I want to create PSSession on remote machine with administrative rights,anyone knows how to do that.
I have notices even i know administrative credentials, and using same while creating a PSSession, don't let me execute some commands on that remote machine.
I have searched, and found even using administrator credentials at PSSession don't create my session as administrator.
any idea how to do that or even how to switch session?
This is a very good question.
Your problem, as you probably know, is caused by having UAC turned on, on the remote machine. This means, that even though you are running PowerShell session as user who is a member of the Administrators group, your PowerShell session is not executed with elevated privileges.
If you execute a script localy on the server, there is a way to automatically elevate privileges within the script. This is explained here.
A self elevating PowerShell script
Unfortunately for you, this still creates a popup prompt for user to accept the privilege elevation. This makes it completely useless for remote execution.
I know that a lot of people will probably disagree, but the best (and possibly only) solution is to turn UAC off on the target machine.
Related
Using PSEXEC and to run a VBS as LocalSystem account, to let the script run with admin rights.
VB script called prompts and GUIs are not visible if a person is connected to the computer via RDP.
You can see the script or GUI as a running process in task manager, but it is not visible.
Windows Security setting preventing this? Limitation of RDP?
Your script is running in an invisible desktop so you cannot run a denial of service attack on the interactive user of the physical computer.
This is normal.
State what your goal is rather than why your solution to an unknown problem doesn't work.
It doesn't matter your intentions.
This question is better suited to https://serverfault.com as you are trying to administer a network by programming rather than how it's designed to be administered.
Normally one uses logon scripts or group policy to set the RunOnce key.
Firstly I want to emphasize that I'm not trying to do anything "nasty" or "hackerish", nor am I trying to hide anything from user here.
During installations (using InstallShield LE) of my application user is prompted by Windows UAC to allow it to run in Administrator mode; If user accepts it - installation continues (standard behavior) and user again can check the option to add this program to autorun list (by adding a registry key to HKLM/../Run). All is fine and normal. But after every Windows restart, when this application starts, UAC kicks in and asks for user permission. Question is, how to avoid it, since it's a bit annoying (yet my app needs Administrator privileges to run)?
I mean user already granted such permissions on installation, so I cannot see a reason why it needs to be prompted on every startup? Moreover, I believe most antivirus software and such, also require elevated permissions to operate, but UAC doesn't prompt for it at Windows Startup.
Thank you for any advises, information, comments or solutions.
Does your application really need to start elevated? Or will it need to elevated access later when the user uses it to perform an action? If you can, drop the later admin task into a separate exe, allowing the main exe to start with no elevation - when you shellexecute the worker process later it will UAC on demand.
At install time, as you have noted, you have elevated the installer. If you want to run elevated code on subsequent runs, automatically, this is the point to install a service - which is what all those other apps you mentioned do.
You can't get around UAC for a process started in an interactive session. You could use a service running as a privileged user but you would be far better off finding a way to do whatever you do without requiring admin rights.
It's not possible for a program to run elevated without prompting. What you want to do is factor those portions of your application that need elevation into a windows service that runs as system. Then your autostarting application can make remoting calls to the service to delgate those activities that the user can't do without elevating.
Not done it but I found this article Selectively disable UAC for your trusted Vista applications that says use 'Application Compatibility Toolkit' from microsoft.
The Compatibility Administrator allows you to create a database of
compatibility fixes that will allow you to run certain applications
without an accompanying UAC.
Run the Compatibility Administrator as admin
select a new database template
Click the Fix button on the toolbar. When you see the Create New Application Fix wizard ... enter details about your app
Select a Compatibility Level
Select RunAsInvoker as the fix
It seems that the last one
Selecting the RunAsInvoker option will allow the application to launch
without requiring the UAC prompt.
Should do what you want provided that the invoker is admin and I think you can do this at start up using the scheduler : Create Administrator Mode Shortcuts Without UAC Prompts in Windows 7 or Vista
As you can see it runs your app in the compatibility mode which may or may not be acceptable for you.
I am looking for away to run batch files in elevated mode (runas administrator) so that it doesn't trip the UAC to prompt for user interaction. We have some registry edits, among other things, that we do in our login scripts which trigger the UAC to prompt for each registry that is run.
I realize that this sort of defeats the purpose of the UAC, but it would be nice if there was some way of running batch files on machines that have UAC enabled.
These batch files need to be able to run without any user interaction (they are mainly login scripts, and some administrative scripts). We are not using an Active Directory domain, so hopefully there is a solution for none AD domains.
The solutions that I have found so far are as follows:
Disable the UAC altogether - We normally do this, but we might be running into some situations where we cannot disable it.
Create a shortcut to the batch file we wish to run in elevated mode. Go to the properties of the shortcut > Shortcut tab > Advaned > Check off "Run as Administrator"
This solution seems to work, however the initial running of the shortcut causes the UAC prompt to come up. All the commands run within the batch file do not cause the UAC prompt. Close to the solution, but it would be nice not to get any prompts.
3.
Running the batch file with the 'runas' command.
I have tried this, however it still doesn't see to achieve the elevation to prevent the UAC from prompting.
Also, using the echo 'password' | runas ..... method to provide the password doesn't seem to work right, so I am always having to type in the password.
The other thing that I was thinking, but I haven't really researched yet is, do powershell scripts run/work better in an environment where the UAC is enabled? Does Windows 'trust' certified powershell scripts and allow them to run unimpeded without triggering the UAC?
From what I have read, these is no way around the UAC other then disabling it. But I just wanted to see if anyone might be able to shed some additional light on this topic.
Thank you,
Cheers
There is no official way to by-pass the UAC prompt for your application. There are a few ways to run a program as administrator if you have the account password (same as the runas approach).
you can use the following Power-Shell script to start your program as administrator without asking the password:
You'll need to save the user password somewhere as a secure string:
$pass = Read-Host -AsSecureString
ConvertFrom-SecureString $pass | out-file pass.txt
Then you can run the file as administrator with the stored password this way:
$pass = import-SecureString (get-content pass.txt)
$startinfo = new-object System.Diagnostics.ProcessStartInfo
$startinfo.UserName = "administrator"
$startinfo.Password = $pass
$startinfo.FileName = "your batch script file name"
$startinfo.UseShellExecute = $true
[System.Diagnostics.Process]::Start($startinfo)
Registry manipulation for which the current user has access will not itself trigger a UAC prompt.
However using an application with a manifest that requires elevation if running as un-elevated administrator will prompt.
Are you trying to use regedit.exe to perform batch operation? If so replace with reg.exe (using cmd.exe) or, better, PowerShell's inbuilt registry support.
Eg.
get-itemproperties 'HKLM:\SOFTWARE\Classes\Folder'
will not require elevation (as that key is readable by everyone), but setting a property on that key will require an elevated PSH session.
An alternative approach, if you are performing operations that require administrative access (need modify access to some object with ACL that limits modification to administrators). Or, something a non-administrator could never do UAC or not, without enter an administrator's account's credentials.
Consider using Task Scheduler: a trigger of on user logon but configured under a specific elevated administrator account.
Summary: really need to know at least one of the things you are doing that triggers UAC in detail.
Setting up a scheduled task that will run elevated needs one consent once when you set it up, and never again. Since you mention these are login scripts, a scheduled task that runs on login should meet your need perfectly.
This question already has answers here:
Disable Vista UAC per-application, or elevate privileges without prompt?
(3 answers)
Closed 9 years ago.
Is there a way to get my .exe file to execute with administrator rights instead of me
killing the LUA at registry or right click file and running as administrator?
When I alter the registry it prompts the user which I don't want. I am only adding the file to kill the LUA to give the user full rights to execute my .exe file.
If I can just get it to execute as administrator it would save me editing the registry. I can't find the source code for the application. It is coded in Delphi so it is a problem to add anything and the .reg file needs to be run with the .exe files on Windows Vista.
How can this issue be resolved?
You can't. If you could do it, any exe could to it and that would defeat the purpose of the UAC (assuming arguendo you believe there is a purpose for UAC). You can manifest your exe to require administrator privileges, but that will not stop the user prompt.
There are two proper ways to do this:
As already noted mark your exe as requiring elevated privilleges - the user will be prompted when starting your program, administrator privilleges and user confirmation are required.
Create a service running as LocalSystem that is allowed to do anything without prompting the user. In this case you have to implement interprocess communication mechanism for the service to communicate with user UI program, which may not be trivial. For this scenario your program has to be installed by administrator, but after that may be used by anyone - this is common for corporate scenarios.
Generally speaking Vista compatibility may not be easy to achieve and depending on your software may require a lot of work.
I'm not able to test this since I've only got XP with me at the moment...
Try creating a batch file with the runas command in it.
Note that the password will still need to be entered but it may save a couple steps.
If you just want to avoid the right-click and run as admin you can rename the exe to something like xyzSetup.exe.
There is (hopefully) no way that you can bypass the prompt, otherwise anyone can do it.
If you are just trying to avoid repeated prompts and don't mind being asked for the password or permission once, you could use runas with the /savecred option.
Generally this problem is solved by installing a Windows service which runs as SYSTEM or an administrator account. Then your application can request the privileged action from this service.
Obviously to not pose a security threat ensure that your service can't run arbitrary code or something which might leave the all users vulnerable to privilege escalation attacks.
WinPcap and most of the other sniffing applications use a similar design to give sniffing access to unprivileged users.
Install your service during the first run (or in the installer, which will require an UAC prompt).
I will have to read up on this but I don't have access to my source so this would be a problem.
I have an app that normal users need to be able to run, but requires administrator privileges to actually function.
I tried to make the shortcut that my users run it with "Run as administrator" but this just causes a UAC prompt whenever they try to run the app.
Is there any way to elevate privileges programatically, without my users needing to go through a UAC prompt and/or knowing an administrator password? From a security standpoint, I understand that most applications shouldn't be allowed to do this, so I'm hoping there is some way to do it if I can provide a valid username/password pair, or something.
The app is written in C#, so a fully managed solution would be preferred, but p/Invoke Black Magic (or even writing an MC++ Wrapper Which We Do Not Speak About) would be more acceptable than disabling UAC entirely.
Generally this problem solved by installing a Windows Service which runs as SYSTEM or an admin account. Then your application can request the privileged action from this service.
Obviously to not pose a security threat ensure that your service can't run arbitrary code or something which might leave the all users vulnerable to privilege escalation attacks.
Winpcap and most of the other sniffing applications use a similar design to give sniffing access to unprivileged users.
Actually, why don't you just create a Task Schedule which runs the app with elevated privileges? As long as you setup the Task under elevation, it will not prompts you for a UAC when it is auto-run during reboot or whatever your trigger is.
Just make sure you set level=requireElevation in your manifest file, and task scheduler will run your app with admin rights without prompting your user for admin rights, as this had already been established when you setup the task with admin privileges.
It's not possible. You cannot decide to suppress UAC prompt.
You have to ask yourself:
What would happen on Windows XP?
The user is a standard user on Windows XP, and the application "needs" to run as an administrator. Are you:
going to refuse to run?
going to crash on startup?
going to show the user access denied error messages?
If the user is simply not allowed to run the application as a standard user on Windows XP, then UAC is your friend: it tells the user that they have to be an administrator.
And it even offers to let them (temporarily) gain administrative privileges.
But you have to ask yourself:
What would happen on Windows Vista?
In order to elevate, the user will need someone from IT to walk from three buildings over, so they can type in their credentials "over the shoulder". Perhaps you can make the user's life easier. Let 99.9% of the application run, and split off that 0.01% to an "administrative" module.