1

I am currently logged into my system as administrator, and run power1.ps1 code to call another power2.ps1 script in elevated mode.

$command = "C:\script\Power2.ps1"

Invoke-Expression $command

power2.ps1 includes the block to run the script with admin privileges, but my problem is I that I get a UAC pop-up dialog asking for confirmation where I have to click on Yes.

Code in Power2.ps1

If (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))

{   
$arguments = "& '" + $myinvocation.mycommand.definition + "'"
Start-Process powershell -Verb runAs -ArgumentList $arguments
Break
}

Write-Host "Admin Privilege Code Here"

Is there any way I can completely automate the process? I will not be able to change the UAC access to disable.

Community
  • 1
  • 1
Pr Mod
  • 261
  • 2
  • 5
  • 15
  • 1
    you could create a scheduled task runs your script and set the privileged account to run this task. – Guenther Schmitz May 27 '18 at 16:33
  • 1
    These scripts are part of the suite ,and gets initiated based on user input. i will not be able to create a scheduled task in that environment. – Pr Mod May 27 '18 at 16:40

1 Answers1

2

Trying to simulate a user's response to a UAC (User Account Control) dialog shouldn't be done - because it defeats the entire purpose of UAC - and most likely cannot be done (if it could be done, that would be a serious bug exploitable by malware and is certainly not something to rely upon; similarly, while it is possible to disable UAC altogether (which itself requires administrative privileges), doing so is strongly discouraged for security reasons).

With UAC in place, the only way to avoid a UAC dialog in direct invocation is if the calling process itself is already running with elevation (e.g. if it was started with the Run as administrator shortcut-menu command).

However, with limitations you can use a scheduled task to bypass UAC for a given command, by calling that scheduled task on demand:

  • Create an auxiliary scheduled task that invokes your Power2.ps1 script and is configured to run elevated.

    • In the Task Scheduler (taskschd.msc) UI that means: Run with highest privilege must be checked (tab General) and also Allow task to be run on demand (tab Settings).

    • The task must be configured to run in the same user account that it will be on-demand invoked from, and that user account must be a member of the Administrators group.

  • Use Start-ScheduledTask <task-path> (or schtasks.exe /Run /TN <task-path>) to invoke this task on demand, from the same account that the task is configured for, as noted.

    • Start-ScheduledTask (as well as schtasks.exe /Run) runs asynchronously, so for synchronous invocation more work is needed - see this article.

      • Note that using -AsJob to return a job whose completion can be waited for with Wait-Job unfortunately appears not to help (as of Windows PowerShell 5.1 / PowerShell 7.2.1): the job is reported as completed before the task's command has terminated.

    • Also, the task's command invariably runs in a new console window (if the executable invoked is a console application).

mklement0
  • 382,024
  • 64
  • 607
  • 775
  • 1
    i have converted my script to exe and from exe file properties i changed it to run as admin. and i call this exe from another auto it script. which has the command #requireadmin will help to run my exe as elevated previllage. – Pr Mod Aug 12 '18 at 15:39