I do not recall seeing a way to configure AlwaysUp to run a batch file once a day and not bother about trying to keep the batch file always running.
Did I miss a configuration setting that lets me run a batch file once a day and not restart it when it finishes, until the next scheduled time?
— RF
Hi RF, thanks for getting in touch.
Yes — AlwaysUp can definitely help you run your batch file reliably each day. Here’s how to put that in place.
Step 1: Install your batch file as a 24/7 Windows Service with AlwaysUp
The first thing to do it to install your batch file in AlwaysUp. Our easy to use Application Advisor will help you get you set up in a few minutes.
Please:
In AlwaysUp, click the “magic wand” icon () on the toolbar to launch the Application Advisor.
Advance past the welcome page, choose Batch file from the list of applications, and click Next to proceed:
Enter the full path to your batch file:
Next, enter the password for your Windows account:
Step through the rest of the process and click the Save button to add your batch file to AlwaysUp.
At this point, you have installed a batch file that AlwaysUp will run 24/7 — automatically restarting it if it ever stops for any reason. But that’s not what you want, right? Not to worry — we’ll address that overzealousness in the next step.
Step 2: Adjust your batch file to run once per day, at a set time
AlwaysUp features basic (but convenient) scheduling that allows customers to run programs periodically. You can find the relevant controls on the Restart tab when configuring your application.
To run your batch file once daily — say, at 7 AM, before you get into the office:
Edit your application in AlwaysUp (by selecting Edit/View Application from the Application menu).
Switch to the Restart tab.
Select the Not immediately, but option, select At and enter the time to run your batch file (7 AM):
Save your settings.
Going forward, AlwaysUp will now launch your batch file at 7 every morning.
One more consideration: Should your batch file run immediately when your AlwaysUp service starts?
If your goal is to run your batch file only at 7 AM, we actually have a bit more work to do. Let me explain.
As you probably know, AlwaysUp installed a Windows Service to manage your batch file. That service is will ensure that your batch file runs every morning at 7. But there’s one more time when the service will run your batch file: when the service starts.
For example, let’s say that your server reboots at 4:30 AM. Here’s what would happen:
4:31 AM: Windows starts your AlwaysUp batch file Windows Service.
4:31 AM: The AlwaysUp service starts your batch file.
4:36 AM: Your batch file exits (it ran for 5 minutes).
4:36 AM: The AlwaysUp service notices that your batch file has exited. It queues up the next run for today at 7 AM.
7:00 AM: The AlwaysUp service starts your batch file.
7:05 AM: Your batch file exits (it ran for 5 minutes).
7:05 AM: The AlwaysUp service notices that your batch file has exited. It queues up the next run for tomorrow at 7 AM.
So the question for you is: Is it OK for AlwaysUp to run your batch file when the service starts? Those extra, unscheduled runs can happen at any time — not only at 7 AM.
How to avoid unscheduled runs when the AlwaysUp service starts
If those additional, irregular invocations are unacceptable, then you must make one more change.
Edit your entry in AlwaysUp, return to the Restart tab and check the This delay applies to the first run as well box:
With that change in place, here’s what would happen at our hypothetical reboot at 4:30 AM:
4:31 AM: Windows starts your AlwaysUp batch file Windows Service.
4:31 AM: The AlwaysUp service schedules your batch file to run at 7 AM.
7:00 AM: The AlwaysUp service starts your batch file.
7:05 AM: Your batch file exits (it ran for 5 minutes).
7:05 AM: The AlwaysUp service notices that your batch file has exited. It queues up the next run for tomorrow at 7 AM.
As you can see, the extra run at 4:31 AM wouldn’t happen.
After months of coding and testing, our team published AlwaysUp version 15.5 on October 4, 2024.
Version 15.5 makes it easy to install your PowerShell scripts as services. Beyond that, it delivers timely fixes and improvements to address real-world issues faced by our customers. Indeed, this work is all part of our ongoing commitment to making sure that AlwaysUp runs your applications so smoothly that you forget it’s even there. 🙂
Let’s dig into the details.
Install your PowerShell script as a Windows Service, with ease
We’re pleased to announce that the easy-to-use Application Advisor now supports PowerShell scripts!
To use this new feature, start the Application Advisor (by selecting Application > Advisor from the menu) and choosing PowerShell from the list of applications:
Afterwards, AlwaysUp will ask you to pinpoint the PowerShell script you’d like to run as a service:
Click Next and follow the straightforward prompts to complete the process. In a few seconds, you’ll have a new Windows Service that starts your PowerShell script at boot and runs it continuously in the background.
When installing OneDrive with the Application Advisor, we no longer recommend stopping OneDrive by running the executable with the “/shutdown” flag. It turns out that running that command could lead to an ill-timed (and lengthy) automatic update — just when you want the program to quit quickly.
So with that understanding, it’s best for AlwaysUp to close OneDrive by sending it the standard WM_CLOSE message — as it does for other applications. If you have an existing OneDrive configuration that uses the custom stop command (“OneDrive.exe /shutdown”), please feel free to remove it.
Even though it’s running in the background and you can’t see it, OneDrive may occasionally try to get your attention. And when that happens, OneDrive will probably be stuck, not synchronizing your files.
AlwaysUp 15.5 will try to inform you whenever OneDrive is waiting for your input. For example, if OneDrive forgets your credentials and would like you to sign in again, you may see this message in the activity window:
We’ll continue to improve this kind of detection in future releases — and automatically take action whenever it makes sense.
Other fixes & improvements
AlwaysUp now launches the sanity check on the interactive desktop, to satisfy programs like cscript that won’t run on a non-interactive desktop.
AlwaysUp will wait a bit longer (45 seconds instead of 30) when stopping a Windows Service. This may be impactful if you have a service that takes a while to stop.
The application diagnostics that AlwaysUp collects now includes domain and role information. Those extra details will help us identify and troubleshoot account-related problems.
As usual, please review the release notes for the full list of features, fixes and improvements included in AlwaysUp version 14.5.
Upgrading to AlwaysUp 15.5
If you purchased AlwaysUp version 14 (after November 2022), you can upgrade to version 15.5 for free. Simply download and install “over the top” to preserve your existing applications and all settings. Your registration code will continue to work as well.
If you bought AlwaysUp version 13 or earlier (before November 2022), you will need to upgrade to use version 15.5. Consequently, please purchase upgrades here — at a 50% discount.
How do I run my application in a normal user account with AlwaysUp?
Most Windows Services run in the powerful LocalSystem account. And that’s the default account used by AlwaysUp when you install your application as a service.
Indeed, you can see that preference on the Logon tab when adding your application in AlwaysUp:
As the instructions say, simply leave the checkbox at the top unchecked and Windows will run your application in the LocalSystem account.
However, if the LocalSystem account isn’t appropriate and you’d like to run your program a different account, you must override the default and specify the credentials for another account. You’ll have to enter a user name and its corresponding password:
Why not run in the LocalSystem account?
We’ve identified a couple of reasons why you may want to avoid the LocalSystem account.
Reason #1: Your application may fail outside of the account where it was installed
Many applications run in the LocalSystem account just fine. They start normally and do what they’re supposed to do, without any problems.
But some programs won’t work as LocalSystem for one simple reason: they were never installed in that account.
You see, when you install an application, it may do a lot more than simply copy its files to your hard drive. In fact, there’s a good chance that it will update your system in one or more of these ways:
Save important information in the Windows Registry. For example, it could record an account number under your personal HKEY_CURRENT_USER key.
Create or update environment variables with crucial configuration details. For example, it could append a folder to your PATH variable, to dictate what programs you can run.
Map a network drive, perhaps to give you access to a repository in the cloud.
The trouble is that those changes may only be visible to the person who installed the software. And when you start the software in a different account, it fails because it can’t find those essential settings.
In summary, if your application’s configuration is tied to the user who installed it, that application won’t function properly as LocalSystem. It’s best to run that program in the account where you installed it.
Reason #2: You may improve security by using a less powerful account
LocalSystem is a mighty, administrative user with full control over your computer. An application running in that account can do almost anything it likes.
While that arrangement may be convenient, what happens if the application is compromised by a security attack? Or if it contains a bug that wreaks havoc by deleting system files?
To remove those undesirable possibilities from the table, you should run your application in a normal user account, with ordinary permissions. Doing so will constrain your application, ensuring that it’s limited by the access rights and privileges associated with the account. In that way, your program won’t be able to do maximum damage if an attacker takes control.
Will AlwaysUp accept a domain account?
Yes, you can enter a domain account on the Logon tab. Simply provide the full user name, with the domain.
Note that AlwaysUp supports user names in the two main formats used by Windows. You can enter a down-level logon name (such as DOMAIN\UserName) or a user principal name (like UserName@example.company.com).
And if you rather not type, you can click the … button to the right of the User name field and select the user from the appropriate location:
Are Microsoft Entra ID/Azure Active Directory accounts supported?
Well, you can certainly specify an Entra ID/Azure AD account on the Logon tab. But, unfortunately, your service may not be able to start with those credentials.
While we’ve not been able to reproduce the problem ourselves, a few customers using Azure AD have reported that AlwaysUp failed to start their service and consistently returned a puzzling error:
The message clearly implies that Entra/Azure AD has a dependency on one or more Windows Services. However, the service has no dependencies and Microsoft has not documented any implicit relationships either. A head-scratching situation, to say the least.
Note that the dependency problem has nothing to do with AlwaysUp. In fact, the folks who encountered the issue got the same error when they used the Azure AD account with any Windows Service — without AlwaysUp involved. It’s an Azure AD account thing.
What happens to my AlwaysUp application/service if the account’s password changes?
If you change your password, your AlwaysUp application/service will continue to run normally. Windows won’t stop or interrupt it in any way.
However, once the service stops, you won’t be able to start it again. Windows won’t be able to launch it at boot either.
AlwaysUp will report a logon failure, like this:
While the built-in Services application will throw Error 1069:
And, unsurprisingly, the NET START command will also fail, citing Error 1069:
You’ll have to edit your application in AlwaysUp and supply the new password to fix the problem. Once you do that, AlwaysUp, Services and NET.EXE won’t have any trouble starting the service.
Please keep that in mind for the next time you update your password!
Posted onSeptember 12, 2024 (Revised October 20, 2024)
Recently, customers using AlwaysUp to run OneDrive 24/7 have been reporting a puzzling problem. Even though OneDrive starts as a Windows Service in Session 0, it doesn’t do its job. Files aren’t synchronized and AlwaysUp reports that “OneDrive has no network connections to the cloud”.
Our team jumped in quickly to investigate. Here’s what we’ve learned so far:
The problem seems to be related to newer builds of OneDrive (or a recent Windows update) published after June 2024.
The issue affects customers on Windows Server 2019 and 2022. To date, all the complaints have come from folks running those operating systems.
Not all customers on Windows Server are affected. Some customers on Server 2019 and 2022 continue to run OneDrive in the background just fine.
We’ve not been able to reproduce the network failures. Indeed, OneDrive will run continuously in Session 0 on our Windows Server machines, syncing files for many days:
OneDrive fails only in Session 0. If you start OneDrive in your current session (by selecting “Start in this session” from the “Application” menu), files are synchronized without issue.
Troubleshooting the problem
OneDrive is notoriously difficult to debug. The reality is that Microsoft doesn’t provide any documentation or insight on the inner workings of its flagship file synchronization software. And the sparse release notes aren’t helpful either.
That lack of guidance leaves small, independent developers like us scrambling to understand how the OneDrive works — and trying desperately to figure out exactly what’s changed as the developers in Redmond tinker with the software.
At this point, the technical log files are our primary source of inspiration. Fortunately we were able to examine the files provided by a couple of customers.
A few clues from OneDrive’s log files
One of the log files we examined suggested that OneDrive has trouble automatically signing in when running in Session 0.
From what we can tell, OneDrive tries to log in by calling AcquireCredentialSilently — a function that attempts to authenticate the user. Apparently an appropriate token is found but it needs to be refreshed. And eventually, the function fails without finding credentials in the cache.
This excerpt from the OneDrive logs tells the story:
But we only saw that behavior a couple of times. And unfortunately we don’t yet know how to remedy those authentication problems.
We need your help!
Since OneDrive works perfectly in Session 0 on our servers, we must depend on the benevolence of our knowledgeable customer base to help us troubleshoot. Indeed, here are the top three ways that you can help us figure out the best way forward.
1. Try early, “Insider” releases of OneDrive
Our fervent hope is that Microsoft fixes the problem in their code and restores OneDrive functionality in Session 0. That would be the best outcome for us all.
You see, Microsoft produces an updated version of OneDrive every few days. And you can find those new builds at Hans Brender’s site:
Those “Insider” versions are early, hot off the press releases. They contain the latest changes from Microsoft, which are destined to make it into a “Production Ring” release and ultimately deployed to everyone.
Maybe we’ll get lucky and the logs will highlight how things are failing on your system — and point our development team in the right direction.
3. Allow us to connect to your server remotely to troubleshoot
Experiencing the problem firsthand — and being able to try potential solutions — gives us an excellent opportunity to devise a solution.
If you can, please arrange for someone from our team to access your server remotely. We’re happy to work at a time of your choosing and under your supervision — whatever’s convenient for you.
We’re generally available between 9 AM and 4 PM US Pacific time (GMT-7/8). Contact us here.
A workaround: Setup automatic logon to launch OneDrive in a normal, interactive session
In all our tests, OneDrive works perfectly when it runs in a normal login session. Indeed, if you start OneDrive in your current session (by selecting “Start in this session” from the “Application” menu) from AlwaysUp, your files will be synchronized quickly and completely.
With that adjustment in place, OneDrive will start properly at boot and you won’t have to deal with the peculiarities of the isolated Session 0 anymore. Most importantly, you can stop worrying about OneDrive — and move on to tackle your next, pressing dilemma. 😕
Posted onAugust 6, 2024 (Revised November 11, 2024)
We’ve been deploying AlwaysUp with our products for years. We use it to run as services, many small programs we have developed as simple “stay in the tray area” windows applications.
But lately, my co-workers have been criticizing that approach. They say that what AlwaysUp does is “dirty” because “Windows Services should not have any user interface”. They are afraid that one day Microsoft will want to enforce this by making it impossible to run any application that tries to open a user interface as a service. And then AlwaysUp wouldn’t work for our programs.
Do you think this true or are my colleagues mistaken?
By the way, I’m kinda reluctant to convert all our small programs — developed in Delphi — to proper services because debugging a Windows Service in Delphi is a huge pain and very rarely works (no matter what Embarcadero says). Thanks for creating a pragmatic alternative!
— Carlo
Hi Carlo, thanks for reaching out.
Your colleagues are mostly right when they say “Windows Services should not have any user interface”. Indeed, that’s very common advice given to developers constructing services today.
But in reality, that statement is overly restrictive and misses the mark. A careful reading of Microsoft’s technical articles and documents reveals that interfaces alone aren’t bad. And Microsoft’s actual advice to those developing services is “don’t design a Windows Service that must interact directly with a logged-in user”.
And, in light of that more accurate statement, you’ll be happy to know that there’s no indication that Microsoft will ever prohibit a Windows service from creating an interface. It simply won’t happen.
Let’s dive into the details to understand why.
What are the problems with a Service having a UI?
Back in the ancient days of Windows XP, Microsoft was happy for any Windows Service to present a user interface. It was even encouraged and many, many applications took advantage of that convenient design.
You see, Windows Services run in Session 0 — the session created when your PC boots. And because of that, all windows created by a service show up in Session 0. That’s always been the case — and remains so today.
In XP and before, the user logging in to the console would also be assigned to Session 0. All their desktop applications would run in that shared session too. As a consequence, that user would see any windows created by a service alongside his own, running on his desktop. This picture from Microsoft’s blog illustrates the arrangement:
Unfortunately, that lax architecture created a couple of problems.
Problem #1: Support for multiple simultaneous logins complicated interactive services
The visibility of interactive services was clear when only a single user could log in to Windows. The user who logs in could see any UI elements the services created.
But with the advent of Fast User Switching — where multiple people can log into a PC simultaneously — the situation became murky. Important considerations like these arose:
Why does a service’s UI only show up for only one person at a time?
Why can’t everyone logged in see the windows from an interactive service?
How can we make sure that the “right” user sees the service’s windows?
Unfortunately, there were no good answers for those questions. And as a result, we had strike one against interactive services on modern computers.
Problem #2: Mixing services and regular programs invites misbehavior
Second, and more importantly, the issue of security came to the forefront.
As mentioned before, Windows Services and all the programs launched by the first logged-in user would run in the same session (Session 0). But as it turns out, there are serious shortcomings of that architecture!
In “Exploiting design flaws in the Win32 API for privilege escalation”, Kristin Paget showed how a normal user could gain powerful admin rights by exploiting a Windows Service running interactively on his desktop. The attack was straightforward and Paget easily demonstrated how a virus lurking in an untrusted application could gain full access over your PC and create chaos. Ouch!
After initially downplaying the situation, Microsoft admitted that its flagship operating system was vulnerable. They moved quickly to patch it. And sure enough, the next version of Windows (Vista) eliminated the problem.
Microsoft solved both problems by isolating Session 0
The folks in Redmond negated both the interface and security problems in one fell swoop — by locking down access to Session 0. In no subtle terms, they pledged to reserve Session 0 for Windows Services and prohibit users from logging into that protected area.
In a nutshell, there would be no mixing of secure services and regular, potentially insecure applications in the same session. Services would run in Session 0 and user initiated programs would run in Session 1 and higher.
And with isolation in place, all talk of a service showing a UI has been rendered moot because no user would be able to see that UI.
Kudos to Microsoft for addressing both problems in a simple and effective way!
But Microsoft chose not to outlaw interactive services
Despite all the adjustments, it’s important to note that Microsoft didn’t plug the security hole by preventing a Windows Service from creating a UI.
Even though enforcing such a restriction would have disarmed Paget’s shatter attack, it wouldn’t have addressed the root problem — the dangerous mixing of highly privileged services and untrusted programs in the same security context.
It’s clear that if that risky co-mingling was allowed to persist, it would only be a matter of time before unscrupulous characters found another way to break in to powerful services running in the same session. So Microsoft focused on that problem.
Indeed, the engineers realized the truth — that interactive services pose no danger once they’re protected from untrusted code.
Today, Microsoft has no compelling reason to prevent a Windows Service from having a UI
With the security holes plugged and application developers no longer having to wrestle with the complexities that stem from visually interactive services, Microsoft has zero incentive to prevent services from creating UI elements. There is simply no upside for them.
On the other hand there is tremendous downside from shackling services in that way. Without a doubt, many of today’s services would break, thereby causing unnecessary nightmares for Microsoft and the thousands of independent programmers who’ve written services for the platform.
Furthermore:
All the documentation for Win32 GUI functions would need to be updated to signal that they don’t work in services or Session 0;
Programmers would face increasing complexity, forever burdened with having to understand where API functions work and where they don’t;
New API-level error codes would need to be introduced to signal when the new UI restrictions were violated.
In summary, it would be a significant undertaking to prevent services from creating a UI. And to what end?
Yes, Microsoft is far from perfect. The 2024 CrowdStrike outage reminded us of that. But they’re certainly smart enough to avoid intentionally shooting themselves in the foot for no good reason, which crippling Windows Services would surely do.