I can run my powershell script as administrator in powershell, and it yields good list of running VM's. But when I run it in TaskScheduler with highest privileges, it's showing an empty list of running VM's. We have Server 2008 R2, PowerShell V3, and I downloaded the Hyper-V module for powershell recently. I created an account on the server with Administrators privileges, and Administrators have full control for all directories that the script is copying files from/to.
Also, when I run the script through powershell, I needed to run as administrator. When I run it with the powershell prompt this is what it looks like:
C:\windows\system32> powershell -NoProfile -noninteractive -ExecutionPolicy bypass -Command "& c:\Scripts\BackupVhdShell_2_param.ps1 -single_backup_file_to_loc 'E:\' -single_backup_file_from_loc 'S:\SQL-bak.vhd'"
So that works from powreshell to start/stop vm's and copy files.
In Task Scheduler, this is how I have it set up and it yields the empty list of running VM's:
Run with highest privileges is checked. I have my login credentials saved so it can wake up the server when I'm not here or if it's not up.
In The Program/script field: %SystemRoot%\SysWow64\WindowsPowerShell\v1.0\powershell.exe
In the Add Arguments field: -NoProfile -noninteractive -ExecutionPolicy bypass -Command "& c:\Scripts\BackupVhdShell_2_param.ps1 -single_backup_file_to_loc 'E:\' -single_backup_file_from_loc 'S:\SQL-bak.vhd'"
Any thoughts? I'm not sure if TaskManager isn't finding HyperV module? Or maybe I need Runas to get it to be administrator? I'm having trouble finding info on that. This link was similar but different: http://ss64.com/nt/runas.html Same thing as this: http://peter.hahndorf.eu/blog/
This is what the majority of the script looks like. Note that I have since added logging to the file and know that this line is coming up empty when the script is run through TaskScheduler: <[array]$vmNames = #(Get-VM -Running | %{$_.elementname})>
Again, it works fine through powershell.
The script:
param($single_backup_file_to_loc, $single_backup_file_from_loc)
function StopVMsInOrder ([array][String]$vmNames){
#this function will stop VM's in list, sequentially
Write-Host "Processing virtual machines in order"
foreach ($name in $vmNames) {
Write-Host "Analyzing $name"
Try {
#Write-Host "...Saving $name"
#Save-VM -VM $name -wait -Force
Write-Host "..shutdown $name" #name)"
Invoke-VMShutdown -VM $name -Force #$vm.name
} #try
Catch {
Write-Host "Failed to get virtual machine $name"
} #catch
}#foreach
} #function StopVMsInOrder
function StartVMsInOrder ([array][String]$vmNames){
#this function will start VM's in list, sequentially as opposed to all at once
Write-Host "Processing virtual machines in order"
foreach ($name in $vmNames) {
Write-Host "Analyzing $name"
Try {
Write-Host "..Starting $name"
Start-VM -VM $name -wait
} #try
Catch {
Write-Host "Failed to get virtual machine $name"
} #catch
}#foreach
} #function StartVMsInOrder
function CopyFileToFolder ([string]$Source,[string]$destination){
# get filename
...
}
#################start of script##############
import-module Hyperv
#get list of running vm's
[array]$vmNames = #(Get-VM -Running | %{$_.elementname})
Write-Host "To: $single_backup_file_to_loc"
Write-Host "From: $single_backup_file_from_loc"
#call function to stop vm's
StopVMsInOrder $vmNames
if($single_backup_file_to_loc -ne " ")
{
#someone passed in a parameter for one-off use of script
[array]$destFileArray = #($single_backup_file_to_loc)
[array]$sourceFileArray = #($single_backup_file_from_loc)
}else
{
Write-Host "To Loc not Defined as param"
#get set up for what need to backup vhd's
#where back it up to
}
$i=0
for ($i = $sourceFileArray.GetLowerBound(0); $i -le $sourceFileArray.GetUpperBound(0); $i++) {
$tempSource = $sourceFileArray[$i]
$tempDest = $destFileArray[$i]
CopyFileToFolder $tempSource $tempDest
Write-Host "i: $i"
}
Write-Host "Done with vhd backup"
#call function to start vm's
StartVMsInOrder $vmNames
Write-Host "Done with vm start"
I finally figured it out! I changed it so I was using the other version of powershell in TaskScheduler: %SystemRoot%\system32.... Now it's finding the VM's.
Related
I'm trying to update an elevated PowerShell script that's using StartProcess on a BAT file that runs RunAs on PowerShell.exe to run another PowerShell script without elevation in order to clone a git repository so that the directory is created in a way that a normal non-elevated user will be able to use.
Elevated PS1: Start-Process
=> Elevated .BAT: RunAs /trustlevel:0x20000
=> Non-elevated PS1
This is failing in some environments and I can't figure out why so I'm trying to figure out how to capture stdout and stderr from all levels of this process, but I'm not seeing the error or any output. I can capture it down to the BAT file level, but I can't seem to see anything that's happening within the inner-most Powershell script.
This seems like an awful lot of work just to programmatically clone a Git repository from an elevated process. Is there a way to make this work or is there an easier way?
EDIT: Just learned that this solution was broken as of Windows 11 Update 22H2: https://superuser.com/questions/1749696/parameter-is-incorrect-when-using-runas-with-trustlevel-after-windows-11-22h2
but the workaround is to use the /machine switch when running RunAs.
I suggest simplifying your approach as follows:
Use synchronous invocation of runas.exe, via Start-Process -Wait, which obviates the need for an intermediate batch file, and the need for a named pipe (System.IO.Pipes.NamedPipeClientStream)
Let the runas.exe-launched PowerShell child process that runs test2.ps1 capture that script's output in a temporary file, which you can read after the Start-Process -Wait call returns.
test2.ps1 can then just produce output normally - no need for System.IO.Pipes.NamedPipeClientStream
Elevated PowerShell Script (test.ps1):
function IsAdmin{
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
$Is64 = [Environment]::Is64BitOperatingSystem
if ($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
Write-Output "Running with elevated privileges. (64-bit=$Is64)"
} else {
Write-Output "Running without elevated privileges. (64-bit=$Is64)"
}
}
IsAdmin
# Create a temporary file in which to capture the output from the
# PowerShell child process launched by runas.exe.
$outFile = New-TemporaryFile
# Use Start-Process -Wait to directly invoke runas.exe,
# which doesn't just wait for runas.exe ITSELF to exit, but also
# waits for its CHILD processes.
# This ensures that execution is blocked until the other PowerShell script exits too.
Start-Process -Wait runas.exe #"
/machine:amd64 /trustlevel:0x20000 "powershell -c & \"$PSScriptRoot\test2.ps1\" -drive C:\ *> \"$outFile\""
"#
# Now $outFile contains all output produced by the other PowerShell script.
Write-Verbose -Verbose "Output from the runas.exe-launched PowerShell script:"
Get-Content -LiteralPath $outFile
$outFile | Remove-Item # Clean up.
Non-Elevated PowerShell Script (test2.ps1):
param([string]$drive)
function IsAdmin{
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
$Is64 = [Environment]::Is64BitOperatingSystem
if ($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
Write-Output "Running with elevated privileges. (64-bit=$Is64)"
} else {
Write-Output "Running without elevated privileges. (64-bit=$Is64)"
}
}
function Setup-Test{
Write-Output "Testing Powershell with Parameter Drive=$drive"
git config --global user.name
cd bob
Write-Error "Error Line 1
Error Line 2"
Write-Error "Error Line 3"
$d = 3/0
Write-Output "Done Testing Powershell"
}
IsAdmin
Setup-Test
This can be solved with a named pipe.
Elevated PowerShell Script (test.ps1)
function IsAdmin{
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
$Is64 = [Environment]::Is64BitOperatingSystem
if ($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
Write-Output "Running with elevated privileges. (64-bit=$Is64)"
} else {
Write-Output "Running without elevated privileges. (64-bit=$Is64)"
}
}
IsAdmin
Write-Output "Running $PSScriptRoot\test.bat"
Start-Process -FilePath "$PSScriptRoot\test.bat" -ArgumentList "C:\" -NoNewWindow
$np = new-object System.IO.Pipes.NamedPipeClientStream('.','SAMPipe', [System.IO.Pipes.PipeDirection]::In,[System.IO.Pipes.PipeOptions]::None,[System.Security.Principal.TokenImpersonationLevel]::Impersonation)
$np.Connect()
$sr = new-object System.IO.StreamReader($np)
while ($l=$sr.ReadLine()) {
Write-Output $l
}
$sr.Close()
$np.Close()
BAT file in the middle to de-elevate (test.bat)
runas /machine:amd64 /trustlevel:0x20000 "powershell -command %~dp0test2.ps1 -drive %1 >dummy.txt"
Non-Elevated PowerShell Script (test2.ps1)
param([string]$drive)
function IsAdmin{
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
$Is64 = [Environment]::Is64BitOperatingSystem
if ($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
Write-Output "Running with elevated privileges. (64-bit=$Is64)"
} else {
Write-Output "Running without elevated privileges. (64-bit=$Is64)"
}
}
function Setup-Test{
Write-Output "Testing Powershell with Parameter Drive=$drive"
git config --global user.name
cd bob
Write-Error "Error Line 1
Error Line 2"
Write-Error "Error Line 3"
$d = 3/0
Write-Output "Done Testing Powershell"
}
$np = New-Object System.IO.Pipes.NamedPipeServerStream('SAMPipe',[System.IO.Pipes.PipeDirection]::Out)
$np.WaitForConnection()
$sw = New-Object System.IO.StreamWriter($np)
$sw.WriteLine('Begin Non-Elevated Process Pipe')
Invoke-Command -ScriptBlock {
try {
IsAdmin
Setup-Test
} catch {
Write-Error $_
}
} -ErrorVariable errVar -OutVariable out
foreach ($line in $out){
$sw.WriteLine($line)
}
foreach ($line in $errVar) {
$sw.WriteLine($line)
}
$sw.WriteLine('End Non-Elevated Process Pipe')
$sw.Close()
$np.Close()
Output
Running with elevated privileges. (64-bit=True)
Running C:\Users\bmarty\source\PowerShellTest\test.bat
C:\Users\bmarty\source\PowerShellTest>runas /machine:amd64 /trustlevel:0x20000 "powershell -command C:\Users\bmarty\source\PowerShellTest\test2.ps1 -drive C:\ >dummy.txt"
Begin Non-Elevated Process Pipe
Running without elevated privileges. (64-bit=True)
Testing Powershell with Parameter Drive=C:\
Ben Marty
Cannot find path 'C:\Users\bmarty\source\PowerShellTest\bob' because it does not exist.
Error Line 1
Error Line 2
Error Line 3
Attempted to divide by zero.
System.Management.Automation.RuntimeException: Attempted to divide by zero. ---> System.DivideByZeroException: Attempted to divide by zero.
--- End of inner exception stack trace ---
at System.Management.Automation.ExceptionHandlingOps.CheckActionPreference(FunctionContext funcContext, Exception exception)
at System.Management.Automation.Interpreter.ActionCallInstruction`2.Run(InterpretedFrame frame)
at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
Attempted to divide by zero.
Attempted to divide by zero.
End Non-Elevated Process Pipe
Done running
I don't understand why the output of git config only appears in the output if I include >dummy.txt in the BAT file.
Try working with ACLs instead. You can set that up on the parent directory so you don't even need to run the script in an elevated context.
Just set up a "gitclone" account that can write into the repository parent directory and then add the rest of the users as read+execute.
The rest will come automagically through inheritance.
Then run script as that "gitclone" user.
I am passing a powershell script through userdata to terraform ec2 windows instance, should I use Write-Host or Write-Output, so that the output from the script gets written to the execution log file.
if (!(Test-Path -Path $outputFile)) {
Write-Warning "$outputFile does not exist`r`n"
}
else {
Write-Host "$outputFile exists`r`n"
}
I'm trying to get one master PowerShell script to run all of the others while waiting 30-60 seconds to ensure that the tasks are completed. Everything else I tried wouldn't stop/wait for the first script and its processes to complete before going through all the others at the same time and would cause a restart automatically.
Main script, run as admin:
$LogStart = 'Log '
$LogDate = Get-Date -Format "dd-MM-yyy-hh-mm-ss"
$FileName = $LogStart + $LogDate + '.txt.'
$scriptList = #(
'C:\Scripts\1-OneDriveUninstall.ps1'
'C:\Scripts\2-ComputerRename.ps1'
);
Start-Transcript -Path "C:\Scripts\$FileName"
foreach ($script in $scriptList) {
Start-Process -FilePath "$PSHOME\powershell.exe" -ArgumentList "-Command '& $script'"
Write-Output "The $script is running."
Start-Sleep -Seconds 30
}
Write-Output "Scripts have completed. Computer will restart in 10 seconds."
Start-Sleep -Seconds 10
Stop-Transcript
C:\Scripts\3-Restart.ps1
1-OneDriveUninstall.ps1:
Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0
taskkill /f /im OneDrive.exe
C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall
2-ComputerRename.ps1:
$computername = Get-Content env:computername
$servicetag = Get-WmiObject Win32_Bios |
Select-Object -ExpandProperty SerialNumber
if ($computername -ne $servicetag) {
Write-Host "Renaming computer to $servicetag..."
Rename-Computer -NewName $servicetag
} else {
Write-Host "Computer name is already set to service tag."
}
The log file shows:
Transcript started, output file is C:\Scripts\Log 13-09-2019-04-28-47.txt.
The C:\Scripts\1-OneDriveUninstall.ps1 is running.
The C:\Scripts\2-ComputerRename.ps1 is running.
Scripts have completed. Computer will restart in 10 seconds.
Windows PowerShell transcript end
End time: 20190913162957
They aren't running correctly at all though. They run fine individually but not when put into one master script.
PowerShell can run PowerShell scripts from other PowerShell scripts directly. The only time you need Start-Process for that is when you want to run the called script with elevated privileges (which isn't necessary here, since your parent script is already running elevated).
This should suffice:
foreach ($script in $scriptList) {
& $script
}
The above code will run the scripts sequentially (i.e. start the next script only after the previous one terminated). If you want to run the scripts in parallel, the canonical way is to use background jobs:
$jobs = foreach ($script in $scriptList) {
Start-Job -ScriptBlock { & $using:script }
}
$jobs | Wait-Job | Receive-Job
I have a PowerShell script:
& $psexec $serveraddr -u $remoteuser -p $remotepass -accepteula C:\Windows\System32\inetsrv\appcmd.exe list apppool /xml | C:\Windows\System32\inetsrv\appcmd.exe recycle apppool /in
that I am using to recycle all IIS pools. The problem is that only default, given from IIS pools are recycled. No private pools are recycled. They are not found by the second appcmd. First appcmd finds all pools, given by IIS and private.
Error is:
ERROR ( message:Nie można odnaleźć obiektu APPPOOL o identyfikatorze "Core1". )
from polish language it is:
ERROR ( message: Can't find object APPPOOL with id "Core1". )
I can't recycle private pools. Is there a way to bypass this?
This is a one liner to recyle all Applications Pools :
& $env:windir\system32\inetsrv\appcmd list apppools /state:Started /xml | & $env:windir\system32\inetsrv\appcmd recycle apppools /in
So the second part of the command is executed locally. I've changed the script to recycle every each pool by single commands:
& $psexec $server -u $remoteuser -p $remotepass -accepteula C:\Windows\System32\inetsrv\appcmd.exe recycle apppool /apppool.name:Core1
This is an overkill for your question, but you might be interested in the general alternate approach to do something in parallel on the several servers:
$servers=#('server1', 'server2', 'server3')
$recycleAppPools = {
echo $(Get-Wmiobject -Class Win32_ComputerSystem).Name
appcmd list apppools /state:Started /xml | appcmd recycle apppools /in
echo "`n"
}
workflow Perform-Deployment {
Param ($servers, $actionBlock)
# Run on all servers in parallel
foreach -parallel ($server in $servers) {
"Doing on $server..."
# Execute script on the server
InlineScript {
$scriptBlock = [scriptblock]::Create($Using:actionBlock)
Invoke-Command -computername $Using:server -ScriptBlock $scriptBlock
}
}
}
cls
# Execute workflow
Perform-Deployment $servers $recycleAppPools
Moreover, you could pass parameters to your script block, like, for example:
$DeployPythonPackage = {
param($venv, $pythonPackagePath)
& "$venv\scripts\pip" install --upgrade $pythonPackagePath
}
workflow Perform-Deployment {
Param ($servers, $actionBlock, $venv, $pythonPackagePath)
# Run on all servers in parallel
foreach -parallel ($server in $servers) {
"Deploying Python package '$pythonPackagePath' on $server..."
# Execute script on the server
InlineScript {
$scriptBlock = [scriptblock]::Create($Using:actionBlock)
Invoke-Command -computername $Using:server -ScriptBlock $scriptBlock `
-ArgumentList $Using:venv, $Using:pythonPackagePath
}
}
}
cls
# Execute workflow
Perform-Deployment $servers $DeployPythonPackage $venv $pythonPackagePath
I am very new to powershell and I'm not sure what I did wrong. It is running fine on my Windows 8 PC but when I send it to someone else (he has Windows 7; created this for him), he gets a not allowed to run scripts error.
Tried with -ExecutionPolicy RemoteSigned but still no luck.
##################
<# CONFIG START #>
##################
#replace the path with your steam path. For example: C:\Program Files (x86)\Steam\Steam.exe
$steam_path = "C:\Program Files (x86)\Steam\steam.exe"
#You can change it to Ethernet 1 or Ethernet 2 or Ethernet 3 etc depending on which adapter you want to disable.
#If you have custom name for them (you can rename them from control panel), have to use that name.
$adapter_name = "Ethernet 1"
<#
What program to run.
1: Steam Dota 2
2: Steam CS
3: Steam CSS
4: Steam CSGO
5: Custom Program 1
6: Custom Program 2
7: Custom Program 3
#>
$game_id = "5"
<# Custom Program path and arguments#>
$cp1_path = "C:\Program Files (x86)\counter-strike source\css.exe"
$cp1_arg = " "
$cp2_path = ""
$cp2_arg = " "
$cp3_path = ""
$cp2_arg = " "
$delay = 20
################
<# CONFIG END #>
################
"Checking admin permissions..."
If (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))
{
"Administrator permissions required."
$arguments = '-ExecutionPolicy RemoteSigned -file "' + $myinvocation.mycommand.definition + '"'
# $arguments
Start-Process powershell -Verb runAs -ArgumentList $arguments
Break
}
"Exiting Steam..."
Start-Process -FilePath $steam_path -ArgumentList "-shutdown" -Wait:$true
Start-Sleep -s 2
"Disabling Network Adapter..."
Disable-NetAdapter -Name $adapter_name -Confirm:$false
Start-Sleep -s 5
"Starting Game..."
Switch($game_id)
{
1
{
Start-Process -filepath "steam://rungameid/570"
}
2
{
Start-Process -filepath "steam://rungameid/10"
}
3
{
Start-Process -filepath "steam://rungameid/240"
}
4
{
Start-Process -filepath "steam://rungameid/730"
}
5
{
Start-Process $cp1_path -ArgumentList $cp1_arg
}
6
{
Start-Process $cp2_path -ArgumentList $cp2_arg
}
7
{
Start-Process $cp3_path -ArgumentList $cp3_arg
}
}
Start-Sleep -s $delay
"Enabling Network Adapter..."
Enable-NetAdapter $adapter_name -Confirm:$false
exit
If you sent him the script, then RemoteSigned is doing it's job just fine. He got the script remotely (from you) and it is not signed, so it won't be executed.
Tell your friend to navigate to the ps1 script in Windows Explorer and right click, then choose "Unblock." He will then need to restart the PowerShell instance if it has failed to run the script already since this kind of information is cached by Windows.
The error indicates you didn't correctly set the execution policy. Firstly, you have run Powershell as an administrator. To do this, right click on the Powershell icon in the start menu and click on "Run as Administrator". Next you have to run the following command in Powershell:
Set-ExecutionPolicy RemoteSigned
You will be prompted to allow the change. Type "Y" and press return.
Finally, try running your script.