Exit code -1 on every runascurrentuser operation

Hi all,

I am seeing a new phenomenon.
Whenever I run ANY operation using “runascurrentuser” I am getting “operation succeeded” with exit code -1 and the action never actually takes place.
I am using a copy of an action I ran many times in the past (enforce screen saver for computers not in domain), but for some reason it no longer succeeds.

It is possible that some security software is blocking it, but I also heard from another BES admin that he sees the same behavior.

Can any of you confirm runascurrentuser still works? (My environment is 9.5.8 with most clients on 9.5.3.)

thanks

Runascurrentuser still works, but we now prefer use of the ‘override run’ options to avoid the additional download.

The most common problems I see with running a program as the current user are trying to run binaries from the __Download folder (standard users don’t have access to the directory); using ‘move’ rather than ‘copy’ to get the binary out of the __Download folder (‘move’ keeps the existing file permissions, which still won’t allow a standard user to read/execute it); or trying to run as current user when there is nobody logged on.

Thanks for your reply Jason,
As I mentioned, I am still on 9.5.3 on most clients so can’t use “override run” (requires 9.5.5); I still have relays which are 2003 server so can’t upgrade.
I will try to move runascurrentuser, but as I mentioned this is a copy of a task that used to work.
More to come…

Perhaps you could post an example of usage that is failing? It’s difficult to guess at what could possibly go wrong in general terms.

Where do you place the module to be run by RunAsCurrentUser?
By default, “current user” has no access to the __Download folder of BigFix. If you want to run the downloaded module, you need to copy the module to some place “current user” has access to before running RunAsCurrentUser.

Thanks both,
I figured that part out and modified accordingly…

action uses wow64 redirection false

delete __createfile
delete wizardedit.reg
delete "c:\temp\wizardedit.reg"
delete "c:\temp\runascurrentuser.exe"

createfile until @end_create_reg_file
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop]
"ScreenSaveActive"="1"
"ScreenSaverIsSecure"="1"
"ScreenSaveTimeOut"="600"
"SCRNSAVE.EXE"="%windir%\\Screensaver_2019.scr"
@end_create_reg_file

move __createfile "c:\temp\wizardedit.reg"
prefetch RunAsCurrentUser.exe sha1:ee47505ebfb2790b9da8a20ed70e67158e9753d0 size:342528 http://software.bigfix.com/download/bes/util/RunAsCurrentUser-2.0.3.1.exe sha256:1a9b518c775e2a85a7c47801e9b8221df338a65ad8df326485e4cd2aea22fe52
move __Download\RunAsCurrentUser.exe "c:\temp\RunAsCurrentUser.exe"
waithidden "c:\temp\RunAsCurrentUser.exe" --w "c:\Windows\regedit.exe" /s "c:\temp\wizardedit.reg"

This part works, and now, to the next problem: :)
As you both mentioned, runascurrentuser runs with the current user privileges, and as a normal user they can’t write to the “Policies” branch of their HKCU.
Now, I can modify the task to write to the personal registry hive (but then the user is able to change the screensaver), so I see 2 other options:

  1. elevate the use of runascurrentuser.exe somehow
  2. not use runascurrentuser.exe, enumerate the current user’s hive and write directly to the user hive, as local system.

Any thoughts on how I can accomplish either?

thanks!

I don’t think you can run elevated as long as you are using RunAsCurrentUser.exe.
If all you need to deal with current user is the registry, how about using current user key of <registry> ?

https://developer.bigfix.com/relevance/reference/registry.html

Thanks for this Akira.
This is a Relevance inspector; is there an example for an action with current user key of <registry>?

You can use relevance in the action script like:
regset "[{current user key of registry}\…]" "name"="value"

Also, you can use relevance in the createfile like:

createfile until __END
…
[{current user key of registry}\….]
…
__END

Hi,
So after some trial and error I figured it out, and it’s simpler than I thought…

regset "[{current user key of registry}\Software\Policies\Microsoft\Windows\Control Panel\Desktop]" "SCRNSAVE.EXE"="%windir%\TESTSCR.SCR"

This writes the correct value to the Policies branch of the currently logged on user’s registry (who is not an admin).

thanks again!