Introduction

Windows Task Scheduler tasks that require administrative operations (mounting drives, modifying system settings, writing to protected directories) will fail if the Run with highest privileges checkbox is not enabled. Even when the task runs under an Administrator account, UAC filters the token and removes administrative privileges unless this option is explicitly set. The task appears to run but returns error code 0x80070005 (Access Denied) or exits silently with non-zero codes.

Symptoms

  • Task shows Last Run Result: 0x80070005 (Access Denied)
  • Task History shows Task Scheduler successfully completed task but no output produced
  • Script works when run manually in elevated PowerShell but fails as scheduled task
  • Event Viewer shows Access is denied for file or registry operations
  • Task runs but operations requiring admin rights are silently skipped

Common Causes

  • Task created without Run with highest privileges checkbox enabled
  • UAC is enabled and filters the administrator token
  • Task needs to write to C:\Windows, Program Files, or registry HKLM
  • Script calls net, sc, or other commands requiring elevation
  • Task runs under a standard user account that is not in Administrators group

Step-by-Step Fix

  1. 1.Check task configuration in PowerShell:
  2. 2.```powershell
  3. 3.Get-ScheduledTask -TaskName "MyBackupTask" | Select-Object -ExpandProperty Settings | Select-Object RunLevel
  4. 4.# RunLevel: Limited = not elevated, Highest = elevated
  5. 5.`
  6. 6.Enable Run with highest privileges via PowerShell:
  7. 7.```powershell
  8. 8.$task = Get-ScheduledTask -TaskName "MyBackupTask"
  9. 9.$task.Settings.RunLevel = "Highest"
  10. 10.Set-ScheduledTask -InputObject $task
  11. 11.`
  12. 12.Alternatively, modify via GUI:
  13. 13.- Open Task Scheduler (taskschd.msc)
  14. 14.- Right-click the task and select Properties
  15. 15.- On the General tab, check Run with highest privileges
  16. 16.- Click OK and enter credentials if prompted
  17. 17.Verify the account has necessary permissions:
  18. 18.```powershell
  19. 19.# Check task principal
  20. 20.Get-ScheduledTask -TaskName "MyBackupTask" | Select-Object -ExpandProperty Principal
  21. 21.# Ensure UserId is an account with appropriate rights
  22. 22.`
  23. 23.Test the task manually:
  24. 24.```powershell
  25. 25.Start-ScheduledTask -TaskName "MyBackupTask"
  26. 26.# Wait and check result
  27. 27.Get-ScheduledTask -TaskName "MyBackupTask" | Select-Object State, LastRunTime, LastTaskResult
  28. 28.`
  29. 29.If using a service account, grant Log on as a batch job right:
  30. 30.```powershell
  31. 31.# Open Local Security Policy
  32. 32.secpol.msc
  33. 33.# Navigate to: Local Policies > User Rights Assignment > Log on as a batch job
  34. 34.# Add the service account
  35. 35.`

Prevention

  • Always enable Run with highest privileges for tasks that modify system state
  • Use dedicated service accounts with least-privilege permissions for specific tasks
  • Test scheduled tasks by running them as the configured user with schtasks /Run
  • Monitor task results with Get-ScheduledTask LastTaskResult in automated health checks
  • Document task requirements including elevation needs in a task inventory