runas error


kajuberdut

Hi,

I wrote a little script to watch for common USB flash drives with infected files and invoke a .bat to remove them if they exist. The problem is I'm using Windows Task Scheduler to make it runas administrator when a normal user logs on. The script works great if it's run as whatever user is logged in (assuming they have permissions), but seems to do nothing if it's run as administrator when a different user is logged in. I "borrowed" the section to check for USB devices from another script, so I don't really understand this section:

$strComputer = "."
$objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\cimv2")
$colEvents = $objWMIService.ExecNotificationQuery _
    ("Select * From __InstanceOperationEvent Within 5 Where " _
        & "TargetInstance isa 'Win32_LogicalDisk'")

While 1
    $objEvent = $colEvents.NextEvent
    If $objEvent.TargetInstance.DriveType = 2 Then
        Select
            Case $objEvent.Path_.Class()="__InstanceCreationEvent"

Richard Robertson

I believe that the non-current account is not receiving the new USB alert. Try saving a log every time a device is found and check if the admin account even sees the device.

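The logging check suggested in the reply above, as an added AutoIt example that is not part of the original thread: it records every `Win32_LogicalDisk` event together with the account that received it. The log file name and the helper names `_LogLine` and `_ComErrToLog` are assumptions.

```autoit
; Added diagnostic example, not the original poster's script.
; Assumptions: the log file name and the helpers _LogLine / _ComErrToLog.
Global Const $sLogFile = @ScriptDir & "\usbwatch_diag.log"

; Keep the handler object alive so COM failures are logged instead of lost.
Global $oComErr = ObjEvent("AutoIt.Error", "_ComErrToLog")

; Append one timestamped line tagged with the account running the script.
Func _LogLine($sText)
    Local $sStamp = @YEAR & "-" & @MON & "-" & @MDAY & " " & @HOUR & ":" & @MIN & ":" & @SEC
    FileWriteLine($sLogFile, $sStamp & " [" & @UserName & "] " & $sText)
EndFunc

Func _ComErrToLog($oError)
    _LogLine("COM error 0x" & Hex($oError.number) & ": " & $oError.windescription)
EndFunc

_LogLine("watcher started")

Global $objWMIService = ObjGet("winmgmts:\\.\root\cimv2")
Global $iErr = @error ; capture before another call resets it
If Not IsObj($objWMIService) Then
    _LogLine("could not connect to WMI, @error=" & $iErr)
    Exit 1
EndIf

; Same query as the posted script: poll every 5 seconds for disk events.
Global $colEvents = $objWMIService.ExecNotificationQuery( _
        "Select * From __InstanceOperationEvent Within 5 Where " _
        & "TargetInstance isa 'Win32_LogicalDisk'")
If Not IsObj($colEvents) Then
    _LogLine("event subscription failed")
    Exit 2
EndIf
_LogLine("subscribed to Win32_LogicalDisk events")

Global $objEvent
While 1
    $objEvent = $colEvents.NextEvent ; blocks until the next event arrives
    If Not IsObj($objEvent) Then
        _LogLine("NextEvent returned no event object, stopping")
        ExitLoop
    EndIf
    ; Log every event, removable or not, so nothing is filtered out yet.
    _LogLine($objEvent.Path_.Class() & " drive=" & $objEvent.TargetInstance.DeviceID _
            & " DriveType=" & $objEvent.TargetInstance.DriveType)
WEnd
```

Run it once interactively and once from the scheduled task, plug in a drive each time, and compare which account names and events appear in the log.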
kajuberdut

You're right, Richard. Any thoughts on how I might get it to work?

kajuberdut

Sorry for the double post, editing seems to be disabled.

I just tried running the .exe with a right click and "Run as" and it works fine. Something about having Windows Task Scheduler run it is what's not working. Unless anybody has some idea why that is, I'll just look for a different way to make it run on startup (maybe something as perverse as an au3.exe in the startup folder that runs my virus scan as administrator).
