InvokeSystems.RestrictedTask
Create restricted scheduled tasks that non-administrator users can execute, with the payload script protected by hash verification.
Installation
Copy-Item -Path .\InvokeSystems.RestrictedTask -Destination "$env:ProgramFiles\WindowsPowerShell\Modules" -Recurse
Import-Module InvokeSystems.RestrictedTask
Quick Start
Admin creates the task:
New-InvTask -TaskName 'My Task' -AllowedPrincipals 'DOMAIN\HelpDesk' -PayloadSourcePath 'C:\Scripts\MyScript.ps1'
User runs the task:
Invoke-InvTask -TaskName 'My Task'
Output:
Starting task: \InvokeSystems\My Task
========================================
TASK COMPLETED
========================================
Duration: 5.2 seconds
Exit Code: 0
LOG OUTPUT
----------------------------------------
[2024-12-31 14:30:01] [INFO] === TASK STARTED ===
[2024-12-31 14:30:05] [INFO] Task completed successfully
----------------------------------------
Functions
| Function | Audience | Description |
|---|---|---|
| Get-InvTask | End User | Lists tasks you can run |
| Invoke-InvTask | End User | Runs task and displays log output |
| New-InvTask | Admin | Creates a restricted task |
| Remove-InvTask | Admin | Removes task and cleans up files |
| Update-InvTask | Admin | Re-hashes payload after editing |
| Get-InvTaskPrincipal | Admin | Lists users with execute permission |
| Set-InvTaskPrincipal | Admin | Add/remove task principals |
For End Users
List Available Tasks
Get-InvTask
Run a Task
Invoke-InvTask -TaskName 'My Task'
The command will:
- Start the scheduled task
- Wait for completion
- Display the log output
- Return success/failure status
Options
# Show all log lines (default: last 50)
Invoke-InvTask -TaskName 'My Task' -TailLines -1
# Custom timeout (default: 120 seconds)
Invoke-InvTask -TaskName 'My Task' -TimeoutSeconds 300
For Administrators
Use a Template (Recommended)
Ready-to-use templates are in the Templates/ folder:
| Template | Description |
|---|---|
| Restart-Service.ps1 | Restart one or more Windows services |
| Restart-Computer.ps1 | Initiate system restart with countdown |
| Clear-TempFiles.ps1 | Clean system temp directories |
| Flush-DnsCache.ps1 | Clear DNS resolver cache |
| Stop-Process.ps1 | Kill stuck or unresponsive processes |
| Run-Executable.ps1 | Run any program or installer as SYSTEM |
# Deploy a template directly
New-InvTask -TaskName 'Restart-Spooler' `
-AllowedPrincipals 'DOMAIN\HelpDesk' `
-PayloadSourcePath '.\Templates\Restart-Service.ps1'
# Edit the deployed script to set your service name
notepad 'C:\Program Files\InvokeSystems\Tasks\Restart-Spooler\Restart-Spooler-Payload.ps1'
# Update the hash after editing
Update-InvTask -TaskName 'Restart-Spooler'
Create a Task with Existing Script
New-InvTask -TaskName 'Daily Cleanup' -AllowedPrincipals 'DOMAIN\HelpDesk' -PayloadSourcePath 'C:\Scripts\Cleanup.ps1'
Create a Skeleton Task (Edit Later)
# Step 1: Create task with template script
New-InvTask -TaskName 'My Task' -AllowedPrincipals 'DOMAIN\HelpDesk'
# Step 2: Edit the script at C:\Program Files\InvokeSystems\Tasks\My-Task\My-Task-Payload.ps1
# Step 3: Update the hash after editing
Update-InvTask -TaskName 'My Task'
# Step 4: Run the task
Invoke-InvTask -TaskName 'My Task'
Manage Principals
# View current principals
Get-InvTaskPrincipal -TaskName 'My Task'
# Add a user
Set-InvTaskPrincipal -TaskName 'My Task' -Add 'DOMAIN\NewUser'
# Remove a user
Set-InvTaskPrincipal -TaskName 'My Task' -Remove 'DOMAIN\FormerEmployee'
# Replace all principals
Set-InvTaskPrincipal -TaskName 'My Task' -Replace @('DOMAIN\NewTeam')
Remove a Task
# Remove task and script files (keeps logs)
Remove-InvTask -TaskName 'My Task'
# Remove task but keep script files
Remove-InvTask -TaskName 'My Task' -KeepFiles
# Remove everything including logs
Remove-InvTask -TaskName 'My Task' -KeepLogs:$false
Configuration
Copy config.sample.ps1 to config.ps1 and customize:
cp config.sample.ps1 config.ps1
notepad config.ps1
# config.ps1
$script:OrgName = 'MyCompany' # Your organization name
$script:EnableEventLogByDefault = $true # Event logging on by default
All paths derive from $script:OrgName automatically. The module warns on import if config.ps1 is missing.
File Structure
C:\Program Files\InvokeSystems\
├── Tasks\
│   └── My-Task\
│       ├── My-Task-Payload.ps1
│       └── My-Task-Verification.ps1
└── Logs\
    └── My-Task.log
Security Model
- Task runs as SYSTEM - Full privileges for the operation
- Hash verification - Payload script integrity checked before execution
- Restricted triggers - Only designated users can start the task
- File ACLs - Task files protected from modification
- Audit logging - All executions logged with timestamps
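Because the payload runs as SYSTEM, the file ACL guarantee is worth checking independently of the module. The following audit is an added example, not part of InvokeSystems.RestrictedTask; the function name `Get-InvTaskWritableAce`, the trusted-principal list and the default root (the path shown in this README) are assumptions.

```powershell
# Added example, not part of the module. The default root is the path shown in this
# README; it derives from $script:OrgName, so pass -TaskRoot if yours differs.
function Get-InvTaskWritableAce {
    param([string]$TaskRoot = (Join-Path $env:ProgramFiles 'InvokeSystems\Tasks'))

    # Principals expected to hold write access (assumption: adjust for your estate).
    $trustedSids = @(
        'S-1-5-18',      # NT AUTHORITY\SYSTEM
        'S-1-5-32-544',  # BUILTIN\Administrators
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
    )

    # Rights that allow changing content, replacing the file, or rewriting its ACL.
    $r = [System.Security.AccessControl.FileSystemRights]
    $writeMask = [int]($r::WriteData -bor $r::AppendData -bor $r::Delete -bor
        $r::DeleteSubdirectoriesAndFiles -bor $r::ChangePermissions -bor $r::TakeOwnership)
    $writeMask = $writeMask -bor 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    $sidType = [System.Security.Principal.SecurityIdentifier]

    $items = @(Get-Item -LiteralPath $TaskRoot -ErrorAction Stop) +
             @(Get-ChildItem -LiteralPath $TaskRoot -Recurse -Force)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Inherit-only ACEs do not apply to this object; children are checked on their own.
            if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
            if ($trustedSids -contains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }

            # Resolve the SID to a name where possible; orphaned SIDs stay as SIDs.
            try { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = $ace.IdentityReference.Value }
            [pscustomobject]@{
                Path      = $item.FullName
                Identity  = $name
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-InvTaskWritableAce | Format-Table -AutoSize -Wrap
```

An empty result means no principal outside the trusted list can modify the payload or verification scripts; any row returned is a path that needs its ACL reviewed.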
Event Log
Events are written to the Application log (source: InvokeSystems-Task):
Get-EventLog -LogName Application -Source 'InvokeSystems-Task' -Newest 20
| Event ID | Description |
|---|---|
| 1000 | Task started |
| 1001 | Task completed successfully |
| 1002 | Task completed with failures |
| 9001 | Hash verification failed (security alert) |
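`Get-EventLog` exists only in Windows PowerShell 5.1, so on PowerShell 7.x the same events have to be read with `Get-WinEvent`. The query below is an added example, not part of the module; it uses the source name and event IDs from the table above, and the function name `Get-InvTaskAlert` is an assumption.

```powershell
# Added example, not part of the module. Source name and event IDs are the ones
# listed in this README; works on Windows PowerShell 5.1 and PowerShell 7.x.
function Get-InvTaskAlert {
    param(
        [datetime]$Since = (Get-Date).AddDays(-1),
        [string]$Source = 'InvokeSystems-Task'
    )

    $filter = @{
        LogName      = 'Application'
        ProviderName = $Source
        Id           = 9001, 1002   # hash verification failed, completed with failures
        StartTime    = $Since
    }

    # Get-WinEvent raises an error when nothing matches; treat only that case as empty
    # and let real problems (unknown provider, access denied) surface.
    try {
        $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
    }
    catch {
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') { throw }
        $events = @()
    }

    foreach ($e in $events) {
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Computer    = $e.MachineName
            EventId     = $e.Id
            Severity    = if ($e.Id -eq 9001) { 'SecurityAlert' } else { 'Failure' }
            Message     = $e.Message
        }
    }
}

Get-InvTaskAlert -Since (Get-Date).AddHours(-24) | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap
```

A 9001 row means the payload on disk no longer matches the hash recorded at `New-InvTask` or `Update-InvTask` time, so check whether an administrator edited the script without re-hashing before treating it as tampering.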
Requirements
- Windows PowerShell 5.1 or PowerShell 7.x
- Administrator rights (for task creation)
- Windows Task Scheduler service running