Jump to content
Sign in to follow this  

Windows 7 UAC and Systems Administrators

Recommended Posts

This is a question for Systems Administrators of all kinds - those who manage software on a domain where users have restricted rights - and who have Windows 7 computers in their domain.

How do you get around UAC to install Software or Certificates remotely and without user intervention? ... and without being logged in to the computer. ( There is no such thing as "right click and.." answers. We have over 3000 computers! )

I've tried scheduled tasks (schtasks.exe) with the /RL HIGHEST switch - no good.

I've even looked into PowerShell 2.0 - but it is not what I need.

Even with UAC disabled, some things still need the "Run As Administrator" privileges to actually install properly.

Has Microsoft completely screwed Systems Administrators with this UAC ??

Share this post

Link to post
Share on other sites

It has not been a problem where I work, you just have to have the Win 7 PC setup correctly, RPC services, Remote Registry Service, etc. Some of these is turned off by default, and I have wrote in our imaging script to turn the services on when we finish image a PC. Also, make sure that you have the correct Security Groups under the local Administrator's group, this is also done by the imaging script.

For remote software installations, I usually have it scripted out and use PsExec or BeyondExec to execute it remotely. Almost all my installations are silent. If you have the correct services turned on, and you are a local admin on the PC, your remote process is elevated without issue. I still use ExecutionLevel requireAdministrator on my compiled scripts executed remotely to be on the safe side.

Also, look (#8) for additional info on AutoIt and UAC.


Share this post

Link to post
Share on other sites

Without using third-party or non-native utilities, there is not much of anything one can do to get around UAC - even when UAC is disabled there are stills some issues.

I have found one sure way using schtasks in Windows 7, but it requires providing a user name and password that is in the Administrators group. Using /U and /P would wait until that user was logged in. Probably need to have Secondary Logon enabled and starting automatically. I copy the program I want to run down to the endpoint first.

; $CommandLine = program to run
; $TName = a name for the task
; $time must be ##:## format. (24hr) 1:03 will give an error. 01:03 is good.
; /SC ONCE rules out using /Z for some reason
$Command = 'schtasks /Create /S ' & $strPCName & ' /RU ' & $UserName & ' /RP ' & $Paswrd & ' /SC ONCE /TN ' & $TName & ' /TR "' & $CommandLine & '" /ST ' & $time & ' /RL HIGHEST /F' ;/ST ' & $time & ' /ET ' & $et & ' /RI 599940
   $runAt = Run(@ComSpec & ' /c "' & $Command & '"', "", @SW_HIDE, $STDOUT_CHILD)
   While 1
    $Line = StdoutRead($runAt)
    If @error Then ExitLoop
    If $Line <> "" Then
     $Results = $Results & " " & $Line
   FileWriteLine($LogFile, $strPCName & "," & $time & "," & $Results)

Share this post

Link to post
Share on other sites

We encountered a similar issue at the school district I work for. To get around installing software on student machines here (we can't give them admin rights), we created a service (as an admin) that launches an exe in Interactive Services mode. This then opens another GUI that puts the user in an isolated envrionment as an admin and they access to what we call an "App Store" (kids are familiar with that term). They can then install updates to all the software needed.

You do need admin rights on the machine in the first place to install the service though, and it is best if this is created on the image. That doesn't sound like a good option for you right now as you have 3000+ machines to work with.

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

  • Similar Content

    • By lonardd
      I have a very strange problem concerning MouseClick function.
      I need to start Control Panel, navigate it on the Display Section (Adjust screen resolution link), click on it, and from the next Dialog choose Intel Graphic tool tab and navigate into it when it opens. 
      I wasn't using MouseClick() at first when I tried to use Control IDs, but I was fed up with the Autoit Window Info poor and inaccurate info (It flickers and the moment I click on the control the control ID and class disappear) so I ended up choosing the easiest way.
      The code I'm posting worked OK until two weeks ago, the mouse clicks were accurately performed and the Script reached the end with no errors...and I was happy.
      All of a sudden, between one try and the other, I noticed the cursor not flying exactly where it was supposed to, namely to the Control Panel ->Display->Adjust screen resolution link   but it clicked some 30 pixels below and some 30 pixels to the left, choosing obviously and undesired function and from that point it screwed the whole thing up. And from that moment onward, it seems I can no longer regain the mouse to click on that sequence.
      Could it be because my Control Panel ->Display form moved slightly from one test to another and therefore I got that small offside?
      If you believe this is the reason, I should then re position the Control Panel ->Display window to 0,0 and recalculate all the clicks. 
      do you have a suggestion?
      Thanks a lot
    • By lonardd
      I need to open an INTEL Graphic Tool clicking on a Win7 Tray Icon. This icon is not shown on the Win7 Tray but it is shown once you click on a button that shows a little  arrow-up. This button opens up an extension of the tray and there is my INTEL Graphic Tool Icon. 
      The first ControlClick('[Class:Shell_TrayWnd]', '', 1502 ) at line 26 of my source code (Rotatedisplays.au3) works fine as it clicks on the up-arrow shown on the uparrowfirst Menu.jpg  picture and opens up an extension of the tray. Then I'm trying to click on the INTEL Graphic Tool Icon which is the first blue icon (up-left) of the tray extension but I failed all my attempts. Can somebody help me out?

    • By griefman
      Hi everyone,
      i am writing to you after a very long struggle i had while trying to figure out how to send a simple click inside a virtual machine running in vmware workstation 14.
      i have an autoit script running on my host machine watching for the UAC prompt to be displayed in a running vm. Both the host and the guest OS are Windows 10. This script worked perfectly with virtual box. It recognized the UAC prompt and clicked inside and the UAC was accepted. Since i switched to VMware Workstation 14, the script no longer clicks inside the VM successfully. It acts as if it clicks, but it doesn't. 
      I tried sending key combinations instead of a click, so that the VM can grab the input, but it also did not work. Every attempt that i made to send clicks or keys from the host inside the VM did not work. I tried using:
      I also noticed that while the cursor moves to the target which has to be cilcked when my vmware worstation window is not focused, it even doesn't do that when i WinActivate the vmware workstation window first.
      Did anyone experience such an issue, or maybe could give me a hint, what else i could use to send a key combination or a mouse click in a vmware workstation 14 pro guest window?
      here is my code, which works with virtualbox:
      #AutoIt3Wrapper_Icon=".\uac.ico" #include <ImageSearchSubrogated.au3> FileInstall(".\ImageSearchDLL.dll", ".\ImageSearchDLL.dll", 0) FileInstall(".\UAC_ginloSetup.bmp", ".\UAC_ginloSetup.bmp", 0) FileInstall(".\UAC_Yes.bmp", ".\UAC_Yes.bmp", 0) ; set global variables for the coordinates, which should be delivered global $x1 = 0, $y1 = 0 global $x2 = 0, $y2 = 0 global $counter1 = 0 global $counter2 = 0 global $sleep = 10000 global $smallSleep = 5000 ; execute the script in a loop, so that it will hopefully recover from some unexpected errors While $counter1 < 1 checkForImage() WEnd #cs ------------ Functions #ce ------------ Func checkForImage() While $counter2 < 1 ; search for the UAC in the entire screen - 2 screens supported local $searchUac = _ImageSearchArea('UAC_ginloSetup.bmp', 1, -2568, -8, 5136, 1440, $x1, $y1, 0) If $searchUac = 1 Then ; if the UAC was found search for the Yes button in a an area 200 x 200 from the middle of the found UAC image local $searchYes = _ImageSearchArea('UAC_Yes.bmp', 1, $x1, $y1, $x1 + 200, $y1 + 200, $x2, $y2, 0) If $searchYes = 1 Then ; if the Yes button was found click it and pause the script for $sleep seconds MouseClick("left", $x2, $y2, 1,0) Sleep($sleep) Else ; if the Yes button was not found retry from the beginning in $smallSleep seconds MsgBox(0, "UAC found error", "UAC was found but the 'Yes' button was not found. Script will retry in " & $smallSleep & " seconds.", $smallSleep) EndIf ; another way to accept the UAC - via shortcut ;Send("{TAB}{TAB}{TAB}{TAB}{TAB}{TAB}") ;Send("!y") Else ; if UAC was not found try again in $sleep seconds Sleep($sleep) EndIf WEnd ; if some error occured which expired the loop, pause the script for $sleep seconds MsgBox(0, "Error", "Some Error expired the timer and the script could not recover. The script will restart in " & $sleep & " seconds.", $sleep) EndFunc  
    • By tcurran
      Here's a short UDF that will, at least in most cases, detect whether a window can be copied from or pasted to programmatically--for example, by Send()ing ctl-c, ctl-v. This is often disabled when programs (like your AutoIt script) run at a lower UAC integrity level than the application they are trying to operate on.
      #include <WinAPI.au3> Func _WindowIsPasteable($handle) ;accepts window handle; returns true or false whether a window will accept Ctl-C, Ctl-V Local $bCanPaste = True Local $hTestWindowPID = 0 Local $hTestWindowTID = _WinAPI_GetWindowThreadProcessId($handle, $hTestWindowPID) _WinAPI_AttachThreadInput(_WinAPI_GetCurrentThreadId(), $hTestWindowTID, True);attach to window we want to paste into $bCanPaste = _WinAPI_GetFocus() ;Test whether window is paste-able--returns False if it is not _WinAPI_AttachThreadInput(_WinAPI_GetCurrentThreadId, $hTestWindowTID, False);detach from window thread Return $bCanPaste EndFunc Pass it a window handle; it returns true or false whether a window will accept programmatic pasting. The function may not work on the CMD window, since it handles the clipboard uniquely.
      This function works by attaching to the program thread of the window whose handle it receives, then attempting to perform a GetFocus on that thread. In most cases, the attempt will fail if the window will not accept programmatic copy-paste.
    • By AutoitMike
      I saw a post dated 2013 about WinSetTitle not working in Win7 64bit. No answer there for me.
      I am trying to set the title of a window, the function returns success and the title is changed for about 50 ms and then reverts back to its original value.
      #RequireAdmin makes no difference in operation.
      I have tried using the handle, the title and the class to define the window. Operation is the same for all three ways.
      WinSetTitle("Old Title", "", "New Title")
      WinSetTitle("[Class:Class name]","","New Title")
      WinSetTitle(handle,"","New Title")
      All functions report success.
      WinActivate("PxxCXpbHG", "Text")
      WinSetTitle("PxxCXpbHG ", "Text","New title")
      sleep (100)
      MsgBox(0,"", $M1 & "  " & $M2) ;------------------> "New Title"  "PxxCXpbHG"
      If I change Sleep to 50 , then it is "New Title", "New Title" so somewhere between 50 and 100 ms it gets changed back,but by what??
      Thanks for any help in this matter.
  • Create New...