Windows 7 UAC and Systems Administrators


This is a question for Systems Administrators of all kinds - those who manage software on a domain where users have restricted rights - and who have Windows 7 computers in their domain.

How do you get around UAC to install Software or Certificates remotely and without user intervention? ... and without being logged in to the computer. ( There is no such thing as "right click and.." answers. We have over 3000 computers! )

I've tried scheduled tasks (schtasks.exe) with the /RL HIGHEST switch - no good.

I've even looked into PowerShell 2.0 - but it is not what I need.

Even with UAC disabled, some things still need the "Run As Administrator" privileges to actually install properly.

Has Microsoft completely screwed Systems Administrators with this UAC ??


It has not been a problem where I work, you just have to have the Win 7 PC set up correctly: RPC services, Remote Registry Service, etc. Some of these are turned off by default, and I have written our imaging script to turn the services on when we finish imaging a PC. Also, make sure that you have the correct Security Groups under the local Administrators group; this is also done by the imaging script.

For remote software installations, I usually have it scripted out and use PsExec or BeyondExec to execute it remotely. Almost all my installations are silent. If you have the correct services turned on, and you are a local admin on the PC, your remote process is elevated without issue. I still use ExecutionLevel requireAdministrator on my compiled scripts executed remotely to be on the safe side.

Also, look (#8) for additional info on AutoIt and UAC.

Adam

  • 2 weeks later...

Without using third-party or non-native utilities, there is not much of anything one can do to get around UAC - even when UAC is disabled there are still some issues.

I have found one sure way using schtasks in Windows 7, but it requires providing a user name and password that is in the Administrators group. Using /U and /P would wait until that user was logged in. Probably need to have Secondary Logon enabled and starting automatically. I copy the program I want to run down to the endpoint first.

#include <Constants.au3> ; defines $STDOUT_CHILD

; $strPCName, $UserName, $Paswrd and $LogFile must already be set
; $CommandLine = program to run
; $TName = a name for the task
; $time must be ##:## format. (24hr) 1:03 will give an error. 01:03 is good.
; /SC ONCE rules out using /Z for some reason
$Command = 'schtasks /Create /S ' & $strPCName & ' /RU ' & $UserName & ' /RP ' & $Paswrd & ' /SC ONCE /TN ' & $TName & ' /TR "' & $CommandLine & '" /ST ' & $time & ' /RL HIGHEST /F' ;/ST ' & $time & ' /ET ' & $et & ' /RI 599940
$Results = "" ; collects the output of schtasks for the log line
$runAt = Run(@ComSpec & ' /c "' & $Command & '"', "", @SW_HIDE, $STDOUT_CHILD)
While 1
    ; read until the child process closes its stdout
    $Line = StdoutRead($runAt)
    If @error Then ExitLoop
    If $Line <> "" Then
        $Results = $Results & " " & $Line
    EndIf
WEnd
FileWriteLine($LogFile, $strPCName & "," & $time & "," & $Results)
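A defender-side check for the tasks this approach leaves on each endpoint, as an added example that is not part of the original post: it reads a task definition in the XML form exported by `schtasks /Query /XML` and flags a stored password, an elevated run level, and a one-time trigger with no delete-after-run setting. The sample XML, account name and path are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample: shape of the XML for a task created with
# /RU <user> /RP <password> /SC ONCE /RL HIGHEST (all names are placeholders).
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger><StartBoundary>2011-03-01T01:03:00</StartBoundary></TimeTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>EXAMPLE\svc-install</UserId>
      <LogonType>Password</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec><Command>C:\Temp\setup.exe</Command><Arguments>/S</Arguments></Exec>
  </Actions>
</Task>"""

def audit_task(xml_text):
    """Return a list of findings for one exported task definition."""
    root = ET.fromstring(xml_text)
    findings = []
    for p in root.findall("t:Principals/t:Principal", NS):
        user = p.findtext("t:UserId", default="", namespaces=NS)
        logon = p.findtext("t:LogonType", default="", namespaces=NS)
        level = p.findtext("t:RunLevel", default="LeastPrivilege", namespaces=NS)
        if logon == "Password":          # credential is stored with the task
            findings.append("stored password for " + user)
        if level == "HighestAvailable":  # what /RL HIGHEST produces
            findings.append("runs elevated as " + user)
    triggers = root.find("t:Triggers", NS)
    one_shot = [t for t in (triggers if triggers is not None else [])
                if t.tag.endswith("}TimeTrigger")
                and t.find("t:Repetition", NS) is None]
    # Without DeleteExpiredTaskAfter (the /Z setting) the task stays registered.
    if one_shot and root.find("t:Settings/t:DeleteExpiredTaskAfter", NS) is None:
        findings.append("one-time task is not deleted after it runs")
    for cmd in root.findall("t:Actions/t:Exec/t:Command", NS):
        findings.append("executes " + (cmd.text or ""))
    return findings

if __name__ == "__main__":
    for finding in audit_task(SAMPLE_TASK):
        print(finding)
```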

We encountered a similar issue at the school district I work for. To get around installing software on student machines here (we can't give them admin rights), we created a service (as an admin) that launches an exe in Interactive Services mode. This then opens another GUI that puts the user in an isolated environment as an admin and they have access to what we call an "App Store" (kids are familiar with that term). They can then install updates to all the software needed.

You do need admin rights on the machine in the first place to install the service though, and it is best if this is created on the image. That doesn't sound like a good option for you right now as you have 3000+ machines to work with.
