So What I need is for when cmd.exe is open run a MsgBox and close cmd.exe
such as:
' Code for when cmd.exe loads
MsgBox("Command Prompt Disabled")
' closes command prompt
Thanks!
I need actual code
Don't use a vbscript to do this.... use a GPO.. because if someone disables that script your security control is broken.
If you're editing for a single user/single machine...
It might be faster to write a registry vb script or batch file with your control instead of using a GPO for each user you don't want using it. Create the system key if system does not exist in the Windows Key. The Caveat, is you have other controls that won't prevent disabling this with about 5-minutes of Google Searching.
reg add "HKCU\Software\Policies\Microsoft\Windows\System"
reg add "HKCU\Software\Policies\Microsoft\Windows\System" /t REG_DWORD /v DisableCmd /d 2
Using Gpedit or OU-Level assigned policies for Non-Admins
User configuration\Administrative Templates\System\Prevent access to the command prompt
Other policies to consider adding to Non-Admin User groups.
User configuration\Administrative Templates\System\Prevent access to registry editing tools
User configuration\Administrative Templates\System\Don't run specified Windows Applications
Related
This is more of a pet project, as I like to try my best to batch script whatever I feel like without using a 3rd party app. I understand it would be easier that way, but I want to just try this for the heck of it. I understand the basic issue might just be the way the shell executes explorer, as I know it was NOT intended to run like this.
I have a standard user account and a batch script:
#echo OFF
FOR /F "usebackq" %%i IN (`hostname`) DO SET COMPNAME=%%i
ECHO Computer %COMPNAME%
TASKKILL /F /IM explorer.exe
runas /user:"%COMPNAME%"\ADMIN "C:\Windows\System32\cmd.exe"
Echo.
Echo Press Enter once you are finished
Pause
TASKKILL /F /IM explorer.exe
explorer.exe
Exit
Basically each computer's name is the hostname of the computer, so I created a variable to process that. Then I have it kill explorer, then run CMD as the admin account. (I can replace this with Explorer as well.) Then when CMD opens I type explorer.exe and it opens the admin account with full access. The script runs fine, no issues at all with the script. But in regards to the environment, there are 2 issues I am running into.
Windows 7 everything works fine, every program I open is ADMIN, even the start menu user profile title at the top right of the start menu says ADMIN, until I open Administrative tools, then every application I open from there uses the standard user, such as computer management. I assume explorer processes the command off of the local user environment which is why. I know I can just use compmgmt as an admin to solve that, but I want to know the specific reason why Explorer is swapping, is it as simple as the shell uses the local environment and that is just how it is?
On Windows 10, the script process successfully, but Explorer runs extremely slow. Every other program runs fine, cmd, compmgmt, regedit, Firefox, etc... But Explorer is slow, I'm talking 5 minutes to open the favorites window, and the start menu will not open at all. I checked process explorer and nothing takes it up, except the standard get resolution and other graphic handles. I assume it might be just the way this Shell operates.
Anyway, I understand this is not ideal, and that there are far easier ways to do it, and that Explorer.exe was never intended to be run like this. I just wanted to try for my own personal creativity. Any help would be greatly appreciated.
Thanks,
I know you can use tsdiscon.exe and tscon.exe to connect to a user account via the command line.
I want to write a simple batch file to accomplish this, so I can have a shortcut on my desktop that will quickly and easily login to another user account on this system.
I share this computer with my in-laws, and they are not very computer literate. Currently there are many steps in switching to their account, and I want to make it more streamlined for them.
It's been awhile since I've written a batch file, but I am sure there is a way to run a simple IF/THEN statement, that would check to see if the user is logged in, then either log them in with the given credentials, or switch to that users profile.
I want to know the syntax to make this happen, so I can put the .bat file on the desktop for them to click on.
Is this possible?
Logging out to your account? Suppose impossible.
Suppose your user is usr1 and you save your batch file to, say, your desktop.
Then, by running this batch file, you run it as usr1.
If your batch file contains the log out statement, it therefore ends the user account, therefore terminating the batch file, thus not being able to run the batch file successfully.
However, switching to a different account could be possible.
Try this out, if it works.
Essentially, you're doing the following:
#echo off
taskkill /IM explorer.exe /F
runas /user:COMPUTERNAME\ACCOUNTNAME explorer.exe
(Replace COMPUTERNAME and ACCOUNTNAME with the current computer name and account name (i.e. C:\Users\ACCOUNTNAME) of your in-laws account)
If that's not what you wish, then, sorry, I can't help you.
The batch script I previously mentioned here
Just give your machine a simple name customise one line in script. Test from command prompt:
fus
If it works with win10 you should be able to create two shortcuts with commands:
fus.bat 1
and
fus.bat 2
Suppose I have a script that needs to read information from places that normal user is not permitted to read (e.g. other users' folders).
Currently all I can do is complain about not being run as a "superuser" and quit, but I would rather like the script to ask for elevation itself.
According to MSDN and PerlMonks, you can try:
Win32::FileOp::ShellExecute( runas => 'yourprogram.exe' )
or
Win32::FileOp::ShellExecute( runasuser => 'yourprogram.exe' )
These should (not tested) ask you for elevation when it is needed. (Works on Windows 7 only).
Related: Requesting Administrator privileges during runtime
If you're ok with launching through a shortcut, you can use the following:
Create a shortcut to perl.exe
Edit the shortcut.
On the Shortcut tab, change "Target" to
"c:...\bin\perl.exe" "c:...\script.pl"
[Optional] On the Shortcut tab, change "Start in" to the path of the directory in which your script resides.
On the Shortcut tab, click "Advanced", then check "Run as Administrator".
There's a tool called "runas", but I can't seem to get it to work without asking you for Administrator's password.
Tired of having no good answer to this question in my own work, I wrote Win32::RunAsAdmin. All it does is call the Windows Shell via OLE with "runas" as the verb, but it packages it conveniently so all you have to do is stick the following at the beginning of your code:
use Win32::RunAsAdmin qw(force);
During the import step, it will check for elevated privileges, and return silently if you're already running in elevated mode. Otherwise, it restarts the script in elevated mode with a UAC popup.
No matter how I open it, cmd.exe always opens with admin privileges. How can I open it without? Is there some registry setting missing? Even if I open it directly from the run dialog or by double clicking in the system32 folder it still opens with admin privs.
Thanks.
Found out I was missing a registry key. In HKEY_CLASSES_ROOT\Directory\shell\cmd I was missing the String Value "Extended". Added this back in and restarted the machine got rid of the defaulting to admin privileges.
EDIT: I had UAC turned off for my profile (to stop incessant "are you sure you want to open this .exe" warnings), and turning that back on has stopped cmd always running with greater privileges.
After some unclear actions (switch UAC on/off ?) I ended up in the same situation as described above:
Cmd.exe always starts in Adminstration mode.
Linking in VS failed with the message:
Project : error PRJ0003 : Error spawning 'C:\windows\system32\cmd.exe'.
The Properties | Compatibility tab is greyed out, so switching this off seems impossible (Compatibility modes cannot be set on this program because it is part of this version of Windows).
To recover from this situation you have to edit the registry to remove the RUNASADMIN preferences that is associated with cmd.exe.
The 'RUNASADMIN' preference is stored in these registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Delete the values named c:\windows\system32\cmd.exe and you are back in business !
Kees
Right click on the cmd.exe, select properties and check the compatibility tab. Is the Run this program as an administrator checkbox checked?
This is only happening because you're logged in as a user with administrative privileges.
Since doing so defeats the entire Windows security model, you shouldn't be doing that in the first place. Create a standard user account and log in with that, instead. The command prompt should then not open with administrative privileges since you don't have administrative privileges.
If, as a standard user, you need to open a command prompt with administrative privileges, you'll need to right-click on the shortcut and select the "Run as Administrator" option (just look for the UAC shield). You'll need to provide sufficient credentials to authenticate yourself as an administrator, and then you'll have the authority to wreak whatever havoc you wish.
Found a way to run as a specific user even when UAC is turned off from http://www.sevenforums.com/general-discussion/235987-run-cmd-exe-given-user-administrator-command-line.html
This is the way to start cmd.exe as any user. Replace "username" with the correct one:
cmd.exe> runas /user:username "cmd.exe"
Right click on the cmd shortcut, navigate to properties, select advanced options and uncheck the 'Run as admin' option.
Check this video for better understanding - https://www.youtube.com/watch?v=3Mxh5TNSIl8&list=PLg8CURsOKswrzPs9fMhnmdy9TP7AkOOX1&index=1
I'm trying to document a work flow with a series of screen shots. At one point in the flow, a UAC prompt appears, and I'd like to grab a bitmap of it to make my storyboard complete. Because UAC prompts are on a virtual desktop (or something like that), the usual Alt+PrintScreen doesn't work. Any suggestions?
This method using the group policy editor should do the job:
1) Run gpedit.msc 2) Under Computer
Configuration\Windows
Settings\Security Settings\Local
Policies\SecurityOptions:
Change “User Account Control: Switch
to the secure desktop when prompting
for elevation” to disabled
Undo this change after the screenshot, because it makes the system less secure!
Change your UAC settings to disable the secure desktop, and then you can take the screenshot. In Windows 7, this is one of the options on the UAC slider, in Vista, I believe you need to configure the Security Policy.
Alternatively, run Windows in a VM and take a screenshot of that.
You can also remote desktop to the Windows 7 machine and run the screenshotter (or video capture) on the other machine. I've used this very successfully.
A step by step Guide
Step 1. Right click on the Program that you want to install and choose 'Run as administrator'.
Step 2. Now when the UAC Prompt appears, click on 'Change when these notifications appear'.
Step 3. Take the security Bar one-step down. Be sure to find that 'do not dim my desktop' is in the description. Now click on 'OK'.
Click on 'yes' when the UAC ask for permission.
Step 4. Now close all UAC Prompt dialog box. Again start from the beginning. You are now able to take a screenshot of the UAC Prompt dialog box with keyboard's print screen button or ms snipping tool.
Note that it will make your system less secure. So, make the security level as previous after the completion of your need.
Alternative to Michael Goldshteyns answer
You can more quickly achieve the same by copying the first registry command below and pasting it into an elevated command prompt, then hit enter.
To turn off PromptOnSecureDesktop:
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /V "PromptOnSecureDesktop" /T "REG_DWORD" /D "0x00000000" /F 1>NUL
This will turn off SecureDesktop, leaving the computer vulnerable, but you will be able to screenshot the UAC prompts.
All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.
To turn on PromptOnSecureDesktop:
This will turn on SecureDesktop.
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /V "PromptOnSecureDesktop" /T "REG_DWORD" /D "0x00000001" /F 1>NUL
All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
⚠ Important: After you are done, make sure you revert the command by turning PromptOnSecureDesktop off.
Simple method: Use windows accessory SnippingTool from MS. It just works!