Getting Powershell to Execute with elevated credentials without run-as

  • Question

  • I have code that is being invoked by a third party program. Unfortunately, it does not allow for the use of elevated credentials to run this script.

    I was told the best approach is to have the third party program invoke a program that uses Start-Process, which in turn will invoke the script that requires the elevated credentials.

    For simplicity, I am attempting to use Start-Process to run a program that outputs "Hello World", and I cannot figure out why it is unable to work

    #hello.ps1

    Write-Host Hello World

    And here is the code that uses stored, encrypted password to create credentials to use in Start-Process

    #start.ps1

    <#Previously created password file in C:\Script\cred.txt, read-host -assecurestring | convertfrom-securestring | out-file C:\Script\cred.txt#>

    $password = get-content C:\Script\cred.txt | convertto-securestring
    $credentials = new-object -typename System.Management.Automation.PSCredential -argumentlist "DOMAIN\Username",$password
    $script = "C:\script\hello.ps1"
    Start-Process -FilePath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -Credential $credentials -ArgumentList "-file $script"

    Instead of the "Hello World" being output on the Powershell_ise GUI, the cmd window pops up, and no output is written

    1. How to make "Hello World" print to the Powershell_ise GUI

    2. How to suppress the cmd window from popping up?

    EDIT

    Ok, I updated my code by changing parameters of start-process

    start-process powershell -Credential $credentials -ArgumentList '-noexit','-File','C:\script\hello.ps1' 


     but I still have two issues

    1. I am using Powershell_ise.exe. How to make "Hello World" print to the GUI

    2. How to suppress the cmd window?

    EDIT:

    I included more details in response to one of the other users. Thank you.

    Thursday, August 29, 2013 6:21 PM

Answers

  • Guys, I figured out the answer to my original question.

    I am using start-process in first script to invoke second script.

    I'll work on this some more and let you know if I have further questions.

    Thanks!

    • Marked as answer by Bill_Stewart Thursday, September 19, 2013 8:48 PM
    Friday, August 30, 2013 5:37 PM

All replies

  • I have code that is being invoked by a third party program. Unfortunately, it does not allow for the use of elevated credentials to run this script.

    Please explain more. What does "it does not allow for the use of elevated credentials to run this script" mean? What code? What script? Why do you need elevated credentials?

    Bill

    Thursday, August 29, 2013 7:01 PM
  • A little background. You can only elevate a new process. The current process can never be elevated.


    ¯\_(ツ)_/¯

    Thursday, August 29, 2013 7:21 PM
  • I hope the following will clarify things:

    In our organization, we are using third party software that sends an IP address it detects to a script we create. It sends the IP address in string format, i.e. "sender-ip=10.10.10.10".

    We need to create a script that takes the parameter, "sender-ip=10.10.10.10", and find the last logged in user of 10.10.10.10

    The below script works when I launch the cmd shell using Run-As, entering in the credentials of the Service Account, and launching powershell_ise.exe, and then invoking the program with

    .\script.ps1 "sender-ip=10.10.10.10"

    #script.ps1

    $userId = $NULL
    $line_array = @()
    $multi_array = @()
    [hashtable]$my_hash = @{}

    # Split arguments of the form "name=value name2=value2" into a hashtable
    foreach ($i in $args) { $line_array += $i.split(" ") }
    foreach ($j in $line_array) { $multi_array += ,@($j.split("=")) }
    foreach ($k in $multi_array) { $my_hash.add($k[0], $k[1]) }
    $Sender_IP = $my_hash.Get_Item("sender-ip")

    <# Courtesy of http://blogs.technet.com/b/heyscriptingguy/archive/2012/02/19/use-powershell-to-find-last-logon-times-for-virtual-workstations.aspx #>
    <# Gather information on the computer corresponding to $Sender_IP #>
    $Win32OS = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Sender_IP
    <# Determine the build number #>
    $Build = $Win32OS.BuildNumber

    <# Running Windows Vista with SP1 and later, i.e. $Build is greater than or equal to 6001 #>
    if ($Build -ge 6001) {
        $Win32User = Get-WmiObject -Class Win32_UserProfile -ComputerName $Sender_IP
        $Win32User = $Win32User | Sort-Object -Property LastUseTime -Descending
        $LastUser = $Win32User | Select-Object -First 1
        $UserSID = New-Object System.Security.Principal.SecurityIdentifier($LastUser.SID)
        $userId = $UserSID.Translate([System.Security.Principal.NTAccount])
        $userId = $userId.Value
    }
    <# Running Windows Vista without SP1 and earlier, i.e. $Build is less than or equal to 6000 #>
    elseif ($Build -le 6000) {
        $SysDrv = $Win32OS.SystemDrive
        $SysDrv = $SysDrv.Replace(":", "$")
        $ProfDrv = "\\" + $Sender_IP + "\" + $SysDrv
        $ProfLoc = Join-Path -Path $ProfDrv -ChildPath "Documents and Settings"
        $Profiles = Get-ChildItem -Path $ProfLoc
        $LastProf = $Profiles | ForEach-Object -Process { $_.GetFiles("ntuser.dat.LOG") }
        $LastProf = $LastProf | Sort-Object -Property LastWriteTime -Descending | Select-Object -First 1
        $userId = $LastProf.DirectoryName.Replace("$ProfLoc", "").Trim("\").ToUpper()
    }
    else {
        $userId = "Unknown/UserID"
    }

    if ($userId -ne $NULL) {
        return "userId=" + $userId
    }
    elseif ($userId -eq $NULL) {
        $userId = "Unknown/UserID"
        return "userId=" + $userId
    }

    But the third party program does not have a way to launch scripts with elevated privileges, which means I created another powershell script that can be launched by an ordinary user with the elevated privileges (i.e. password is encrypted and stored elsewhere)

    #elevated.ps1

    [string]$abc = $args
    <# Previously created password file in C:\Script\cred.txt:
       read-host -assecurestring | convertfrom-securestring | out-file C:\Script\cred.txt #>
    $password = get-content C:\Script\cred.txt | convertto-securestring
    $credentials = new-object -typename System.Management.Automation.PSCredential -argumentlist "DOMAIN\Username",$password
    # Start-Process does not return the child's output (it returns nothing, or a Process object with -PassThru);
    # the child's output shows in the new window kept open by -noexit
    [string]$output = start-process powershell -Credential $credentials -ArgumentList '-noexit','-File','C:\script\script.ps1',$abc
    return $output

    When I invoke elevated.ps1 with

    .\elevated.ps1 "sender-ip=10.10.10.10"

    The script works perfectly.

    Now, I am looking for a way to include elevated.ps1 and script.ps1 into one single script and I am stumped.

    Any ideas?


    Friday, August 30, 2013 12:36 PM
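As an added example (not code from the thread or from any of the posters), here is one way to fold elevated.ps1 and script.ps1 into a single file that also answers the two open questions from the original post: the child's output comes back to the caller, and no console window appears. The script checks which account it is running as; if it is not the service account it relaunches itself with Start-Process -Credential, captures the child's stdout/stderr via -RedirectStandardOutput/-RedirectStandardError into temp files (Start-Process itself never returns the child's output), and uses -WindowStyle Hidden to keep the window away. The account name DOMAIN\svc_lookup, the path C:\Script\cred.txt and the file name lookup.ps1 are placeholders. It assumes PowerShell 3.0 or later (for $PSCommandPath), that the execution policy allows the script, and that cred.txt was written by the same user on the same machine: ConvertFrom-SecureString without -Key protects with DPAPI, so only that user on that host can decrypt it, and anyone who can run code as that user can recover the password, so the file should be ACL'd to that user alone.

```powershell
# lookup.ps1 -- added example, not code from the thread.
# Relaunches itself as the service account, then does the lookup in that second pass,
# so the third-party program only ever calls this one file.
# Placeholders: DOMAIN\svc_lookup, C:\Script\cred.txt (DPAPI-protected, see lead-in).
[CmdletBinding()]
param(
    # Everything the third-party program passes, e.g. "sender-ip=10.10.10.10"
    [Parameter(ValueFromRemainingArguments = $true)]
    [string[]]$ScriptArgs = @()
)

$ServiceAccount = 'DOMAIN\svc_lookup'
$CredFile       = 'C:\Script\cred.txt'
if (-not $ScriptArgs) { $ScriptArgs = @() }

function ConvertTo-ParamHash {
    # "sender-ip=10.10.10.10 other=x" -> @{ 'sender-ip' = '10.10.10.10'; other = 'x' }
    param([string[]]$Tokens)
    $h = @{}
    foreach ($tok in ($Tokens -join ' ').Split(' ', [StringSplitOptions]::RemoveEmptyEntries)) {
        $name, $value = $tok.Split('=', 2)
        if ($null -ne $value) { $h[$name] = $value }
    }
    return $h
}

function Get-LastLogonUser {
    # Same idea as script.ps1 above (newest Win32_UserProfile by LastUseTime),
    # skipping the built-in Special profiles (SYSTEM, LocalService, ...).
    param([string]$ComputerName)
    $last = Get-WmiObject -Class Win32_UserProfile -ComputerName $ComputerName |
        Where-Object { -not $_.Special } |
        Sort-Object -Property LastUseTime -Descending |
        Select-Object -First 1
    if (-not $last) { return 'Unknown/UserID' }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($last.SID)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return 'Unknown/UserID'
    }
}

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($me -ne $ServiceAccount) {
    # First pass: called by the third-party program as an ordinary user.
    try {
        $password = Get-Content $CredFile | ConvertTo-SecureString
    } catch {
        throw "Cannot decrypt $CredFile as $me (a DPAPI-protected file only opens for the user and machine that wrote it): $_"
    }
    $credential = New-Object System.Management.Automation.PSCredential($ServiceAccount, $password)

    # Start-Process never returns the child's output, so capture stdout/stderr to files.
    $outFile = Join-Path $env:TEMP ('lookup-{0}.out' -f [guid]::NewGuid())
    $errFile = "$outFile.err"
    $childArgs = @('-NoProfile', '-NonInteractive', '-File', "`"$PSCommandPath`"") + $ScriptArgs

    # -WindowStyle Hidden: no console window pops up (-NoNewWindow cannot be combined with it).
    # -WorkingDirectory: with -Credential the child starts in a directory the service
    #   account must be able to read; the caller's profile directory usually is not one.
    $p = Start-Process -FilePath 'powershell.exe' -ArgumentList $childArgs `
        -Credential $credential -WorkingDirectory "$env:SystemRoot\System32" `
        -WindowStyle Hidden -RedirectStandardOutput $outFile -RedirectStandardError $errFile `
        -Wait -PassThru

    if (Test-Path $outFile) { Get-Content $outFile; Remove-Item $outFile }
    if (Test-Path $errFile) { Get-Content $errFile | Write-Warning; Remove-Item $errFile }
    exit $p.ExitCode
}

# Second pass: now running as the service account. Write the answer to stdout, which
# the first pass redirected to $outFile and echoes back to the caller.
$params = ConvertTo-ParamHash -Tokens $ScriptArgs
if (-not $params.ContainsKey('sender-ip')) {
    Write-Output 'userId=Unknown/UserID'
    exit 1
}
Write-Output ('userId=' + (Get-LastLogonUser -ComputerName $params['sender-ip']))
```

Call it exactly as the third-party program would, `.\lookup.ps1 "sender-ip=10.10.10.10"`, from an ordinary user session; the `userId=...` line comes back on the caller's stdout (so it also prints inside the ISE) instead of in a separate window. This is running as a different account, not UAC elevation; if the service account is a local administrator on the remote hosts, the WMI calls work without any -Verb RunAs.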
  • You haven't answered the question of why you need elevated credentials in the first place.

    Bill

    Friday, August 30, 2013 3:49 PM
  • It sounds like you are asking how to start a script with alternate credentials and not how to elevate a script.

    Think about the differences between the two things.


    ¯\_(ツ)_/¯

    Friday, August 30, 2013 4:19 PM
  • We are using a third party program that will invoke this script. The third-party program does not automatically use elevated credentials, so I needed to create a script that invokes the original script with these credentials, using start-process

    Third-party program -> script1 to invoke script 2 with elevated credentials -> script 2

    Friday, August 30, 2013 5:33 PM
  • If he/she asked, it is obvious that he/she needs to install or run something as administrator in order to finish the task. Regardless of the task, it is important to know how to run it as administrator in an automatic way; many times you need to run a script in unattended mode.
    Monday, November 19, 2018 5:47 PM
  • Start-Process fails if you use both:

    -Verb runas

    -NoNewWindow

    You have to run a process and send the issues/messages into your original command window in an easy way, but it fails.

    Monday, November 19, 2018 5:50 PM
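The -Verb RunAs / -NoNewWindow failure above is a parameter-set conflict, not a bug: Start-Process keeps -Verb (ShellExecute, which is what triggers UAC elevation) in one parameter set and -NoNewWindow, -Credential and -RedirectStandardOutput in the other, so an elevated child cannot have its console or its output wired back to the caller. The usual workaround is to hand the child a file path to write its results to and read that file after -Wait. The following is an added example of that pattern (not code from the thread or from any poster); it writes its own small child script to %TEMP% so it runs stand-alone, and the function names Test-IsElevated and Invoke-ElevatedChild are invented here. Unlike the -Credential approach, it pops a UAC prompt unless the caller is already elevated, so it is not suitable for unattended runs.

```powershell
# Added example, not code from the thread. Elevating (UAC, -Verb RunAs) is a different
# operation from running as another account (-Credential), and Start-Process will not
# combine -Verb RunAs with -NoNewWindow, -Credential or -RedirectStandardOutput.
# Results come back from the elevated child through a file path passed as an argument.

function Test-IsElevated {
    # True when the current process token holds the Administrators group (UAC-elevated).
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-ElevatedChild {
    # Runs $ScriptPath elevated and returns the lines it wrote to its result file.
    # Expect a UAC prompt unless the caller is already elevated; this cannot run unattended.
    param(
        [Parameter(Mandatory = $true)][string]$ScriptPath,
        [string[]]$ScriptArgs = @()
    )
    $resultFile = Join-Path $env:TEMP ('elevated-{0}.txt' -f [guid]::NewGuid())
    # -ExecutionPolicy Bypass only because the child lives in %TEMP% and is unsigned;
    # execution policy is not a security boundary, so drop it when the script is signed.
    $childArgs = @('-NoProfile', '-NonInteractive', '-ExecutionPolicy', 'Bypass',
                   '-File', "`"$ScriptPath`"", '-ResultFile', "`"$resultFile`"") + $ScriptArgs
    $p = Start-Process -FilePath 'powershell.exe' -ArgumentList $childArgs -Verb RunAs -Wait -PassThru
    if (-not (Test-Path $resultFile)) {
        throw "Elevated child exited with code $($p.ExitCode) without writing $resultFile"
    }
    $lines = Get-Content $resultFile
    Remove-Item $resultFile
    return $lines
}

# Child script: reports who it runs as and whether it is elevated. Single-quoted
# here-string so nothing expands in the parent; the child takes -ResultFile as a parameter.
$childScript = @'
param([Parameter(Mandatory = $true)][string]$ResultFile)
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($id)
$elevated = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
@("user=$($id.Name)", "elevated=$elevated") | Out-File -FilePath $ResultFile -Encoding ascii
'@
$childPath = Join-Path $env:TEMP 'elevated-child.ps1'
Set-Content -Path $childPath -Value $childScript -Encoding ascii

"caller elevated: $(Test-IsElevated)"
Invoke-ElevatedChild -ScriptPath $childPath    # prints user=... and elevated=True
Remove-Item $childPath
```

Because the result file path is chosen by the caller and the child runs with a full administrator token, keep the file in a location only the caller can write to; a world-writable drop directory would let another local user pre-create or swap the file the elevated process writes.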
  • Please start a new question if you are asking something else.

    -- Bill Stewart [Bill_Stewart]

    Monday, November 19, 2018 7:23 PM