One more update to tie everything together.
Scenario:
- Run a batch file as the logged-on user, and prompt the user to run Elevated
Issues:
- The logged-on user cannot access files in the __BESData folder; the batch file must be relocated to a path they can access.
- No built-in Relevance Inspector returns the value that the ActionScript override ‘runas=currentuser’ uses
- No built-in ActionScript Override prompts the user to run elevated
- The syntax for the override ‘runas=localuser’ with ‘user=SOMETHING’ requires DOMAIN\username for domain accounts, but just username for local accounts.
This ActionScript works around each of these issues:
// Create the batch file that will be executed as the user.
// The batch creates a small .VBS file that prompts for elevation (ShellExecute with the "runas" verb) and then re-runs the batch file elevated.
// NOTE(review): the batch is copied further down into the user's own profile folder, and the elevated re-run via "%~s0" reads it from
// disk again, so this is a user-writable file being executed with administrative rights. The same applies to %temp%\getadmin.vbs,
// which the batch deletes before re-creating (and aborts if the delete fails) to limit that exposure.
// The elevation check is "cacls" on %SYSTEMROOT%\system32\config\system; a non-zero errorlevel means no admin rights.
// The work after :gotAdmin is a placeholder ("echo test" into %systemroot%, which itself needs elevation); replace it with the real commands.
// The CD /D "%~dp0" line is commented out, so the elevated instance's working directory is not reset to the script folder —
// presumably intentional; confirm before relying on relative paths in the elevated section.
delete __createfile
createfile until EOF_EOF_EOF
:: BatchGotAdmin
::-------------------------------------
@REM --> Check for elevated permissions
@ "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system" >nul 2>&1
@REM --> If error flag set, we do not have admin.
@if '%errorlevel%' NEQ '0' (
@echo Requesting administrative privileges...
@goto UACPrompt
) else ( @goto gotAdmin )
:UACPrompt
@REM Ensure any previous copy of getadmin.vbs is removed to avoid escalation attack
@del /q "%temp%\getadmin.vbs" > NUL 2>&1
@IF EXIST "%temp%\getadmin.vbs" @echo Unable to clear previous getadmin.vbs, aborting... & exit /B 1
@echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
@echo UAC.ShellExecute "%~s0", "", "", "runas", 1 >> "%temp%\getadmin.vbs"
@wscript.exe "%temp%\getadmin.vbs"
@exit /B
:gotAdmin
@if exist "%temp%\getadmin.vbs" ( del "%temp%\getadmin.vbs" )
@pushd "%CD%"
@REM CD /D "%~dp0"
@REM ############################################
@REM Now do the things that required elevation
echo test > %systemroot%\test.out
@REM ############ End of batch script ###########
EOF_EOF_EOF
// Save these values as Parameters so they appear in the client log for debugging.
// Each expression joins the inspector results with "|" and keeps only the text before the first "|" (or the whole string when
// there is no "|"), so in the case of multiple logged-on users the first one returned by the inspector is selected.
parameter "user_name"="{(preceding text of first "|" of it | it) of concatenation "|" of names of logged on users}"
parameter "user_profile"="{(preceding text of first "|" of it | it) of concatenation "|" of profile folders of users of logged on users}"
// DOMAIN\ is prepended *only* when the user's domain differs from the computer name (i.e. a domain account). Local users get
// no prefix, not even COMPUTERNAME\user, because that is the form the runas=localuser override expects.
parameter "user_domain_name"="{(preceding text of first "|" of it | it) of concatenation "|" of ((if exists domain whose (it as lowercase != computer name as lowercase) of it then domain of it & "\" else "") of user of it & name of it) of logged on users}"
// Everything below is skipped when nobody is logged on; the parameters above would otherwise be empty.
if {exists logged on users}
// Create a per-user folder in which to store the batch file (if the action had Downloads they should be copied here as well).
// The logged-on user cannot read __BESData, which is why __createfile is copied out to their profile folder.
folder create "{parameter "user_profile"}\BES_Action"
delete "{parameter "user_profile"}\BES_Action\test.cmd"
copy __createfile "{parameter "user_profile"}\BES_Action\test.cmd"
// Important - the check for elevation fails in 32-bit mode because \windows\syswow64\config does not exist.
// The batch command must be run in native mode, so WOW64 redirection is enabled only on a non-x64 operating system.
action uses wow64 redirection {not x64 of operating system}
// Run the batch as the logged-on user: hidden=false runs it with a visible window rather than hidden, user= carries the
// DOMAIN\user or bare local name computed above, and password=impersonate runs in the user's existing logon session
// instead of storing a credential in the action.
override wait
hidden=false
runas=localuser
user={parameter "user_domain_name"}
password=impersonate
wait cmd.exe /C "{parameter "user_profile"}\BES_Action\test.cmd"
else
// No user was logged on, batch execution skipped; the parameter records the reason in the client log.
parameter "Skipped"="No logged on user"
endif