Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

elevate without prompt - verb runas start-process

This may not be possible, but I'm looking to run a .ps1 powershell script from a command line, it needs to be run with Elevated privileges, without or bypassing any UAC prompts.

This is from a scripting perspective, with no user interaction. So "Run as administrator" for CMD or Powershell is not an option. There cannot be any UAC prompts to click on as these will most likely be hidden from view.

My command started off like this -

powershell.exe -executionpolicy bypass -file .\remove-default-apps.ps1

This would launch the .ps1 fine, but the script would ultimately fail, as the commands in the script require elevation (Get-AppxPackage | Remove-AppxPackage)

My next attempt was using Powershell to run the script using -

Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File MyScript.ps1' -Verb RunAs

But still this prompts for elevation. I can replicate the errors running the script from a non-elevated cmd window manually, but running elevated it works fine.

Anyone know if this is at all possible? Or have any tips to point me in the right direction, Ive tried a lot of other methods (psexec, scheduled task..) but am unable to achieve this.

like image 285
robotjones Avatar asked Mar 03 '17 14:03

robotjones


1 Answers

This is by design. If UAC could be ignored in some method, it would kill the point of UAC. Every malicious piece of software would escalate itself without prompting, just like the wild west before UAC.

With elevation you can set other things to run elevated, whether Scheduled Tasks or otherwise. The most common thing to run these sorts of things enterprise wide is by using configuration management (SCCM, LANDesk, Puppet, Salt, etc) with an agent or to run remotely via PSRemoting/PSexec. (Note the agents have to be installed with admin rights in the first place)

As for the removing provisioned packages, that seems like a task to be done at image time. Either removing it straight from the WIM prior to deploying, removing it in a Task Sequence task after the image has been laid down while still in WinPE, or removing prior to SysPrep. I'm partial to the 2nd method, and keeping all of my imaging tasks programmatic in MDT and having as close to a default Windows image.

If you don't want the prompt, you can turn UAC off (or set to never notify etc Win8+). That can be done by Group Policy, if you are looking to do on many computers. However that would not be wise.

like image 117
BenH Avatar answered Oct 05 '22 23:10

BenH