Running from the Windows Task Scheduler

I’ve been struggling to get Restic running on Windows, using the Task Scheduler to automatically run periodic backups, but so far without luck. It looks like others have backups running on Windows, presumably also using some kind of scheduler. Can you share how you set this up?

Here’s what I’ve ran into so far:

• Running a backup manually from the terminal seems to work with an SFTP target (openssh was previously installed, I suspect it is using that). I haven’t run a full backup yet, and I get a ton of “in use” errors, AFAIU this would need a VSS snapshot to work. I found a [powershell script] (http:github.com/restic/restic/issues/340#issuecomment-307636386) for this, and the [DiskShadow script interpreter] (https:docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc772172(v%3dws.11)) also looks promising. I remember reading about a utility that (looked like it) offers a single binary to wrap a backup run (e.g. call vsssomething.exe restic backup ...). I can’t quite find it anymore, though.
• Creating a task that should run restic as the SYSTEM user would, when manually triggered from the commandline, do nothing at all. After figuring out how to enable task history (in the right panel of the main Task Scheduler window), I could see a small log in the task properties window. This showed a failure, without any useful error message.
• I found this post suggesting that the scheduler would only work for users with the “Log On As Batch Job” group policy permission. Switching to a newly created “Restic” user added to the “Backup Operators” group (which seemed appropriate and has this permission) removed the error, but still nothing happened. If this is really required, why did the error message not tell me (or even more, why did the GUI not tell me when I selected the user?)…
• I could not figure out how to get log output from a background task. I tried wrapping restic in a cmd script that redirects to a logfile and run that instead, but I could not get the log file to appear when run from the task scheduler (worked fine running manually). There might be permission problems here, even though I think I had the permissions ok.
• I put the restic binary, as well as the cache, SSH key and password file in C:\Program Files\Restic, which seemed to make sense. I’ve struggled with permissions on that directory, though. At one point the “Effective permissions” GUI said my “Restic” user had Full Control, but a terminal running as that user (started with runas /user:Restic cmd) could not create a file in that directory. I now wonder if this was related to UAC (running in low privilege mode) or something.
• I’ve fiddled with the “Run with highest privileges” checkbox a bit. It seemed good to have that turned on, but I switched it off when things were not working (thinking it might not succeed in getting more privileges). I’ve later learned that this checkbox is applicable to regular users with admin access and matches the “Run as administrator” GUI element you normally have. See this post. Now, I think this checkbox should just be checked, I do not think it will hurt if it does not apply.
• I’ve got no idea where to start debugging when the “history” tab shows no errors, but things are not working. I’m even wondering if the builtin Task Scheduler is even the right tool here?

So, I’m wondering how other have set this up. I’m usually more of a Linux guy (settings this up on Windows for a friend), so I’m also interested in best practices wrt file locations, permissions, etc.

(some links in this post are intentionally broken, since new users can only post 2 links…)

So far I have only used the Task Scheduler to create tasks running as the current user to backup my own data files. And only when logged in.

My conditions:

• at 6am (or whenever conditions are first met)
• when logged in
• when on AC power (is a laptop)
• not when the previous run is still active

I believe if you want to save the output then you need to write it to a file yourself or send yourself an email. At the moment I am just executing restic directly.

I built restic from source after installing Go so my restic binary was in Go\bin\restic.exe in my home directory.

I am hoping that @matt will appear before too long with his commercial wrapper for restic and fixes all our issues and is at a price I am willing to pay. @matt, I am still available as an early tester and am able to write up detailed bug reports and feedback.

I’m starting restic from the task scheduler with a batch script to simplify things and add a timestamp to the logfile. Owner of the restic binary is my local user (with admin privileges), and the binary is located at:
C:\Program Files\restic\restic.exe

The batch script is located in my users home directory and looks something like this:

REM %HOMEPATH%\restic\restic-backup.bat

@echo off

set YEARMONTH=%DATE:~6,4%-%DATE:~3,2%
set DATETIME=%DATE:~6,4%-%DATE:~3,2%-%DATE:~0,2% %TIME:~0,2%:%TIME:~3,2%:%TIME:~6,2%
set LOGFILE=%HOMEPATH%\restic\restic-backup_%YEARMONTH%.log

echo ------>> %LOGFILE%
echo Date/Time: %DATETIME% >> %LOGFILE%
restic -r rclone:repo-name:/restic -p %HOMEPATH%\restic\restic-password.txt backup --tag tagname --exclude-caches --exclude-file=%HOMEPATH%\restic\restic-excludes.txt D:\Data >> %LOGFILE%
echo ------>> %LOGFILE%

The task scheduler runs daily with local user privileges and even when no user is logged in. Note, that I’m not backing up any system files. That’s why I didn’t mess with user privileges (which I’m too stupid to understand anyways).

What’s missing is some notification in case of an error. I know in theory how this can be done but was too lazy to test it.

Thanks Wayne – do you want to help us test on Windows this or next week? I’ll send you a DM in a bit.

You shouldn’t need any special privileges to run restic via Task Scheduler. Are you backing up to/from network drives? This could cause remote authentication problems.

Sounds like you need to go back to basics and start with the error codes you’re getting (Last Run Result column in Task Scheduler) and find out what they mean; diagnose before trying to repair. Run the task with a user account that is a member of the Administrators group. Try “Enable All Tasks History” in the Task Manager right-hand sidebar, then look into the task’s History tab.

Run Sysinternals’ Process Monitor and set a filter with “Process and thread activity” and “File System Activity” the only Activities set, then set it running and “Run” from the Task Scheduler context menu. See exactly what’s going on, when it fails and why.

n.b. when I tested backing up VSS shadow copies I found that restic cannot restore them due to a bug.

I’ve had success with the linked powershell script in creating volume shadow copies and back up with restic. My restore tests were also successful. It’s quite straightforward.

I’m with @ProactiveServices that special permissions shouldn’t be necessary, as long as the logged-in user is in the admin group, and the scheduled task is run with highest privileges.

I don’t recommend putting all restic files in C:\Program Files\.
This directory is supposed to be read-only (except during installation), which explains your permission problems. Application data is typically written to one of
%AppData% (user specific)
%LocalAppData% (user specific)
%ProgramData% (machine wide)
Actually, the default location that restic uses is already good enough. Is there any reason you want to use a custom location?

Thanks for all your comments. That gives me some context for having another try soon.

You shouldn’t need any special privileges to run restic via Task Scheduler. Are you backing up to/from network drives? This could cause remote authentication problems.

I was thinking it should not run as a non-privileged user, but I guess I forgot that a normal user is actually privileged on Windows (e.g. in the Administrators group), just not by default. Checking the “highes privileges” checkbox should indeed work just fine.

Actually, the default location that restic uses is already good enough. Is there any reason you want to use a custom location?

At one point I put the cache there, since that would possibly allow running restic from different users manually than in the Task Scheduler. Probably a bad idea, of course, but I don’t think I actually got far enough to make this a problem.

I don’t recommend putting all restic files in C:\Program Files\ .

Would putting the binary and config files (password, excludes) there make sense, just not the cache? Or would you put all of this in a user-specific dir?

The binary can either stay in C:\Program Files or be moved to %AppData%, both are fine.

Anything that might change during normal use of the program typically shouldn’t be in C:\Program Files. So both config files and cache should move out. They can be put in either a user specific directory (%AppData% or %LocalAppData%) or a system wide fixed directory (%ProgramData%), although a user specific directory should give you the least amount of troubles regarding permissions.

@ProactiveServices does this bug still exist? Was it captured anywhere in a GitHub issue?