[Useful Information] Privilege Escalation


Recommended Posts

Hello,

In this forum many of you have asked about executing a process with elevated privileges i.e. executing a process as "system".

The most common answer is "execute the process as a Service" or schedule a job.

; AT wants HH:MM; compute "two minutes from now" with zero padding and a wrap past :59 / 23:00
Dim $time = StringFormat("%02d:%02d", Mod(@HOUR + Int((@MIN + 2) / 60), 24), Mod(@MIN + 2, 60))
Run(@ComSpec & ' /c at ' & $time & ' /interactive "c:\WINDOWS\system32\calc.exe"', @ScriptDir, @SW_HIDE)

On some systems executing "at" will give access denied; then you will have to consider using

psexec -s -i -d "path_to_calc.exe"

Regards

DeltaRocked


A new addition:

eventtriggers.exe is found on almost all systems right from Windows 2000.

C:\Documents and Settings\TEMP>eventtriggers /create /?

C:\Documents and Settings\TEMP>eventtriggers /?

You can also run the task as the system user.

C:\Documents and Settings\TEMP>eventtriggers /create /?

EVENTTRIGGERS /Create [/S system [/U username [/P [password]]]]
    /TR triggername /TK taskname [/D description]
    [/L log] { [/EID id] [/T type] [/SO source] }
    [/RU username [/RP [password]]]

Description:
    Creates a new Event Trigger that will monitor and act upon the
    occurrence of NT Log Events of a given criteria.

    NOTE: Using /EID, /T and /SO together act as a series of AND's.

Parameter List:
    /S    system           Specifies the remote system to connect to.
    /U    [domain\]user    Specifies the user context under which the
                           command should execute.
    /P    [password]       Specifies the password for the given user
                           context.
    /TR   triggername      Specifies a unique name to associate with
                           the new Event Trigger.
    /TK   taskname         Specifies the task to execute when the
                           Event Trigger conditions are met.
    /D    description      Specifies the description of the Event
                           Trigger.
    /L    log              Specifies the NT Event Log(s) to monitor.
                           Valid types include:
                           Application, System, Security, DNS Server
                           Log and Directory Log. The wildcard "*"
                           may be used and the default value is "*".
    /EID  id               Specifies the Event ID that the Event
                           Trigger should monitor and act upon.
    /T    type             Specifies an Event Type that the trigger
                           should monitor. Valid values include:
                           "ERROR", "INFORMATION", "WARNING",
                           "SUCCESSAUDIT" and "FAILUREAUDIT".
    /SO   source           Specifies the Event Source the Event
                           Trigger should monitor.
    /RU   username         Specifies the user account under which
                           the task runs. For the "SYSTEM" account
                           the value must be "".
    /RP   [password]       Specifies the password for the "run as"
                           user.
                           This password will be ignored for the
                           "SYSTEM" account.
    /?                     Displays this help message.

Examples:
    EVENTTRIGGERS /Create /?
    EVENTTRIGGERS /Create /TR "Disk Cleanup" /L SYSTEM /T ERROR
                  /TK C:\Windows\System32\cleanmgr.exe
    EVENTTRIGGERS /Create /S system /U user /TR "Low Disk Space"
                  /EID 99 /SO "WinWord" /T ERROR
                  /TK \\srv\share\dsk.cmd
    EVENTTRIGGERS /Create /S system /U domain\user /P password
                  /TR "Disk Backup" /EID 4133 /L SYSTEM
                  /T ERROR /TK \\system\share\ntbackup.exe
    EVENTTRIGGERS /Create /RU user /RP password /TR "Disk Backup"
                  /TK \\system\share\ntbackup.exe /EID 4
                  /D "This will start disk backup services."


I had a tough time when my company converted to Windoze 7 because of this issue. Using psexec is an option if you want to run the program immediately, but I really didn't want to be that limited and I didn't want to use an external app. Also, the Windows 7 "Do you want to run this" popup is hard to avoid. So, I wrote and have thoroughly tested a script that runs programs with elevated rights on remote Windows 7 computers without a popup - and I just wedged a time adjustment in there yesterday.

It uses schtasks. schtasks is a lot more complicated and a bit more mis-documented than AT, but it's also more flexible and powerful - and more appropriate for Windows 7 systems.

Here is the function code that I use :

#include <Constants.au3>   ; $STDOUT_CHILD for Run()

; $time is shared with _GetTime(); $program, $progarray, $last, $UserName, $Paswrd,
; $LogFile and $CommandLine are set elsewhere in the script (the selection code is below).
Global $time = ""

Func RunProgram($strPCName, $pcc)
    Local $Command, $Results = "", $Line, $TName, $runAt
    Local $remoteFile = "\\" & $strPCName & "\c$\temp\" & $progarray[$last]
    Local $copyfile = FileCopy($program, $remoteFile, 9) ; 9 = overwrite + create the target directory
    $TName = StringTrimRight($progarray[$last], 4)
    ; The copy can fail (for example, file already in use on the endpoint); a copy that is already
    ; there is still good enough to schedule, so both cases take the same path.
    If $copyfile = 1 Or FileExists($remoteFile) Then
        _GetTime()
        ;MsgBox(0, "Run Time", @MON & "/" & @MDAY & "/" & @YEAR & " " & $time)
        $Command = 'schtasks /Create /S ' & $strPCName & ' /RU ' & $UserName & ' /RP ' & $Paswrd & ' /SC ONCE /TN ' & _
                $TName & ' /TR "' & $CommandLine & '" /ST ' & $time & ' /RL HIGHEST /F'
        ;MsgBox(0,"Command",$Command)
        ;FileWriteLine($LogFile,$Command)
        $runAt = Run(@ComSpec & ' /c "' & $Command & '"', "", @SW_HIDE, $STDOUT_CHILD)
        ; Collect everything schtasks prints so the result (or its error) lands in the log
        While 1
            $Line = StdoutRead($runAt)
            If @error Then ExitLoop
            If $Line <> "" Then
                $Results = $Results & " " & $Line
            EndIf
        WEnd
        FileWriteLine($LogFile, $strPCName & "," & $time & "," & $Results)
    Else
        FileWriteLine($LogFile, $strPCName & _
                ",Run Program Results,Scheduled task not created. Could not copy or find file on endpoint.")
    EndIf
EndFunc   ;==>RunProgram

; because schtasks is so picky about its time format (zero-padded 24-hour HH:MM)...
Func _GetTime()
    Local $Hour = @HOUR, $Minu = @MIN + 2
    If $Minu > 59 Then          ; roll over into the next hour, and 23 -> 00 past midnight
        $Minu -= 60
        $Hour = Mod($Hour + 1, 24)
    EndIf
    $time = StringFormat("%02d:%02d", $Hour, $Minu)
    ; Just spliced this in to be able to schedule the task to run at night... or any time...
    Local $userTime = InputBox("Run Later?", "Run at Time (24hr Format)", $time)
    If Not @error And $userTime <> "" Then $time = $userTime ; keep the computed time if the box is cancelled
EndFunc   ;==>_GetTime

$TName is a task name. I pull it from the $CommandLine, which is the program to run. So, if the program is installgame.exe the task name is installgame. I select the program to run using :

$program = FileOpenDialog("Select Program to Launch", "c:\temp", "Executable Files (*.bat;*.exe;*.msi;*.msp)", 3, "runthis.exe")
Select
    Case @error = 1
        MsgBox(0, "Nnnnnnnnttt", "File selection Failed")
        Exit
    Case @error = 2
        MsgBox(0, "Nnnnnnnnnntttt", "Bad file filter")
        Exit
EndSelect
; Split on backslashes; element [0] is the count, so [$last] is the file name
$progarray = StringSplit($program, "\")
$last = $progarray[0]
$launchfile = FileExists($program)
If $launchfile = 0 Then
    MsgBox(0, "File not found", "The program to launch was not found, please check location and try again.")
    Exit
    ;Return 0
EndIf
; Check for any arguments the program needs
$args = InputBox("Arguments", "Any arguments the program needs to run?", "None")
Select
    Case StringInStr($progarray[$last], ".msi")
        If $args = "None" Then
            Global $CommandLine = "MsiExec.exe /I c:\temp\" & $progarray[$last]
        Else
            Global $CommandLine = "MsiExec.exe /I c:\temp\" & $progarray[$last] & " " & $args
        EndIf
    Case StringInStr($progarray[$last], ".msp")
        If $args = "None" Then
            Global $CommandLine = "MsiExec.exe /P c:\temp\" & $progarray[$last] & " REINSTALL=ALL REINSTALLMODE=amus"
        Else
            Global $CommandLine = "MsiExec.exe /P c:\temp\" & $progarray[$last] & " " & $args & " REINSTALL=ALL REINSTALLMODE=amus"
        EndIf
    Case Else
        If $args = "None" Then
            Global $CommandLine = "c:\temp\" & $progarray[$last]
        Else
            Global $CommandLine = "c:\temp\" & $progarray[$last] & " " & $args
        EndIf
EndSelect

I always copy the file to the endpoint, because it is always best to run a program, especially installs, from the local machine. Also, I usually run scripts I've written that put a log file in their folder, so it's always easier to check the log file on the endpoint - in the temp directory.

I just used this to schedule updates for Acrobat Standard from the install 9.0 up to patch level 9.4.6 on 10 desktops across three states. ( They all ran and Acrobat is updated this morning, even on the 7 windows 7 machines, so it works. Might not be pretty, but it works. )

Oh, yes, using your user name and password is necessary. Whatever account you use must be an administrator on the computer. AT just used the account you were logged on under as your account, but schtasks doesn't seem to do that. And you have to be sure that the secondary logon service is running on the remote computer before schtasks will work properly. Increased security almost always means decreased functionality and a harder time for Systems Administrators.
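The same procedure, DeltaRocked's "two minutes from now" time string and Graywalker's copy-then-schtasks function, redone in Windows PowerShell as an added example; it is not code from either poster. It assumes Windows PowerShell 5.1 (Get-Service -ComputerName is gone in PowerShell 7), that the caller is an administrator on the target, that the C$ admin share is reachable, and that the task's /SD date should follow the admin workstation's short date format; PC01, C:\temp\installgame.exe and the function names are placeholders.

```powershell
# Added example (not code from the thread). Assumes Windows PowerShell 5.1, an
# admin account on the target, a reachable C$ share; PC01 and the file names are placeholders.

function Get-TaskStartTime {
    # schtasks /ST wants zero-padded 24-hour HH:MM. Doing the arithmetic on a DateTime
    # handles the :58 -> :00 and 23 -> 00 rollovers that hand-built strings get wrong.
    param([datetime]$Now = (Get-Date), [int]$MinutesAhead = 2)
    $when = $Now.AddMinutes($MinutesAhead)
    [pscustomobject]@{
        StartTime = $when.ToString('HH:mm')
        StartDate = $when.ToString('d')   # assumption: the culture's short date is what /SD expects here
    }
}

function Test-SecondaryLogon {
    # Graywalker's caveat: /RU with a password needs the Secondary Logon service
    # (seclogon) running on the remote computer, so check before scheduling.
    param([Parameter(Mandatory)][string]$ComputerName)
    $svc = Get-Service -Name seclogon -ComputerName $ComputerName -ErrorAction SilentlyContinue
    return ($null -ne $svc -and $svc.Status -eq 'Running')
}

function Get-TaskCommandLine {
    # Same .msi / .msp / everything-else split as the post's Select block.
    param([Parameter(Mandatory)][string]$FileName, [string]$Arguments = '')
    $localPath = "C:\temp\$FileName"
    switch ([IO.Path]::GetExtension($FileName).ToLower()) {
        '.msi'  { "MsiExec.exe /I $localPath $Arguments".Trim() }
        '.msp'  { "MsiExec.exe /P $localPath $Arguments REINSTALL=ALL REINSTALLMODE=amus".Trim() }
        default { "$localPath $Arguments".Trim() }
    }
}

function Invoke-RemoteOnceTask {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$LocalProgram,      # file to copy and run
        [string]$Arguments = '',
        [Parameter(Mandatory)][pscredential]$Credential,  # administrator on the target
        [int]$MinutesAhead = 2
    )
    $name       = [IO.Path]::GetFileName($LocalProgram)
    $taskName   = [IO.Path]::GetFileNameWithoutExtension($LocalProgram)
    $remoteDir  = "\\$ComputerName\c`$\temp"
    $remotePath = Join-Path $remoteDir $name

    # Copy to the endpoint first; like the post, a copy that is already there is good enough.
    if (-not (Test-Path $remoteDir)) { New-Item -ItemType Directory -Path $remoteDir | Out-Null }
    Copy-Item -Path $LocalProgram -Destination $remotePath -Force -ErrorAction SilentlyContinue
    if (-not (Test-Path $remotePath)) {
        throw "Scheduled task not created: could not copy or find $name on $ComputerName"
    }
    if (-not (Test-SecondaryLogon -ComputerName $ComputerName)) {
        throw "Secondary Logon service is not running on $ComputerName"
    }

    $start = Get-TaskStartTime -MinutesAhead $MinutesAhead
    # Caveat for whoever reviews logs: /RP places the password on the schtasks command line,
    # which process-creation auditing on the admin workstation will record.
    $schArgs = @(
        '/Create', '/S', $ComputerName,
        '/RU', $Credential.UserName,
        '/RP', $Credential.GetNetworkCredential().Password,
        '/SC', 'ONCE', '/TN', $taskName,
        '/TR', (Get-TaskCommandLine -FileName $name -Arguments $Arguments),
        '/ST', $start.StartTime,
        '/SD', $start.StartDate,   # keeps a start time just past midnight from being "earlier than now"
        '/RL', 'HIGHEST', '/F'
    )
    $output = & schtasks.exe @schArgs 2>&1
    [pscustomobject]@{
        Computer  = $ComputerName
        Task      = $taskName
        StartTime = $start.StartTime
        Result    = ($output | Out-String).Trim()
    }
}

# Usage (placeholders):
# Invoke-RemoteOnceTask -ComputerName PC01 -LocalProgram C:\temp\installgame.exe -Credential (Get-Credential)
```

The returned object carries schtasks' own output, so the same "computer, time, result" line the AutoIt version writes to its log can be produced with Export-Csv; the only behavioural difference from the thread's script is the explicit /SD, which is what stops a task scheduled at 23:59 from being created with a start time that has already passed.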
