
I am trying to code a PowerShell script to self-elevate using a user/pass. The problem is, runas and -Credential can't be used together in Start-Process. I tried running a powershell in a powershell, but it does not work. The idea is to bypass the UAC with user/pass. Does anyone have a suggestion?

EDIT: It's not possible!

$username = "test"
$password = "123456"
$credentials = New-Object System.Management.Automation.PSCredential -ArgumentList @($username, (ConvertTo-SecureString -String $password -AsPlainText -Force))

# Self-elevate the script if required
if (-Not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator')) {
    if ([int](Get-CimInstance -Class Win32_OperatingSystem | Select-Object -ExpandProperty BuildNumber) -ge 6000) {

        Write-Host -ForegroundColor 'Red' "Bypassing UAC..."
        Start-Sleep -s 2

        # Re-launch this script under the admin credentials and have that child
        # PowerShell start a second, elevated (-verb runas) instance.
        # As the answer explains, the child started with -Credential gets a
        # non-elevated token, so its -verb runas still triggers the UAC prompt.
        $CommandLine = "-File `"" + $MyInvocation.MyCommand.Path + "`" " + $MyInvocation.UnboundArguments
        $CommandLine = "Start-Process -FilePath PowerShell.exe -verb runas -ArgumentList " + $CommandLine
        Start-Process powershell.exe -Credential $credentials -ArgumentList $CommandLine

        Write-Host -ForegroundColor 'Red' "Bypassing UAC..." $CommandLine
        Start-Sleep -s 30

        Exit
    }
}

Write-Host -ForegroundColor 'Green' "Admin mode..."
Write-Host -ForegroundColor 'Gray' "Shell will exit in 15 seconds..."
Start-Sleep -s 15
Milos
  • And the most upvoted comment completely missed the point. It's not about tricking UAC, it's about authenticating as admin so UAC has no reason to react. – Milos Nov 02 '20 at 12:16
  • If you are not an elevated user and UAC is enabled, you cannot bypass (or if you prefer, "programmatically accept") the UAC prompt. The UAC prompt will always appear. – Bill_Stewart Nov 02 '20 at 19:14
  • @Bill_Stewart Yes, my idea was to run as standard user and by using admin user/pass credentials I wanted to avoid UAC. Not possible? – Milos Nov 02 '20 at 19:21
  • If UAC is enabled, then no, what you want to do is not possible. This is by design. You will need to use a different approach to solve your problem. – Bill_Stewart Nov 02 '20 at 19:29
  • @Milos: If your code has a valid admin username and password, then yes you can use them to run a program without triggering a UAC prompt. – Ben Voigt Nov 02 '20 at 23:29
  • Read this, your question is probably a duplicate except for being script instead of compiled C++: https://stackoverflow.com/q/39403050/103167 – Ben Voigt Nov 02 '20 at 23:31
  • Even closer duplicate (asked for script answer, got a C++ one): https://stackoverflow.com/q/21716527/103167 – Ben Voigt Nov 02 '20 at 23:35

1 Answer


UAC is designed to present a confirmation prompt whenever there is an attempt to elevate to administrative privileges. (The prompt does not appear when the process is already running elevated.) If UAC is enabled (and it is strongly recommended that you leave it enabled), the elevation prompt will always appear. You cannot bypass (or, if you prefer alternative terminology, "programmatically accept") the UAC prompt. This is by design.

Bill_Stewart
  • If you programmatically provide the credentials, there's no reason for the prompt. What UAC provides is a way to execute with admin rights **on the basis of the credentials the user logged in with**, and that is what requires user consent. If you aren't using the login credentials there's no need for consent. – Ben Voigt Nov 02 '20 at 23:28
  • I can start a process using administrator credentials using `powershell.exe` and the `-Credential` parameter. The spawned process is not elevated even though the credentials are for a user that is a member of `Administrators`. Elevating from that process still triggers the UAC prompt. – Bill_Stewart Nov 03 '20 at 00:01
  • Well, that's a restriction of the way you are doing it, not of the OS. – Ben Voigt Nov 03 '20 at 15:44
  • I am willing to grant that this _may_ be possible to accomplish using only administrative credentials (I can't confirm or validate this). Even if it _is_ technically possible, I would definitely _not_ recommend it (properly securing credentials, in this case _administrative_ credentials, is not trivial and beyond the scope of this question). – Bill_Stewart Nov 03 '20 at 22:41
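As an added example (not code from the question, the answer, or their comments), a read-only PowerShell audit of the UAC policy values that control the prompt the answer describes, plus a token check that separates "member of Administrators" from "elevated", the distinction at the heart of the Bill_Stewart / Ben Voigt exchange. The function names are my own; English-language `whoami` output and the standard UAC policy registry path are assumed, and nothing here attempts to elevate.

```powershell
# Added example, not code from the question or the answer: a read-only audit of
# the UAC policy values that decide whether an elevation prompt appears, plus a
# check of how this process token sees BUILTIN\Administrators. Nothing is elevated.
function Get-UacPolicy {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key -ErrorAction Stop

    # ConsentPromptBehaviorAdmin: what UAC does when an admin's filtered token asks to elevate
    $adminBehavior = @{
        0 = 'Elevate without prompting (UAC effectively disabled for admins)'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries (default)'
    }
    # ConsentPromptBehaviorUser: what UAC does when a standard user asks to elevate
    $userBehavior = @{
        0 = 'Automatically deny elevation requests'
        1 = 'Prompt for credentials on the secure desktop'
        3 = 'Prompt for credentials (default)'
    }

    [pscustomobject]@{
        UacEnabled                 = [bool]$p.EnableLUA
        AdminPromptBehavior        = $adminBehavior[[int]$p.ConsentPromptBehaviorAdmin]
        StandardUserPromptBehavior = $userBehavior[[int]$p.ConsentPromptBehaviorUser]
        PromptOnSecureDesktop      = [bool]$p.PromptOnSecureDesktop
    }
}

function Get-AdministratorsTokenState {
    # Look at how BUILTIN\Administrators (S-1-5-32-544) appears in the current token.
    # "Group used for deny only" marks the filtered token UAC hands to an admin account
    # (and to a process started with -Credential for an admin): a member, but not elevated.
    # Assumes English whoami output (column names and attribute text are localized).
    $row = whoami /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    if (-not $row)                          { return 'NotMember' }
    if ($row.Attributes -match 'deny only') { return 'MemberFilteredToken' }
    return 'MemberElevated'
}

# The IsInRole test from the question answers "is this process elevated?", not
# "is this account an administrator?": the filtered token fails it.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Get-UacPolicy
"Elevated: $elevated; Administrators in token: $(Get-AdministratorsTokenState)"
```

With UAC enabled, an admin account in a normal (or `-Credential`-spawned) session reports `MemberFilteredToken` and `Elevated: False`, which is why the script in the question still hits the prompt.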