How to mimic UAC Style prompt locking with vbscript

    Question

  • Hey !!

    I would like to be able to lock the computer to a specific prompt till it is filled (like UAC does) for security logging purposes.

    Anyone have an idea how I can achieve this?

    Sunday, 26 February 2012 09:17

Answers

  • I'm not trying to prevent users from logging in, just get extra information about why they DID log in; it's more auditing than security, but it's extra info we want to have...

    What you are asking to do is normally a function of auditing and security. Why add another layer that will have to be maintained when you can just use built in system mechanisms.


    ¯\_(ツ)_/¯

    • Proposed as answer by Bill_Stewart (Moderator), Monday, 27 February 2012 18:41
    • Marked as answer by Ory Shiloah, Tuesday, 28 February 2012 05:24
    Monday, 27 February 2012 06:44

All replies

  • There is no real way to create a fake UAC prompt, as there is not any method you can call. What you can do is elevate your own script, assuming it is not already elevated. Using something like this:

    Set objShell = CreateObject("Shell.Application")
    Set FSO = CreateObject("Scripting.FileSystemObject")
    strPath = FSO.GetParentFolderName(WScript.ScriptFullName)
    If FSO.FileExists(strPath & "\MAIN.VBS") Then
        objShell.ShellExecute "wscript.exe", _
            Chr(34) & strPath & "\MAIN.VBS" & Chr(34), "", "runas", 1
    Else
        MsgBox "Script file MAIN.VBS not found"
    End If

    source


    What are you trying to achieve exactly, and what scripting language do you prefer? Because if it is just an input box you require which pauses the script, that is relatively easy to achieve in any scripting language.

    Sunday, 26 February 2012 10:04
  • Using something like this:

    Set objShell = CreateObject("Shell.Application")
    Set FSO = CreateObject("Scripting.FileSystemObject")
    strPath = FSO.GetParentFolderName(WScript.ScriptFullName)
    If FSO.FileExists(strPath & "\MAIN.VBS") Then
        objShell.ShellExecute "wscript.exe", _
            Chr(34) & strPath & "\MAIN.VBS" & Chr(34), "", "runas", 1
    Else
        MsgBox "Script file MAIN.VBS not found"
    End If

    source

    You can elevate a script without relying on an external .vbs file MAIN.VBS, using this "boot-strap" method:

    '-----------------------------------
    'Elevate a script before running it.
    '25.2.2011 FNL
    '-----------------------------------
    If WScript.Arguments.Count = 0 Then
        ElevateUAC
    Else
        'Your own VBS code goes here
        Set oFSO = CreateObject("Scripting.FileSystemObject")
        Set oFile = oFSO.CreateTextFile("c:\Windows\test.txt", True)
        oFile.WriteLine("The quick brown fox")
        oFile.Close
    End If

    '-------------------------------------------------
    'Invoke the above script under elevated privileges
    '-------------------------------------------------
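    Sub ElevateUAC
       Set oShell = CreateObject("Shell.Application")
       'Quote the script path so a path containing spaces is passed intact;
       'the trailing "|" is a dummy argument that marks the elevated run.
       oShell.ShellExecute "wscript.exe", Chr(34) & WScript.ScriptFullName & Chr(34) & " |", , "runas", 1
    End Sub

    Sunday, 26 February 2012 10:24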
  • Hey !!

    I would like to be able to lock the computer to a specific prompt till it is filled (like UAC does) for security logging purposes.

    Anyone have an idea how I can achieve this?

    You cannot do this in script.  It can be done through API calls.

    What UAC does is create a second desktop and unconditionally switch to it and post a modal dialog.  This can be cancelled but cannot be 'looked-away' from.

    There are command-line utilities which can switch to a new blank desktop and execute a program or script.  If the script then posts a modal dialog you will have a situation similar to what you are looking for.

    If you want to use this to steal passwords then it will not likely work as expected.  If you just want to force the user's attention then it will lock the computer screen until the user either hits Cancel (if available) or OK or uses Ctrl-Alt-Del, which will also cancel the dialog.

    If the dialog is canceled and the script or program ends you will be left on the blank desktop with no obvious method for returning to the original desktop.  Be sure your script warns about aborting the dialog and be sure it switches the desktop back before exiting.  Some utilities allow you to set a switch that automatically returns to the original desktop when the called program exits.  If your utility has this then use it.


    ¯\_(ツ)_/¯

    Sunday, 26 February 2012 18:21
  • First of all, thank you for your time!

    Actually the method you describe with switching the desktops sounds spot on.

    I'm looking to force users to supply a reason for logging into specific servers to audit unprivileged use and maintenance tasks done by administrators, and hence we are dealing with "users" I would like it to be a bit more aggressive with acquiring the information I want...

    Could you please recommend a way to revert users to a blank desktop and only a prompt?

    (VBScript preferred, but anything that works and isn't too hard to understand will do, I guess :)

    Sunday, 26 February 2012 20:29
  • First of all, thank you for your time!

    Actually the method you describe with switching the desktops sounds spot on.

    I'm looking to force users to supply a reason for logging into specific servers to audit unprivileged use and maintenance tasks done by administrators, and hence we are dealing with "users" I would like it to be a bit more aggressive with acquiring the information I want...

    Could you please recommend a way to revert users to a blank desktop and only a prompt?

    (VBScript preferred, but anything that works and isn't too hard to understand will do, I guess :)

    I can only recommend searching the net for a desktop switcher.

    The method you are trying to create will not prevent users from logging into a resource by other means.

    What you are asking to do is normally a function of auditing and security. Why add another layer that will have to be maintained when you can just use built in system mechanisms.


    ¯\_(ツ)_/¯

    Sunday, 26 February 2012 20:47
  • First of all, thank you for your time!

    Actually the method you describe with switching the desktops sounds spot on.

    I'm looking to force users to supply a reason for logging into specific servers to audit unprivileged use and maintenance tasks done by administrators, and hence we are dealing with "users" I would like it to be a bit more aggressive with acquiring the information I want...

    Could you please recommend a way to revert users to a blank desktop and only a prompt?

    (VBScript preferred, but anything that works and isn't too hard to understand will do, I guess :)

    I can only recommend searching the net for a desktop switcher.

    The method you are trying to create will not prevent users from logging into a resource by other means.

    What you are asking to do is normally a function of auditing and security. Why add another layer that will have to be maintained when you can just use built in system mechanisms.


    ¯\_(ツ)_/¯

    I'm not trying to prevent users from logging in, just get extra information about why they DID log in; it's more auditing than security, but it's extra info we want to have...
    Monday, 27 February 2012 05:46
  • I'm not trying to prevent users from logging in, just get extra information about why they DID log in; it's more auditing than security, but it's extra info we want to have...

    What you are asking to do is normally a function of auditing and security. Why add another layer that will have to be maintained when you can just use built in system mechanisms.


    ¯\_(ツ)_/¯

    • Proposed as answer by Bill_Stewart (Moderator), Monday, 27 February 2012 18:41
    • Marked as answer by Ory Shiloah, Tuesday, 28 February 2012 05:24
    Monday, 27 February 2012 06:44
  • Indeed, in the end I found the correct GPO that delays the login till the script finishes, effectively causing the "lock" effect I was looking for.

    Thanks for your time either way!!

    Tuesday, 28 February 2012 05:24
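
The approach the thread settles on, a logon script that must finish before the desktop appears, as an added example that is not code from any poster in this thread. It assumes the script is assigned as a Group Policy logon script and that the unnamed GPO in the last post is a setting such as "Run logon scripts synchronously"; the prompt wording, the record layout and `MAX_REASON_LEN` are constructed for illustration.

```vbscript
' Added example: logon script that requires a non-empty reason and records it.
Option Explicit

Const EVENT_INFORMATION = 4   ' WshShell.LogEvent type: Information
Const MAX_REASON_LEN = 200    ' constructed limit for this example

Dim oShell, oNet, sReason, sMsg

Set oShell = CreateObject("WScript.Shell")
Set oNet = CreateObject("WScript.Network")

' InputBox returns an empty string on Cancel as well as on empty input,
' so keep asking until something other than whitespace is entered.
Do
    sReason = Trim(InputBox("Enter the reason for logging on to " & _
        oNet.ComputerName & ":", "Logon reason required"))
Loop While Len(sReason) = 0

' The text is user-controlled: cap its length and neutralise line breaks and
' the field separator so one logon always yields one well-formed record.
sReason = Left(sReason, MAX_REASON_LEN)
sReason = Replace(Replace(sReason, vbCr, " "), vbLf, " ")
sReason = Replace(sReason, "|", "/")

sMsg = "Logon reason | user=" & oNet.UserDomain & "\" & oNet.UserName & _
    " | computer=" & oNet.ComputerName & _
    " | time=" & Now & _
    " | reason=" & sReason

' Writes to the local Application event log with source "WSH".
oShell.LogEvent EVENT_INFORMATION, sMsg
```

The recorded reason is self-reported, so it is best read alongside the logon events the built-in auditing already writes to the Security log rather than in place of them.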