colombeen

Windows + UAC + RunAS

13 posts in this topic

#1 ·  Posted (edited)

Hi guys

Has anyone here had this problem: UAC is enabled on your Win7 machine, you need to run an application as a different user, but since UAC is enabled the popup for elevation doesn't appear and so... nothing happens. I'm wondering if it could be fixed with an AutoIt script (instead of just using runas.exe from MS).

I'd like to create a script that uses startup params (passthrough) so that I could provide user, pass and app and make it start elevated.

Has anyone made something like this already? Is it even possible? Like, say, starting an HTA file under a different account but also elevated (without the right click, run as different user)?

thx

colombeen

In other words, I'd like to make a working replacement for Microsoft's RunAs.exe app.



@colombeen If you need to pass params at launch, you can always do the two-script hop, something like this:

 

#include <EditConstants.au3>
#include <GUIConstantsEx.au3>
#include <MsgBoxConstants.au3>

$hGUI = GUICreate("Run External App as Different Users", 600, 370)
GUISetState(@SW_SHOW)
GUISetFont(14, 400, Default, "Arial")

$lblUser = GUICtrlCreateLabel("UserName", 10, 5, 100, 20)
GUICtrlSetFont($lblUser, 11, 600, Default, "Arial")
$inpUser = GUICtrlCreateInput("", 10, 25, 580, 40)

$lblDomain = GUICtrlCreateLabel("Domain", 10, 85, 100, 20)
GUICtrlSetFont($lblDomain, 11, 600, Default, "Arial")
$inpDomain = GUICtrlCreateInput(@LogonDomain, 10, 105, 580, 40)

$lblPassword = GUICtrlCreateLabel("Password", 10, 165, 100, 20)
GUICtrlSetFont($lblPassword, 11, 600, Default, "Arial")
$inpPass = GUICtrlCreateInput("", 10, 180, 580, 40, $ES_PASSWORD) ; masked input

$lblFile = GUICtrlCreateLabel("Choose file to run", 10, 245, 180, 20)
GUICtrlSetFont($lblFile, 11, 600, Default, "Arial")
$inpFile = GUICtrlCreateInput("", 10, 260, 580, 40)

$btnLaunch = GUICtrlCreateButton("Browse", 10, 320, 80, 40)
$btnGo = GUICtrlCreateButton("Run", 510, 320, 80, 40)

While 1
    Switch GUIGetMsg()
        Case $GUI_EVENT_CLOSE
            Exit
        Case $btnLaunch
            $sFile = FileOpenDialog("Browse for File", @ScriptDir, "Exe (*.exe)")
            If Not @error Then GUICtrlSetData($inpFile, $sFile) ; keep the old path if the dialog was cancelled
        Case $btnGo
            ; $inpFile is a control ID, so read the control's text before testing it
            If GUICtrlRead($inpFile) <> "" Then
                ; logon flag 0 = no profile; the new process gets the other account's standard (unelevated) token
                RunAs(GUICtrlRead($inpUser), GUICtrlRead($inpDomain), GUICtrlRead($inpPass), 0, GUICtrlRead($inpFile))
                If @error Then MsgBox($MB_SYSTEMMODAL, "Run External App", "RunAs failed, @error = " & @error)
            Else
                MsgBox($MB_SYSTEMMODAL, "Run External App", "Please specify the file first")
            EndIf
    EndSwitch
WEnd

 


22 minutes ago, JLogan3o13 said:

@colombeen If you need to pass params at launch, you can always do the two-script hop, something like this:

 

 

And will this work when the app you try to run requires elevation (=> UAC is enabled and needs to stay enabled)?


Does the user that you are trying to run the application under have permission to request elevation (Admin Token), e.g. is it in the local Administrators group? If not, this would not be possible without doing some workaround, such as: add the user to the local Admin group, run the application requesting the Admin Token as the user, remove the user from the local Admin group when the application is closed. To do all this would require an Admin account to initially run the script. A local Admin account would be the preferred method.

Also, for the admin accounts to not be prompted by a UAC login, ConsentPromptBehaviorAdmin would need to be set to $UAC_ELEVATE_WITHOUT_PROMPTING (0). Without this being set, the script will not run correctly, and you will have a UAC prompt waiting. Have a look at my UAC UDF for reading and changing UAC settings.

Here is an example using re-execution to get a script to have the Admin Token. It could be reworked to do what you are trying to do. You could then add ShellExecute or Run to the end of it to start whatever you would like.

 

 

Adam
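A pre-flight check for the points Adam raises above (local Administrators membership, EnableLUA, ConsentPromptBehaviorAdmin, and whether the current process already holds the admin token), added here as an example; it is not code from the thread or from AdamUL's UAC UDF. It only reads state and changes no UAC setting, and it assumes English `whoami` output; the function names `_UacPolicy`, `_AdminGroupState` and `_Verdict` are mine.

```autoit
; Added example, not from the thread: a read-only UAC pre-flight check that answers
; the questions raised above before you try to elevate anything.
#include <AutoItConstants.au3>
#include <MsgBoxConstants.au3>
#include <StringConstants.au3>

; Read the two UAC policy values from the registry. -1 means the value is absent.
Func _UacPolicy()
    Local $sKey = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    Local $aPol[2]
    $aPol[0] = RegRead($sKey, "EnableLUA")                  ; 1 = UAC on, 0 = off
    If @error Then $aPol[0] = -1
    $aPol[1] = RegRead($sKey, "ConsentPromptBehaviorAdmin") ; 0 = elevate without prompting
    If @error Then $aPol[1] = -1
    Return $aPol
EndFunc

; Run "whoami /groups" hidden and look for BUILTIN\Administrators (S-1-5-32-544).
; With UAC on, an admin's unelevated token still lists the group, but marked
; "Group used for deny only" (English output assumed); an elevated token does not.
Func _AdminGroupState()
    Local $iPid = Run(@ComSpec & " /c whoami /groups", "", @SW_HIDE, $STDOUT_CHILD)
    Local $sOut = ""
    While 1
        $sOut &= StdoutRead($iPid)
        If @error Then ExitLoop          ; pipe closed: the child has exited
    WEnd
    Local $aLine = StringRegExp($sOut, "(?m)^(.*S-1-5-32-544.*)$", $STR_REGEXPARRAYMATCH)
    If @error Then Return "NotMember"    ; SID absent: the account is not a local admin at all
    If StringInStr($aLine[0], "deny only") Then Return "MemberFiltered" ; admin, but this process is not elevated
    Return "MemberFull"                  ; admin and elevated (or UAC switched off)
EndFunc

; Turn the findings into the advice given in this thread.
Func _Verdict()
    Local $aPol = _UacPolicy(), $sGrp = _AdminGroupState()
    Local $s = "EnableLUA=" & $aPol[0] & "  ConsentPromptBehaviorAdmin=" & $aPol[1] & _
               "  IsAdmin()=" & IsAdmin() & "  Administrators: " & $sGrp & @CRLF
    If $sGrp = "NotMember" Then Return $s & "Not a local admin: a runas request will prompt for another admin's credentials."
    If $sGrp = "MemberFiltered" Then Return $s & "Local admin with a filtered token: re-launch with #RequireAdmin or the runas verb."
    Return $s & "Already running with the admin token."
EndFunc

MsgBox($MB_ICONINFORMATION, "UAC pre-flight", _Verdict())
```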

 

 


#5 ·  Posted (edited)

You can use PAEXEC to start a process as the system user (with elevated permissions) and run it in the user's session. They would not be able to interact with it, though.

I recently created a little app that does what I just mentioned, and there is another, non-elevated app that just runs in the systray and can communicate (file transfers) with the elevated app. That way the user can 'interact' with it (start jobs). The elevated app can then still see all the handles in the user's session.


In my case I normally use a shortcut that uses runas to start our Active Directory (C:\Windows\System32\dsa.msc).

But ever since UAC was enabled it doesn't work anymore. I need to shift + right click on the app directly and click on "run as a different user".

That's my issue with a lot of apps ever since the UAC change, and I was hoping that there was a fix for that.


#7 ·  Posted (edited)

On 3-5-2016 at 5:46 PM, AdamUL said:

...

 

Hi Adam, I'm just wondering... if I call a bat file from an elevated AutoIt script, will the bat file also be elevated, or will it still need its own UAC elevation?


Please don't quote the whole post just to add one line of text. Just use the "Reply to this topic" button, or reply in the editor box at the bottom. We already know what the other person wrote, so there's no need to repeat the whole thing.



The BAT file will be run under the elevation of the current user that ran the script, if they have the rights to request elevation. Do you have an idea of what you would like to try?

Adam

 

 


#10 ·  Posted (edited)

23 hours ago, AdamUL said:

The BAT file will be run under elevation of the current user, ...

One of the things that I'd like to make work again is:
I created a replacement app for Active Directory that also has some extra buttons to directly access computer management, printer management, ...
The AD app requires a different account than the currently logged-on user, so that app is started as a different user; the app is also elevated for UAC shizzle.
When I try to start the computer management msc it won't start anymore, ever since UAC was enabled, because it requires its own elevation and with that other account it just can't pop up the notification.

Another one is this:

I have an AutoIt script that now dynamically shows scripts placed in a specific directory (network location). The app is elevated.
Most of the scripts that it shows are bat or vbs files that change settings in the registry, stop/start/restart services on the system, ... (which requires elevation as well).
I need to know how to fix it so that when my bat/vbs files are called they won't fail because of the UAC elevation notice not popping up.
The usage of bat files etc. is so that every one of my co-workers can add stuff to it without needing to change the GUI (AutoIt script that only shows the files and starts them)...
In this case no other user is required.

I could give more examples but I think this will suffice :)


#11 ·  Posted

So what's the problem...you either tried it, and know it works, or you tried it and have a specific question because it didn't work.

The question posted is more a call for someone to test for you.



#12 ·  Posted

@jdelaney: at this point I've tried fixing the second part of my last post (batch files/vbs files called from an elevated AutoIt script), but so far I can't find a way to elevate whatever I call that doesn't ask for elevation by itself (like a bat file).

That's the most important one at this point.


#13 ·  Posted

Is the account that the AD tools run under in the local Administrators group on the PC that you are running them on? If not, that is why it will not work. Windows will not allow elevation on an account that is not a local admin. Please read up on UAC.

If you are just running the script under your account and not another account, then to cause the script to be elevated you need to have one of the following at the top of your script. Remember, any account that you want to run a process elevated must be in the local Administrators group on the PC, either explicitly or via a group.

;Re-executes the script, requesting elevation on the script's first run. Script can be compiled or not compiled.
#RequireAdmin

;Adds a request for elevation into the EXE manifest when the script is compiled using Aut2EXE.
#pragma compile(ExecLevel, requireAdministrator)

;Adds a request for elevation into the EXE manifest when the script is compiled using AutoIt3Wrapper installed with SciTE4AutoIt3.
#AutoIt3Wrapper_Res_requestedExecutionLevel=requireAdministrator

Also, you can make a process request elevation using ShellExecute or ShellExecuteWait with the "runas" verb from a non-elevated script. This will run under the user that started the script. If the user is not allowed to request elevation, it will prompt for credentials. Here are some examples.

;Elevated Command Prompt.
ShellExecute(@SystemDir & "\CMD.exe", "/k", "", "runas", @SW_SHOW)

;Elevated ADUC.
ShellExecuteWait(@SystemDir & "\dsa.msc", "", "", "runas", @SW_SHOW)

;Elevated BAT file.
ShellExecuteWait("C:\BAT Files\File.bat", "", "", "runas", @SW_SHOW)
ShellExecute("\\server\share\BAT Files\File.bat", "", "", "runas", @SW_SHOW)

Hope that helps.

 

Adam
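The "two-script hop" JLogan3o13 mentioned and the runas-verb elevation Adam shows, combined into one script that also passes user, domain and target as startup params as colombeen asked for; this is an added example, not code from the thread. It assumes that a process started with RunAs under the other account can itself request elevation with the runas verb (so the UAC consent or credential prompt is raised for that account), that the Secondary Logon service is running as it must be for runas.exe, and the names hop.exe, --hop2, _SelfCommand and _JoinArgs are mine.

```autoit
; Added example, not from the thread: the two-script hop in one script.
; Hop 1 runs as you and uses RunAs to start a copy of itself under the other account,
; unelevated (what runas.exe gives you). Hop 2 runs as that account and asks for the
; admin token with the "runas" verb, so the UAC prompt belongs to that account.
; Usage (hypothetical name): hop.exe <user> <domain> <target> [target arguments]
#include <AutoItConstants.au3>
#include <MsgBoxConstants.au3>
#include <StringConstants.au3>

; Command line that re-launches this script, whether or not it is compiled.
Func _SelfCommand($sArgs)
    If @Compiled Then Return '"' & @ScriptFullPath & '" ' & $sArgs
    Return '"' & @AutoItExe & '" "' & @ScriptFullPath & '" ' & $sArgs
EndFunc

; Re-quote $CmdLine items from index $iFrom onwards so they survive the next hop.
Func _JoinArgs($iFrom)
    Local $s = ""
    For $i = $iFrom To $CmdLine[0]
        $s &= '"' & $CmdLine[$i] & '" '
    Next
    Return StringStripWS($s, $STR_STRIPTRAILING)
EndFunc

If $CmdLine[0] >= 2 Then
    If $CmdLine[1] = "--hop2" Then
        ; Hop 2: we are the other account with a standard token. The runas verb hands
        ; the request to AppInfo, which shows the UAC prompt for this account.
        ShellExecute($CmdLine[2], _JoinArgs(3), "", "runas", @SW_SHOW)
        If @error Then MsgBox($MB_ICONERROR, "hop2", "Elevation refused or cancelled for " & $CmdLine[2])
        Exit
    EndIf
EndIf

If $CmdLine[0] < 3 Then
    MsgBox($MB_ICONERROR, "hop", "Usage: hop <user> <domain> <target> [args]")
    Exit 1
EndIf

; Hop 1: take the password from a masked prompt, never from the command line,
; where it would be visible to every process listing on the machine.
Local $sUser = $CmdLine[1], $sDomain = $CmdLine[2]
Local $sPass = InputBox("RunAs", "Password for " & $sDomain & "\" & $sUser, "", "*")
If @error Then Exit 1
; Load the account's profile (some MMC snap-ins need it); like runas.exe this relies on
; the Secondary Logon service and on the account's "log on locally" right.
RunAs($sUser, $sDomain, $sPass, $RUN_LOGON_PROFILE, _
        _SelfCommand("--hop2 " & _JoinArgs(3)), @SystemDir, @SW_SHOW)
If @error Then MsgBox($MB_ICONERROR, "hop", "RunAs failed for " & $sDomain & "\" & $sUser & " (@error=" & @error & ")")
```

If the other account is not a local admin, hop 2 gets the credential prompt Adam describes rather than a consent prompt, which is the expected behaviour, not a script error.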

 
