0

I need to develop a script for my client that will disable/enable the WWAN card on his laptop.

  • Client should be able to enable/disable the WWAN card without giving the client administrator credentials or an account
  • Should be user friendly. Like just double clicking the enable or disable shortcut on desktop to toggle on/off.
  • Avoid any method that may compromise security like disabling the need for Elevated credential prompts for all applications. (Only want to bypass for this script)

I have the command to disable/enable the WiFi adapter. However, it requires that PowerShell be run as Administrator; otherwise access will be denied.

```powershell
Disable-NetAdapter -Name "Wi-Fi" -Confirm:$false
```

I have tried the following to no success. (Either Access Denied or the UAC Pops up and prompts for Admin Credentials):

  • Creating a .Bat file that runs the PS script with ExecutionPolicy -Bypass

```bat
powershell.exe -executionpolicy bypass -windowstyle hidden -noninteractive -nologo -file "c:\Users\%username%\Desktop\DisableWifi.ps1"
```

  • Creating a shortcut of the PS Script with "Run As Admin" Enabled
  • Creating a shortcut with Run As Admin of a .Bat file that enables/disables the Network Adapter.

```bat
netsh interface set interface Wi-Fi disable
```

  • ExecutionPolicy Bypass inside the PS Script

```powershell
Start-Process powershell.exe -ArgumentList "/noexit", "-executionpolicy bypass","-file C:\Users\$env:UserName\Desktop\DisableWiFi.ps1"
```

Is there any way to allow my client to be able to toggle on/off the WWAN card through a script on the desktop without them needing to enter admin credentials?

Thanks!

Gamblers
    Being able to bypass security restriction in a script would be a massive problem. Please inform your client that their request is not possible. – SomethingDark Mar 15 '20 at 22:52
  • 1
    You are already violating a security rule with the use of Bypass with the ExecutionPolicy. Why are you doing this? The only reason to do this is that the corporate ExecutionPolicy is set to Restricted or RemoteSigned. This means they do not want script code to run at all or you need to sign your script. The admin thing: it cannot be done without completely disabling UAC holistically, and that is ill-advised. It is more prudent to set this as a scheduled task to run with the credentials required. – postanote Mar 15 '20 at 23:28
  • There are tools out there specifically for this purpose. Install as an Admin, setup profiles of what adaptors you want enabled and their settings, then as a standard user they can click on the profile they want enabled at the time. Try googling "Network Settings Manager" – Durry42 Mar 16 '20 at 02:06
  • is [this](https://stackoverflow.com/a/60292423/12861751) what you're looking for? – ScriptKidd Mar 16 '20 at 10:01
  • "You are already violating a security rule with the use of ByPass with the ExecutionPolicy" - I would have to disagree with this statement, as PowerShell execution policy is a safety feature, _not_ a security boundary (see accepted answer at https://stackoverflow.com/questions/49772982/ from Bruce Payette, head designer of the PowerShell language). – Bill_Stewart Apr 13 '20 at 14:39
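
The scheduled-task approach suggested in the comments above, as an added example that is not code from the question or its comments: an administrator registers an on-demand task once, and the standard user only gets the right to start it. The adapter name, task name, account name and install folder are assumptions or placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example: one-time setup, run by an administrator. All names are assumptions.
$AdapterName = 'Cellular'            # assumed WWAN adapter name; confirm with Get-NetAdapter
$TaskName    = 'Toggle-WWAN'         # hypothetical task name
$UserAccount = 'LAPTOP01\client'     # placeholder for the standard user's account
$ScriptDir   = Join-Path $env:ProgramFiles 'AdapterToggle'
$ScriptPath  = Join-Path $ScriptDir 'Toggle-Adapter.ps1'
$PowerShell  = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe'

# 1. Write the fixed-purpose script under Program Files, where standard users
#    cannot modify it. A script on the user's Desktop could be edited by the
#    user (or by malware running as the user) and would then run as SYSTEM.
New-Item -ItemType Directory -Path $ScriptDir -Force | Out-Null
@"
`$adapter = Get-NetAdapter -Name '$AdapterName' -ErrorAction Stop
if (`$adapter.Status -eq 'Disabled') {
    Enable-NetAdapter -Name '$AdapterName' -Confirm:`$false
} else {
    Disable-NetAdapter -Name '$AdapterName' -Confirm:`$false
}
"@ | Set-Content -Path $ScriptPath -Encoding UTF8

# 2. Register an on-demand task (no trigger) that runs the script as SYSTEM.
#    The action takes no input from the caller, so the user can only toggle.
$action    = New-ScheduledTaskAction -Execute $PowerShell `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $TaskName -Action $action -Principal $principal -Force | Out-Null

# 3. Grant only the named user read and execute rights on the task.
#    Assumes the returned SDDL ends with its DACL (no SACL section), so the
#    appended ACE lands in the DACL.
$account = New-Object System.Security.Principal.NTAccount($UserAccount)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$svc     = New-Object -ComObject Schedule.Service
$svc.Connect()
$task    = $svc.GetFolder('\').GetTask($TaskName)
$sddl    = $task.GetSecurityDescriptor(0xF)
$task.SetSecurityDescriptor($sddl + "(A;;GRGX;;;$sid)", 0)

# Desktop shortcut target for the user (no elevation prompt):
#   schtasks.exe /Run /TN "Toggle-WWAN"
```

The user never holds administrator credentials; what they hold is permission to start one task whose action is fixed, so the integrity of the script file and its folder is what needs protecting.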

1 Answer

1

It can be done.

  • The user must be running as an administrator.

Imagine we're back in the Windows XP days. If the user is running as a standard user, they simply cannot perform administrator functions. You can cry and complain as much as you want - but a standard user cannot gain administrator privileges just because they want them.

That has not changed: you have to be an administrator to administrate.

If the user is a standard user: you simply cannot bypass that.

  • So how do you make it so the user doesn't need to get an administrator to enter their administrator credentials?
  • make them an administrator!

Which is easy enough to do:

  • don't make them a standard user
  • make them an administrator

But we all know you're complaining about UAC

We all know you're talking about having to click OK on a UAC dialog. And as much as users hate it: tell them to get an enema and do some deep knee-bends.

Alternatively: you have to turn off UAC - so they run as Administrator all the time.

Thus making any malware able to completely take over their machine the instant it can run.

Ian Boyd
  • I don't understand the downvote on this answer. It is technically correct and also explains why it is not a good idea to disable UAC. – Bill_Stewart Apr 13 '20 at 14:41