Run as Elevated Admin from Standard User Account


AmbientMike

Guys,

I know there have been many topics about running apps as an elevated admin whilst logged in as a standard user, and there has been no real way to do it, but then I found this application which can run something as SYSTEM and offer a GUI to the logged-in user...

http://www.robotronic.de/runasroben.html

This app is free for personal use but not for business, and I would really like a free, working solution to use at work on a system where we just can't disable UAC (which I'd normally do to run scripts elevated without prompts) in order to run some development software.

It seems that in order to run the app it has to have a service running in Session 0, which then creates a child process as SYSTEM but in the user's session to offer a GUI.

I found a good example of such a setup here...

http://www.codeproject.com/Articles/35773/Subverting-Vista-UAC-in-Both-32-and-64-bit-Archite

So my question to the scripters here is: is there any way to replicate that in my favourite language (AutoIt, of course)?

Mike

AmbientMike

No.

RunAs() does not elevate the script; it simply runs it as a different user. If UAC is turned on then it runs as the user in the Administrators group that you select, but it is not elevated. If the program needs to be "run as administrator" and UAC is enabled (Windows 8 has to have UAC enabled, even if notifications are turned off, for Modern UI apps to function), then you get a username / password prompt that my users won't have the credentials to fill in.

As such, if you just RunAs() it runs as a different user but does not elevate it.

Adding #RequireAdmin also does not help, as it just makes the script check that it's admin.

Trust me, I've tried everything, and the RunAsRob app is the only thing that I've found that enables an app / script with a GUI to work for a standard user and seemingly give them admin rights for running given applications.

EDIT - so just to outline what seems to happen with the application that does what I want...

1 - There is a service running as SYSTEM (in Session 0, which cannot show anything to the console user) that seems to wait for triggers.

2 - You then launch another application that the service seems to detect as a trigger, and the service creates a child process under the session of the console user (Session 1, for example) so that the user that caused the trigger can see and interact with any GUIs.

The trigger could be something as simple as creating a blank text file in a folder, which the service would detect and then spawn a child process that the console user can interact with.

It's easy enough to create a service running as SYSTEM with SRVANY.exe, so I thought this little project wouldn't be such a massive undertaking - but it's just out of my league, so I was hoping that some brighter minds than my own might find a few spare minutes to figure it out...

AmbientMike

Maybe that indeed - it seems to be exactly the case in point.

I swear I've been going through these (and many many other) forums looking for this info for days...

EDIT - actually - like that, very nearly that but not quite like that.

I believe that script is designed to have an administrator bypass the UAC prompt, as the script needs admin credentials to run (it installs the service only temporarily), rather than have a standard user run something as SYSTEM and bypass UAC.

Maybe I can modify it to perform my needs but it all looks a bit complex...

AmbientMike

Well, the utility RunAsRob that I linked to manages to do it in a roundabout sort of way, as I described earlier. The user is not really running as admin but invokes a service running as SYSTEM to do pre-determined things based on pre-set triggers in the user's session ID.

An administrator basically installs a service that watches for triggers by a standard user (dropping a text file in a certain directory, for example), and then when a user causes a trigger it runs an app as SYSTEM but in the session ID of the current console user so that it is able to show GUIs - much the same as wraithdu's script that you linked to in your previous post.

The only difference is that wraithdu's script installs the service very briefly in order to run as SYSTEM, rather than it being ever-present, so it has to be run by an admin, which kind of makes no sense for the script as far as I can see, but I'm probably missing something.

RunAsRob can do it - I have tested it out and it works. wraithdu's script can most likely be modified to do what I want but I'm worried it's beyond me :(

EDIT - and as a nice dirty work-around I think I've managed to do what I wanted...

With a little edit to the bottom of wraithdu's script, from...

; =============================
; ELEVATED MAIN SCRIPT HERE
; =============================
; !!! if passing command line parameters, your params now start at $CmdLine[3] !!!
; $CmdLine[1] = '-run', $CmdLine[2] = PID of service
TraySetState()
MsgBox(0, "Elevated Process", "Here I am!" & @CRLF & @LogonDomain & "\" & @UserName)
_ImpersonateUserStart()
MsgBox(0, "Elevated Process", "Impersonating:" & @CRLF & @LogonDomain & "\" & @UserName)
_ImpersonateUserEnd()
MsgBox(0, "Elevated Process", "Reverted:" & @CRLF & @LogonDomain & "\" & @UserName)
MsgBox(0, "_CreateProcessAsUser", "Launching notepad as currently logged on user when you press OK...")
_CreateProcessAsUser("notepad.exe", "explorer.exe")

Exit

to

; =============================
; ELEVATED MAIN SCRIPT HERE
; =============================
; This block now runs as SYSTEM in the console session and never exits,
; so the service stays resident and keeps polling for the trigger file.
While 1
    If FileExists("C:\Temp\test.txt") Then
        ; consume the trigger first, otherwise the MsgBox re-fires every 100 ms until the file is gone
        FileDelete("C:\Temp\test.txt")
        MsgBox(0, "Elevated Process", "Here I am!" & @CRLF & @LogonDomain & "\" & @UserName)
    EndIf
    Sleep(100)
WEnd

So that the service never exits and keeps looking for triggers.

When compiled and set as a scheduled task to run at system startup - whenever a user creates a text file called test.txt in C:\Temp they get a MsgBox (or an application is run) as SYSTEM. All I need to do now is make some tiny scripts to create and delete text files for users to run, and set up some more triggers in the main service, and I think that'll do it!

Cheers John for pointing me in the right direction - that's probably just saved me some spends!

AmbientMike (replying to KaFu)

I appreciate your reply but that post has nothing to do with what I have asked.

That post is about how UAC works with admin accounts. I have clearly stated that I am working with standard user accounts and need to find a way to run some apps elevated whilst bypassing all UAC prompts.

Previously the only way I'd found to do it is with RunAsRob, which doesn't actually elevate the current user but runs a service under a higher account that can run an app in the same session as the standard user's console session - the mechanics of which can be found here...

http://www.codeproject.com/Articles/35773/Subverting-Vista-UAC-in-Both-32-and-64-bit-Archite

All over the forums here people quite rightly say that you cannot run an app as a standard user but elevate it and bypass UAC - doing this would open up all manner of security holes inside of Windows.

What you can do, as shown in the above link, is have the SYSTEM account running a process / service that spawns a new process in the standard user's session ID, which runs with the highest privileges and does not encounter UAC prompts.

Obviously this has some drawbacks: as it's running as SYSTEM it doesn't have access to, for example, the standard user's network drives if required - but for my purposes the scripts from wraithdu, with a minor alteration from myself and a scheduled task, allow me to get my standard users running a script / program as SYSTEM without being hindered by a UAC prompt / admin password request.

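The broker pattern described in the posts above (a SYSTEM service in Session 0 that waits for a trigger file and spawns the real work into the console user's session) as an added worked example in PowerShell. This is the editor's code, not code from the thread, from wraithdu's script or from RunAsRob, and every path, file name, group and the registration action are assumptions: the thread never shows the author's registration script, and Show-WindowsDeveloperLicenseRegistration is assumed here to be the Windows 8 cmdlet behind that dialog. Two things the posts only hint at are made explicit: the launched program is started with a copy of SYSTEM's own primary token re-homed to the console session (the CodeProject technique, which needs SeTcbPrivilege, so it only works from SYSTEM), and the trigger file name does nothing more than pick an entry from a fixed table, so nothing a user writes can reach a command line. Whatever is launched this way runs as SYSTEM on the user's desktop and is therefore the real trust boundary: a program with a File > Open dialog, a shell escape or a user-writable plugin or config directory turns the broker into a privilege escalation for everyone who can drop a file into the trigger folder.

```powershell
# Added example, not code from the thread, wraithdu's script or RunAsRob.
# Run as SYSTEM from a startup scheduled task. Polls a trigger folder and starts a
# fixed, allow-listed program as SYSTEM inside the active console session so the
# logged-on standard user can see its GUI. All paths/names below are assumptions.

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
namespace Broker {
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO {
        public int cb; public string lpReserved; public string lpDesktop; public string lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }
    public static class Native {
        [DllImport("kernel32.dll")] public static extern uint WTSGetActiveConsoleSessionId();
        [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
        [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
        [DllImport("advapi32.dll", SetLastError = true)]
        public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
        [DllImport("advapi32.dll", SetLastError = true)]
        public static extern bool DuplicateTokenEx(IntPtr token, uint access, IntPtr attrs, int level, int type, out IntPtr dup);
        [DllImport("advapi32.dll", SetLastError = true)]
        public static extern bool SetTokenInformation(IntPtr token, int cls, ref uint info, uint len);
        [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
        public static extern bool CreateProcessAsUser(IntPtr token, string app, string cmd, IntPtr pa, IntPtr ta,
            bool inherit, uint flags, IntPtr env, string cwd, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
    }
}
'@

function Start-InConsoleSession {
    # Copy our own (SYSTEM) primary token, move it into the active console session
    # (TokenSessionId needs SeTcbPrivilege, which SYSTEM holds) and start $Exe there.
    param([Parameter(Mandatory)][string]$Exe, [string]$Arguments = '')
    $sessionId = [Broker.Native]::WTSGetActiveConsoleSessionId()
    if ($sessionId -eq [uint32]::MaxValue) { throw 'No console session is active' }
    $self = [IntPtr]::Zero; $dup = [IntPtr]::Zero
    # TOKEN_ALL_ACCESS = 0xF01FF, SecurityImpersonation = 2, TokenPrimary = 1, TokenSessionId = 12
    if (-not [Broker.Native]::OpenProcessToken([Broker.Native]::GetCurrentProcess(), 0xF01FF, [ref]$self)) { throw 'OpenProcessToken failed' }
    if (-not [Broker.Native]::DuplicateTokenEx($self, 0xF01FF, [IntPtr]::Zero, 2, 1, [ref]$dup)) { throw 'DuplicateTokenEx failed' }
    if (-not [Broker.Native]::SetTokenInformation($dup, 12, [ref]$sessionId, 4)) { throw 'SetTokenInformation(TokenSessionId) failed' }
    $si = New-Object Broker.STARTUPINFO
    $si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
    $si.lpDesktop = 'winsta0\default'      # the interactive desktop; without it nothing is visible
    $pi = New-Object Broker.PROCESS_INFORMATION
    $ok = [Broker.Native]::CreateProcessAsUser($dup, $Exe, "`"$Exe`" $Arguments", [IntPtr]::Zero, [IntPtr]::Zero,
        $false, 0x10, [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)   # 0x10 = CREATE_NEW_CONSOLE
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    [void][Broker.Native]::CloseHandle($self); [void][Broker.Native]::CloseHandle($dup)
    if (-not $ok) { throw "CreateProcessAsUser failed, Win32 error $err" }
    [void][Broker.Native]::CloseHandle($pi.hThread); [void][Broker.Native]::CloseHandle($pi.hProcess)
    return $pi.dwProcessId
}

# The trigger file NAME selects an action; its contents are never read and nothing the
# user controls is ever placed on a command line. Programs must live in admin-only paths.
$Actions = @{
    'register-devaccount' = @{ Exe = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"   # assumed action
                               Args = '-NoProfile -WindowStyle Hidden -Command Show-WindowsDeveloperLicenseRegistration' }
    'test'                = @{ Exe = "$env:SystemRoot\System32\notepad.exe"; Args = '' }   # demo only: notepad as SYSTEM has File > Open
}
$TriggerDir = 'C:\ProgramData\LabBroker\triggers'   # assumed; give Users create-file only, not modify/delete, e.g.
# icacls C:\ProgramData\LabBroker\triggers /inheritance:r /grant "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "Users:(CI)(WD,RD)"
$LogFile = 'C:\ProgramData\LabBroker\broker.log'
New-Item -ItemType Directory -Force -Path $TriggerDir | Out-Null

while ($true) {
    foreach ($f in Get-ChildItem -LiteralPath $TriggerDir -File -Force) {
        $action = $Actions[$f.BaseName]
        Remove-Item -LiteralPath $f.FullName -Force -ErrorAction SilentlyContinue   # consume first: one file, one launch
        if ($null -eq $action -or ($f.Attributes -band [IO.FileAttributes]::ReparsePoint)) { continue }
        try {
            $childPid = Start-InConsoleSession -Exe $action.Exe -Arguments $action.Args
            Add-Content -LiteralPath $LogFile -Value "$(Get-Date -Format s) $($f.Name) -> PID $childPid"
        } catch {
            Add-Content -LiteralPath $LogFile -Value "$(Get-Date -Format s) $($f.Name) FAILED: $_"
        }
    }
    Start-Sleep -Milliseconds 500
}
```

To keep it resident the way the thread does, register it once from an elevated prompt with Register-ScheduledTask, using New-ScheduledTaskTrigger -AtStartup and New-ScheduledTaskPrincipal -UserId SYSTEM -RunLevel Highest, with an action of powershell.exe -NoProfile -ExecutionPolicy Bypass -File pointing at this script stored in an admin-only directory. The child inherits SYSTEM's token and environment, so it will not see the user's profile or mapped drives, which is the drawback noted above; the 'test' entry reproduces the thread's MsgBox experiment and should not survive into production for the reason given in the comment.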
AmbientMike (replying to KaFu)

KaFu wrote:

How about this workaround using Task Manager?

It requires being logged in with an administrative account.

Again, I appreciate you taking the time to look and reply, but this clearly (after 10 seconds of looking) doesn't do what I want.

As I stated, a normal user cannot be elevated to admin rights and bypass UAC with however many scripts you like - this is by design by Microsoft. The solution I mentioned earlier, based on wraithdu's work, does exactly what I wanted it to do. I have it signed off by the end user, so it's all good.

What I wanted to do when I started this thread was to find some AutoIt scripts that mimic RunAsRob, as I linked to, and some examples of code on the Code Project site.

AutoIt (or anything else) cannot raise a normal user to admin and bypass UAC - this is well documented (trust me, I've been through all the threads about it). If there is a SYSTEM process running it can, however, impersonate the console user and run apps, scripts etc., which for a lot of situations makes it look like a user has full admin rights and bypasses UAC.

BrewManNH

It appears that RunAsRob needs the user to have local admin rights, at least for running the application, or am I misreading the documentation of it?


JohnOne

BrewManNH wrote: It appears that RunAsRob needs the user to have local admin rights, at least for running the application, or am I misreading the documentation of it?

I think so; it is also required to show the UAC prompt at least once, so whatever the endgame of the OP, it could easily be done by just disabling UAC.


AmbientMike

JohnOne wrote: I think so; it is also required to show the UAC prompt at least once, so whatever the endgame of the OP, it could easily be done by just disabling UAC.

If you read above, UAC really shouldn't (and in my case can't) be disabled in Windows 8 (which I am wanting to apply this to) because that breaks all Metro (Windows Store) apps completely, as they need to run in the virtual space UAC provides. Disabling UAC means they can't run the projects they are trying to build in Visual Studio, or any other native Windows 8 apps.

RunAsRob requires that an administrator set up the system and shortcuts to applications ahead of time (using RunAsRob's service mode), but then any standard user can run an app elevated to an account specified by the administrator without hitting the UAC prompt or credentials prompt. Much the same as I have done with wraithdu's modified scripts.

I am a desktop admin and I am setting the systems up so that our users can perform tasks requiring admin rights, UAC prompts and admin credential prompts.

Javik

AmbientMike wrote: I am a desktop admin and I am setting the systems up so that our users can perform tasks requiring admin rights, UAC prompts and admin credential prompts.

Ah yes, I believe I understand completely now, as I am a desktop admin also. There is no automatic self-update for Java, Firefox, Flash, Shockwave, Open Office, etc. etc. etc.

These are all "hey, there's an update! do you want to install? Oooooh, you need UAC elevation, too bad!"

This isn't a problem we should have to solve. The companies that make these many different programs need to get off their collective a$$es and design a backchannel self-updater mechanism that installs as a service during the initial administrative install process, and can self-update themselves on a preset schedule without user interaction or UAC elevation.

Or they could suck it up and ask Microsoft to distribute updates for them through the already established Windows Update / Microsoft Update mechanism.

A kludged way around it is that if you install the free WSUS update management system, you can generate your own Windows Update MSI packages with a free add-on tool that will apply updates via your local WSUS distribution server.

If you've got some money you can shell out a few thousand for Microsoft SCCM and there are people selling automatic 3rd party updater packages for SCCM that auto-update Firefox, Open Office, etc, for a price of say $4000 a year...

AmbientMike

We have SCCM and a WSUS server - in which case you'll ask me why the f*ck I am trying to resolve this task in this manner... Don't ask...

I'll spell it out completely so nobody can misunderstand what I am doing and what I initially asked.

Our Computer Science department has an upcoming module learning to code Windows Store & Phone 8 apps. For this you need Windows 8, Visual Studio 2012 and the Windows Phone 8 SDK. Microsoft also state that you need admin rights.

There are two pre-requisites here - our students CANNOT have admin rights, as our ISP demands it. So disconnect the PCs from the network - easy!!! No! The PCs need network access in order to register a developer account on the PC, and the user needs admin rights to perform this. You cannot code a Windows Store app in VS2012 unless you have a registered account (any Live account will do). We also have to have UAC enabled for the virtual environment for Windows Store apps to run in.

Therefore - as I've stated (and already fixed) - our students need to run application(s) as administrator, without UAC or requests for admin credentials getting in the way, to install and remove their developer accounts on the PC, just so that we can enable a course to be taught where Microsoft really don't want to be helpful and allow a user to register the developer account for their login only rather than for the whole computer.

Outside of that VS2012 seems to work perfectly happily as a standard user once an account has been registered with the PC.

Javik

Wow, that reminds me of Microsoft Kodu, a game development system "designed for children" that refuses to run without admin privileges.

We eventually ditched Kodu as a potential educational tool for teaching programming to high school students, due to the forced demand that users have admin privileges just to run it without crashing.

Javik

Also, I would recommend trying to probe exactly what is going on in the background on the system while registering a new VS2012 user account, using the free Microsoft Process Monitor tool.

The logs generated by Process Monitor will be ridiculously huge, tens of thousands of lines, but generally you are looking for any writes to HKEY_LOCAL_MACHINE, HKEY_CLASSES_ROOT, HKEY_CURRENT_CONFIG, or writes to the local hard drive outside of C:\Users\(username).

Also you can usually exclude generic unrelated processes from Process Monitor before starting the logging, like "iTunesUpdater", "svchost", "jucheck", "lsass" .... try not to exclude anything that may possibly be directly involved in creating the VS2012 user account.

You may be able to get the registration process to proceed for students without UAC elevation by finding those specific keys or hard drive locations, and enabling writing by either Everyone, or by a special domain security group assigned only to these particular programming students.

This way the writes to normally protected areas will succeed without any UAC elevation, and the user does not need to be given full local admin rights to do absolutely anything.

Unfortunately, Process Monitor is not very user friendly, and this is likely to take a few irritating hours of trying to dig through and interpret the log. It's possible you won't be able to figure out what needs UAC elevation and what specific local security needs to be loosened up to not need elevation.

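The Process Monitor approach in the post above, carried one step further as an added example (editor's code, not from the thread): once Procmon has shown which HKLM keys and which folders outside the profile the registration writes to, grant a dedicated student group write access to exactly those locations and verify the result, instead of handing out local admin or running a SYSTEM broker. In Procmon the quickest way to find them is the filter Result is ACCESS DENIED combined with Process Name is devenv.exe (Visual Studio's process), rather than reading every write. The group name and the two target paths below are assumptions; the refusal list exists because a user-writable Run key, Services key, Windows directory or Program Files directory is a privilege escalation, not a fix, and "Everyone" is deliberately not used.

```powershell
# Added example, not code from the thread. Grants one group write access to the
# specific locations Process Monitor showed the registration failing on, refuses
# locations where that grant would be a privilege escalation, and verifies the result.
# Run from an elevated prompt. Group and target paths are assumptions.

$Group   = 'LAB\VS-Students'                                   # assumed domain security group
$Targets = @(
    'HKLM:\SOFTWARE\Example\DevRegistration',                 # assumed: Procmon RegSetValue, ACCESS DENIED
    'C:\ProgramData\Example\DevRegistration'                  # assumed: Procmon CreateFile (Write), ACCESS DENIED
)

function Test-DangerousTarget {
    # True for locations where a write by users means code execution as a privileged principal.
    param([Parameter(Mandatory)][string]$Path)
    $bad = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*',
             'HKLM:\SYSTEM\CurrentControlSet\Services*',
             "$env:SystemRoot*", "$env:ProgramFiles*", "${env:ProgramFiles(x86)}*")
    foreach ($p in $bad) { if ($Path -like $p) { return $true } }
    return $false
}

function Grant-WriteAccess {
    # Adds an Allow ACE for $Identity. Registry keys get value/subkey rights only,
    # folders get Modify; neither grants ChangePermissions or TakeOwnership.
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Identity)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Not found: $Path" }
    $acl  = Get-Acl -LiteralPath $Path
    $prop = [Security.AccessControl.PropagationFlags]::None
    if ($Path -like 'HK*:*') {
        $rule = New-Object Security.AccessControl.RegistryAccessRule($Identity,
            'ReadKey, SetValue, CreateSubKey, Delete', 'ContainerInherit', $prop, 'Allow')
    } else {
        $rule = New-Object Security.AccessControl.FileSystemAccessRule($Identity,
            'Modify', 'ContainerInherit, ObjectInherit', $prop, 'Allow')
    }
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-GrantedAccess {
    # Post-change check: the Allow rights $Identity now holds on $Path, or $null if none.
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Identity)
    $rules = (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity -and $_.AccessControlType -eq 'Allow' }
    if (-not $rules) { return $null }
    $rights = $rules | ForEach-Object {
        if ($_.PSObject.Properties['RegistryRights']) { $_.RegistryRights } else { $_.FileSystemRights }
    }
    return ($rights -join ', ')
}

foreach ($t in $Targets) {
    if (Test-DangerousTarget -Path $t) {
        Write-Warning "Refusing $t : a user-writable location there is a privilege escalation"
        continue
    }
    Grant-WriteAccess -Path $t -Identity $Group
    "$t : $Group now holds $(Test-GrantedAccess -Path $t -Identity $Group)"
}
```

Get-Acl and Set-Acl on HKLM: need an elevated session. If Test-DangerousTarget fires on a location the application genuinely insists on, that is the signal to fall back to a broker or go back to the vendor, not to widen the grant; and as the next post notes, a step that also performs an online check will still need something more than an ACL change.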
AmbientMike

Well, as I've said, I've already got the PowerShell script that does the registering of accounts running as SYSTEM and interacting with the desktop, with a modified script linked to somewhere above, and I've also made an unregister script that runs during the login process so that one student's account isn't misused by another student. It works pretty much seamlessly - I just don't want to have to rely on this moving forward - although at least we don't have any plans on rolling out Windows 8 anywhere else but this one lab for a loooong time to come.

I should also say that we don't currently have SCCM 2012, so we can't manage Windows 8 machines with that; otherwise I suppose we could have created an SCCM advert that students could run to register an account, and that could have run with highest privileges.

EDIT - adding a developer account has an online check so I don't think just catching the registry and disk read / writes would cut it in order to bypass elevation.

jazzyjeff

AmbientMike, are you in a domain environment trying to run an application on an end user's machine as an admin?

I may have something that can help.
