Problem with admin rights using runas on a batch file

[Neutro]

Hey guys,

I'm trying to launch a batch file as an administrator with autoit on windows 8.1.

This batch file is doing several things to automaticly setup new computers in our company, like disableing windows firewall, adding registry keys...

I know i could do this only using autoIT without the batch file but since all the work has already been done in the batch file, it would save me a lot of time if I could make this work without rewriting everything with autoit.

Here is the code i'm using:

#RequireAdmin

if isadmin() == 0 then msgbox("","","no admin rights!")

RunAsWait("userlogin","userdomain", "userpassword", 0, "\\server\path_to_batch\batch.bat")

 

The batch file is launching properly when running the above autoit script but without administrator rights. I'm getting "not enough priviledges" error messages when trying to disable windows firewall using the batch file for example.

When I launch the batch file using right click -> run as administrator when logged as "userlogin", it works without any problems.

Any idea?

Thanks!

[Neutro]

Well I spent hours trying to solve this problem with no luck.

The above code is working properly on Win7 but not on Win8.

Only solution I found is to open C:\Windows\System32\ in explorer, find cmd.exe, make autoit right click on, click "run as administrator" then launch the batch file from there.

Not clean but at least it's working!

Edited January 20, 2014 by Neutro

[AdamUL]

This is due to the RunAs function only running a process as another user.  It does not give the process full admin rights, the admin token, even if the run as user is an admin.  This requires another approach, such as using ShellExcute with the "runas" verb.  

 

Adam

[Neutro]

It does on win7!

The problem only exists on win8.

[AdamUL]

Are you sure?  On Win 7 you tested with, do you have UAC turned off, or changed some Win 7 UAC registry settings with UAC turned on?  I have seen this same issue on Win 7, as well as Win 8 and 8.1, with UAC turned on.    

For your Win 7 and Win 8.1, test boxes, what are the following values for the keys under the following key HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem? 

-FilterAdministratorToken

-ConsentPromptBehaviorAdmin

-EnableLUA

 

After a little testin, give the following function a try.  

_ShellExecuteWaitAsAdmin("userlogin","userdomain", "userpassword", 0, "\\server\path_to_batch\batch.bat")

Func _ShellExecuteWaitAsAdmin($sUserName, $sDomain, $sPassword, $iLogonFlag, $sFile, $sParamters = "")

    Local $sCmd = ' /AutoIt3ExecuteLine "ShellExecuteWait(''' & $sFile & ''', ''' & $sParamters & ''', '''', ''runas'')"'
    Return RunAsWait($sUserName, $sDomain, $sPassword, $iLogonFlag, @AutoItExe & $sCmd)

EndFunc

Adam

Edited January 22, 2014 by AdamUL

[Neutro]

Thanks for your answer Adam.

I don't have time to test this further at work right now but will do later

[AdamUL]

Glad I could help.  Let me know if it works for you.  

 

Adam

[teshko]

Hi, I started using autoit few days ago, and I love it.

Unfortunately I believe I've run into the same issue on win 8.1 x64.

My script won't modify/create Registry entries. Niether RegWrite nor Run(@ComSpec & ' /c regedit /s "' works. Also saving files (FileOpen/FileWrite) in protected directories doesn't work, though FileCreateShortcut and FileCopy works fine.

Here's my script (work in progress): http://pastebin.com/3xvRb0zR

I haven't tested it on windows 7 yet.

Edited January 27, 2014 by teshko

[teshko]

Update: http://pastebin.com/AkdqB2cX

I tested fixed script on Windows 7 SP1 32bit and it works fine. On Windows 8.1 registry is not modified. (I had a dumb typo when doing a FileOpen test)

[AdamUL]

Is your script compiled as 64-bit or 32-bit?  Are you sure that the registry is not modified?  Did you look at the keys under the "Wow6432Note"? What are the following values for the keys under the following key HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem? 

-FilterAdministratorToken

-ConsentPromptBehaviorAdmin

-EnableLUA

 

Also, for running under a 64-bit system, please look at "Running under Windows 64-bit Edition" from the help file.  

 

 

Adam

[teshko]

Thank you Adam, that was it. I am running 32 bit on 64 bit for compatibility.

My keys were written to: HKEY_LOCAL_MACHINESOFTWAREWow6432NodeMicrosoftCryptographyCalaisSmartCards instead of HKEY_LOCAL_MACHINESOFTWAREMicrosoftCryptographyCalaisSmartCards

For whatever it means (reg query ...):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA    REG_DWORD    0x1
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5
    FilterAdministratorToken    REG_DWORD    0x0

For reference I fixed with similar to this: 

Local $sRegKey = "\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\SynchrotekID"
If @OSArch = "X64" Then
    $sRegKey = "HKLM64" & $sRegKey
Else
    $sRegKey = "HKLM" & $sRegKey
EndIf

RegWrite($sRegKey)
RegWrite($sRegKey, "80000001", "REG_SZ", $InstallDir & "\opensc-minidriver.dll")
RegWrite($sRegKey, "ATR", "REG_BINARY", Binary("0x3BF81800008031FE450073C8401000900091"))
RegWrite($sRegKey, "ATRMask", "REG_BINARY", Binary("0xffffffffffffffffffffffffffffffffffff"))
RegWrite($sRegKey, "Crypto Provider", "REG_SZ", "Microsoft Base Smart Card Crypto Provider")
RegWrite($sRegKey, "Smart Card Key Storage Provider", "REG_SZ" ,"Microsoft Smart Card Key Storage Provider")

[AdamUL]

Your welcome, glad I could help.  

Since you was thinking it was an admin rights issue, I wanted to see what your UAC settings were, and they are located under HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem.  

 

Adam