2 Replies Latest reply on May 18, 2018 10:30 AM by dhinkson

    How to allow Task Scheduler to call a VBS.

    dhinkson Rookie

      Through Task Scheduler we have a VBS that runs 3 times a week.  This script runs a two items, one it runs ccmeval.exe and Smc.exe to check for virus updates.

       

      I was able to elevate the VBS script by adding it to UsersPrivileges under Everyone group.  I am able to run the script directly from it's location "C:\ProgramData\" but when running it from Task Scheduler wscript.exe gets denied.


      I am not aware of anyway of elevating Task Scheduler.  Wanted to see if anyone has thoughts on how I can allow this to run.

        • 1. Re: How to allow Task Scheduler to call a VBS.
          timothyb SupportEmployee

          Under Advanced Settings, if you have any of the script validation options enabled, the script host is then denied by default.  When AM is processing the rules, it detects that wscript.exe has been blocked and then tries to parse the command line to determine the name of the script.  If it successfully finds the script name it will then attempt to run the rules against the script to see if it's allowed to run.  If the script isn't allowed to run, it will typically state that the scripted host was denied to run (in this case wscript.exe).  Because the rules are processed against the script as well, ensure that it passes a rule (e.g. the script is owned by a Trusted Owner or there is a rule to allow it to run).

           

          Task Scheduler allows the option to run the script as a specified user.  So it would probably be worth ensuring that the user account in question is allowed to run the script.

           

          I would suggest capturing a ProcMon log of Task Scheduler running the script.  I would initially filter it on the script filename to determine which process is actually executing wscript/cscript.  Then double click on the process and under one of the tabs you'll see a list of DLLs loaded by the process.  It would be worth a quick check to see if the Application Control hook is injected into the process (AMAppHook.dll).  You might have a hook exclusion in place that prevents the hook injecting into the parent process of wscript/cscript.  If this is the case, then the hook doesn't submit the request to AMAgent and it will be picked up by the filter driver.

           

          A suggestion to workaround the issue might be to create a Process Rule to allow the parent process of wscript/cscript to run wscript.exe and/or cscript.exe.  Initially I would test this to ensure it worked.  Then you could add additional security, such as adding the parameters passed to wscript/exe to the file rule.  It would be worth reviewing these in the ProcMon log, as they need to be identical to the parameters called at the time of execution.

          • 2. Re: How to allow Task Scheduler to call a VBS.
            dhinkson Rookie

            Hi Tim,

             

            Thanks for you quick reply.

             

            I was able to create a Process Rule to allow Task Scheduler (taskschd.dll) to run the script by adding the script to the Allowed Items.  Tested and this script now runs without being denied.

             

            Appreciate your assistance.