Jump to content
Sign in to follow this  
Jon

PowerShell script to self-elevate

Recommended Posts

I'm writing a set of PowerShell scripts/library for Windows 10 builds. One thing I often want to do is to browse to the location of a script that is part of a larger group of scripts and run it manually to do an install or make a one off change. So I like all my scripts to work well whether run from a task sequence or double-clicked in explorer.

Most of my build scripts rely on having admin rights so I like to make them able to self-elevate if required - or at least give an error message. In PowerShell 4.0 (Windows 8.1) they added the #Requires -RunAsAdministrator statement but this won't do it for you - it just causes the script to abort if not admin. 

Below is a PowerShell script that does the following:

  • Checks for admin rights using the Test-IsAdmin function
  • If not admin:
    • Get the full script path and working directory using the Get-UNCFromPath function
    • If the paths are mapped drives then get the UNC version (drive mappings are lost when elevating from user to admin in most configurations)
    • Execute PowerShell.exe with the UNC path of the script and the RunAs verb to trigger elevation. ExecutionPolicy is also set to Bypass on the command line. The working directory is also set to the UNC path version.
    • Waits for the new process to finish, and captures its return code
    • Exits using the same return code

Script is as follows:

# Test if admin
function Test-IsAdmin() 
{
    # Get the current ID and its security principal
    $windowsID = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $windowsPrincipal = new-object System.Security.Principal.WindowsPrincipal($windowsID)
 
    # Get the Admin role security principal
    $adminRole=[System.Security.Principal.WindowsBuiltInRole]::Administrator
 
    # Are we an admin role?
    if ($windowsPrincipal.IsInRole($adminRole))
    {
        $true
    }
    else
    {
        $false
    }
}


# Get UNC path from mapped drive
function Get-UNCFromPath
{
   Param(
    [Parameter(Position=0, Mandatory=$true, ValueFromPipeline=$true)]
    [String]
    $Path)

    if ($Path.Contains([io.path]::VolumeSeparatorChar)) 
    {
        $psdrive = Get-PSDrive -Name $Path.Substring(0, 1) -PSProvider 'FileSystem'

        # Is it a mapped drive?
        if ($psdrive.DisplayRoot) 
        {
            $Path = $Path.Replace($psdrive.Name + [io.path]::VolumeSeparatorChar, $psdrive.DisplayRoot)
        }
    }

    return $Path
 }


# Relaunch the script if not admin
function Invoke-RequireAdmin
{
    Param(
    [Parameter(Position=0, Mandatory=$true, ValueFromPipeline=$true)]
    [System.Management.Automation.InvocationInfo]
    $MyInvocation)

    if (-not (Test-IsAdmin))
    {
        # Get the script path
        $scriptPath = $MyInvocation.MyCommand.Path
        $scriptPath = Get-UNCFromPath -Path $scriptPath

        # Need to quote the paths in case of spaces
        $scriptPath = '"' + $scriptPath + '"'

        # Build base arguments for powershell.exe
        [string[]]$argList = @('-NoLogo -NoProfile', '-ExecutionPolicy Bypass', '-File', $scriptPath)

        # Add 
        $argList += $MyInvocation.BoundParameters.GetEnumerator() | Foreach {"-$($_.Key)", "$($_.Value)"}
        $argList += $MyInvocation.UnboundArguments

        try
        {    
            $process = Start-Process PowerShell.exe -PassThru -Verb Runas -Wait -WorkingDirectory $pwd -ArgumentList $argList
            exit $process.ExitCode
        }
        catch {}

        # Generic failure code
        exit 1 
    }
}


# Relaunch if not admin
Invoke-RequireAdmin $script:MyInvocation

# Running as admin if here
$wshell = New-Object -ComObject Wscript.Shell
$wshell.Popup("Script is running as admin", 0, "Done", 0x1) | Out-Null

 

Edited by Jon

Share this post


Link to post
Share on other sites

Well :: is used for static methods/properties in PHP, though I have to admit it's like a mixture of everything in there.


UDF List:

 
_AdapterConnections()_AlwaysRun()_AppMon()_AppMonEx()_ArrayFilter/_ArrayReduce_BinaryBin()_CheckMsgBox()_CmdLineRaw()_ContextMenu()_ConvertLHWebColor()/_ConvertSHWebColor()_DesktopDimensions()_DisplayPassword()_DotNet_Load()/_DotNet_Unload()_Fibonacci()_FileCompare()_FileCompareContents()_FileNameByHandle()_FilePrefix/SRE()_FindInFile()_GetBackgroundColor()/_SetBackgroundColor()_GetConrolID()_GetCtrlClass()_GetDirectoryFormat()_GetDriveMediaType()_GetFilename()/_GetFilenameExt()_GetHardwareID()_GetIP()_GetIP_Country()_GetOSLanguage()_GetSavedSource()_GetStringSize()_GetSystemPaths()_GetURLImage()_GIFImage()_GoogleWeather()_GUICtrlCreateGroup()_GUICtrlListBox_CreateArray()_GUICtrlListView_CreateArray()_GUICtrlListView_SaveCSV()_GUICtrlListView_SaveHTML()_GUICtrlListView_SaveTxt()_GUICtrlListView_SaveXML()_GUICtrlMenu_Recent()_GUICtrlMenu_SetItemImage()_GUICtrlTreeView_CreateArray()_GUIDisable()_GUIImageList_SetIconFromHandle()_GUIRegisterMsg()_GUISetIcon()_Icon_Clear()/_Icon_Set()_IdleTime()_InetGet()_InetGetGUI()_InetGetProgress()_IPDetails()_IsFileOlder()_IsGUID()_IsHex()_IsPalindrome()_IsRegKey()_IsStringRegExp()_IsSystemDrive()_IsUPX()_IsValidType()_IsWebColor()_Language()_Log()_MicrosoftInternetConnectivity()_MSDNDataType()_PathFull/GetRelative/Split()_PathSplitEx()_PrintFromArray()_ProgressSetMarquee()_ReDim()_RockPaperScissors()/_RockPaperScissorsLizardSpock()_ScrollingCredits_SelfDelete()_SelfRename()_SelfUpdate()_SendTo()_ShellAll()_ShellFile()_ShellFolder()_SingletonHWID()_SingletonPID()_Startup()_StringCompact()_StringIsValid()_StringRegExpMetaCharacters()_StringReplaceWholeWord()_StringStripChars()_Temperature()_TrialPeriod()_UKToUSDate()/_USToUKDate()_WinAPI_Create_CTL_CODE()_WinAPI_CreateGUID()_WMIDateStringToDate()/_DateToWMIDateString()Au3 script parsingAutoIt SearchAutoIt3 PortableAutoIt3WrapperToPragmaAutoItWinGetTitle()/AutoItWinSetTitle()CodingDirToHTML5FileInstallrFileReadLastChars()GeoIP databaseGUI - Only Close ButtonGUI ExamplesGUICtrlDeleteImage()GUICtrlGetBkColor()GUICtrlGetStyle()GUIEventsGUIGetBkColor()Int_Parse() & Int_TryParse()IsISBN()LockFile()Mapping CtrlIDsOOP in AutoItParseHeadersToSciTE()PasswordValidPasteBinPosts Per DayPreExpandProtect GlobalsQueue()Resource UpdateResourcesExSciTE JumpSettings INISHELLHOOKShunting-YardSignature CreatorStack()Stopwatch()StringAddLF()/StringStripLF()StringEOLToCRLF()VSCROLLWM_COPYDATAMore Examples...

Updated: 22/04/2018

Share this post


Link to post
Share on other sites

There appears to be a module in Windows 10 Powershell called AutoItX that includes Assert-AU3IsAdmin.  It returns 1 if run as administrator and 0 if not.  At least on my machine.  YMMV.


David Nuttall
Nuttall Computer Consulting

An Aquarius born during the Age of Aquarius

AutoIt allows me to re-invent the wheel so much faster.

I'm off to write a wizard, a wonderful wizard of odd...

Share this post


Link to post
Share on other sites

Hey, don't know if you are still looking for a solution, but if you past the following code at the beginning of your powershell script, it will elevate it for you

function Use-RunAs 
{    
    # Check if script is running as Adminstrator and if not use RunAs 
    # Use Check Switch to check if admin 
     
    param([Switch]$Check) 
     
    $IsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()` 
        ).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") 
         
    if ($Check) { return $IsAdmin }     
 
    if ($MyInvocation.ScriptName -ne "") 
    {  
        if (-not $IsAdmin)  
        {  
            try 
            {  
                $arg = "-file `"$($MyInvocation.ScriptName)`"" 
                Start-Process "$psHome\powershell.exe" -Verb Runas -ArgumentList $arg -ErrorAction 'stop'  
            } 
            catch 
            { 
                Write-Warning "Error - Failed to restart script with runas"  
                break               
            } 
            exit # Quit this session of powershell 
        }  
    }  
    else  
    {  
        Write-Warning "Error - Script must be saved as a .ps1 file first"  
        break  
    }  
} 
 
 
 
 
 
 
# Example 
Use-RunAs

(Rest of code goes here)

 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Similar Content

    • By rudi
      Hi,
      When a non compiled AU3 script is run with #RequireAdmin, then if the UAC prompt can be authorized due to the fact, that the currently loggedon user has local admin rights, then the macro @UserProfileDir correctly reflects the profile dir of the user of the windows logon session.
       
      When the script with #RequireAdmin is started by a "normal user" without local admin rights, and I use a domain admin account to authorize the UAC prompt, then @UserProfileDir reflects the profile dir belonging to the AD-Admin account.
      As the script originally was started using the "regular user" I'm wondering, if there is a chance to "pass" the original user's @UserProfileDir to the UAC elevated script?
       
      As playing around with this feature I realize, that I basically don't know the exact mechanism of the UAC elevation authorization process:
      The script is started by right mouse click, execute script This is invoking e.g. "C:\Program Files (x86)\AutoIt3\AutoIt3.exe" "C:\Users\Rudi\Desktop\test.au3" as by this registy value: Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\AutoIt3Script\Shell\Run\Command] @="\"C:\\Program Files (x86)\\AutoIt3\\AutoIt3.exe\" \"%1\" %*" But what I honestly don't know is, how does the UAC propt interact in the program startup? I guess, that Autoit3.exe is parsing the AU3 source, is seeing the #RequireAdmin and then "relaunches itself with the AU3 as %1" requesting UAC elevated rights "from windows"??? With Process Explorer I can see, that The commandline then is this one with a "!" before "%1"
      "C:\Program Files (x86)\AutoIt3\AutoIt3.exe" !"C:\Users\Rudi\Desktop\test.au3"  It it should be something like this, then it might be possible to pass the original @UserProfileDir to the second, UAC elevated "Startup"??? <edit>
      I just noticed:
      When I use "WIN+R" and then directly use the command line, I see in Process Explorer, ...
      "C:\Program Files (x86)\AutoIt3\AutoIt3.exe" !"C:\Users\Rudi\Desktop\test.au3"
      ... then this script with #RequireAdmin is started *WITHOUT* UAC elevation.
      Guessing, that this ! is just reverting #RequireAdmin I tried the "opposite" one as well:
      AU3 script without #RequireAdmin Starting with "C:\Program Files (x86)\AutoIt3\AutoIt3.exe" !"C:\Users\Rudi\Desktop\test.au3" does not invoke UAC elevation prompt. So to me it looks like, this ! is a "status flag from Autoit3.exe to Autoit3.exe", that the elevation process was done already? amazing...
      the topic Autoit on Windows Vista is telling no details of  this UAC process...
      </edit>
       
      Regards, Rudi.
    • By Exit
      For my next project I would like to send files with "alternate data streams" by email in ZIP format.
      I can not use any external program like 7-Zip or WinRAR. (They would fit😥)
      Who knows how to create a ZIP file with "alternate data streams" included with the Powershell command "Compress-Archive"? 
      Here a test script:  (save as "ADSTester.cmd")
      @rem Try to create a zip file with alternate data streams (ADS) included @rem Housekeeping @cls @del ADSTester.zip >nul: @RD /S /Q Extracted >nul: @del ADSTester.txt >nul: @rem End of Housekeeping echo This is the ADSTester.txt file >ADSTester.txt echo This is the ADSTester.txt:Part1 file >ADSTester.txt:Part1 echo This is the ADSTester.txt:Part2 file >ADSTester.txt:Part2 dir /r ADSTester.txt @rem See the 3 files @rem **************************************************************** @rem **************************************************************** @rem Please alter the next lines to include the alternate data streams. powershell Compress-Archive -Path .\ADSTester.txt -Update -DestinationPath ADSTester.zip powershell Expand-Archive -Path ADSTester.zip -DestinationPath .\Extracted\ dir /r Extracted\ADSTester.txt @rem Only one file left :-( pause  
    • By ur
      Which Powershell command in the PowerCLI module for VMware ESX used to interact with UI apps?
       
      When I launch any exe/any exeutable using powercli on guest VM using powercli command.
      Invoke-VMScript, I am able to run them in the background but not in the foreground.
       
      i.e., UI apps are not launching but showing the background as running in the task manager.
       
      We need our UI Automation scripts to execute in the VM, but it is not working.
       
      We are able to do in virtualbox and hyper-v but not in vmware esx using powercli.
       
      Please suggest.
    • By ambad4u
      Hello and Good Day to All!
      I am trying to install .NET 3.5 on Windows 10 x64bit via autoit (via ShellExecuteWait + PowerShell).
      If I run this line, it will runs without issues:
      ShellExecuteWait('PowerShell.exe', '-executionpolicy Bypass -File "' & @ScriptDir & '\OJP83BU523.ps1' & '"') "OJP83BU523.ps1" contains: DISM /Online /Enable-Feature /FeatureName:NetFX3 /All /Source:D:\Sources\sxs /LimitAccess
      However, since I won't know in advance the drive letter of the "sources" folder, I created a script to generate a PowerShell Script to give a correct path for it.
      With the modified script below, PowerShell only blinks and nothing happens
      ShellExecuteWait('PowerShell.exe', '-executionpolicy Bypass -File "' & @ScriptDir & '\' & $filename & '"') or
      ShellExecuteWait('PowerShell.exe', '-executionpolicy Bypass -File "' & $filename & '"')  
      I wish I know the difference with "$filename" and "\OJP83BU523.ps1" usage, as for me, it should be the same.
      Attached is my entire autoit script.
      any help is appreciated!, many thanks in advance!
      test.au3
    • By JLogan3o13
      There are a number of posts on the forum regarding use of Selenium in AutoIt. I recently had a go at using the PowerShell Selenium module, and was amazed at how easy it is. Thought I would post an example here; if anyone is interested this could probably be incorporated into AutoIt code pretty easily. 
      Pre-Req - The true star of this script is the ChroPath extension, available for Edge, Chrome and FireFox. With it installed, you just click on the element, select Inspect, and then ChroPath generates the XPath to the element for you. Here is an example based on a simple form I created on one of my sites.
      $myForm = Start-SeChrome -StartURL "http://logancomputerser.com/Appointment.html" -Maximized $firstName = Find-SeElement -Driver $myForm -Timeout 30 -XPath "//input[@id='formElement_First']" $lastName = Find-SeElement -Driver $myForm -Timeout 30 -XPath "//input[@id='formElement_Last']" $address = Find-SeElement -Driver $myForm -Timeout 30 -XPath "//input[@id='formElement_Street1']" $city = Find-SeElement -Driver $myForm -Timeout 30 -XPath "//input[@id='formElement_City']" $zip = Find-SeElement -Driver $myForm -Timeout 30 -XPath "//input[@id='formElement_Zip']" $state = Find-SeElement -Driver $myForm -Timeout 30 -XPath "//select[@id='formElement_State']" $phoneDay = Find-SeElement -Driver $myForm -Timeout 30 -XPath "//input[@id='formElement_DaytimePhone']" $phoneNight = Find-SeElement -Driver $myForm -Timeout 30 -XPath "//input[@id='formElement_EveningPhone']" $email = Find-SeElement -Driver $myForm -Timeout 30 -XPath "//input[@id='formElement_liamE']" $user = Find-SeElement -Driver $myForm -Timeout 30 -XPath "//input[@id='formElement_48564']" $pw = Find-SeElement -Driver $myForm -Timeout 30 -XPath "//input[@id='formElement_f403c']" $submit = Find-SeElement -Driver $myForm -Timeout 30 -XPath "//input[@id='wstForm_Contact_Submit']" $reset = Find-SeElement -Driver $myForm -Timeout 30 -XPath "//input[@id='wstForm_Contact_Reset']" Send-SeKeys -Element $firstName -Keys "Joe" Send-SeKeys -Element $lastName -Keys "Blow" Send-SeKeys -Element $address -Keys "111 S. Main St." Send-SeKeys -Element $city -Keys "AnyCity" Send-SeKeys -Element $zip -Keys "90210" Send-SeKeys -Element $state -Keys "CA" Send-SeKeys -Element $phoneDay -Keys "555.867.5309" Send-SeKeys -Element $phoneNight -Keys "555.888.1212" Send-SeKeys -Element $email -Keys "1Adam12@gmail.com" Send-SeKeys -Element $user -Keys "JBlow" Send-SeKeys -Element $pw -Keys "MyPassword" Start-Sleep 1 Invoke-SeClick -Element $submit Stop-SeDriver -Driver $myForm  
      As mentioned, this is just another way to skin the cat, but I found it a pretty fast way to initiate some easy testing in Selenium, and have used it a couple of times in projects now, both straight through PowerShell and wrapped in AutoIt.
×
×
  • Create New...