Run script on Windows Container as administrator - windows

I am writing a Dockerfile on top of mcr.microsoft.com/windows/servercore which is supposed to run a script in administrator mode and then start CMD. The CMD shell should not be elevated. How do I achieve the same?
If I add USER ContainerAdministrator to my Dockerfile, the first script is run without any issues but the CMD shell is then elevated.
The other option might have been to use USER ContainerAdministrator and then spawn CMD with runas /user:ContainerUser, but runas needs password to be entered via a prompt (or using /savecred but that won't work here), so it's not possible either.
Thanks in advance!

Related

Run bat file at lower privilege level

I have a script which has to run from an administrator level powershell/cmd prompt
Why? Because it has to use logman to get windows counters
Problem: The software for which I want to log the windows counters for has to be started with regular user level rights.
I've seen that there are lots of examples on how to run as Administrator
I don't see any on running as Regular User
Launch exe file
Start Logman (Admin level)
Run Bat File to Open Program
Bat File should run with regular user level priv's
I had a look at using RUNAS but that requires password entry, which I don't want.
Is there some other way on windows to delevate?
you could use psexec
psexec -l powershell.exe -executionpolicy unrestricted -noexit -file c:\temp\checkelevated.ps1
-l : Run process as limited user (strips the Administrators group and allows only privileges assigned to the Users group). On Windows Vista the process runs with Low Integrity.

Runas savecred resets after each login

I have a program set to launch automatically via a runas savecred command and would like to make it so that it doesn't prompt me for the password for each login
On Windows 10, I have a command shortcut in startup to launch a program as a different user than I am logging into the computer with. With the runas savecred switch, it still prompts for the password at each login in the commmand prompt
C:\Windows\System32\runas.exe /savecred /user:DOMAIN\USERNAME "mmc %windir%\system32\dsa.msc"
I would like for it to simply launch the application every time I log into windows. It currently prompts me for the password when the command runs. Does the savecred credentials get deleted when you log out of Windows?
This is old, but try adding /persistent:yes

Windows: Batch File: Only Run as Administrator

I have a batch file to start an application as a Windows service. It is called start.bat
#ECHO off
START c:\Ruby193\bin\ruby c:\Ruby193\bin\thin start -R c:\coolapp\config.ru -p 4321 -a localhost -e production
My challenge is that this program only runs properly if it is "Run as Administrator" with admin privileges. So, I would like to add a line to check if this script is actually run with administrative privileges, and only execute if it is being run as administrator.
How can I do that from within the script?
Something like this might be what you need:
set isadmin=0
whoami /all | findstr /c:" S-1-16-12288 ">nul && set isadmin=1
That should result in the %isadmin% variable being either 1 or 0 depending on whether the shell was run as administrator or not.
This assumes the existance of the whoami utility which won't necessarily be available on older versions of Windows - I believe it was included from Windows Vista onwards though.
Two options:
Provoke elevation from a WSH script, like documented in the blog post Scripting Elevation on Vista.
Use an external executable that provokes the UAC prompt, such as Elevate32.exe/Elevate64.exe.
For your scenario, #2 may be preferable because you can detect whether the elevation prompt was canceled (exit code 1223) and you can also wait for the launched executable to finish before continuing (-w parameter).
Bill
It would probably be easier to convert the script to VBScript, then you can more easily check for Admin privileges and even elevate the script to Admin.
See here for how to do the check in VBScript: VBScript: Check if the script has administrative permissions

How do I run a shell command inside a rake task as administrator?

I have a short .cmd file which I would like to run as part of my deployment process. Unfortunately the .cmd file requires administrator privileges. Is it possible to get administrator permission from within rake, or do I need to start the shell as admin?
You can try the runas command. I don't know what your rake task looks like, but if you're running Kernel#system, try
task :foo do
system "runas /profile /user:#{ENV["COMPUTERNAME"]}/Administrator mybatchfile.cmd"
end
Only trouble is, runas prompts for credentials right there in the shell. So, you'd have to be interactive.
irb > system "runas ..."
Enter the password for FOOBAR/Administrator:
There's this nasty looking batch/WSH answer from another question on SO. I don't know where you put your command, this looks interactive, as well.
You might try the PowerShell Start-Process cmdlet that supports showing a UAC prompt.
PS> Start-Process mybatchfile.cmd -Verb runas
Or, in Rake
task :foo do
system "powershell -NoProfile -NonInteractive -ExecutionPolicy Bypass -command \"Start-Process mybatchfile.cmd -Verb runas\""
end
But that will also launch a UAC dialog. The whole process is going to need to be interactive. You can't have an interactive build script. Your only choice is allowing your build server to run with UAC off... then, you don't have to do anything, because all your prompts will be Admin by default.

How can I write to a program after executing it in a .bat file?

I need to build a bat file to run the Runas command.
Here is my command
Runas /user:Administrator "psexec \\\\***.***.***.*** -accepteula -i -u **** -p **** \"C:\\Program Files\\****\\setup.bat\""
When this is ran I am prompt for the password in the command line.
Enter the password for Administrator:
How can I write a bat file that enters the password: password into the prompt?
From Why doesn't the RunAs program accept a password on the command line?
The RunAs program demands that you type the password manually. Why
doesn't it accept a password on the command line?
This was a conscious decision. If it were possible to pass the
password on the command line, people would start embedding passwords
into batch files and logon scripts, which is laughably insecure.
In other words, the feature is missing to remove the temptation to use
the feature insecurely.
In short, your batch program will not be able to do it easily. There are third party utilities that will actually assert themselves to a higher level of authentication and then call your scripts, essentially running them as administrator.
Some cost money, some are free, I don't have enough experience with any of them to tell you either way on their quality.

Resources