Run command as System User in Powershell - windows

I found several answers on the web, but not really what I was searching for.
The issue is as follows:
When restoring a file with "Networker", the ACLs of the file are the same ones as when the file was backed up, regardles of inheritance in the folder the file is restored to. Meaning the inheritence of ACL does not affect the newly restored file.
This leaves me with the problem that only 3 Accounts have the right to alter the ACL.
The user, the file belongs to
The domain Admins
The system account
To solve the issue I would like to run an automated script fixing the ACL and activating the correct inheritance.
The system user for the script has to be one of the three.
The User is changing and thefore not a valid choice, also I dont want to leave any domain admin credentials nor give domain admin rights to a service account.
This leaves me with the system account to do the job and here comes the question:
How do I execute a task in powershell under system account credentials?
I tried
$username = "NT Authority\System"
$password = ConvertTo-SecureString -String "" -AsPlainText -Force
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist #($username, $password)
Since the password is an empty I can not really create credentials with it.
The name of the account in all locales is .\LocalSystem. The name,
LocalSystem or ComputerName\LocalSystem can also be used. This account
does not have a password.
https://msdn.microsoft.com/de-de/library/windows/desktop/ms684190(v=vs.85).aspx
So now I am a little bit confused as to how I can get this to work.
Edit:
The file system runs on EMC and is not a real Windows File System, but just kinda hooked onto a Linux system. So there is no local administrator account.
TL;DR
I want to inherit ACL Permissions on files using the system account with powershell, how?

https://github.com/mkellerman/Invoke-CommandAs
Made a function to Invoke-Command against local/remote computer using provided credentials or SYSTEM. Returns PSObjects, handles network interruptions and resolves any Double-Hop issues.
Try it out let me know if this resolves your issues.

If you're ok installing a (very useful) 3rd party program, you can try the following. It's a portable .zip, no real installation.
Run as administrator:
C:\WINDOWS\system32>nircmd.exe elevatecmd runassystem c:\windows\System32\cmd.exe
starts a new cmd window:
Microsoft Windows [Version 10.0.18362.418]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>whoami
nt authority\system
C:\WINDOWS\system32>
https://www.nirsoft.net/utils/nircmd.html

Domain Admins get access via the local Administrators group. Local Administrators can take ownership of any local object and subsequently grant new permissions to that object.
Running something like this as an administrator should do what you want:
takeown /f C:\some\file_or_folder /a /r /d:y
icacls C:\some\file_or_folder /reset /t /c /q
Never use the SYSTEM account for things like this.

Related

Acces denied when using psexec

I try to use the psexec program via command line to run program on another pc connected to my local network.
What i try to accomplish?:
I want to code a program that lets user send links ( to ebay auction e.g. ) to chosen pc from local network, for that i want to use psexec as a main component.
What is my problem?:
When i try to dry use psexec ( e.g. psexec \\another-pc cmd ) i got acces denied every time i try this ( no matter what machine is target ).
What i tried?:
So far i tried to fetch login credentials in command line:
psexec \\some-pc -u someuser -p password cmd
I also tried to disable UAC on target PC with this line:
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
I think i could do that easily if i knew a passwod for -p part, but none of my pcs have passwords set, all default users are admins,
My question is, does windows set any default password for local network acces like masterkey or smth ?
I'm a bit confused on what shall i do next.
If anyone know what should i do to overcome this obstacle i would be gratefull.
To use psexec remotely you should be an admin on a remote PC. And since Windows does not allow remote connections for admins with an empty password so you'll either need to set a password for your admin user or create a new user.
BTW your question is more suitable for superuser, not stackoverflow.

Batch command tasklist for remote computer

i'm trying to use tasklist command in cmd.exe for list all processes on my remote Windows 10 PC (which is in my home and connected on the same network as my main computer).
But when I type in cmd.exe from my main computer tasklist /s <his IP> /u Lucas /p <Lucas's password> it shows me Error : Incorrect user or password but user Lucas is the local admin for this remote PC and I'm 100% sure it's the right password, I really don't understand.
I have tried to disable firewall for private network, without success.
I have tried to add an exception in the firewall for port 135 (TCP), without success.
Ping command works fine.
I hope you can help me.
Regards.
Solved my problem by doing powershell Invoke-Command -ComputerName <ip of the remote computer> -Credential <his_name>\PC_Guest -ScriptBlock {Get-Process}
with <his_name> the name of the remote PC.
For the explanations PC_Guest was the old name of the admin account that I renamed to Lucas and I think that when we rename administrators accounts, Windows not change completely the name in permissions system, so that is why I had Access Denied or Unknown user or password errors with user Lucas.
Thanks #lit for your answer.

PsExec works only with "runas /netonly", not with -u and -p parameters

What I mean:
If I...
run runas /netonly /user:computername\username cmd
enter the password for the local admin account "username"
then type psexec \\computername cmd
I now have a working shell and can run commands as the local admin user on the remote machine.
However, trying to run this without the runas... and instead with the username and password arguments of psexec returns an access denied error.
Example below:
psexec \\computername -u username -p password cmd
Access Denied
Note: Others seem to also have this issue. My refined questions:
Is this intended behavior?
Why even have the -u and -p?
I have also tried disabling the firewall on both my machine and the target machine, and adding the registry key listed here.
When you initiate a connection with PsExec.exe, it tries to use the credentials you are currently authenticated with to copy the PSEXESVC to the \\$machine\ADMIN$\System32 share VIA SMB, which enables the communication with your PsExec.exe and the $machine's service.
If your currently logged in user account does not have access to \\$machine\ADMIN$\System32 and the ability to install/start services, then this won't work.
I'm assuming if you have access with your user account that this would work.
Here is a very interesting article from 2004 on reverse-engineering of the original implementation. I am pretty sure it has changed in that time with Windows 7 & Windows 10.

User in administrators group cant take ownership of file or grant full access

I am writing a powershell script that creates a list of users on a newly provisioned custom Windows 2012 AMI (Amazon Machine Image).
After the script creates the users, and assigns them to a group, it restricts these users from having access to certain files and folders.
Important - I run the script manually by logging into the environment through RDP as a user that is assigned to the "Administrators" group.
I am getting access denied errors when trying to set another users access level.
When looking at the files "Properties -> Security" the "Administrators" group ONLY has Read/Write access, and DOESN'T own the file.
I tried using the following command:
takeown /f c:\windows\system32\gpedit.msc
And get the following error:
ERROR: The current logged on user does not have ownership privileges on the file (or folder) "c:\windows\system32\gpedit.msc"
I then tried using this command:
icacls c:\windows\system32\gpedit.msc /grant "DOMAIN\UserInAdminGroup"
And get the following error/message:
c:\windows\system32\gpedit.msc
Successfully processed 0 files; Failed processing 1 files
Things Tried That Failed:
Running powershell in elevated mode using "Run As Administrator"
Running command prompt in elevated mode using "Run As Administrator"
Things Tried That Worked
RDPed into the machine as "Administrator"
Used the takeown command on file
Granted FULL access to "Administrators" group on file
RDPed into the machine as previous user (Part of Administrators Group)
Successfully used takeown command on file
Successfully used icacls to restrict permissions on file for another user
QUESTION:
Is there something else I can try, or is the ONLY way to modify this files permissions to first do it using the "TRUE" Administrator account?
EDIT-1
Ran the "whoami /groups" command as the problem user. Screenshot below:

User home folder points to SYSTEM32 folder after runas

I have a problem running runas /USER:testuser cmd or runas /USER:testuser powershell:
If testuser has opened RDP session, %HOMEPATH% points to \Users\testuser
If testuser is logged off, the environment looks strange to me:
PS C:\Windows\system32> echo $env:HOMEPATH
\Windows\system32
PS C:\Windows\system32> echo $env:APPDATA
C:\Users\testuser\AppData\Roaming
PS C:\Windows\system32> echo $env:USERPROFILE
C:\Users\testuser
PS C:\Windows\system32> cd ~
PS C:\Windows\system32> cd $home
PS C:\Windows\system32>
I need a correct %HOMEPATH% for my scheduled script. Is it expected behaviour? What can I do about that?
I've tested it on two Win2008, Win7, Win2012 with the same result.
UPDATE: The initial issue was a hanging scheduled task. When I had tested it with runas, I found that ssh command doesn't see a configuration placed in user directory and asks user for additional info.
Since you mentioned ssh, I'm going to take a stab at an answer, since I just worked through a similar issue. I'm using cwRsync 3.1.0, and the example script that comes packaged with it uses %HOMEPATH% to setup %HOME% for rsync execution. Like you experienced, when using 'runas' with the target user not logged into the host, the script halts to accept a hostid, because Windows\system32.ssh doesn't exist. The HOMEPATH is set to Windows\system32.
When the target user is logged into the host (but runas is run under a distinct user's login), the HOMEPATH is set to user's profile path (Users\), and the .ssh path does resolve.
My solution was to change the script o use %USERPROFILE%, rather than %HOMEPATH%. At https://serverfault.com/questions/29948/difference-between-profile-and-home-path and http://blogs.msdn.com/b/patricka/archive/2010/03/18/where-should-i-store-my-data-and-configuration-files-if-i-target-multiple-os-versions.aspx there is discussion that to my understanding, indicates %HOMEPATH% is for user content, whereas %USERPROFILE% is for settings, etc., and probably better for pointing to .ssh.

Resources