticprofile/blob/669e77e9417758998c8b647491139474affd4f73/schtasks/taskscheduler.go#L54

After that, we feed the XML file to the task scheduler using the command line:

schtasks.exe /create /tn task_name /xml file.xml

To understand which parameter to add or update, it's actually quite easy: you can prepare a task in the task scheduler, right click on it and choose export. It will give you the exact same XML file needed to create the task 👍🏻

There are also references to the MSDN documentation in some sections of the code.

Good luck 😄

creativeprojects, Mar 30 '25 21:03

Hello, I have stumbled across this same issue.

Looking at the export, resticprofile would just need to set the task.Principals.Principal.RunLevel = RunLevelHighest, as is already done here.

For my use case I would appreciate this being added to schedule-permission: user_logged_on. What is indeed unclear is if that line can just be added or if it would break something. Safest way would be to add a new one like schedule-permission: user_logged_on_run_level_high.

rndph, Jun 21 '25 20:06

> What is indeed unclear is if that line can just be added or if it would break something.

I don't think it would break anything; it would just give more permission than would be needed for users only wanting to save their own files (documents, etc.)

creativeprojects, Jun 22 '25 11:06

I would like to see this feature implemented too.

I have an issue with schedule-permission: system and installation of resticprofile from scoop. The scheduled program is "C:\Users\<USER>\scoop\apps\resticprofile\current\resticprofile.exe" where "current" is a symlink. For some reason this path can't be resolved from the system user. So I need to change "current" to "0.31.0" manually to get it working (and ofc define paths for other executables in config). I don't really want to run it as system user, just want privileges for vss, but without a run level feature the system user is the only way.

Wouldn't it be a bit weird to set task.Principals.Principal.RunLevel = RunLevelHighest for all schedule-permission variants? I'm not sure. A separate Windows-only option like schedule-runlevel might be better. @creativeprojects What do you think?

I'm willing to PR if needed.

zumm, Jul 29 '25 04:07

> I don't think it would break anything

You need admin privileges to schedule a task with RunLevelHighest. So setting RunLevelHighest as default for user_logged_on actually would break "rootless" setups.

zumm, Jul 30 '25 20:07
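
Added example, not part of the thread and not resticprofile's own code: a Go sketch of the task XML approach described above, with the principal's run level as an explicit opt-in so the default stays at least privilege, as the last comments suggest. The struct layout, the `elevated` parameter and the sample user and command are assumptions; `LeastPrivilege` and `HighestAvailable` are the Task Scheduler schema values for `<RunLevel>`.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// Task Scheduler schema values for <RunLevel>.
const (
	RunLevelLeastPrivilege = "LeastPrivilege"
	RunLevelHighest        = "HighestAvailable" // "Run with highest privileges"
)

// Hypothetical minimal subset of the task XML; not resticprofile's own structs.
type Task struct {
	XMLName   xml.Name  `xml:"http://schemas.microsoft.com/windows/2004/02/mit/task Task"`
	Version   string    `xml:"version,attr"`
	Principal Principal `xml:"Principals>Principal"`
	Command   string    `xml:"Actions>Exec>Command"`
}

type Principal struct {
	ID        string `xml:"id,attr"`
	UserID    string `xml:"UserId"`
	LogonType string `xml:"LogonType"`
	RunLevel  string `xml:"RunLevel"`
}

// buildTaskXML defaults to LeastPrivilege so tasks registered without admin
// rights keep working; elevation is an explicit opt-in (hypothetical flag).
func buildTaskXML(userID, command string, elevated bool) ([]byte, error) {
	level := RunLevelLeastPrivilege
	if elevated {
		level = RunLevelHighest
	}
	return xml.MarshalIndent(Task{
		Version:   "1.2",
		Principal: Principal{ID: "Author", UserID: userID, LogonType: "InteractiveToken", RunLevel: level},
		Command:   command,
	}, "", "  ")
}

func main() {
	out, err := buildTaskXML(`EXAMPLE\backup`, "resticprofile.exe", true) // constructed sample values
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out))
}
```

Comparing this output with a task exported from Task Scheduler, as described earlier in the thread, shows which elements a full definition still needs.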