Graywalker

Windows 7 UAC and Systems Administrators

4 posts in this topic

This is a question for Systems Administrators of all kinds - those who manage software on a domain where users have restricted rights - and who have Windows 7 computers in their domain.

How do you get around UAC to install Software or Certificates remotely and without user intervention? ... and without being logged in to the computer. (There is no such thing as "right click and.." answers. We have over 3000 computers!)

I've tried scheduled tasks (schtasks.exe) with the /RL HIGHEST switch - no good.

I've even looked into PowerShell 2.0 - but it is not what I need.

Even with UAC disabled, some things still need the "Run As Administrator" privileges to actually install properly.

Has Microsoft completely screwed Systems Administrators with this UAC ??


It has not been a problem where I work; you just have to have the Win 7 PC set up correctly: RPC services, Remote Registry Service, etc. Some of these are turned off by default, and I have written into our imaging script to turn the services on when we finish imaging a PC. Also, make sure that you have the correct Security Groups under the local Administrators group; this is also done by the imaging script.

For remote software installations, I usually have it scripted out and use PsExec or BeyondExec to execute it remotely. Almost all my installations are silent. If you have the correct services turned on, and you are a local admin on the PC, your remote process is elevated without issue. I still use ExecutionLevel requireAdministrator on my compiled scripts executed remotely to be on the safe side.

Also, look (#8) for additional info on AutoIt and UAC.

Adam


Without using third-party or non-native utilities, there is not much of anything one can do to get around UAC - even when UAC is disabled there are still some issues.

I have found one sure way using schtasks in Windows 7, but it requires providing a user name and password that is in the Administrators group. Using /U and /P would wait until that user was logged in. Probably need to have Secondary Logon enabled and starting automatically. I copy the program I want to run down to the endpoint first.

#include <Constants.au3> ; defines $STDOUT_CHILD

; Set by the caller before this point: $strPCName, $UserName, $Paswrd, $LogFile
; $CommandLine = program to run
; $TName = a name for the task
; $time must be ##:## format. (24hr) 1:03 will give an error. 01:03 is good.
; /SC ONCE rules out using /Z for some reason
$Results = "" ; reset the collected schtasks output for this PC
$Command = 'schtasks /Create /S ' & $strPCName & ' /RU ' & $UserName & ' /RP ' & $Paswrd & ' /SC ONCE /TN ' & $TName & ' /TR "' & $CommandLine & '" /ST ' & $time & ' /RL HIGHEST /F' ;/ST ' & $time & ' /ET ' & $et & ' /RI 599940
$runAt = Run(@ComSpec & ' /c "' & $Command & '"', "", @SW_HIDE, $STDOUT_CHILD)
; Collect everything schtasks writes to stdout until the stream is closed
While 1
    $Line = StdoutRead($runAt)
    If @error Then ExitLoop
    If $Line <> "" Then
        $Results = $Results & " " & $Line
    EndIf
WEnd
; One CSV line per PC: name, scheduled time, schtasks output
FileWriteLine($LogFile, $strPCName & "," & $time & "," & $Results)
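
The schtasks call in the post above passes the /RP password as a command-line argument, so it is recorded wherever process command lines are logged (Event ID 4688 with command-line auditing, or Sysmon Event ID 1). The following is an added example, not part of the original post: a Python check that finds such task creations in logged command lines and redacts the password; the sample lines and the function names are constructed for illustration.

```python
import re

# Constructed process-creation command lines (the kind recorded by Event ID 4688
# or Sysmon Event ID 1); hosts, accounts and passwords are invented for this example.
SAMPLE_EVENTS = [
    'schtasks /Create /S PC-0412 /RU CORP\\svc_deploy /RP "S3cret!pw" /SC ONCE '
    '/TN InstallCert /TR "C:\\Temp\\setup.exe /quiet" /ST 01:03 /RL HIGHEST /F',
    'schtasks.exe /create /s PC-0413 /ru SYSTEM /sc once /tn Patch '
    '/tr "C:\\Temp\\patch.exe" /st 02:00 /rl highest /f',
    'schtasks /Query /S PC-0412 /TN InstallCert',
    # Same call wrapped in cmd /c, as AutoIt's Run(@ComSpec & ' /c ...') produces.
    'C:\\Windows\\system32\\cmd.exe /c "schtasks /Create /S PC-0414 /RU admin '
    '/RP hunter2 /SC ONCE /TN t /TR "C:\\x.exe" /ST 03:00 /RL HIGHEST /F"',
]

VALUE = r'("[^"]*"|[^\s"/][^\s"]*)'   # quoted string, or bare word not starting with "/"
SWITCH_RE = re.compile(r'(?<!\S)/([A-Za-z]+)(?:\s+' + VALUE + r')?')
SECRET_RE = re.compile(r'(?<!\S)(/R?P\s+)' + VALUE, re.I)   # /P and /RP carry passwords

def parse_schtasks(cmdline):
    """Return {SWITCH: value} for a schtasks invocation, or None if it is not one."""
    m = re.search(r'\bschtasks(?:\.exe)?"?\s+(.*)', cmdline, re.I)
    if not m:
        return None
    return {s.upper(): v.strip('"') for s, v in SWITCH_RE.findall(m.group(1))}

def review(cmdline):
    """Return (findings, redacted command line) for one logged command line."""
    sw = parse_schtasks(cmdline)
    if sw is None or "CREATE" not in sw:
        return [], cmdline
    findings = []
    for key in ("RP", "P"):
        if sw.get(key, "") not in ("", "*"):   # "*" or no value means schtasks prompts
            findings.append(f"plaintext /{key} password on command line")
    if sw.get("RL", "").upper() == "HIGHEST":
        findings.append("task created with /RL HIGHEST")
    if "S" in sw:
        findings.append(f"remote target {sw['S']}")
    return findings, SECRET_RE.sub(r'\1<redacted>', cmdline)

def audit(events):
    """Return [(index, findings, redacted)] for events that expose a password."""
    reviewed = [(i, *review(line)) for i, line in enumerate(events)]
    return [r for r in reviewed if any("password" in f for f in r[1])]

if __name__ == "__main__":
    for i, findings, redacted in audit(SAMPLE_EVENTS):
        print(i, "; ".join(findings), "->", redacted)
```
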


We encountered a similar issue at the school district I work for. To get around installing software on student machines here (we can't give them admin rights), we created a service (as an admin) that launches an exe in Interactive Services mode. This then opens another GUI that puts the user in an isolated environment as an admin and they have access to what we call an "App Store" (kids are familiar with that term). They can then install updates to all the software needed.

You do need admin rights on the machine in the first place to install the service though, and it is best if this is created on the image. That doesn't sound like a good option for you right now as you have 3000+ machines to work with.

