
I need to execute a PowerShell script which creates registry entries for the current user and right after that restarts a service (admin rights needed). I found a module called RunAsUser that seems to do this very nicely. https://github.com/KelvinTegelaar/RunAsUser

Install-PackageProvider -Name "NuGet" -RequiredVersion "2.8.5.201" -Force -Confirm:$False
install-module RunAsUser -Confirm:$False -Force
$scriptblock = { 
    # HKCU: already maps to HKEY_CURRENT_USER, so the hive name is not repeated in the path
    Set-ItemProperty -Path "HKCU:\Software\Palo Alto Networks\GlobalProtect\Settings\" -Name LastUrl -Value "vpn.xxx.yyy"
}
# Runs the script block in the logged-on user's context (requires SYSTEM, see the error below)
invoke-ascurrentuser -scriptblock $scriptblock
# Restarting the GlobalProtect service needs administrative rights
Restart-Service -Name PanGPS

But when I run it with a user with local admin rights I get the following error asking for SYSTEM rights.

invoke-ascurrentuser : Not running with correct privilege. You must run this script as system or have the SeDelegateSessionUserImpersonatePrivilege token. At C:\Temp\MoveFromVPN2toVPN.ps1:30 char:1
+ invoke-ascurrentuser -scriptblock $scriptblock
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Invoke-AsCurrentUser

Any idea on how to become SYSTEM? I managed to obtain a shell with SYSTEM using psexec command.

psexec.exe -i -s powershell.exe

From there my script works flawlessly, but I would like to do it programmatically, directly inside my script.

Any idea how to do this?

Thanks.

mklement0
YaKs
    You don't elevate to SYSTEM. SYSTEM is a different `user` or, from some points of view, a `computer` account. The command name `invoke-ascurrentuser` implies that the current user won't change. So that seems not to be your solution. Scheduled tasks can be executed as `system` and can be triggered by a logon event. Just use SYSTEM as the username in the task – An-dir Oct 01 '22 at 17:36

2 Answers


Building on An-dir's helpful comment:

  • The SYSTEM (NT AUTHORITY\SYSTEM) account is a highly privileged, built-in user account that is not designed for interactive use.

    • The Invoke-AsCurrentUser function from the third-party RunAsUser module you link to is designed to run PowerShell code as the current user from a process that already is running as SYSTEM, as happens in the context of RMM (Remote Monitoring and Management) systems.

    • While psexec -s indeed can run a process as SYSTEM (and can therefore also run a PowerShell script via powershell.exe, the Windows PowerShell CLI), there is rarely a need for it, and I don't think you need it either. Crucially, psexec -s requires calling from a process that is already elevated (see next point).

  • It sounds like you're simply trying to run your script with elevation (with administrative privileges), which happens in the context of a specific administrator user account, but only when explicitly requested, using one of the following:

    • Starting an elevated PowerShell session interactively, e.g. by right-clicking the PowerShell icon in the taskbar or the Start Menu and selecting Run as Administrator, at which point a UAC dialog is presented in order to confirm the intent to elevate (or, if the current user isn't an administrator, to enter an administrator's credentials).

    • Starting a PowerShell session programmatically, e.g. by using Start-Process -Verb Runas powershell.exe

    • If you want your script to automatically elevate itself if needed, i.e. to re-invoke itself with elevation if invoked from a non-elevated process, use the technique shown in this answer; note, however, that the UAC dialog still has to be confirmed (unless UAC is disabled entirely, which is strongly discouraged).

mklement0
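A worked version of the self-elevation approach this answer describes, added here as an example (it is not code from the answer, from the question, or from the RunAsUser project): when not elevated, the script re-invokes itself with Start-Process -Verb RunAs, then performs the HKCU write and service restart from the question in the elevated instance, which still runs as the same user account. The registry path, value name and the placeholder "vpn.xxx.yyy" are taken from the question; the function name Test-IsElevated is my own.

```powershell
#requires -Version 5.1
# Added example: elevate in place (same user account) instead of trying to become SYSTEM.

function Test-IsElevated {
    # True when the current token carries the Administrators group as an enabled role,
    # i.e. the process is already elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-IsElevated)) {
    # Re-launch this very script with elevation; the UAC prompt still has to be confirmed.
    # Caveat: if the current user is not an administrator, UAC asks for an administrator's
    # credentials and the elevated instance then runs as THAT account, so its HKCU: is the
    # administrator's hive rather than the logged-on user's.
    $argList = @('-NoProfile', '-File', ('"{0}"' -f $PSCommandPath))
    $elevated = Start-Process -FilePath 'powershell.exe' -Verb RunAs `
                              -ArgumentList $argList -Wait -PassThru
    exit $elevated.ExitCode
}

# --- From here on the script is elevated, still in the logged-on user's context ---

# Path from the question; HKCU: already maps to HKEY_CURRENT_USER.
$settingsKey = 'HKCU:\Software\Palo Alto Networks\GlobalProtect\Settings'
if (-not (Test-Path -LiteralPath $settingsKey)) {
    $null = New-Item -Path $settingsKey -Force
}
Set-ItemProperty -LiteralPath $settingsKey -Name 'LastUrl' -Value 'vpn.xxx.yyy'

# Restarting the GlobalProtect service is what actually needed the elevation.
Restart-Service -Name 'PanGPS' -ErrorAction Stop
```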

Thanks a lot for your comments. Finally I managed to do it without additional modules. As the script is executed from Intune as SYSTEM, it can write directly into the registry hive of the connected user.

# Map HKEY_USERS as a drive so the logged-on user's hive can be addressed by SID
$null = New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS
# Win32_ComputerSystem.UserName is the interactively logged-on user (DOMAIN\user);
# it is empty when nobody is logged on, so stop instead of translating a null name
$username = Gwmi -Class Win32_ComputerSystem | select username
if (-not $username.username) { throw 'No interactively logged-on user found.' }
$objuser = New-Object System.Security.Principal.NTAccount($username.username)
$sid = $objuser.Translate([System.Security.Principal.SecurityIdentifier])

# Create the key under the user's hive (HKU\<SID>) if it does not exist yet
$Path = "HKU:\$sid\Software\Palo Alto Networks\GlobalProtect\Settings\XXX.yyy"
if( -not (Test-Path -Path $Path -PathType Container) )
{
    New-Item -Path $Path
}
Remove-PSDrive -Name HKU

# Running as SYSTEM, so the service restart needs no extra elevation
Restart-Service -Name PanGPS
YaKs