
I'd like a script to be used in this situation:

  1. gain remote access without admin privileges
  2. remotely start Quick Assist as .\Administrator and not have a UAC dialogue.

Step 1 is usually made with Quick Assist, sometimes made with Teams screen sharing.


I'm aware that I can locate quickassist.exe in File Explorer then use Shift and the context menu to Run as a different user, however I'd like a scripted approach.

Experiment A

This works, but there's a Yes/No UAC dialogue:

$isElevated = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if ( -not $isElevated ) {
    Start-Process powershell.exe -Credential Administrator -NoNewWindow -ArgumentList {
        Start-Process quickassist.exe -Verb RunAs ;
    } ;
}

Experiment B

I make multiple mistakes and don't know how to correct them. (I'm trying to learn PowerShell, gradually, but I'm easily confused whilst learning; slightly dyslexic.)

$isElevated = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if ( -not $isElevated ) {
  # Intended: turn off the secure desktop for UAC prompts (this change does not take effect; see below)
  Start-Process powershell.exe -Credential Administrator -ArgumentList {
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "PromptOnSecureDesktop" -Value 0 -Force;
  };
  Write-Host "UAC (user account control) is weakened for a Quick Assist session …" -ForegroundColor Red;

  # Intended: run Quick Assist elevated and wait for the session to end
  Start-Process powershell.exe -Credential Administrator -NoNewWindow -ArgumentList {Start-Process quickassist.exe -Verb RunAs -Wait};
  Write-Host "… Quick Assist session complete …" -ForegroundColor Red;

  # Intended: restore the secure desktop for UAC prompts (this change does not take effect either)
  Start-Process powershell.exe -Credential Administrator -ArgumentList {
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "PromptOnSecureDesktop" -Value 1 -Force;
  };
  Write-Host "… UAC is strengthened." -ForegroundColor Red;
}
  • the two intended changes to the registry do not occur
  • the third credential dialogue appears too soon – I want it to not appear until after the end of the Quick Assist session.

Also, conceptually, there's probably no need to run Quick Assist as Administrator whilst UAC is temporarily weakened.

References

https://stackoverflow.com/a/2258134/38108 (2010-02-13) I see use of -Credential with Invoke-Command but when I try to do something similar, for changes to the registry, I make a mess.

https://stackoverflow.com/a/47516161/38108 (2017-11-27) self-elevating PowerShell scripts.

https://superuser.com/a/1524960/84988 (2020-02-12) and https://serverfault.com/a/1003238/91969 (2020-02-15) are interesting – the same script in both answers – however I need something like -Credential Administrator in lieu of -ComputerName.

https://stackoverflow.com/a/60292423/38108 (2020-03-07) via https://stackoverflow.com/a/60263039/38108

PowerShell commands - PowerShell - SS64.com

https://github.com/okieselbach/Intune/blob/master/DisablePromptOnSecureDesktop.ps1 (2020-11-13) via Quick Assist the built-in Remote Control in Windows 10 – Modern IT – Cloud – Workplace

Graham Perrin
  • Does it work when you use logic like so... https://pastebin.com/YTHKn72Y. There is the start-process within another start-process you have in example b so maybe the `-wait` parameter needs to be with the outer start-process instead of the inner. I don't normally run this against any local machine and it's always run against the remote machine I'm about to help a non-admin user with a task on the same network and connected to the same domain. Are you not able to invoke-command remotely against the remote machine you are connecting? – Bitcoin Murderous Maniac Apr 02 '21 at 17:20
  • Also the reg settings to disable the secure desktop (to allow you to see the UAC and enter the credentials yourself, rather than having the non-admin user enter them while you see and interact with the UAC screen remotely) need to run regardless of whether it's elevated or run as an admin or not. Take that logic out of the `isElevated` logic and run it without any conditional, always, before; then the other reg settings to re-enable after, with no conditional. See if those things help. – Bitcoin Murderous Maniac Apr 02 '21 at 17:21
  • UAC is designed to prevent you from doing this. (If UAC were that easy to bypass, then it's precisely what all malware would do.) – Bill_Stewart Apr 05 '21 at 14:11
  • Bill_Stewart you misunderstand. I'm not attempting to bypass authentication dialogues. – Graham Perrin Apr 05 '21 at 17:30
  • OK, if you prefer the terminology, UAC is designed to permit elevation only after presenting a dialog requesting this permission. (If this were possible, then all malware could infect your machine as administrator with impunity.) – Bill_Stewart Apr 05 '21 at 18:19

1 Answer


The short answer is don't. Get a real remote management tool or have someone hit the UAC yes prompt.

This is more of a Windows thing than a PowerShell one, as Windows explicitly denies elevating a process locally without going through UAC (and for good reason!). You used to be able to do things like this:

# Create a remote session with New-PSSession (then Enter-PSSession into it).
# This may still support elevation if you specify CredSSP and configure credential delegation:
New-PSSession MyPCName -Auth CredSSP -cred (get-credential)

# Create a scheduled task with RunAs/elevated permissions:
$action = New-ScheduledTaskAction -Execute 'powershell.exe'   # action added so the call below is complete
Register-ScheduledTask -Action $action -User .\Administrator -TaskName "Admin-Stuff" -RunLevel Highest

These now give fat "access denied" messages when run locally. You also can't edit registry settings under HKLM: without elevation, so disabling UAC temporarily is not an option.

You may be able to make use of this exploit that allows admin users to bypass UAC, but I think you still have to Run-as-other-user your shell to use it.

Cpt.Whale
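As an added, read-only example (mine, not code from the question or from Cpt.Whale's answer): an audit that reports the elevation state of the current session and the UAC policy values Experiment B tried to flip, flagging any that have been weakened. Reading these HKLM values needs no elevation, only writing them does, which is exactly why the answer says the temporary-disable approach cannot work from a non-elevated process. The function names and the "documented default" fallbacks for absent values are my own assumptions.

```powershell
# Added example, not part of the question or the answer: read-only UAC audit.
# Function names are assumptions of this example.

function Test-IsElevated {
    # Same check the question uses: is the current token in the Administrators role?
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UacPolicyState {
    # Reading HKLM needs no elevation; writing it does, so a non-elevated
    # Set-ItemProperty against this key (as in Experiment B) never takes effect.
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $item = Get-ItemProperty -Path $path

    # An absent value means "Windows default"; the defaults used here are the documented ones.
    function Get-ValueOrDefault($name, $default) {
        $v = $item.$name
        if ($null -eq $v) { $default } else { [int]$v }
    }

    [pscustomobject]@{
        EnableLUA                  = Get-ValueOrDefault 'EnableLUA' 1
        ConsentPromptBehaviorAdmin = Get-ValueOrDefault 'ConsentPromptBehaviorAdmin' 5
        PromptOnSecureDesktop      = Get-ValueOrDefault 'PromptOnSecureDesktop' 1
        FilterAdministratorToken   = Get-ValueOrDefault 'FilterAdministratorToken' 0
    }
}

function Test-UacWeakened {
    param([Parameter(Mandatory)] $State)
    # Each of these lets an elevation prompt be suppressed or observed from outside:
    #   EnableLUA = 0                   UAC switched off entirely
    #   ConsentPromptBehaviorAdmin = 0  elevate silently, no prompt at all
    #   PromptOnSecureDesktop = 0       prompt drawn on the normal desktop, so a
    #                                   remote-control session can see and drive it
    $findings = @()
    if ($State.EnableLUA -eq 0)                  { $findings += 'EnableLUA=0 (UAC disabled)' }
    if ($State.ConsentPromptBehaviorAdmin -eq 0) { $findings += 'ConsentPromptBehaviorAdmin=0 (silent elevation)' }
    if ($State.PromptOnSecureDesktop -eq 0)      { $findings += 'PromptOnSecureDesktop=0 (prompt not on the secure desktop)' }
    return $findings
}

$state = Get-UacPolicyState
"Session elevated: $(Test-IsElevated)"
$state | Format-List
$findings = Test-UacWeakened -State $state
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { 'UAC policy values are at their secure defaults.' }
```

Run it from an ordinary (non-elevated) PowerShell window; nothing in it writes to the registry, so it works without a UAC prompt. A warning on PromptOnSecureDesktop is the state the question's Experiment B was trying to reach, and is worth checking on any machine that is routinely driven through Quick Assist or screen sharing.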