Start EXE Under Privileged Account Elevated

Ask your PowerShell-related questions, including questions on cmdlet development!
Forum rules
Do not post any licensing information in this forum.

Any code longer than three lines should be added as code using the 'Select Code' dropdown menu or attached as a file.
This topic is 4 years and 4 weeks old and has exceeded the time allowed for comments. Please begin a new topic or use the search feature to find a similar but newer topic.
Locked
User avatar
andycarpenter@westat.com
Posts: 18
Last visit: Wed Jan 17, 2024 9:56 am

Start EXE Under Privileged Account Elevated

Post by andycarpenter@westat.com »

Using PowerShell Studio/Packager I have created a PowerShell-based EXE that has a default manifest for elevation. Let's call that the elevated EXE.

From a non-elevated EXE running under a non-privileged account, I want to call the elevated EXE, have it run under a privileged account, and run elevated.

I'm trying to use Start-Process and supply the Credential of the privileged account. If I run just that, I get the error that elevation is required, as expected due to the manifest. I'm having trouble specifying that it should run with elevation. I've seen -Verb RunAs and -RunAs for that. Neither works (see error messages below).

Can anyone please set me straight on how to get this EXE elevated running under a different/privileged account?

THANKS,
Andy
  1. Start-Process -FilePath $EXEpath -Credential $CredTA
Start-Process : This command cannot be run due to the error: The requested operation requires elevation.
  1. Start-Process -FilePath $EXEpath -Credential $CredTA -Verb Runas
Start-Process : Parameter set cannot be resolved using the specified named parameters.

  1. Start-Process -FilePath $EXEpath -Credential $CredTA -Runas
Start-Process : Missing an argument for parameter 'Credential'. Specify a parameter of type 'System.Management.Automation.PSCredential' and try again.
jvierra
Posts: 15439
Last visit: Tue Nov 21, 2023 6:37 pm
Answers: 30
Has voted: 4 times
Been upvoted: 33 times

Re: Start EXE Under Privileged Account Elevated

Post by jvierra »

You cannot auto-elevate an interactive process. You can run under alternate credentials which will create a full session under the alternate credentials but it cannot be elevated without answering the UAC challenge. This is a fundamental restrictions in Windows. It is designed to defeat malware from exploiting the system.

The package you are calling can specify alternate credentials and can be optioned to prompt for elevation. Just configure the EXE package correctly and don't start it with alternate credentials. The package will supply its own credentials.
User avatar
andycarpenter@westat.com
Posts: 18
Last visit: Wed Jan 17, 2024 9:56 am

Re: Start EXE Under Privileged Account Elevated

Post by andycarpenter@westat.com »

Thanks so much for your very quick reply. It's an area where I clearly don't have a great handle on the details. Your explanation makes sense.

What I'm doing as a work-around for now [and it makes no sense to me that it works] is...
EXE is not elevated and runs as the current/non-priviledged user
EXE spits out a temp-PS1 file that contains the Restart-Computer command
EXE does a Start-Process "powershell.exe" -File temp-PS1 [no privileged credentials]
Restarts like a charm.

From an overall security standpoint, not sure why...
I CANNOT get a restart without UAC challenge even using credentials for a privileged account.
I CAN get a restart from a non-privileged account without UAC challenge just by calling powershell to run a PS1.

I realize that question may not fit the form, so feel free to pass.

THANKS AGAIN,
Andy
jvierra
Posts: 15439
Last visit: Tue Nov 21, 2023 6:37 pm
Answers: 30
Has voted: 4 times
Been upvoted: 33 times

Re: Start EXE Under Privileged Account Elevated

Post by jvierra »

There is no way to restart a local system without UAC except by running the restart as a scheduled task. Create an on-demand taks and give the user permissions on the task. They user can just use the command line or a script to trigger the task and the computer will restart or shutdown as needed.
This topic is 4 years and 4 weeks old and has exceeded the time allowed for comments. Please begin a new topic or use the search feature to find a similar but newer topic.
Locked