@Username issue and temp access

[31290]

Hi everyone, 

I'm writing a tool that will help my technician adding a user in the local admin group. 

1- As the user, at first, is not part of the group, launching the .exe file ask for admin credentials. Thing is, whereas I'm using 

RunWait(@ComSpec & ' /c ' & 'Net LocalGroup Administrators' & @username & ' /add' ,"")

The @username macro is taking the admin user account in the variable instead of the current logged user one.

Do you know how can I face this and have the "real" username value returned?

2- do you guys think it's possible to give the admin access temporary? Maybe something to write in the reg? task scheduler? compare dates and execute a .exe? etc...?

Thanks in advance

-31290

[JLogan3o13]

There are a lot of ways to go about this; I am sure you'll get suggestions on 10 different ways to skin this particular cat. You could always parse the hivelist in the registry for the currently logged in user:

HKLM\SYSTEM\CurrentControlSet\Control\hivelist

You have to weed out the system profiles logged in, but it will leave you with the username of the currently logged in person:

\Registry\User\S-1-5-21-121076320-351217325-940726084-118988

-value-

\Device\HarddiskVolume2\Users\LoganJe\NTUSER.DAT

 

[31290]

Thanks for the reply.

Unfortunately, the user does not have access to regedit. When I login with my admin account, I don't even see his profile in the list. 
Attacking the registry via a "runas" would require too much time in the process. 

I found this:

#RequireAdmin

MsgBox(0, 0, @UserName)
MsgBox(0, 0, _GetUsername())

Func _GetUsername()
    Local $aResult = DllCall("Wtsapi32.dll", "int", "WTSQuerySessionInformationW", "int", 0, "dword", -1, "int", 5, "dword*", 0, "dword*", 0)
    If @error Or $aResult[0] = 0 Then Return SetError(1, 0, 0)
    Local $sUsername = BinaryToString(DllStructGetData(DllStructCreate("byte[" & $aResult[5] & "]", $aResult[4]), 1), 2)
    DllCall("Wtsapi32.dll", "int", "WTSFreeMemory", "ptr", $aResult[4])
    Return $sUsername
EndFunc   ;==>_GetUsername

But it totally screws up my script :/

[AutoBert]

59 minutes ago, 31290 said:

The @username macro is taking the admin user account in the variable instead of the current logged user one.

I can't ack this. Test this small script:

#RequireAdmin
MsgBox(64,'User',@username)

on my Win10 x64 i get the real username.

15 minutes ago, 31290 said:

Attacking the registry via a "runas" would require too much time in the process.

Why attacking? Has your Admin no rights to do this?

[BrewManNH]

Get the @Username into a variable BEFORE trying to use the user name in the command line.

[pluto41]

; This
Local $WSHNetwork = ObjCreate("Wscript.Network")
Local $sUsername = $WSHNetwork.UserName
ConsoleWrite ( $sUsername )


#cs or this script
; Or this (script i had in my repository, not written by me )
#include <Array.au3>

$un = _GetUsername()
;~ $un = StringLeft($un, stringlen($un) - 1)           ; <-- The solution

For $i = 1 To StringLen($un)
    $char = StringMid($un, $i, 1)
    ConsoleWrite(Asc($char) & " : >" & $char & "<" & @CRLF)
Next

$thing = StringLen($un) & " - 123" & String($un) & "456"

ConsoleWrite(@CRLF & $thing & @CRLF)

Func _GetUsername()
    Local $sUsername = ""
    Local $aResult = DllCall("Wtsapi32.dll", "int", "WTSQuerySessionInformationW", "int", 0, "dword", -1, "int", 5, "dword*", 0, "dword*", 0)
    If @error Or $aResult[0] = 0 Then Return SetError(1, 0, 0)
    Local $sUsername = BinaryToString(DllStructGetData(DllStructCreate("byte[" & $aResult[5] & "]", $aResult[4]), 1), 2)
    DllCall("Wtsapi32.dll", "int", "WTSFreeMemory", "ptr", $aResult[4])
    Return $sUsername
EndFunc   ;==>_GetUsername
#ce

Perhaps its not such a good practise to "temporary" add a user to the local admin group.. Anyway hope this code helps.

[JLogan3o13]

@pluto41 The first snippet you have will have the same problem; unless done before the RunAs it will show the elevated username.

The dllCall returns the correct user session, whether RunAs an elevated user or SYSTEM, but may be a bit of a kludge for what the OP is trying to accomplish.

[31290]

Hi Guys, 

Thanks for your answers but:

15 hours ago, BrewManNH said:

Get the @Username into a variable BEFORE trying to use the user name in the command line.

Thing is that Windows is asking for an elevated user account just to launch the software and take this user into account. The @Username macro take that account.
For example, the target username is "John Doe" and my admin account is "31290_a". @Username = "31290_a" for the entire execution.

15 hours ago, AutoBert said:

#RequireAdmin MsgBox(64,'User',@username)

Same story. Windows asks for admin credentials and the msgbox returns "31290_a"

 

15 hours ago, AutoBert said:

15 hours ago, 31290 said:

Attacking the registry via a "runas" would require too much time in the process.

Why attacking? Has your Admin no rights to do this?

My admin account has rights to do that but again, when launching regedit.exe windows asks for admin credentials and I can't see the user's hive and profile in the registry.

Of course, this is the same thing for all other macros > @DesktopDir / @AppdataDir / etc.

The only one that is showing the good path is @WorkingDir. Here, I have the username as :"C:\Users\USERNAME\Google Drive\..."
Thing is, the username is not the same and it's length is variable but always contained after "C:\Users\" and before "\Google Drive" (or "\Desktop"). I was thinking about _StringBetween but how to handle the username properly? Is it reliable?

Thanks

 

[AutoBert]

2 minutes ago, 31290 said:

Same story. Windows asks for admin credentials and the msgbox returns "31290_a"

Then you need 3 scripts: 1. writing @username in ini etc. and starts 2. this uses runas for evelator and the 3. read the username from ini and execute the real job using this variable.

[31290]

26 minutes ago, AutoBert said:

Then you need 3 scripts: 1. writing @username in ini etc. and starts 2. this uses runas for evelator and the 3. read the username from ini and execute the real job using this variable.

Thanks but this won't work as well. Anything I'll execute on the user profile will ask for admin credentials and the @username macro will be set to my admin account...

[AutoBert]

11 minutes ago, 31290 said:

Thanks but this won't work as well. Anything I'll execute on the user profile will ask for admin credentials and the @username macro will be set to my admin account...

Users can't write to @AppDataCommonDir or any other place?

[31290]

1 minute ago, AutoBert said:

Users can't write to @AppDataCommonDir or any other place?

No sir :/ the only way to work on that is:

58 minutes ago, 31290 said:

The only one that is showing the good path is @WorkingDir. Here, I have the username as :"C:\Users\USERNAME\Google Drive\..."
Thing is, the username is not the same and it's length is variable but always contained after "C:\Users\" and before "\Google Drive" (or "\Desktop"). I was thinking about _StringBetween but how to handle the username properly? Is it reliable?

but not sure this would be easy considering that the user name can be at least 4 characters.

Thanks

[JLogan3o13]

3 hours ago, 31290 said:

My admin account has rights to do that but again, when launching regedit.exe windows asks for admin credentials and I can't see the user's hive and profile in the registry.

I guess I am not understanding this piece. If you run an application as another user, be it an admin or even the System account, you can still see the logged in user's hive in the registry. You are looking under HKEY_USERS, not HKEY_CURRENT_USER, right?

[31290]

1 hour ago, JLogan3o13 said:

I guess I am not understanding this piece. If you run an application as another user, be it an admin or even the System account, you can still see the logged in user's hive in the registry. You are looking under HKEY_USERS, not HKEY_CURRENT_USER, right?

Of Course  HKCU is my admin account

I'm starting to think about the  _StringBetween thing... I think that as long the tech launch the script from the user's desktop, it can be fine.
If you have any clue on that one, I'll take

Thanks

[31290]

Sorry for double post but I managed to find the solution

For the record, I did:

#include <Array.au3>
#include <String.au3>
#RequireAdmin

$Username = @WorkingDir

Local $aArray = _StringBetween(@WorkingDir, "C:\Users\", "\")

Msgbox (0,"",$aArray[0])

When compiling it and running it from the non-admin user's desktop, the msgbox now gives me the correct user name even when Windows asks me for admin credentials to run it. 

Now, have to find how to delete the user from the admin group 24/48h later without any tech intervention... Gonna be fun I think  If you guys have ideas, please share

Thanks!

-31290