3

To enable my application to startup with admin rights at user login, I use a task in task scheduler. And it works fine. Mostly. Now I've received bug reports saying that this fails:

rootFolder->RegisterTaskDefinition( _bstr_t(name.toWideCharPointer()), task,              
   TASK_CREATE_OR_UPDATE, _variant_t(L"Builtin\\Administrators"), _variant_t(), 
   TASK_LOGON_GROUP, _variant_t(L""), &registeredTask) -> 0x80070534

0x80070534 seems to mean "No mapping between account names and security IDs was done". I'm following (pretty much verbatim) the example at: http://msdn.microsoft.com/en-us/library/aa381911(v=VS.85).aspx

Ideas what has gone wrong, and how to fix it ? The application has manifest set so the user needs to be admin to run it.

Question: The "Builtin\\Administrators" group, it is language dependent, isn't it ? I think that the user in question might have a non-english Windows 7. If so I imagine it would work better with specifying "S-1-5-32-544" instead ( http://support.microsoft.com/kb/243330 )

Update: So the explicit call looks like:

rootFolder->RegisterTaskDefinition(
            _bstr_t(name.toWideCharPointer()),
            task,
            TASK_CREATE_OR_UPDATE,
            _variant_t(L"S-1-5-32-544"),    // Language independent "BUILTIN\Administrators" 
            _variant_t(),
            TASK_LOGON_GROUP,
            _variant_t(L""),
            &registeredTask)

Make sure that the application is executed with elevated privileges, otherwise that call will fail.

Robert
  • 2,330
  • 29
  • 47
  • Oh... the CoInitializeSecurity call before returns RPC_E_TOO_LATE. I do call it, with other parameters (RPC_C_AUTHN_LEVEL_DEFAULT instead of RPC_C_AUTHN_LEVEL_PKT_PRIVACY), if that should have any bearing on the problem... – Robert Oct 14 '11 at 16:53

2 Answers2

3

The problem indeed lies in the parameter _variant_t(L"Builtin\\Administrators"), which is hard-coded to English version of Windows. By using the language agnostic security identifier "S-1-5-32-544" ( http://support.microsoft.com/kb/243330 ), the problem is resolved.

Update: So the explicit call looks like:

rootFolder->RegisterTaskDefinition(
            _bstr_t(name.toWideCharPointer()),
            task,
            TASK_CREATE_OR_UPDATE,
            _variant_t(L"S-1-5-32-544"),    // Language independent "BUILTIN\Administrators" 
            _variant_t(),
            TASK_LOGON_GROUP,
            _variant_t(L""),
            &registeredTask)

Make sure that the application is executed with elevated privileges, otherwise the call will fail.

Robert
  • 2,330
  • 29
  • 47
  • I'm close to a solution thanks to this answer @Robert! How do you use S-1-5-32-544? I tried `_variant_t(L"S-1-5-32-544")` but it still fails... – Basj Jul 18 '17 at 16:56
  • Is your application running at elevated privilege ? That call needs admin privs to succeed with that parameter. – Robert Jul 19 '17 at 06:50
  • Updated answer. – Robert Jul 19 '17 at 06:57
  • If UAC is disabled (lowest cursor in the UAC options), it should work directly without doing anything about privs ? – Basj Jul 19 '17 at 07:20
  • Hmm... yes, it should indeed, given that the user is part of the admin group. What error code does the call return ? – Robert Jul 19 '17 at 10:40
  • But still, the app needs to be executed with elevated privileges. Disabling UAC only means it will fail silently (if not running elevated). – Robert Jul 19 '17 at 10:45
  • I reenabled UAC in default mode, I have taken [this code](https://msdn.microsoft.com/en-us/library/windows/desktop/aa381911(v=vs.85).aspx) modified with your advice in this current answer (`_variant_t(L"S-1-5-32-544")`), and [here is the full final code](https://pastebin.com/mEzpMJx5). In VC++, Project Settings > Linker > Manifest, I have enabled `requireAdminstrator`. When I build and run, I get the dialog asking for Admin privs, I say yes... And result: still the 0x80070534 error :( I had the following to have done everything needed... – Basj Jul 19 '17 at 11:53
  • Maybe could you share a VC++ project (i have 2013) showing such a TaskScheduler creation? – Basj Jul 19 '17 at 13:40
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/149677/discussion-between-robert-and-basj). – Robert Jul 20 '17 at 06:53
1

After spending some time, I've seen that more modifications than just _variant_t(L"S-1-5-32-544") are needed to make this "Logon Trigger Example (C++)" example work.

All the details can be found in this answer.

Basj
  • 41,386
  • 99
  • 383
  • 673