runas error

[kajuberdut]

Hi,

I wrote a little script to watch for common USB flash drives with infected files and invoke a .bat to remove them if they exist. The problem is I'm using windows taskscheduler to make it runas administrator when a normal user logs on. The script works great if its run as whatever user is logged in (assuming they have permissions), but seems to do nothing if its run as administrator when a different user is logged in. I "borrowed" the section to check for USB devices from another script, so I dont really understand this section:

expandcollapse popup

$strComputer = "."
$objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\cimv2")
$colEvents = $objWMIService.ExecNotificationQuery _
    ("Select * From __InstanceOperationEvent Within 5 Where " _
        & "TargetInstance isa 'Win32_LogicalDisk'")

While 1
     $objEvent = $colEvents.NextEvent
    If $objEvent.TargetInstance.DriveType = 2 Then
        Select
            Case $objEvent.Path_.Class()="__InstanceCreationEvent"oÝ÷ Ù8^Â%zÇ+_¢YhÂËajy,v½©Üyú+¶¡zZZºÚ"µÍÕÈØÜØZ]ÈÜHTÐÚ]HÈH]XÝYÙXÚÈH]HÜÙZ[[ËÛÈHÙ[Y[ÝÙY^XÝ]ÈH]È[[ÝHØZY[ËÕHÛÛ[ÈÙ^H]ÚØÜHØØ]Y[ÛÛ[Y[È]HÝÛKÕH^XÝY[YH[ØØ][ÛÙ]ØÜ]Ú]Y^]ÛÎÔÙÜ[H[ËÕTÐØ]ÚË]]Ú]Ù]Ü[Û ][ÝÝ^ZXÛÛYI][ÝËJHØÚ[ÙHÈÈÈXZÙHH]]Ú]XÛÛÚXH[È^XÝ][ÛÛØ[   ÌÍÙ]XÙHH    ][ÝÉ][ÝÂÛØ[   ÌÍÛX[ÛÛXÚÙH  ][ÝÉ][ÝÂÛØ[   ÌÍÔÔÕH ][ÝÉ][ÝÂÛØ[   ÌÍÛ]ÙÛH    ][ÝÉ][ÝÂÛØ[   ÌÍÚY^ÜHH    ][ÝÉ][ÝÂÛØ[   ÌÍØHH    ][ÝÉ][ÝÂÛØ[   ÌÍÜÞÝ[HH   ][ÝÉ][ÝÂÛØ[   ÌÍÜ][ÛH ][ÝÉ][ÝÂÛØ[   ÌÍÚX
XHH ][ÝÉ][ÝÂÛØ[   ÌÍÜÝÚÜÝH ][ÝÉ][ÝÂÛØ[   ÌÍØ]]Ü[H    ][ÝÉ][ÝÂÛØ[   ÌÍØ[ÝÙH    ][ÝÉ][ÝÂÌÍÜÝÛÛ]H  ][ÝË][ÝÂÌÍÛØÓRTÙXÙHHØÙ]
    ][ÝÝÚ[YÛ]ÎÌLÉÌLÉ][ÝÈ [È ÌÍÜÝÛÛ]   [È ][ÝÉÌLÜÛÝ ÌLØÚ[]][ÝÊB[ÈÛX
HÐÛXHÝÙ[XÝY[ÈHXXBÛØ[    ÌÍÛX[ÛÛXÚÙH  ][ÝÉ][ÝÂÛØ[   ÌÍÔÔÕH ][ÝÉ][ÝÂÛØ[   ÌÍÛ]ÙÛH    ][ÝÉ][ÝÂÛØ[   ÌÍÚY^ÜHH    ][ÝÉ][ÝÂÛØ[   ÌÍØHH    ][ÝÉ][ÝÂÛØ[   ÌÍÜÞÝ[HH   ][ÝÉ][ÝÂÛØ[   ÌÍÜ][ÛH ][ÝÉ][ÝÂÛØ[   ÌÍÚX
XHH ][ÝÉ][ÝÂÛØ[   ÌÍÜÝÚÜÝH ][ÝÉ][ÝÂÛØ[   ÌÍØ]]Ü[H    ][ÝÉ][ÝÂ[[Â[È[PÚXÚÊ
NØÚXÚÜÈÜÝÜXÚ[ÝÈ[ÂRY[Q^ÝÊ  ÌÍÙ]XÙH [È ][ÝÐ]]Ü[[][ÝÊH[BIÌÍØ]]Ü[H  ][ÝÐ]]Ü[[][ÝÂQ[YRY[Q^ÝÊ  ÌÍÙ]XÙH [È ][ÝÓ]ÈÛ^I][ÝÊH[BIÌÍÛ]ÙÛH ][ÝÛ]ÙÛ^I][ÝÂQ[YRY[Q^ÝÊ ÌÍÙ]XÙH [È ][ÝÜÝÚÜÝ^I][ÝÊH[BIÌÍÜÝÚÜÝH   ][ÝÜÝÚÜÝ^I][ÝÂQ[YRY[Q^ÝÊ  ÌÍÙ]XÙH [È ][ÝÒX
XI][ÝÊBU[BIÌÍÚX
XHH ][ÝÚX
XI][ÝÂQ[YRY[Q^ÝÊ    ÌÍÙ]XÙH [È ][ÝÔ][Û^I][ÝÊH[BIÌÍÜ][ÛH   ][ÝÔ][Û^I][ÝÂQ[YRY[Q^ÝÊ  ÌÍÙ]XÙH [È ][ÝÜÞÝ[K^I][ÝÊH[BIÌÍÜÞÝ[HH   ][ÝÜÞÝ[K^I][ÝÂQ[YRY[Q^ÝÊ    ÌÍÙ]XÙH [È ][ÝÐKÉ][ÝÊH[BIÌÍØHH ][ÝØKÉ][ÝÂQ[YRY[Q^ÝÊ ÌÍÙ]XÙH [È ][ÝÒY^ÜKÉ][ÝÊH[BIÌÍÚY^ÜHH ][ÝÒY^ÜKÉ][ÝÂQ[YRY[Q^ÝÊ ÌÍÙ]XÙH [È ][ÝÓ]×ÑÛ^I][ÝÊH[BIÌÍÛ]ÙÛH   ][ÝÛ]ÙÛ^I][ÝÂQ[YRY[Q^ÝÊ ÌÍÙ]XÙH [È ][ÝÔÜÝ^I][ÝÊH[BIÌÍÔÔÕH   ][ÝÔÜÝ^I][ÝÂQ[YRY[Q^ÝÊ  ÌÍÙ]XÙH [È ][ÝÔPÖPÓT][ÝÊH[BIÌÍÛX[ÛÛXÚÙH   ][ÝÓX[ÐÛÛXÚÙ][ÝÂQ[YRY[Q^ÝÊ   ÌÍÙ]XÙH [È ][ÝÔXÞXÛY   ][ÝÊH[BIÌÍÛX[ÛÛXÚÙH    ][ÝÓX[ÐÛÛXÚÙ][ÝÂQ[Y[[Â[ÈÙÛ

BBBRY   ÌÍÛX[ÛÛXÚÙH  ][ÝÓX[ÐÛÛXÚÙ][ÝÈ[BBBP[ÝÙ
BBBQ[ÙRY   ÌÍÔÔÕH ][ÝÔÜÝ^I][ÝÈ[BBBP[ÝÙ
BBBQ[ÙRY   ÌÍÛ]ÙÛH    ][ÝÛ]ÙÛ^I][ÝÈ[BBBBP[ÝÙ
BBBQ[ÙRY   ÌÍÚY^ÜHH    ][ÝÒY^ÜKÉ][ÝÈ[BBBBP[ÝÙ
BBBQ[ÙRY   ÌÍØHH    ][ÝØKÉ][ÝÈ[BBBP[ÝÙ
BBBQ[ÙRY   ÌÍÜÞÝ[HH   ][ÝÜÞÝ[K^I][ÝÈ[BBBBP[ÝÙ
BBBQ[ÙRY   ÌÍÜ][ÛH ][ÝÔ][Û^I][ÝÈ[BBBP[ÝÙ
BBBQ[ÙRY   ÌÍÚX
XHH ][ÝÚX
XI][ÝÈ[BBBP[ÝÙ
BBBQ[ÙRY   ÌÍÜÝÚÜÝH ][ÝÜÝÚÜÝ^I][ÝÈ[BBBP[ÝÙ
BBBQ[Y[[Â[ÈZ
BBBRY   ÌÍØ[ÝÙH
[BBBBTÚ[^XÝ]UØZ]
    ][ÝÐÎÌLÔÙÜ[H[ÉÌLÕTÐØ]Ú ÌLÑÚ]Q^] ][ÝË  ][ÝÉ][ÝË    ÌÍÙ]XÙK ][ÝÛÜ[][ÝËÕ×ÒQJBBBBBQ[UÜ]S[J   ][ÝÐÎÌLÔÙÜ[H[ÉÌLÕTÐØ]Ú ÌLÕTÐØ]ÚÙË   ][ÝË  ÌÍÙ]XÙH [È ][ÝÈZYÙ  ][ÝÈ  [È ÌÍÛX[ÛÛXÚÙ   [È ][ÝÈ  ][ÝÈ  [È ÌÍÔÔÕ  [È ][ÝÈ  ][ÝÈ  [È ÌÍÛ]ÙÛ [È ][ÝÈ  ][ÝÈ  [È ÌÍÚY^ÜH [È ][ÝÈ  ][ÝÈ  [È ÌÍØH [È ][ÝÈ  ][ÝÈ  [È ÌÍÜÞÝ[H    [È ][ÝÈ  ][ÝÈ  [È ÌÍÜ][Û  [È ][ÝÈ  ][ÝÈ  [È ÌÍÚX
XH  [È ][ÝÈ  ][ÝÈ  [È ÌÍÜÝÚÜÝ  [È ][ÝÈ  ][ÝÈ  [È ÌÍØ]]Ü[ [È ][ÝÈÝXÙÜÙ[    ][ÝÈ  [ÈÔBBBBB[ÙØÞ
    ][ÝÔZY    ][ÝË  ][ÝÕ[È[ÝK[Ý]XÙHÈYHÛÝÚ[È[È[[ÝY  ][ÝÈ  [ÈÔ   [È ÌÍÛX[ÛÛXÚÙ   [ÈÔ   [È ÌÍÔÔÕ  [ÈÔ   [È ÌÍÛ]ÙÛ [ÈÔ   [È ÌÍÚY^ÜH [ÈÔ   [È ÌÍØH [ÈÔ   [È ÌÍÜÞÝ[H    [ÈÔ   [È ÌÍÜ][Û  [ÈÔ   [È ÌÍÚX
XH  [ÈÔ   [È ÌÍÜÝÚÜÝ  [ÈÔ   [È ÌÍØ]]Ü[ [ÈÔ   [È ][ÝÒY[ÝH[[ÝÚ]H[XÝYÙ[[ÝÛÛ]X^HH[XÝYXÙH[HÈØØ[][ÝÈ [ÈÔ   [ÈÔ   [ÈÔ   [È ][ÝÕTÐØ]ÚÈÜ][H
Ú[È]]Ú]ËI][ÝÊBBBBIÌÍÙ]XÙHH    ][ÝÉ][ÝÂBBBPÛX
BBBBNÒYÙHHÝÙ]È[K[ÝXYZ[ÈYYÈH[[Ý[ÙH]XÙKHÈHÜÜÚX[]H]HÙXÛÛÚ]HÚ[HÜÝ[YYÈH[XÝY]ÈYÙÙY[Ú[HHÝÈÝ[Ù[BBBBBBQ[ÙRY ÌÍØ[ÝÙH
È[BBB[ÙØÞ
    ][ÝÔXÙHÛÛXÝ[Ý]ÛÜÈYZ[Ý]Ü][ÝË   ][ÝÓÝØ[ÈÈHÚYÛYXØ[Ø[HÚ]È[XÝ[ÛÈ[ÙYHTÐÚ]KY[ÝHHÙZ[[ÝHÈÝÚÚÈ[[ÝHÙH[Î ][ÝÈ  [ÈÔ   [È ÌÍÛX[ÛÛXÚÙ   [È ][ÝÈ  ][ÝÈ  [È ÌÍÔÔÕ  [È ][ÝÈ  ][ÝÈ  [È ÌÍÛ]ÙÛ [È ][ÝÈ  ][ÝÈ  [È ÌÍÚY^ÜH [È ][ÝÈ  ][ÝÈ  [È ÌÍØH [È ][ÝÈ  ][ÝÈ  [È ÌÍÜÞÝ[H    [È ][ÝÈ  ][ÝÈ  [È ÌÍÜ][Û  [È ][ÝÈ  ][ÝÈ  [È ÌÍÚX
XH  [È ][ÝÈ  ][ÝÈ  [È ÌÍÜÝÚÜÝ  [È ][ÝÈ  ][ÝÈ  [È ÌÍØ]]Ü[ [È ][ÝÈ  ][ÝÈ  [ÈÔ   [ÈÔ   [È ][ÝÔXÙHÛÛXÝH]ÛÜÈYZ[Ý]ÜÈ][HÛÝÈÚKY[ÝH]HÚ[ÙY[ÝZ[XÙHØY[H[[ÝK[Z[Ù    ][ÝÈ  [È ÌÍÙ]XÙH [ÈÔ   [ÈÔ   [È ][ÝÈKU[È[ÝK][ÝÈ   [ÈÔ   [ÈÔ   [ÈÔ   [È ][ÝÕTÐØ]ÚÈÜ][H
Ú[È]]Ú]ËI][ÝÊBBBBIÌÍÙ]XÙHH    ][ÝÉ][ÝÂBBBPÛX
BBBQ[Y[[Â[È[ÝÙ
BÌÍØ[ÝÙHÙÐÞ
    ][ÝÕÈØØ[][ÝË ][ÝÕHÛÝÚ[È[ÈÛÚ]H   ][ÝÈ  [È ÌÍÙ]XÙH [È ][ÝÈ]HY[]XÝYÈØXHÙÎ   ][ÝÈ  [ÈÔ   [È ÌÍÛX[ÛÛXÚÙ   [ÈÔ   [È ÌÍÔÔÕ  [ÈÔ   [È ÌÍÛ]ÙÛ [ÈÔ   [È ÌÍÚY^ÜH [ÈÔ   [È ÌÍØH [ÈÔ   [È ÌÍÜÞÝ[H    [ÈÔ   [È ÌÍÜ][Û  [ÈÔ   [È ÌÍÚX
XH  [ÈÔ   [È ÌÍÜÝÚÜÝ  [ÈÔ   [È ÌÍØ]]Ü[ [ÈÔ   [È ][ÝÔXÙHÛXÚÈYÈÈ[ÝÈÙH[ÈÈH[[ÝY[ÝÛÛ[[ÈÚÝ[ÝHYXÝY][ÝÈ [ÈÔ   [ÈÔ   [ÈÔ   [È ][ÝÈUY[][ÝÊB[[ÂBB  ÌÍØÛÛ][ÈH ÌÍÛØÓRTÙXÙK^XÓÝYXØ][Û]YHÂ
    ][ÝÔÙ[XÝ
ÛH×Ò[Ý[ÙSÜ][Û][Ú][
HÚH    ][ÝÈ    [È ][ÝÕÙ][Ý[ÙHØH ÌÎNÕÚ[ÌÓÙÚXØ[ÚÉÌÎNÉ][ÝÊBÚ[HB   ÌÍÛØ][H ÌÍØÛÛ][Ë^][Y  ÌÍÛØ][Ù][Ý[ÙK]UHH[Ù[XÝØÙH    ÌÍÛØ][]ËÛÜÊ
OI][Ý××Ò[Ý[ÙPÜX][Û][    ][Ý  ÌÍÙ]XÙHH    ÌÍÛØ][Ù][Ý[ÙK]XÙRY  [È ][ÝÉÌLÉ][ÝÈÝÚ[H]XÙHÈÙ[YH[YHÈÙ]HÚ[ÝÜÈ[HXXH  ÌÍÙ]XÙHØ[HÙHÈY[ÙH]BBBQ[PÚXÚÊ
BBBBUÙÛ

BBBBTZ
BBBBBBPØÙH    ÌÍÛØ][]ËÛÜÊ
OI][Ý××Ò[Ý[ÙQ[][Û][  ][ÝÂBBB[Ù[XÝ[YÑ[Õ[ÜÈÈ]]ÜÙHTÐ[Û]ÜØÜÙY
[Y
KØÜÂHÛÝÚ[È]ÙY[HÈÚYÛYÈHH]]ÚØÜÙ[[È[ÎÌLÔÙÜ[H[ÉÌLÕTÐØ]ÚHÜÙHÙÚXÚÈÈÚ[ÙHH]X]ÈÙ[HÝÜXÚ[ÝÈ[ÈÝY[[[]H[KÑ _]XXHÈZ
]]Ü[[]XXHÈZ
][ÝÓ]ÈÛ^I][ÝÊ]XXHÈZ
ÝÚÜÝ^J]XXHÈZ
X
XJ]XXHÈZ
][Û^J]XXHÈZ
ÞÝ[K^J]XXHÈZ
KÊ]XXHÈZ
Y^ÜKÊ]XXHÈZ
[Ë^J]XXHÈZ
][ÝÓ]×ÑÛ^I][ÝÊ]XXHÈZ
ÜÝ^J]XÑÔÈXHÈZ
XÞXÛ]XÑÔÈXHÈZ
XÞXÛY
[ÑÔH]]Ü[[    ][ÝÓ]ÈÛ^I][ÝË ][ÝÓ]×ÑÛ^I][ÝËÝÚÜÝ^KX
XK][Û^KÞÝ[K^KKËY^ÜKË[Ë^KÜÝ^B[ÑÔHXÛXÙ[ÑÔHXÞXÛYØÙ

[Richard Robertson]

I believe that the non-current account is not receiving the new USB alert. Try saving a log every time a device is found and check if the admin account even sees the device.

[kajuberdut]

Your right Richard. Any thoughts on how I might get it to work?

[kajuberdut]

Sorry for the double post, editing seems to be disabled.

I just tried running the .exe with a right click and run as and it works fine. Something about having windows tasks scheduler run it is whats not working. Unless anybody has some idea why that is, I'll just look for a different way to make it run on start up (maybe something as perverse as a au3.exe in the start up folder that runs my virus scan as administrator.)