Get-WmiObject returns nothing in a PowerShell script running as scheduled task

Elamari 1 Reputation point
2022-03-02T14:39:53.287+00:00

This isn't a question, it's more of an answer. But after coming across whatever happened in
https://social.technet.microsoft.com/Forums/Windows/en-US/51ba12ae-fe5e-4664-b7e9-c48c819979c5/getwmiobject-returns-nothing-in-a-powershell-script-running-as-scheduled-task?forum=Offtopic
(top google result) I wanted to just chuck this on the forum.

I was running a PowerShell script via Windows Task scheduler that was doing so;
$services = Get-WmiObject win32_service

The goal of this was to pop the array into a file after filtering out some services and making some changes to what's returned.

I created a domain service account domain\account and was running a scheduled powershell task invoking the relevant script, however
$services | Out-File -Filepath 'E:\Monitoring\Svc_Accounts\Services.txt'

was returning an entirely blank .txt file.

Running ISE as the service account and then running the script was producing results in the file, leading to a bit of confusion.

I resolved this issue by assigning a local server user account to the automated task instead of the domain account.
Turns out get-wmiobject doesn't place nice in an automated task being run by a domain user.

Hope this helps!

Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,407 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Elamari 1 Reputation point
    2022-03-02T14:40:06.083+00:00

    I resolved this issue by assigning a local server user account to the automated task instead of the domain account.
    Turns out get-wmiobject doesn't place nice in an automated task being run by a domain user.


  2. MotoX80 32,326 Reputation points
    2022-03-03T14:21:31.17+00:00

    Try checking "Run with highest privileges" on the task.

    I would have expected a local account, and domain account, who are both members of the Administrators group to produce the same results. Unfortunately, I no longer have access to a domain to test with.

    This script will display service control manager permissions.

    $MySDDL = (sc.exe sdshow scmanager)  
    $NewAcl = New-Object System.Security.AccessControl.DirectorySecurity  
    $NewAcl.SetSecurityDescriptorSddlForm($MySDDL)  
    $NewAcl.Access                                 # show who has access  
                           
    
     
    

    When you logon with any account you are "Interactive" which has the required permissions. Without "Run with highest privileges" you don't get Administrator access and instead the account is an "Authenticated User" which only has ReadData. That is not sufficient to enumerate the services.

    I don't know what's different with the local account.

    FileSystemRights  : ReadData, AppendData, WriteExtendedAttributes, ReadPermissions  
    AccessControlType : Allow  
    IdentityReference : NT AUTHORITY\INTERACTIVE  
    IsInherited       : False  
    InheritanceFlags  : None  
    PropagationFlags  : None  
      
      
    FileSystemRights  : ReadData  
    AccessControlType : Allow  
    IdentityReference : NT AUTHORITY\Authenticated Users  
    IsInherited       : False  
    InheritanceFlags  : None  
    PropagationFlags  : None  
      
      
    FileSystemRights  : ReadData, CreateFiles, AppendData, ReadExtendedAttributes, WriteExtendedAttributes,   
                        ExecuteFile, Delete, ReadPermissions, ChangePermissions, TakeOwnership  
    AccessControlType : Allow  
    IdentityReference : BUILTIN\Administrators  
    IsInherited       : False  
    InheritanceFlags  : None  
    PropagationFlags  : None  
    

    If you don't want to run the task with "Run with highest privileges", then you can use my script in this post to grant access to another group that you can add the domain account to.

    https://learn.microsoft.com/en-us/answers/questions/690654/non-administrative-user-need-access-on-service-con-1.html

    0 comments No comments