tweakster2010

RequireAdmin question

4 posts in this topic

#1 ·  Posted (edited)

Hey guys,

 

I have a rather large program (in my mind large at this point) that I have written but out of the entire list of links that are access internally only 2 of them need to hit UAC, Policies on the machines are group controlled and on a domain so I am not going to interfere that way. Ideally what I am wanting to do is in the case of accessing Registry Editor and Command prompt, elevated with administrator IDs but only those 2 programs. The rest of them I have accessing just via administrator IDs.

Just a sample of how I have the code right now, but the question is how would i go about forcing only the same said 2 things to require UAC and not hit any other programs the same way? 

Case $CMD
    $iPID = RunAs(GuiCtrlRead($Username), "domain.com", GuiCtrlRead($Pass), 1, "C:\Windows\system32\cmd.exe")
    
Case $Print
    $iPID = RunAs(GuiCtrlRead($Username), "domain.com", GuiCtrlRead($Pass), 1, "mmc C:\Windows\system32\printmanagement.msc -s /computer:\\" & $RemotePCConnectedInsert)
    
Case $AD
    $iPID = RunAs(GuiCtrlRead($Username), "domain.com", GuiCtrlRead($Pass), 0, "mmc C:\Windows\System32\dsa.msc")
    

Case $Reg
    $iPID = RunAs(GuiCtrlRead($Username), "domain.com", GuiCtrlRead($Pass), 4, "C:\windows\regedit.exe")

Now I can use requireadmin at the top of the program but when doing a sharescreen (helping others using the program) i cannot access simple things it calls because all programs it is hitting are elevated and realistically I only want cmd and regedit elevated. I read on other posts and the help file about IsAdmin but I guess what I am missing is how to requireadmin just in those 2 cases. Any help is greatly appreciated :)

 

Edited by tweakster2010
corrected too many code tags

Share this post


Link to post
Share on other sites



#2 ·  Posted (edited)

If you have UAC then you absolutely cannot use RunAs to elevate - it won't work (it's a hangover from XP and a few other cases). You need to using shellexecute with a runas verb (this is what #requireadmin simulates). So if you want some parts of the program to be admin and some not then you need multiple scripts. Maybe a normal script that calls a second script (containing #requireadmin). You've probably seen this approach in some installers where they get halfway through before asking for admin rights - they are executing a second installer at this point (effectively).

I should probably update the docs for this because it catches everyone out. 

Edited by Jon

Share this post


Link to post
Share on other sites

You could either run a second program to run them, like Jon said, or use Ascend4nt's _RunWithReducedPrivileges on all but those two. The first option is better from a security standpoint (if your application doesn't need the rights, you shouldn't give them), but with the second there will only be one UAC dialog.

Share this post


Link to post
Share on other sites

Many thanks and i did see that was a recommended path i was just hoping i could lock it into just the one. :( Still love using Autoit for all my tasks, saves lives and time like crazy!

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now