Security

New Elevation PowerToys for Windows Vista

At a glance:
• Run as Administrator for third-party scripting tools
• Run as Another User
• Prompt Here as System for CMD and Windows PowerShell
• Drag-and-drop Elevation Gadget

Michael Murgolo

TechNet Magazine September 2008

Welcome to another edition of the Elevation PowerToys for Windows Vista. I took a close look at this in the June 2007 issue of TechNet Magazine. Here we are a year later. This time around, I want to show you how I expanded the Run as Administrator functionality to some of my favourite third-party scripting tools, demonstrate how you can replace a nice Windows XP feature that was removed from Windows Vista, and look at some of the handy tools that are included in Elevation PowerToys.

Run as Administrator for additional scripting tools

One topic I discussed in the previous article (available at http://technet.microsoft.com/magazine/cc162321.aspx) was enabling the Run as Administrator option for the native Windows scripting tools. For this article, I’ve created Run as Administrator PowerToys for some third-party scripting tools:

• AutoIt v3 (www.hiddensoft.com)
• AutoHotkey (www.autohotkey.com)
• ActivePerl (www.activestate.com)
• KiXtart 2010 (www.kixtart.org)

The code for each of these is included in the download for this article, which you can find at http://technetmagazine.com. The actual files are named ElevateAutoIt3.inf, ElevateAutoHotKey.inf, ElevatePerlScript.inf, and ElevateKiXtart.inf, respectively. For AutoIt v3, AutoHotkey and ActivePerl, setup is quite simple. Just download the corresponding application and install it in the default location. After you’ve installed the applications you are interested in, you can then just install the appropriate Run as Administrator PowerToy for each tool.

Unfortunately, KiXtart 2010 does not provide an installer. Therefore, in order to make sure KiXtart is installed in a standard location so my PowerToy will work properly, I’ve provided an INF file that will install KiXtart 2010 (v 4.60) into Program Files\KiXtart and register the .kix file extension.

Go to www.kixtart.org/?p=downloads, download KiX2010_460.zip, and unzip it into a folder. Copy the Install_KiXtart.inf file (included in the code download that accompanies this article) into that same folder. Then right-click on Install_KiXtart.inf and select Install. After that, you can simply install the ElevateKiXtart.inf PowerToy.

Run as Another User PowerToy

User Account Control (UAC) was created to make the operating system less vulnerable to malware by having users, even those who are Administrators, run most applications with standard user privileges. UAC offers elevation potential for administrative tasks and other app functions. This elevation potential is provided through the Run as Administrator option, which you get when right-clicking on executable files. The Elevation PowerToys that I discussed in the June 2007 issue extended this capability to work on other file and object types.

The functionality built into Windows Vista works quite well for many administrative tasks. However, one important scenario was left out for Windows Vista. Many IT departments have a policy where network administrators use one user account for their everyday tasks (using e-mail, creating documents, and the like) and another account that is used only for network administration (or local computer administration).

This is done to help lower the risk that if a network administrator accidentally runs malware doing his everyday tasks, he will not compromise his entire system – or the domain he is on. This was accomplished on Windows XP using the Run as… right-click option. But this option is gone in Windows Vista because it was replaced with the Run as Administrator option.

The runas command-line tool, however, still exists in Windows Vista. Unfortunately, it cannot be used for the most common dual account tasks – running Microsoft Management Console (MMC) snap-ins. For example, say you have been delegated some account management tasks in Active Directory. You are running as a standard user for everyday tasks, and your network administration account is also a member of the local administrators group (so you can install network management tools when needed) on a Windows Vista computer with UAC enabled. Now you want to start Active Directory Users & Computers (ADU&C) with your Active Directory administrative account, so you try the runas command, as follows:

    runas /user:mydomain\admin "mmc.exe %windir%\system32\dsa.msc"

Unfortunately, this does not cause ADU&C to launch. Instead, you receive a runas error that says “The requested operation requires elevation.” What is happening in this case is that the MMC executable is marked to run at the highestAvailable privilege level. Since the highestAvailable level for your network administration account is as administrator, launching ADU&C in this manner would require elevation. Since runas does not cause a prompt for elevation, the error occurs.

So Windows Vista makes this scenario difficult by not providing a context menu item for Run as… and by providing no built-in means to run a process as another user that requires elevation.

This would be a frustrating article if there was no solution to this, but as luck would have it, one of my original Elevation PowerToys provides the key to solving the second problem, and I’ve whipped up another one to solve the first. (I wish I could claim that I thought up the solution to the elevation problem, but this was hit upon by Gov Maharaj of the Windows AppCompat team.)

It turns out that the Elevate Command PowerToy can be used with the runas command. Where the previous command failed to cause an elevation prompt, the following will cause the prompt:

    runas /user:mydomain\admin "elevate mmc.exe %windir%\system32\dsa.msc"

This causes runas to launch elevate.cmd (technically, the process being launched is cmd.exe) as the other user, and the elevate command takes care of launching mmc.exe with an elevation prompt.

Finally, I’ve taken this trick, combined it with file associations for .exe and .msc files, and given it an HTML Application UI to create a PowerToy that creates a Run as Another User option available through the right-click menu. When you select Run as Another User, you get an HTML Application like the one shown in Figure 1.

Figure 1 Run as Another User tool

Here, just enter the user name and domain – for an account on the local computer, check the Use Local Account checkbox. You can then click the Run button to launch the application as a standard user, or you can click the Run as Admin button to launch the application with elevated privileges. After you click either of these two buttons, runas.exe will run and prompt for a password or smart card PIN.

Since this PowerToy uses the Elevate Command PowerToy, you need to install that first. Then right-click on the RunAs.inf file, select Install, and approve the elevation. To uninstall the tool, use the Programs and Features Control Panel.

You will find that some of the shortcuts to .msc files in the Administrative Tools (such as Computer Management) will work with this PowerToy. But note that if you install the Windows Server 2003 administrative tools using adminpak.msi, the shortcuts that are created are not standard shortcuts to the .msc files. Instead, they are Windows Installer shortcuts, and as a result Windows Explorer will not display the Run as Another User option for those shortcuts.

For those shortcuts you will either have to find the actual .msc files and right-click on them or create new shortcuts to the .msc files. Additionally, runas does not work with Internet Explorer due to the way Internet Explorer was re-architected for Protected Mode in Windows Vista (you can find additional information concerning this issue at http://support.microsoft.com/?id=922980).

Note: between the time I finished these PowerToys and the publication of this article, Windows Sysinternals has released a new tool that is functionally very similar to my Run as Another User PowerToy. It’s called ShellRunas and can be found on the Windows Sysinternals site: http://technet.microsoft.com/sysinternals/cc300361. Since the folks at Sysinternals actually write real code for a living, you may prefer their tool for your own use. I decided to leave mine in the article as an example of how this task in particular and shell extensions in general can be done using HTML Applications with script code.

CMD and PowerShell Prompt Here as System

There are times when it is necessary to run programs in the Local System context. For example, many distribution tools, such as System Center Configuration Manager (SCCM), use a client agent that runs as Local System to accomplish its tasks. To test the behaviour of a software installation program running as Local System before attempting a distribution with a product such as SCCM, it can be helpful to start the installer using a command prompt running as Local System. Therefore, I set out to create my CMD and PowerShell Prompt Here as System PowerToys.

When using Windows XP, I used to accomplish a function like this with a command shell script:

    @echo off
    sc create CmdAsSystem type= own type= interact binPath= "cmd /c start cmd /k (cd c:\ ^& color ec ^& title ***** SYSTEM *****)"
    net start CmdAsSystem
    sc delete CmdAsSystem

However, if you try to run this from an elevated command prompt on Windows Vista, you get the following error message and the command prompt running as System will not appear:

    WARNING: The service CmdAsSystem is configured as interactive whose support is being deprecated. The service may not function properly.

The problem is that this script tries to create and start an interactive service. Interactive services will not function correctly due to Session 0 Isolation in Windows Vista. (For an explanation of Session 0 Isolation, see the “Services in Windows Vista” whitepaper available at www.microsoft.com/uk/vistaservices)

To work around this limitation, I used the Psexec tool that was developed by Sysinternals (see http://technet.microsoft.com/sysinternals/bb897553.aspx). This tool allows processes to be started in the System context. Unfortunately, most Sysinternals tools do not include an installer. Therefore, I’ve provided an INF file (available in the code download) to install the whole Sysinternals Suite (which includes Psexec) into Program Files\Sysinternals Suite. As an added bonus, this INF file creates Start Menu shortcuts for the Suite’s graphical tools.

To install the suite, first download SysinternalsSuite.zip from http://technet.microsoft.com/sysinternals/bb842062.aspx and unzip it into a folder. Copy my INF file (Install_SysinternalsSuite.inf) into that folder, right-click Install_SysinternalsSuite.inf, and select Install. Since these new PowerToys use the Elevate Command PowerToy, install that next. After doing that, you can install CmdHereAsSystem.inf and PowerShellHereAsSystem.inf. Once these PowerToys are installed, you will then have the CMD Prompt Here as System and PowerShell Prompt Here as System options available as right-click items for folders and drives in Windows Explorer, as you can see in Figure 2.

Figure 2 CMD Prompt Here as System and PowerShell Prompt Here as System options

Figure 3 shows a CMD prompt running as System. I selected the bright colours as a reminder that this prompt is running as System and can do unexpected (and damaging) things to the system if the wrong commands are entered.

Figure 3 CMD Prompt as System must be used responsibly

Finally, these PowerToys add commands to the system so that these prompts can be started in the Run dialog or a CMD prompt. For example, executing the following command from the Run box will start a CMD prompt as System in the Windows folder:

    cmdassystem "c:\windows"

The equivalent command for Windows PowerShell is psassystem. You should note that I have also modified the CMD and PowerShell Prompt Here as Administrator PowerToys to install similar commands – cmdasadmin and psasadmin, respectively.

Elevation Gadget

Most of my PowerToys require clicking the right mouse button. But as a bonus for this update, I have included something a bit more fun. This is a Windows Sidebar Gadget, which I call the Elevation Gadget (shown in Figure 4). It is a drag-and-drop target. Just drag an executable or a script from Windows Explorer that has a runas action defined and it will launch as elevated.

Figure 4 The drag-and-drop Elevation Gadget

If you have installed my previous Elevation PowerToys, then this will work for Windows Script Host scripts, Windows PowerShell scripts, HTML Applications, and Windows Installer packages and patches (as well as executables and command shell scripts that have a runas action defined by default in Windows Vista). And you can also drag more than one item at a time. (Just try dragging a folder to the gadget and see what happens.)

To install the gadget, double-click on Elevation.gadget (available in the code download). If you would like to look at the code for the gadget, just add the .cab extension to the file name. You can then extract the contents from the Cab file.

Wrapping up

The download for this article contains both the new PowerToys and the ones from the original article. I’ve made minor changes to a few of the old ones. For example, the original versions of Windows PowerShell Prompt Here as Administrator and Elevate WSH Script both installed their own copies of elevate.cmd and elevate.vbs. Since several of the new PowerToys also depend on these files, I’ve changed these tools to require Elevate Command PowerToy to be installed (and then they share that copy). To determine if a PowerToy requires the installation of the Elevate Command PowerToy, check the header in the INF file.

Some other original PowerToys have minor, non-functional changes as well. Always uninstall the old version of a PowerToy before installing the latest. Since this collection has now expanded to 17 tools, I’ve included command shell scripts to install and uninstall the entire collection (InstallAllPowerToys.cmd and UninstallAllPowerToys.cmd, respectively). You can customise these to install and uninstall only the tools that you need to use.

You should keep in mind that InstallAllPowerToys.cmd does not install the Run as Administrator PowerToys for third-party scripting tools by default. You can modify this script to install only those PowerToys for which you have installed the software. When you run either of these, it will relaunch itself as elevated. UninstallAllPowerToys.cmd should remove all the old versions of these tools as well.

As with all my PowerToys, these are unsupported, use-at-your-own-risk tools. And they are not official Microsoft products – they are my own personal creations. These were only tested by me and a few other volunteers on 32-bit Windows Vista with US English as the default language. Finally, it is possible that any or all of these PowerToys may not work with future Windows updates, service packs

Michael Murgolo is a Senior Infrastructure Consultant for Microsoft Consulting Services. He focuses on operating systems, deployment, network services, Active Directory, systems management, automation and patch management. He is a subject matter expert in the area of desktop deployment and migration.
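The runas failure described under Run as Another User follows from the execution level an executable requests in its manifest, and that level can be read before launching anything. The PowerShell below is an added example, not code from the article or its download; the function names are hypothetical, and it assumes UAC is enabled and that the manifest is embedded in the file as plain XML text.

```powershell
# Added example (not from the article's download). Function names are hypothetical.
# Reads the requestedExecutionLevel declared in an executable's embedded manifest
# and reports whether a plain "runas /user:..." launch would stop with
# "The requested operation requires elevation."

function Get-RequestedExecutionLevel {
    param([string]$Path)

    # Assumption: the manifest sits in the file as plain XML text, so a text
    # search over the raw bytes finds it without walking the PE resource tree.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)

    if ($text -match 'requestedExecutionLevel\s+level\s*=\s*["'']([A-Za-z]+)["'']') {
        return $Matches[1]
    }
    return 'notDeclared'
}

function Test-RunAsRequiresElevation {
    param(
        [string]$Level,        # value returned by Get-RequestedExecutionLevel
        [bool]$TargetIsAdmin   # is the /user: account a local administrator?
    )
    # Assumption: UAC is on, so runas starts the process with the target
    # account's standard (non-elevated) token and never shows a prompt.
    switch ($Level) {
        'requireAdministrator' { return $true }           # always needs an elevated token
        'highestAvailable'     { return $TargetIsAdmin }  # needs one only if the account can elevate
        default                { return $false }          # asInvoker, or nothing declared
    }
}

# The article's case: mmc.exe started under an account that is a local administrator.
$mmc   = Join-Path $env:windir 'system32\mmc.exe'
$level = Get-RequestedExecutionLevel -Path $mmc
$fails = Test-RunAsRequiresElevation -Level $level -TargetIsAdmin $true

'{0}: requestedExecutionLevel={1}; plain runas fails={2}' -f $mmc, $level, $fails
```

A result of notDeclared only means no level was found in the file's bytes; it does not rule out an external manifest or Windows' own installer heuristics.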

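The Windows XP script in the Prompt Here as System section registers its service with type= interact, which is the setting Session 0 Isolation breaks. The PowerShell below is an added example, not code from the article or its download: it lists every service whose registry configuration still carries the interactive flag, so a CmdAsSystem-style service that was created but never deleted shows up. The function name is hypothetical.

```powershell
# Added example (not from the article's download). Function name is hypothetical.
# Lists services whose registry Type value has the interactive bit set, which is
# what "sc create ... type= own type= interact" writes (0x10 | 0x100 = 0x110).

$SERVICE_INTERACTIVE_PROCESS = 0x100

function Get-InteractiveService {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue

        # Keys without a Type value are not service or driver entries.
        if ($null -eq $props -or $null -eq $props.Type) { continue }

        $type = [int]$props.Type
        if (($type -band $SERVICE_INTERACTIVE_PROCESS) -eq 0) { continue }

        New-Object PSObject -Property @{
            Name      = $key.PSChildName
            Type      = '0x{0:X}' -f $type
            Account   = $props.ObjectName
            ImagePath = $props.ImagePath
        }
    }
}

# Review each hit: an interactive service that launches a shell as LocalSystem,
# like the CmdAsSystem service in the article's script, should not be left behind.
Get-InteractiveService |
    Sort-Object Name |
    Format-Table Name, Type, Account, ImagePath -AutoSize
```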