tros804 Posted June 11, 2019 Share Posted June 11, 2019 Hello I have a software vendor that requires all users be administrators on their PC to allow updates to process correctly (not my favorite folks...). Of course, being the security guru I am, I immediately put an end to allowing users to be administrators on their PC just to let updates process. To allow them to process, however, I built an AutoIT script that was working fine prior to this latest update that was pushed by them. Now, with this latest update, all updates process EXCEPT when it gets to copying files to C:\Windows\system32; I'll see errors stating that it aborted. When I manually attempt to copy items to system32 as the local Administrator, I get a UAC prompt asking for permission to allow the copy and if I click Continue, it copies the file without issue. So clearly, the local Administrator account I have has the permission, it just appears that UAC is putting a halt to allowing the file copy. Thoughts on how to get around this without adjusting UAC settings? I'd really like to leave this as is. NOTE - I substituted actual vendor names and names of their exes with generic names below. $drive = EnvGet("systemdrive") RunAs("Administrator", @ComputerName, "AdminPassword", "", $drive & "\vendor\vendor.exe") ;Wait for Vendor Version Control to close Do Sleep(100) Until Not WinExists("Vendor Version Control") ;Wait for VendorAppLauncher to exist ProcessWait("VendorAppLauncher.exe") ;Close the Vendor Launcher as Admin RunAs("Administrator", @ComputerName, "AdminPassword", "", ProcessClose("VendorAppLauncher.exe")) ;Re-open Vendor Launcher as user Run($drive & "\Vendor\VendorAppLauncher.exe", $drive & "\Vendor") Link to comment Share on other sites More sharing options...
Subz Posted June 11, 2019 Share Posted June 11, 2019 Try to install using system account, this isn't effected by UAC, you could use PSExec or create a Task Schedule to run as System Link to comment Share on other sites More sharing options...
tros804 Posted June 11, 2019 Author Share Posted June 11, 2019 Thanks. I tried using the SYSTEM account with PSExec but it appears the update program just sits idle with no window that appears so this doesn't appear to be a solid solution to this. Link to comment Share on other sites More sharing options...
AdamUL Posted June 11, 2019 Share Posted June 11, 2019 Here is a workaround for dealing with RunAs and RunAsWait and the UAC Admin Token. This uses re-execution to elevate the script and allow the Admin part of the script to run. After the admin part runs, it reverts back to the not admin part. Example script is below. expandcollapse popup#include <MsgBoxConstants.au3> Global $sAdminUser = "USERNAME" Global $sAdminPassword = "PASSWORD" Global $sDomain = @ComputerName Global $iLogOnFlag = 0 Global $sParameters = "" ;Run as the Admin account. If @UserName <> $sAdminUser And Not IsAdmin() Then $sParameters = "" If Not @Compiled Then $sParameters = ' "' & @ScriptFullPath & '"' EndIf ;Use RunAsWait to run as AdminUser, to continue the script as the user that started it, and to wait for the Admin part to Finish. RunAsWait($sAdminUser, $sDomain, $sAdminPassword, $iLogOnFlag, @AutoItExe & $sParameters) If @error Then Exit MsgBox($MB_ICONERROR + $MB_TOPMOST, "ERROR!", "Unable to run under administrator account.") EndIf ;Request the Admin Token for the Admin account in Windows Vista and Higher. If @UserName = $sAdminUser And Not IsAdmin() And Not StringRegExp(@OSVersion, "_(XP|200(0|3))") Then $sParameters = "" If Not @Compiled Then $sParameters = '"' & @ScriptFullPath & '"' EndIf ;Use ShellExecuteWait to run as AdminUser with Admin Token, to wait for the Admin part of the script to finish, and then to exit. ShellExecuteWait(@AutoItExe, $sParameters, "", "runas") If @error Then Exit MsgBox($MB_ICONERROR + $MB_TOPMOST, "ERROR!", "Unable to elevate to Admin due to UAC.") Exit EndIf MsgBox($MB_ICONINFORMATION, @UserName, "Is " & (IsAdmin() ? "" : "Not " ) & "Admin") ;Example Global $sDrive = EnvGet("systemdrive") ;Admin part of script. If IsAdmin() Then MsgBox ($MB_OK, "Admin Run Test", "Run Admin part of script and then exit to run as user who started the script.") ;Example Run($sDrive & "\vendor\vendor.exe") ;Wait for Vendor Version Control to close Do Sleep(100) Until Not WinExists("Vendor Version Control") ;Wait for VendorAppLauncher to exist ProcessWait("VendorAppLauncher.exe") ;Close the Vendor Launcher as Admin ProcessClose("VendorAppLauncher.exe") ;Exit to finish Admin part of script. Exit EndIf ;Put rest of the non Admin part of script here. ;Re-open Vendor Launcher as user Run($sDrive & "\Vendor\VendorAppLauncher.exe", $sDrive & "\Vendor") Adam tros804 and wongshing1439 1 1 Link to comment Share on other sites More sharing options...
tros804 Posted June 11, 2019 Author Share Posted June 11, 2019 @AdamUL This appears to be exactly what I was looking for. So far, my tests are coming back successful after implementing your workaround. You, my friend, are a freaking rock star! Thank you for the assistance! Link to comment Share on other sites More sharing options...
AdamUL Posted June 11, 2019 Share Posted June 11, 2019 @tros804 Thank you and your welcome, I'm glad I could help. Adam Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now