# New-ElevatedTask.ps1
# <summary>Creates a new "On Demand Only" scheduled task to run an "Elevated" application on Vista</summary>
# <remarks>This MUST be run from an elevated prompt, so by default it just uses the current user ID</remarks>
param(
    $application
  , $arguments = ""
  , $startIn = $(Split-Path $application)
  , $friendlyName = $(Split-Path $application -leaf)
  , $taskname = $("Elevated $friendlyName")
  , $user=$null
  , $password = $null
  , [System.Management.Automation.PSCredential]$credential = $null
  )
  
$xml = @"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2007-09-20T09:32:26.3036</Date>
    <Author>{4}</Author>
    <Description>Run {0} "As Administrator"</Description>
  </RegistrationInfo>
  <Triggers />
  <Principals>
    <Principal id="Author">
      <UserId>{4}</UserId>
      <LogonType>{5}</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <IdleSettings>
      <Duration>PT10M</Duration>
      <WaitTimeout>PT1H</WaitTimeout>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>{1}</Command>
      <Arguments>{2}</Arguments>
      <WorkingDirectory>{3}</WorkingDirectory>
    </Exec>
  </Actions>
</Task>
"@ 

$xFile = "$([IO.Path]::GetTempFileName())"

# if they specify a user name, assume they want to do password authentication
if($user -ne $null -and $password -ne $null)  {
  $xml -f $friendlyName, $application, $arguments, $startin, $user, "Password" | set-content $xFile
  C:\Windows\system32\schtasks.exe /Create /XML $xFile /TN $taskname /RU $user /RP $password

  # if they didn't include a password, prompt them for one ...
} elseif($user -ne $null -and $password -eq $null)  {
  $xml -f $friendlyName, $application, $arguments, $startin, $user, "Password" | set-content $xFile
  C:\Windows\system32\schtasks.exe /Create /XML $xFile /TN $taskname /RU $user /RP

  # if they supplied credentials instead, use that
} elseif($credential -ne $null) {
  $xml -f $friendlyName, $application, $arguments, $startin, $user, "Password" | set-content $xFile

  $BSTR = [System.Runtime.InteropServices.marshal]::SecureStringToBSTR($credential.Password);
  C:\Windows\system32\schtasks.exe /Create /XML $xFile /TN $taskname /RU $credential.UserName /RP ([System.Runtime.InteropServices.marshal]::PtrToStringAuto($BSTR))
  [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($BSTR);

} else {
  # if they suppplied neither user nor credentials, lets assume they want the "current" user
    $user = ([Security.Principal.WindowsIdentity]::GetCurrent().Name)

  # if they passed a password, use that
  if($password -ne $null) {
    $xml -f $friendlyName, $application, $arguments, $startin, $user, "Password" | set-content $xFile
    C:\Windows\system32\schtasks.exe /Create /XML $xFile /TN $taskname /RU $user /RP $password
  
  # otherwise, there are no special credentials needed, "Interactive" means only "this" user can run it.
  } else {
    $xml -f $friendlyName, $application, $arguments, $startin, $user, "InteractiveToken" | set-content $xFile
    C:\Windows\system32\schtasks.exe /Create /XML $xFile /TN $taskname
  }
}