Kaseya Community

Elevated CMD Prompt (or powershell) in user context (logged in user)

  • Heo,

    does anyone know about how to get an elevated cmd prompt in an agent procedure with the logged in user or at least the use creds(impersonate user)?

    We need to install software on clients, and some of those are installed in the users appdata folder.

    i can work around that, the procedure looks for user logged in, scans for the file, then executes the install.

    Now to the prob:

    the software can be installed silently, but only from an elevated prompt und the user logged in. It starts when i run it as user in the proc, but displays the UACL window which needs to be confirmed by the user and this will not work for us and the customer.

    The installer doesn't complete if run as *use creds* or as system nor impersonate user. And VSA can't handle %USERNAME% in the impersonate user ofc.

    All i really want is a switch for elevated prompt and user-context (logged in or call for %USERNAME%, and since VSA pulls the info anyway, even last logged in user) FFS.

    Next in Line with the problem is unattended Office install. can't get it to work within vsa agent procedures or software deployment. 

    Any ideas folks? I would greatly appreciate it. 

    Thx to all of you.

  • Addition:

    One of the main drawbacks on Agent Procedures with run as system is, it can't use UNC Paths either.

  • For the UAC problem, i use a script that someone shared here. I tried to search for it to give him credit but i dont find it.

    It get the actual value for UAC, it changes to Disable, execute what you need, left it as you found it.

    Copy, create a XML file and import to Kaseya.

    <?xml version="1.0" encoding="utf-8"?>

    <ScriptExport xmlns:xsi="www.w3.org/.../XMLSchema-instance" xmlns:xsd="www.w3.org/.../XMLSchema" xmlns="www.kaseya.com/.../Scripting">

     <Procedure name="DISABLE_ENABLE UAC">

       <Body description="">

         <If description="">

           <Condition name="CheckRegistryValue">

             <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin" />

             <Parameter xsi:type="EnumParameter" name="Condition" value="Exists" />

             <Parameter xsi:type="StringParameter" name="Value" value="" />

           </Condition>

           <Then>

             <Statement name="GetVariable" continueOnFail="false">

               <Parameter xsi:type="EnumParameter" name="VariableType" value="RegistryValue" />

               <Parameter xsi:type="StringParameter" name="SourceContent" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin" />

               <Parameter xsi:type="StringParameter" name="VariableName" value="UAC" />

             </Statement>

             <If description="">

               <Condition name="CheckVariable">

                 <Parameter xsi:type="StringParameter" name="VariableName" value="#UAC#" />

                 <Parameter xsi:type="EnumParameter" name="Condition" value="NotEquals" />

                 <Parameter xsi:type="StringParameter" name="Value" value="0" />

               </Condition>

               <Then>

                 <Statement name="SetRegistryValue" continueOnFail="false">

                   <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin" />

                   <Parameter xsi:type="StringParameter" name="Value" value="0" />

                   <Parameter xsi:type="EnumParameter" name="DataType" value="Integer" />

                 </Statement>

               </Then>

             </If>

           </Then>

         </If>

         <If description="CODE HERE">

           <Condition name="CheckVariable">

             <Parameter xsi:type="StringParameter" name="VariableName" value="#UAC#" />

             <Parameter xsi:type="EnumParameter" name="Condition" value="Exists" />

             <Parameter xsi:type="StringParameter" name="Value" value="" />

           </Condition>

           <Then>

             <If description="">

               <Condition name="CheckVariable">

                 <Parameter xsi:type="StringParameter" name="VariableName" value="#UAC#" />

                 <Parameter xsi:type="EnumParameter" name="Condition" value="NotEquals" />

                 <Parameter xsi:type="StringParameter" name="Value" value="0" />

               </Condition>

               <Then>

                 <Statement name="SetRegistryValue" continueOnFail="false">

                   <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin" />

                   <Parameter xsi:type="StringParameter" name="Value" value="#UAC#" />

                   <Parameter xsi:type="EnumParameter" name="DataType" value="Integer" />

                 </Statement>

               </Then>

             </If>

           </Then>

         </If>

       </Body>

     </Procedure>

    </ScriptExport>

  • i use elevate64 to give my scripts/procedures the ability to run in an elevated prompt.

    www.winability.com/.../elevate

  • Thx the booth of you, i will test booth solutions.

    Just for the fun of it:

    We will always find a way to circumnavigate the incapabilties of VSA. I want Kaseya to step up and take action. Implement usefull features. VSA has to be a tool for the monkey with a wrench. IMHO.

    Thx guys

  • - thx for the script, it solved one of my problems but i got a question. Unaltered, besides adding a 10 sec pause in between, it changes the UAC value to 0, but never gets it back to whatever it was. i can't find the problem, it succeeds in VSA, no fail there. any ideas?



    typo
    [edited by: m.pataly at 1:39 AM (GMT -7) on Sep 18, 2019]
  • The uac script is mine ;)

    Question - isn't an elevated command prompt, by definition, no longer running as the user? Hence asking for an elevated user command prompt is not sensual. This is why the fault folder that the elevated prompt opens to, is sysyem32, not the users home folder.

  • Thanks for the script i use it a lot. :).

    Maybe its a 64 bits problem, try to detect the OS bitness and use diferent SetRegistryValue or Set64RegistryValue.

  • Thx to booth of you.

    The reason to ask for an elevated cmd prompt is because i ran into some problems deploying specific software for a customer.

    The app can be installed via silent switches, but only runs elevated, otherwise it gets stuck. it also has to run within the logged in user because it installs itself in the users appdata folder (software can't be redirected).

    It cant be installed with use creds or impersonate, nor anything running as system.

    By searching for another solution i found this gem:

    If you need an App to run as admin (automated or for any other reason) and/or in conjuction with Craigs UAC Script, this is very helpful:

    Add the File to:

    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

    Type:

    REG_SZ

    Name:

    C:\Install\VMware-viclient.exe

    Value:

    ~ RUNASADMIN

    I had to use this to autodeploy an old version of the vsphereclient (value: ~ RUNASADMIN WINXPSP3).



    added missing info
    [edited by: m.pataly at 4:20 AM (GMT -7) on Sep 20, 2019]
  • addon to the aboe post:

    this makes my life easier using software deployment. i can run a pre install procedure adding the reg key(s) and then run the installer from KSDU (still under development, still testing).