1
function Get-WSLIP {
wsl -- ip -o -4 -json addr list eth0 `
| ConvertFrom-Json `
| %{ $_.addr_info.local } `
| ?{ $_ }
}

I have this function I want to run as a different user where WSL is installed and catch the output by assigning this function to a variable.

I've tried runas, but it seems it wants to open a second process and I was unable to catch the output.

dza
  • 1,478
  • 2
  • 13
  • 24

1 Answers1

1

Launching a process with a different user identity invariably launches the process in a new window on Windows, which means that you cannot directly capture that process' output.

You have two options:

  • Use the System.Diagnostics.Process API directly, which allows you to capture the process' output in memory, as text, via the .RedirectStandardOutput (and .RedirectStandardError) properties of the System.Diagnostics.ProcessStartInfo class.

    • This approach is nontrivial, especially if you want to also capture stderr output without the risk of deadlocks; a stdout-output-only-capturing solution can be found in this answer.

    • It precludes running the process hidden, because the use of another user's credentials (.UserName and .PassWord properties) requires that .UseShellExecute be $false, which in turn means that the .WindowStyle property is ignored.

  • Use Start-Process if you want (the option) to run the process hidden, although that requires the use of a temporary file to capture the output:

    • Pitfalls: You must ensure that the target user has permission:

      • to access the working directory of the newly launched process, which requires passing a suitable directory to -WorkingDirectory
      • to write to the (temporary) file path passed to -RedirectStandardOutput / -RedirectStandardError.

    • Note that -RedirectStandardOutput / -RedirectStandardError capture the output from the named streams separately, and must be separate files. If you want to merge the streams and capture them interleaved in a single file, you must launch your process via a shell (such as PowerShell or cmd.exe) and use its stream-merging features, typically 2>&1.

The following Start-Process-based solution shows how to run the process hidden and capture stdout output (only):

# Prompt for the target user's credentials.
$cred = Get-Credential

# Determine the working directory and temporary file path.
# IMPORTANT: THE TARGET USER MUST HAVE PERMISSION TO
#  * ACCESS the working directory
#  * access and WRITE TO the temp file.
$workingDir = "$env:SystemRoot\Temp"
$tmpFile = Join-Path "$env:SystemRoot\Temp" "~$PID.tmp"

# Launch the process as the target user, hidden, save its stdout
# to the temporary file, and wait for it to terminate.
(Start-Process -WindowStyle Hidden -PassThru -WorkingDirectory $workingDir -RedirectStandardOutput $tmpFile -Credential $cred powershell.exe @'
  -noprofile -command
  "[array] (wsl -- ip -o -4 -json addr list eth0 | ConvertFrom-Json).addr_info.local -ne ''"
'@).WaitForExit()

# Get the captured output and remove the temp. file.
$output = Get-Content $tmpFile; Remove-Item $tmpFile

# Print the captured result
$output

Note:

  • The powershell.exe CLI call above uses a streamlined version of the command in your question.

  • While Start-Process has a dedicated -Wait switch to await the launched process' termination, as of PowerShell Core 7.2 it appears to be incompatible with -Credential, i.e. with running as a different user (resulting in an Access denied error while still launching the process, albeit asynchronously).

    • The workaround is to use -PassThru, in order to make the normally output-less Start-Process emit a System.Diagnostics.Process instance describing the launched process, and call .WaitForExit() on that instance.
mklement0
  • 382,024
  • 64
  • 607
  • 775
  • Extreme solution definetily not what I expected, but it works. I accepted. So I guess its not the norm on Windows to capture output from a different user. How can one securely save credentials for running this via task scheduler for example? – dza Oct 31 '21 at 22:43
  • 1
    @dza, for a reasonably secure Windows solution for saving credentials, see [this answer](https://stackoverflow.com/a/40029496/45375). The [`Microsoft.PowerShell.SecretManagement`](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.secretmanagement/?view=ps-modules) module may be an alternative. Task Scheduler, specifically, allows you to specify and persist credentials too. – mklement0 Oct 31 '21 at 22:56
  • Yes, the reason is I need to run as Administrator to set firewall permission and regular user to grab WSL IP. – dza Oct 31 '21 at 23:06
  • 1
    @dza, actually, to run _with elevation_ (as administrator), you need to use `Start-Process -Verb RunAs`, and in this case the only way to avoid an interactive confirmation / password prompt is to use a scheduled task with preconfigured admin credentials that non-admin users can invoke on demand. – mklement0 Oct 31 '21 at 23:11
  • Cool thanks for that tip. I still have the issue of needing the users running WSL IP which is not available as Administrator. – dza Oct 31 '21 at 23:37