RequireAdmin question


Hey guys,

I have a rather large program (in my mind large at this point) that I have written, but out of the entire list of links that are accessed internally only 2 of them need to hit UAC. Policies on the machines are group controlled and on a domain so I am not going to interfere that way. Ideally what I am wanting to do is in the case of accessing Registry Editor and Command Prompt, elevated with administrator IDs but only those 2 programs. The rest of them I have accessing just via administrator IDs.

Just a sample of how I have the code right now, but the question is how would I go about forcing only the same said 2 things to require UAC and not hit any other programs the same way?

Case $CMD
    $iPID = RunAs(GuiCtrlRead($Username), "domain.com", GuiCtrlRead($Pass), 1, "C:\Windows\system32\cmd.exe")
    
Case $Print
    $iPID = RunAs(GuiCtrlRead($Username), "domain.com", GuiCtrlRead($Pass), 1, "mmc C:\Windows\system32\printmanagement.msc -s /computer:\\" & $RemotePCConnectedInsert)
    
Case $AD
    $iPID = RunAs(GuiCtrlRead($Username), "domain.com", GuiCtrlRead($Pass), 0, "mmc C:\Windows\System32\dsa.msc")
    

Case $Reg
    $iPID = RunAs(GuiCtrlRead($Username), "domain.com", GuiCtrlRead($Pass), 4, "C:\windows\regedit.exe")

Now I can use #RequireAdmin at the top of the program, but when doing a sharescreen (helping others using the program) I cannot access simple things it calls because all programs it is hitting are elevated, and realistically I only want cmd and regedit elevated. I read on other posts and the help file about IsAdmin, but I guess what I am missing is how to #RequireAdmin just in those 2 cases. Any help is greatly appreciated :)

Edited by tweakster2010
corrected too many code tags

  • Administrators

If you have UAC then you absolutely cannot use RunAs to elevate - it won't work (it's a hangover from XP and a few other cases). You need to use ShellExecute with a runas verb (this is what #RequireAdmin simulates). So if you want some parts of the program to be admin and some not then you need multiple scripts. Maybe a normal script that calls a second script (containing #RequireAdmin). You've probably seen this approach in some installers where they get halfway through before asking for admin rights - they are executing a second installer at this point (effectively).

I should probably update the docs for this because it catches everyone out. 

Edited by Jon

You could either run a second program to run them, like Jon said, or use Ascend4nt's _RunWithReducedPrivileges on all but those two. The first option is better from a security standpoint (if your application doesn't need the rights, you shouldn't give them), but with the second there will only be one UAC dialog.
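
A sketch of the two-script approach suggested in the replies above, added here as an example and not code from any poster in this thread. The file name ElevatedHelper and the argument keys "cmd" and "reg" are assumptions; the helper accepts only those two keys so the elevated process cannot be used to start anything else.

```autoit
; ElevatedHelper.au3 (hypothetical name) - compile to ElevatedHelper.exe.
; Only this helper carries #RequireAdmin, so only it triggers the UAC prompt;
; the main GUI script stays non-elevated.
#RequireAdmin

; Allowlist: map a short key to a fixed path. Anything else is rejected,
; so the elevated helper never runs a caller-supplied command line.
Func _ResolveTool($sKey)
    Switch StringLower($sKey)
        Case "cmd"
            Return @SystemDir & "\cmd.exe"
        Case "reg"
            Return @WindowsDir & "\regedit.exe"
    EndSwitch
    Return SetError(1, 0, "")
EndFunc

If $CmdLine[0] <> 1 Then Exit 2 ; expect exactly one argument

Local $sTool = _ResolveTool($CmdLine[1])
If @error Then Exit 3 ; key is not on the allowlist

If Not IsAdmin() Then Exit 4 ; elevation was declined or is unavailable

Run('"' & $sTool & '"')
If @error Then Exit 5 ; the tool could not be started
Exit 0

; --- In the main (non-elevated) script, inside the existing Switch ---
; Case $CMD
;     ShellExecute(@ScriptDir & "\ElevatedHelper.exe", "cmd")
; Case $Reg
;     ShellExecute(@ScriptDir & "\ElevatedHelper.exe", "reg")
```

Each launch of the helper produces its own UAC prompt, which is the trade-off mentioned in the last reply.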
