aleph01

need to get users to start an elevated command prompt

15 posts in this topic

This script doesn't seem to be doing it:

#include <Misc.au3>

Local $1 = 0

$1 = MsgBox (4,"Restart Service", "Do you wish to restart the RFID service?")
If $1 = 6 Then
    RunAs ("administrator", @ComputerName, "password", 2, "C:\Windows\system32\cmd.exe", "", @SW_MAXIMIZE)
    WinWait ("cmd.exe")
    Send ("net start ewSystemMonitor {ENTER}")
    Send ("net start Envisionware RFIDLink {ENTER}")
    Sleep (301)
    Send ("Exit {ENTER}")
Else
    Exit
EndIf

The above script apparently runs the command prompt without elevating it.  Does anyone have a simple helpful tip for me?

 

Thanks,


Meds.  They're not just for breakfast anymore. :'(

Share this post


Link to post
Share on other sites



#3 ·  Posted (edited)

ShellExecute("cmd.exe", "", @WorkingDir, "runas")

but instead of trying to control the cmd-window with Send() you can do something like this:

ShellExecute(@ComSpec, "/c net start ewSystemMonitor & net start Envisionware RFIDLink", @WorkingDir, "runas")

Or you give your script and all programs which get run by it admin privileges with #RequireAdmin  

Edited by AspirinJunkie

Share this post


Link to post
Share on other sites

Jos,

Option 2 is a left-over remnant of when I was trying to get it to run with network admin credentials.  Is 0 the preferred option?

AspirinJunkie,  your solution pops up a UAC prompt with or without #RequireAdmin.

The RFID service crashes from time to time for no apparent reason.  I've tried an infinite loop of net start commands, but couldn't get it to work consistently on our staff computers.


Meds.  They're not just for breakfast anymore. :'(

Share this post


Link to post
Share on other sites
13 minutes ago, aleph01 said:

Is 0 the preferred option?

Not 100% sure but sounds logical with a local account. Did you try?

Jos


Visit the SciTE4AutoIt3 Download page for the latest versions        Beta files                                                          Forum Rules
 
Live for the present,
Dream of the future,
Learn from the past.
  :)

Share this post


Link to post
Share on other sites

Yes, I've tried all the options.


Meds.  They're not just for breakfast anymore. :'(

Share this post


Link to post
Share on other sites

#7 ·  Posted (edited)

There is probably a mixup between running it with an different userid (the Administrator account) and running with #RequireAdmin.

Jos

Edited by Jos

Visit the SciTE4AutoIt3 Download page for the latest versions        Beta files                                                          Forum Rules
 
Live for the present,
Dream of the future,
Learn from the past.
  :)

Share this post


Link to post
Share on other sites

I believe there is a GPO that will allow me to let users toggle services.  I can let them toggle the RFID service through a script on their desktops, so they don't even need to know they have access to services. 

Is this a flaw with RunAs?  It would be better to not have to enable access to services for my users.


Meds.  They're not just for breakfast anymore. :'(

Share this post


Link to post
Share on other sites

#9 ·  Posted (edited)

3 hours ago, aleph01 said:

Is this a flaw with RunAs? 

Don't think so. RunAs() runs the program under the different credentials but that doesn't mean it runs the program Elevated. Normally the program's requestedExecutionLevel resource indicates the level it needs to be executed on. 

Look at AutoIt3Wrapper.au3 where I use the FUNC RunReqAdminDosCommand() to ensure it is elevated in case this is required.

Jos

Edited by Jos

Visit the SciTE4AutoIt3 Download page for the latest versions        Beta files                                                          Forum Rules
 
Live for the present,
Dream of the future,
Learn from the past.
  :)

Share this post


Link to post
Share on other sites

Thanks, Jos.  I'll try that function when I get a chance, probably tomorrow.  If I have trouble with it, I'll post back for advice.  If successful, I'll post my working code.


Meds.  They're not just for breakfast anymore. :'(

Share this post


Link to post
Share on other sites

Thanks for the try, Jos, but Func RunReqAdminDosCommand leaves me scratching my head.  It looks like a bunch of FileWriteLines with some FileDeletes thrown in.  I can't make the connection that will let me see how it can help me.

Still searching for code that will allow a standard user to start a service when they are normally not able to start or stop services.


Meds.  They're not just for breakfast anymore. :'(

Share this post


Link to post
Share on other sites

What it does is pretty strait forward: It makes a temp scriptfile with a script that has @RequireAdmin in it to ensure it is running under at Administrator level.
You get the UAC prompt in case it isn't yet assuming UAC is enabled.

Jos

 


Visit the SciTE4AutoIt3 Download page for the latest versions        Beta files                                                          Forum Rules
 
Live for the present,
Dream of the future,
Learn from the past.
  :)

Share this post


Link to post
Share on other sites

Rethinking my approach, I've found a way to make this work.  I couldn't seem to get an elevated command prompt, so I run an elevated .bat flie.

#include <Misc.au3>

_Singleton("startRFIDServiceBat.exe", 0)

Opt("MustDeclareVars", 1)
Opt("WinTitleMatchMode", -2)

Local $1 = 0

$1 = MsgBox (4,"Restart Service", "Do you wish to restart the RFID service?")
If $1 = 6 Then
    RunAs ("administrator", @ComputerName, "password", 0, "C:\startRFID.bat", "", @SW_MAXIMIZE)
Else
    Exit
EndIf

and the .bat file is simplicity:

net start "ewSystemMonitor"
net start "EnvisionWare RFIDLink"
exit

I stopped the RFID service at one of our Ask Us Desk stations and the user there was able to restart it using the compiled script.

This problem is history.

Thanks,


Meds.  They're not just for breakfast anymore. :'(

Share this post


Link to post
Share on other sites

@aleph01,

Windows permissions settings are extremely granular. you can even allow a specific user to perform only a specific action on a specific service. google "set permissions on a specific service" to get an options galore of doing so. the simplest approach (to my taste) might be using the command line tool subinacl.exe - look at the bottom of this article. this is a MS Resource Kit utility, which is also officially available for individual download here. i would definitely advise against banging your head against the elevation wall - especially when a much simpler solution exists.

Share this post


Link to post
Share on other sites

#15 ·  Posted

Thanks, orbs.  I'll look at subinacl.exe.  Right now I have it working with running an elevated .bat file.  To suggest a change now that it's been rolled out and is working would be a non-starter.  It might even get me into hot water working on an already approved solution, since I'm not supposed to work on any scripts off company time and we've got a solution in place.

I appreciate yours and all the other responses.  I still need to wrap my head around Jos' code.  I think I looked at it fleetingly, and didn't see how it was helping my issue.

Thanks to all.  May you all code more elegantly than ever before.   I know I am, thanks to y'all.  (SE US, got to use the vernacular.)

_aleph_


Meds.  They're not just for breakfast anymore. :'(

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now