Jump to content
Sign in to follow this  
Graywalker

Windows 7 UAC and Systems Administrators

Recommended Posts

Graywalker

This is a question for Systems Administrators of all kinds - those who manage software on a domain where users have restricted rights - and who have Windows 7 computers in their domain.

How do you get around UAC to install Software or Certificates remotely and without user intervention? ... and without being logged in to the computer. ( There is no such thing as "right click and.." answers. We have over 3000 computers! )

I've tried scheduled tasks (schtasks.exe) with the /RL HIGHEST switch - no good.

I've even looked into PowerShell 2.0 - but it is not what I need.

Even with UAC disabled, some things still need the "Run As Administrator" privileges to actually install properly.

Has Microsoft completely screwed Systems Administrators with this UAC ??

Share this post


Link to post
Share on other sites
AdamUL

It has not been a problem where I work, you just have to have the Win 7 PC setup correctly, RPC services, Remote Registry Service, etc. Some of these is turned off by default, and I have wrote in our imaging script to turn the services on when we finish image a PC. Also, make sure that you have the correct Security Groups under the local Administrator's group, this is also done by the imaging script.

For remote software installations, I usually have it scripted out and use PsExec or BeyondExec to execute it remotely. Almost all my installations are silent. If you have the correct services turned on, and you are a local admin on the PC, your remote process is elevated without issue. I still use ExecutionLevel requireAdministrator on my compiled scripts executed remotely to be on the safe side.

Also, look (#8) for additional info on AutoIt and UAC.

Adam

Share this post


Link to post
Share on other sites
Graywalker

Without using third-party or non-native utilities, there is not much of anything one can do to get around UAC - even when UAC is disabled there are stills some issues.

I have found one sure way using schtasks in Windows 7, but it requires providing a user name and password that is in the Administrators group. Using /U and /P would wait until that user was logged in. Probably need to have Secondary Logon enabled and starting automatically. I copy the program I want to run down to the endpoint first.

; $CommandLine = program to run
; $TName = a name for the task
; $time must be ##:## format. (24hr) 1:03 will give an error. 01:03 is good.
; /SC ONCE rules out using /Z for some reason
$Command = 'schtasks /Create /S ' & $strPCName & ' /RU ' & $UserName & ' /RP ' & $Paswrd & ' /SC ONCE /TN ' & $TName & ' /TR "' & $CommandLine & '" /ST ' & $time & ' /RL HIGHEST /F' ;/ST ' & $time & ' /ET ' & $et & ' /RI 599940
   $runAt = Run(@ComSpec & ' /c "' & $Command & '"', "", @SW_HIDE, $STDOUT_CHILD)
   While 1
    $Line = StdoutRead($runAt)
    If @error Then ExitLoop
    If $Line <> "" Then
     $Results = $Results & " " & $Line
    EndIf
   WEnd
   FileWriteLine($LogFile, $strPCName & "," & $time & "," & $Results)

Share this post


Link to post
Share on other sites
jazzyjeff

We encountered a similar issue at the school district I work for. To get around installing software on student machines here (we can't give them admin rights), we created a service (as an admin) that launches an exe in Interactive Services mode. This then opens another GUI that puts the user in an isolated envrionment as an admin and they access to what we call an "App Store" (kids are familiar with that term). They can then install updates to all the software needed.

You do need admin rights on the machine in the first place to install the service though, and it is best if this is created on the image. That doesn't sound like a good option for you right now as you have 3000+ machines to work with.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

  • Similar Content

    • griefman
      By griefman
      Hi everyone,
      i am writing to you after a very long struggle i had while trying to figure out how to send a simple click inside a virtual machine running in vmware workstation 14.
      i have an autoit script running on my host machine watching for the UAC prompt to be displayed in a running vm. Both the host and the guest OS are Windows 10. This script worked perfectly with virtual box. It recognized the UAC prompt and clicked inside and the UAC was accepted. Since i switched to VMware Workstation 14, the script no longer clicks inside the VM successfully. It acts as if it clicks, but it doesn't. 
      I tried sending key combinations instead of a click, so that the VM can grab the input, but it also did not work. Every attempt that i made to send clicks or keys from the host inside the VM did not work. I tried using:
      MouseClick
      ControlClick
      MouseMove
      _WinAPI_Mouse_Event
      _WinAPI_Keybd_Event
       
      I also noticed that while the cursor moves to the target which has to be cilcked when my vmware worstation window is not focused, it even doesn't do that when i WinActivate the vmware workstation window first.
       
      Did anyone experience such an issue, or maybe could give me a hint, what else i could use to send a key combination or a mouse click in a vmware workstation 14 pro guest window?
       
      here is my code, which works with virtualbox:
       
      #AutoIt3Wrapper_Icon=".\uac.ico" #include <ImageSearchSubrogated.au3> FileInstall(".\ImageSearchDLL.dll", ".\ImageSearchDLL.dll", 0) FileInstall(".\UAC_ginloSetup.bmp", ".\UAC_ginloSetup.bmp", 0) FileInstall(".\UAC_Yes.bmp", ".\UAC_Yes.bmp", 0) ; set global variables for the coordinates, which should be delivered global $x1 = 0, $y1 = 0 global $x2 = 0, $y2 = 0 global $counter1 = 0 global $counter2 = 0 global $sleep = 10000 global $smallSleep = 5000 ; execute the script in a loop, so that it will hopefully recover from some unexpected errors While $counter1 < 1 checkForImage() WEnd #cs ------------ Functions #ce ------------ Func checkForImage() While $counter2 < 1 ; search for the UAC in the entire screen - 2 screens supported local $searchUac = _ImageSearchArea('UAC_ginloSetup.bmp', 1, -2568, -8, 5136, 1440, $x1, $y1, 0) If $searchUac = 1 Then ; if the UAC was found search for the Yes button in a an area 200 x 200 from the middle of the found UAC image local $searchYes = _ImageSearchArea('UAC_Yes.bmp', 1, $x1, $y1, $x1 + 200, $y1 + 200, $x2, $y2, 0) If $searchYes = 1 Then ; if the Yes button was found click it and pause the script for $sleep seconds MouseClick("left", $x2, $y2, 1,0) Sleep($sleep) Else ; if the Yes button was not found retry from the beginning in $smallSleep seconds MsgBox(0, "UAC found error", "UAC was found but the 'Yes' button was not found. Script will retry in " & $smallSleep & " seconds.", $smallSleep) EndIf ; another way to accept the UAC - via shortcut ;Send("{TAB}{TAB}{TAB}{TAB}{TAB}{TAB}") ;Send("!y") Else ; if UAC was not found try again in $sleep seconds Sleep($sleep) EndIf WEnd ; if some error occured which expired the loop, pause the script for $sleep seconds MsgBox(0, "Error", "Some Error expired the timer and the script could not recover. The script will restart in " & $sleep & " seconds.", $sleep) EndFunc  
    • tcurran
      By tcurran
      Here's a short UDF that will, at least in most cases, detect whether a window can be copied from or pasted to programmatically--for example, by Send()ing ctl-c, ctl-v. This is often disabled when programs (like your AutoIt script) run at a lower UAC integrity level than the application they are trying to operate on.
      #include <WinAPI.au3> Func _WindowIsPasteable($handle) ;accepts window handle; returns true or false whether a window will accept Ctl-C, Ctl-V Local $bCanPaste = True Local $hTestWindowPID = 0 Local $hTestWindowTID = _WinAPI_GetWindowThreadProcessId($handle, $hTestWindowPID) _WinAPI_AttachThreadInput(_WinAPI_GetCurrentThreadId(), $hTestWindowTID, True);attach to window we want to paste into $bCanPaste = _WinAPI_GetFocus() ;Test whether window is paste-able--returns False if it is not _WinAPI_AttachThreadInput(_WinAPI_GetCurrentThreadId, $hTestWindowTID, False);detach from window thread Return $bCanPaste EndFunc Pass it a window handle; it returns true or false whether a window will accept programmatic pasting. The function may not work on the CMD window, since it handles the clipboard uniquely.
      This function works by attaching to the program thread of the window whose handle it receives, then attempting to perform a GetFocus on that thread. In most cases, the attempt will fail if the window will not accept programmatic copy-paste.
    • AutoitMike
      By AutoitMike
      I saw a post dated 2013 about WinSetTitle not working in Win7 64bit. No answer there for me.
      I am trying to set the title of a window, the function returns success and the title is changed for about 50 ms and then reverts back to its original value.
      #RequireAdmin makes no difference in operation.
      I have tried using the handle, the title and the class to define the window. Operation is the same for all three ways.
      EG:
      WinSetTitle("Old Title", "", "New Title")
      WinSetTitle("[Class:Class name]","","New Title")
      WinSetTitle(handle,"","New Title")
      ;=======================================================================================
      All functions report success.
      WinActivate("PxxCXpbHG", "Text")
      WinSetTitle("PxxCXpbHG ", "Text","New title")
      $M1=WinGetTitle("[ACTIVE]","")
      sleep (100)
      $M2=WinGetTitle("[ACTIVE]","")
      MsgBox(0,"", $M1 & "  " & $M2) ;------------------> "New Title"  "PxxCXpbHG"
      If I change Sleep to 50 , then it is "New Title", "New Title" so somewhere between 50 and 100 ms it gets changed back,but by what??
      Thanks for any help in this matter.
       
       
       
       
    • dreivilo47
      By dreivilo47
      When I use the following code I receive an UAC message:
       
      #RequireAdmin RunWait("msiexec /i winzip205-64.msi /quiet") Exit How can I hide (bypass) the UAC message?
    • imitto
      By imitto
      Hello all!
      I was in read-only until today, started to use Autoit 3 weeks ago. It can really make things easy, I really love it
      I have some script now that works and make our job effective, but I have problems with the latest. It works if I open the script's folder and run the exe directly. If I use the shortcut that I created on the desktop, it's not working properly. Activates the window, but not opening/exporting my files, just opens the last msgbox. I use ftp becouse the PC and the destination PC is not on the same network.
      Here's the script:
      #Region ;**** Directives created by AutoIt3Wrapper_GUI **** #AutoIt3Wrapper_Icon=..\microsoft_excel.ico #AutoIt3Wrapper_Res_Comment=send file over ftp #AutoIt3Wrapper_Res_Description=send file over ftp for process #AutoIt3Wrapper_Res_Language=1038 #AutoIt3Wrapper_Res_requestedExecutionLevel=requireAdministrator #EndRegion ;**** Directives created by AutoIt3Wrapper_GUI **** #cs ---------------------------------------------------------------------------- AutoIt Version: 3.3.14.2 Author: imitto Script Function: Rename and put playlist file on ftp #ce ---------------------------------------------------------------------------- #RequireAdmin #include <File.au3> #include <FileConstants.au3> #include <AutoItConstants.au3> #include <MsgBoxConstants.au3> #include <FTPEx.au3> ; Script Start Global $playlistname=@YEAR&@MON&@MDAY&"-playlist.pll" BlockInput($BI_DISABLE) Opt ("WinTitleMatchMode", 2) WinActivate("MAIN SCHED") WinWaitActive("MAIN SCHED") ;Opt ("WinTitleMatchMode", 1) Send("!fo") WinWaitActive("Open") Send("Z:\playlist\"&$playlistname&"{ENTER}") Sleep(2000) Send("!fe") WinWaitActive("MCon") Send("{ENTER}") WinWaitActive("Save") Send("C:\sendFileForXLS\lista.txt{ENTER}") Sleep(500) Send("!fc") BlockInput($BI_ENABLE) Sleep(50) Opt ("WinTitleMatchMode", 1) Local $hOpen = _FTP_Open('MyFTP Control') $ftp=_FTP_Connect($hOpen, "**********", "******", "******") If @error Then MsgBox($MB_SYSTEMMODAL, '_FTP_Connect', 'ERROR=' & @error) Else _FTP_FilePut($ftp, @ScriptDir&"\lista.txt", "/lista.txt") EndIf Local $iFtpc = _FTP_Close($hOpen) FileDelete(@ScriptDir&"\lista.txt") MsgBox(0, "", "Playlist exported", 2) Exit  
×