I need to execute a PS which creates registry entries for the current user and right after restarts a service (admin rights needed). I found a module called RunAsUser that seems to do this very nicely. https://github.com/KelvinTegelaar/RunAsUser
Install-PackageProvider -Name "NuGet" -RequiredVersion "2.8.5.201" -Force -Confirm:$False
Install-Module RunAsUser -Confirm:$False -Force
$scriptblock = {
    # The HKCU: drive is already rooted at HKEY_CURRENT_USER, so the path starts at Software
    Set-ItemProperty -Path "HKCU:\Software\Palo Alto Networks\GlobalProtect\Settings\" -Name LastUrl -Value "vpn.xxx.yyy"
}
invoke-ascurrentuser -scriptblock $scriptblock
Restart-Service -Name PanGPS
But when I run it with a user with local admin rights I get the following error asking for SYSTEM rights.
invoke-ascurrentuser : Not running with correct privilege. You must run this script as system or have the SeDelegateSessionUserImpersonatePrivilege token.
At C:\Temp\MoveFromVPN2toVPN.ps1:30 char:1
invoke-ascurrentuser -scriptblock $scriptblock
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Invoke-AsCurrentUser
Any idea on how to become SYSTEM? I managed to obtain a shell with SYSTEM using psexec command.
psexec.exe -i -s powershell.exe
From there my script works flawlessly, but I would like to do it programmatically, directly inside my script.
Any idea how to do this?
Thanks.
CodePudding user response:
Building on An-dir's helpful comment:
The SYSTEM (NT AUTHORITY\SYSTEM) account is a highly privileged, built-in user account that is not designed for interactive use.
The Invoke-AsCurrentUser function from the third-party RunAsUser module you link to is designed to run PowerShell code as the current user from a process that already is running as SYSTEM, as happens in the context of RMM (Remote Monitoring and Management) systems.
While psexec -s indeed can run a process as SYSTEM (and can therefore also run a PowerShell script via powershell.exe, the Windows PowerShell CLI), there is rarely a need for it, and I don't think you need it either. Crucially, psexec -s requires calling from a process that is already elevated (see next point).
It sounds like you're simply trying to run your script with elevation (with administrative privileges), which happens in the context of a specific administrator user account, but only when explicitly requested, using one of the following:
Starting an elevated PowerShell session interactively, e.g. by right-clicking the PowerShell icon in the taskbar or the Start Menu and selecting Run as Administrator, at which point a UAC dialog is presented in order to confirm the intent to elevate (or, if the current user isn't an administrator, to enter an administrator's credentials).
Starting a PowerShell session programmatically, e.g. by using Start-Process -Verb Runas powershell.exe
If you want your script to automatically elevate itself if needed, i.e. to re-invoke itself with elevation if invoked from a non-elevated process, use the technique shown in this answer; note, however, that the UAC dialog still has to be confirmed (unless UAC is disabled entirely, which is strongly discouraged).
CodePudding user response:
Thanks a lot for your comments. Finally I managed to do it without additional modules. As the script is executed from Intune as SYSTEM, it can write directly into the registry hive of the connected user.
# Map HKEY_USERS as a PSDrive so the logged-on user's hive can be addressed by SID
$a = New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS
# Resolve the console user's name (DOMAIN\user) to a SID
$username = Get-WmiObject -Class Win32_ComputerSystem | Select-Object username
$objuser = New-Object System.Security.Principal.NTAccount($username.username)
$sid = $objuser.Translate([System.Security.Principal.SecurityIdentifier])
$Path = "HKU:\$sid\Software\Palo Alto Networks\GlobalProtect\Settings\XXX.yyy"
# Create the key only if it does not exist yet
if (-not (Test-Path -Path $Path -PathType Container))
{
    New-Item -Path $Path
}
Remove-PSDrive -Name HKU
Restart-Service -Name PanGPS
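
An added example, not part of the original posts or of the RunAsUser module: the same HKEY_USERS approach applied to the LastUrl value from the question, with guards for the cases where it fails silently (not running as SYSTEM, nobody logged on at the console, user hive not loaded). The function names Get-ConsoleUserSid and Set-GlobalProtectLastUrl are hypothetical; the key, value name, service name and the placeholder portal "vpn.xxx.yyy" are taken from the posts above.

```powershell
# Added example. Assumption: the script is started as SYSTEM (e.g. by Intune or an RMM agent).

function Get-ConsoleUserSid {
    # UserName is empty when nobody is logged on at the console (e.g. RDP-only sessions).
    $name = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
    if ([string]::IsNullOrWhiteSpace($name)) { return $null }
    $account = [System.Security.Principal.NTAccount]::new($name)
    return $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Set-GlobalProtectLastUrl {
    param(
        [Parameter(Mandatory)][string]$Portal
    )

    # Under any other account HKCU: is the simpler route; this path is meant for SYSTEM.
    if (-not [System.Security.Principal.WindowsIdentity]::GetCurrent().IsSystem) {
        throw 'This function expects to run as NT AUTHORITY\SYSTEM.'
    }

    $sid = Get-ConsoleUserSid
    if (-not $sid) { throw 'No user is logged on at the console; nothing to configure.' }

    # Provider-qualified path: no temporary HKU: PSDrive to create and remove.
    $hive = "Registry::HKEY_USERS\$sid"
    if (-not (Test-Path -Path $hive)) {
        throw "Registry hive for $sid is not loaded (user profile not active)."
    }

    $key = "$hive\Software\Palo Alto Networks\GlobalProtect\Settings"
    if (-not (Test-Path -Path $key)) {
        # -Force creates missing parent keys; only called when the key is absent.
        New-Item -Path $key -Force -ErrorAction Stop | Out-Null
    }

    # Stop on failure so the service is not restarted with the old setting in place.
    Set-ItemProperty -Path $key -Name LastUrl -Value $Portal -ErrorAction Stop
    Restart-Service -Name PanGPS -ErrorAction Stop
}

# Placeholder portal name as used in the question.
Set-GlobalProtectLastUrl -Portal 'vpn.xxx.yyy'
```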