New Elevation Powertoys for Windows Vista
Michael Murgolo
TechNet Magazine, September 2008 (Security)

At a glance:
• Run as Administrator for third-party scripting tools
• Run as Another User
• Prompt Here as System for CMD and Windows PowerShell
• Drag-and-drop Elevation Gadget

Welcome to another edition of the Elevation PowerToys for Windows Vista. I took a close look at this in the June 2007 issue of TechNet Magazine. Here we are a year later. This time around, I want to show you how I expanded the Run as Administrator functionality to some of my favourite third-party scripting tools, demonstrate how you can replace a nice Windows XP feature that was removed from Windows Vista, and look at some of the handy tools that are included in Elevation PowerToys.

Run as Administrator for additional scripting tools

One topic I discussed in the previous article in the June 2007 issue (available at http://technet.microsoft.com/magazine/cc162321.aspx) was enabling the Run as Administrator option for the native Windows scripting tools. For this article, I've created Run as Administrator PowerToys for some third-party scripting tools:

• AutoIt v3 (www.hiddensoft.com)
• AutoHotkey (www.autohotkey.com)
• ActivePerl (www.activestate.com)
• KiXtart 2010 (www.kixtart.org)

The code for each of these is included in the download for this article, which you can find at http://technetmagazine.com. The actual files are named ElevateAutoIt3.inf, ElevateAutoHotKey.inf, ElevatePerlScript.inf, and ElevateKiXtart.inf, respectively. For AutoIt v3, AutoHotkey and ActivePerl, setup is quite simple. Just download the corresponding application and install it in the default location. After you've installed the applications you are interested in, you can then just install the appropriate Run as Administrator PowerToy for each tool.

Unfortunately, KiXtart 2010 does not provide an installer. Therefore, in order to make sure KiXtart is installed in a standard location so my PowerToy will work properly, I've provided an INF file that will install KiXtart 2010 (v 4.60) into Program Files\KiXtart and register the .kix file extension. Go to www.kixtart.org/?p=downloads, download KiX2010_460.zip, and unzip it into a folder. Copy the Install_KiXtart.inf file (included in the code download that accompanies this article) into that same folder. Then right-click on Install_KiXtart.inf and select Install. After that, you can simply install the ElevateKiXtart.inf PowerToy.

Run as Another User PowerToy

User Account Control (UAC) was created to make the operating system less vulnerable to malware by having users, even those who are Administrators, run most applications with standard user privileges. UAC offers elevation potential for administrative tasks and other app functions. This elevation potential is provided through the Run as Administrator option, which you get when right-clicking on executable files. The Elevation PowerToys that I discussed in the June 2007 issue extended this capability to work on other file and object types.

The functionality built into Windows Vista works quite well for many administrative tasks. However, one important scenario was left out for Windows Vista. Many IT departments have a policy where network administrators use one user account for their everyday tasks (using e-mail, creating documents, and the like) and another account that is used only for network administration (or local computer administration). This is done to help lower the risk that if a network administrator accidentally runs malware doing his everyday tasks, he will not compromise his entire system – or the domain he is on. This was accomplished on Windows XP using the Run as… right-click option. But this option is gone in Windows Vista because it was replaced with the Run as Administrator option.

The runas command-line tool, however, still exists in Windows Vista. Unfortunately, it cannot be used for the most common dual account tasks – running Microsoft Management Console (MMC) snap-ins. For example, say you have been delegated some account management tasks in Active Directory. You are running as a standard user for everyday tasks, and your network administration account is also a member of the local administrators group (so you can install network management tools when needed) on a Windows Vista computer with UAC enabled. Now you want to start Active Directory Users & Computers (ADU&C) with your Active Directory administrative account, so you try the runas command, as follows:

    runas /user:mydomain\admin "mmc.exe %windir%\system32\dsa.msc"

Unfortunately, this does not cause ADU&C to launch. Instead, you receive a runas error that says "The requested operation requires elevation." What is happening in this case is that the MMC executable is marked to run at the highestAvailable privilege level. Since the highestAvailable level for your network administration account is as administrator, launching ADU&C in this manner would require elevation. Since runas does not cause a prompt for elevation, the error occurs.

So Windows Vista makes this scenario difficult by not providing a context menu item for Run as… and by providing no built-in means to run a process as another user that requires elevation.

This would be a frustrating article if there was no solution to this, but as luck would have it, one of my original Elevation PowerToys provides the key to solving the second problem, and I've whipped up another one to solve the first. (I wish I could claim that I thought up the solution to the elevation problem, but this was hit upon by Gov Maharaj of the Windows AppCompat team.)

It turns out that the Elevate Command PowerToy can be used with the runas command. Where the previous command failed to cause an elevation prompt, the following will cause the prompt:

    runas /user:mydomain\admin "elevate mmc.exe %windir%\system32\dsa.msc"

This causes runas to launch elevate.cmd (technically, the process being launched is cmd.exe) as the other user, and the elevate command takes care of launching mmc.exe with an elevation prompt.

Finally, I've taken this trick, combined it with file associations for .exe and .msc files, and given it an HTML Application UI to create a PowerToy that adds a Run as Another User option to the right-click menu. When you select Run as Another User, you get an HTML Application like the one shown in Figure 1. Here, just enter the user name and domain – for an account on the local computer, check the Use Local Account checkbox. You can then click the Run button to launch the application as a standard user, or you can click the Run as Admin button to launch the application with elevated privileges. After you click either of these two buttons, runas.exe will run and prompt for a password or smart card PIN.

Since this PowerToy uses the Elevate Command PowerToy, you need to install that first. Then right-click on the RunAs.inf file, select Install, and approve the elevation. To uninstall the tool, use the Programs and Features Control Panel.

You will find that some of the shortcuts to .msc files in the Administrative Tools (such as Computer Management) will work with this PowerToy. But note that if you install the Windows Server 2003 administrative tools using adminpak.msi, the shortcuts that are created are not standard shortcuts to the .msc files. Instead, they are Windows Installer shortcuts, and as a result Windows Explorer will not display the Run as Another User option for those shortcuts. For those shortcuts you will either have to find the actual .msc files and right-click on them or create new shortcuts to the .msc files. Additionally, runas does not work with Internet Explorer due to the way Internet Explorer was re-architected for Protected Mode in Windows Vista (you can find additional information concerning this issue at http://support.microsoft.com/?id=922980).

Note: between the time I finished these PowerToys and the publication of this article, Windows Sysinternals released a new tool that is functionally very similar to my Run as Another User PowerToy. It's called ShellRunas and can be found on the Windows Sysinternals site: http://technet.microsoft.com/sysinternals/cc300361. Since the folks at Sysinternals actually write real code for a living, you may prefer their tool for your own use. I decided to leave mine in the article as an example of how this task in particular and shell extensions in general can be done using HTML Applications with script code.

Figure 1 Run as Another User tool

Figure 2 CMD Prompt Here as System and PowerShell Prompt Here as System options

CMD and PowerShell Prompt Here as System

There are times when it is necessary to run programs in the Local System context. For example, many software distribution tools, such as System Center Configuration Manager (SCCM), use a client agent that runs as Local System to accomplish its tasks.
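The runas failure and the elevate workaround from the Run as Another User section, as an added PowerShell example that is not the article's code or part of its download: one function reads a binary's embedded manifest to show the requestedExecutionLevel behind the "requires elevation" error, and a second performs the two-hop launch. It assumes the manifest is stored as plain UTF-8 XML inside the image, and it substitutes Start-Process -Verb RunAs for the article's elevate.cmd.

```powershell
# Added example, not the article's code. Part 1 reads requestedExecutionLevel
# from a PE file's embedded manifest: highestAvailable or requireAdministrator
# is what makes plain runas fail with "The requested operation requires
# elevation", while asInvoker binaries start normally.
# Assumption: the RT_MANIFEST resource is plain UTF-8 XML in the image.
function Get-RequestedExecutionLevel {
    param([Parameter(Mandatory)][string]$Path)

    $text  = [System.Text.Encoding]::UTF8.GetString([System.IO.File]::ReadAllBytes($Path))
    $start = $text.IndexOf('<assembly', [System.StringComparison]::Ordinal)
    if ($start -lt 0) { return 'asInvoker (no manifest)' }
    $end = $text.IndexOf('</assembly>', $start, [System.StringComparison]::Ordinal)
    if ($end -lt 0) { return 'asInvoker (manifest truncated)' }

    # Namespace-agnostic XPath: manifests mix several schema namespaces.
    $manifest = [xml]($text.Substring($start, $end - $start + '</assembly>'.Length))
    $node = $manifest.SelectSingleNode("//*[local-name()='requestedExecutionLevel']")
    if (-not $node) { return 'asInvoker (no requestedExecutionLevel element)' }
    return $node.GetAttribute('level')
}

# Part 2: the two-hop launch. runas.exe starts a shell as the other account;
# that shell calls ShellExecute with the "runas" verb, so UAC prompts instead
# of runas erroring out. Start-Process -Verb RunAs stands in here for the
# article's elevate.cmd (my substitution). -EncodedCommand keeps the inner
# command free of nested quotes, which runas handles poorly.
function Start-AsOtherUser {
    param(
        [Parameter(Mandatory)][string]$User,       # e.g. mydomain\admin
        [Parameter(Mandatory)][string]$FilePath,   # e.g. mmc.exe (no single quotes)
        [string]$Arguments = '',
        [switch]$Elevate
    )
    if ($Elevate) {
        $inner = "Start-Process -FilePath '$FilePath' -Verb RunAs"
        if ($Arguments) { $inner += " -ArgumentList '$Arguments'" }
        $encoded = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($inner))
        $command = "powershell.exe -NoProfile -EncodedCommand $encoded"
    } else {
        $command = "$FilePath $Arguments".Trim()
    }
    # runas.exe prompts for the password or smart card PIN itself.
    & runas.exe "/user:$User" $command
}

# Usage (mmc.exe is marked highestAvailable, which is why -Elevate is needed):
#   Get-RequestedExecutionLevel "$env:windir\system32\mmc.exe"
#   Start-AsOtherUser -User 'mydomain\admin' -FilePath mmc.exe -Arguments "$env:windir\system32\dsa.msc" -Elevate
```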