need to get users to start an elevated command prompt

[aleph01]

This script doesn't seem to be doing it:

#include <Misc.au3>

Local $1 = 0

$1 = MsgBox (4,"Restart Service", "Do you wish to restart the RFID service?")
If $1 = 6 Then
    RunAs ("administrator", @ComputerName, "password", 2, "C:\Windows\system32\cmd.exe", "", @SW_MAXIMIZE)
    WinWait ("cmd.exe")
    Send ("net start ewSystemMonitor {ENTER}")
    Send ("net start Envisionware RFIDLink {ENTER}")
    Sleep (301)
    Send ("Exit {ENTER}")
Else
    Exit
EndIf

The above script apparently runs the command prompt without elevating it.  Does anyone have a simple helpful tip for me?

 

Thanks,

[Jos]

Why are you using option 2 for the 4th parameter in stead of 0?

Jos

[AspirinJunkie]

ShellExecute("cmd.exe", "", @WorkingDir, "runas")

but instead of trying to control the cmd-window with Send() you can do something like this:

ShellExecute(@ComSpec, "/c net start ewSystemMonitor & net start Envisionware RFIDLink", @WorkingDir, "runas")

Or you give your script and all programs which get run by it admin privileges with #RequireAdmin  

Edited September 21, 2017 by AspirinJunkie

[aleph01]

Jos,

Option 2 is a left-over remnant of when I was trying to get it to run with network admin credentials.  Is 0 the preferred option?

AspirinJunkie,  your solution pops up a UAC prompt with or without #RequireAdmin.

The RFID service crashes from time to time for no apparent reason.  I've tried an infinite loop of net start commands, but couldn't get it to work consistently on our staff computers.

[Jos]

13 minutes ago, aleph01 said:

Is 0 the preferred option?

Not 100% sure but sounds logical with a local account. Did you try?

Jos

[aleph01]

Yes, I've tried all the options.

[Jos]

There is probably a mixup between running it with an different userid (the Administrator account) and running with #RequireAdmin.

Jos

Edited September 22, 2017 by Jos

[aleph01]

I believe there is a GPO that will allow me to let users toggle services.  I can let them toggle the RFID service through a script on their desktops, so they don't even need to know they have access to services. 

Is this a flaw with RunAs?  It would be better to not have to enable access to services for my users.

[Jos]

3 hours ago, aleph01 said:

Is this a flaw with RunAs? 

Don't think so. RunAs() runs the program under the different credentials but that doesn't mean it runs the program Elevated. Normally the program's requestedExecutionLevel resource indicates the level it needs to be executed on. 

Look at AutoIt3Wrapper.au3 where I use the FUNC RunReqAdminDosCommand() to ensure it is elevated in case this is required.

Jos

Edited September 23, 2017 by Jos

[aleph01]

Thanks, Jos.  I'll try that function when I get a chance, probably tomorrow.  If I have trouble with it, I'll post back for advice.  If successful, I'll post my working code.

[aleph01]

Thanks for the try, Jos, but Func RunReqAdminDosCommand leaves me scratching my head.  It looks like a bunch of FileWriteLines with some FileDeletes thrown in.  I can't make the connection that will let me see how it can help me.

Still searching for code that will allow a standard user to start a service when they are normally not able to start or stop services.

[Jos]

What it does is pretty strait forward: It makes a temp scriptfile with a script that has @RequireAdmin in it to ensure it is running under at Administrator level.
You get the UAC prompt in case it isn't yet assuming UAC is enabled.

Jos

 

[aleph01]

Rethinking my approach, I've found a way to make this work.  I couldn't seem to get an elevated command prompt, so I run an elevated .bat flie.

#include <Misc.au3>

_Singleton("startRFIDServiceBat.exe", 0)

Opt("MustDeclareVars", 1)
Opt("WinTitleMatchMode", -2)

Local $1 = 0

$1 = MsgBox (4,"Restart Service", "Do you wish to restart the RFID service?")
If $1 = 6 Then
    RunAs ("administrator", @ComputerName, "password", 0, "C:\startRFID.bat", "", @SW_MAXIMIZE)
Else
    Exit
EndIf

and the .bat file is simplicity:

net start "ewSystemMonitor"
net start "EnvisionWare RFIDLink"
exit

I stopped the RFID service at one of our Ask Us Desk stations and the user there was able to restart it using the compiled script.

This problem is history.

Thanks,

[orbs]

@aleph01,

Windows permissions settings are extremely granular. you can even allow a specific user to perform only a specific action on a specific service. google "set permissions on a specific service" to get an options galore of doing so. the simplest approach (to my taste) might be using the command line tool subinacl.exe - look at the bottom of this article. this is a MS Resource Kit utility, which is also officially available for individual download here. i would definitely advise against banging your head against the elevation wall - especially when a much simpler solution exists.

[aleph01]

Thanks, orbs.  I'll look at subinacl.exe.  Right now I have it working with running an elevated .bat file.  To suggest a change now that it's been rolled out and is working would be a non-starter.  It might even get me into hot water working on an already approved solution, since I'm not supposed to work on any scripts off company time and we've got a solution in place.

I appreciate yours and all the other responses.  I still need to wrap my head around Jos' code.  I think I looked at it fleetingly, and didn't see how it was helping my issue.

Thanks to all.  May you all code more elegantly than ever before.   I know I am, thanks to y'all.  (SE US, got to use the vernacular.)

_aleph_