Windows 10: after gaining remote access, remotely start Quick Assist as .\Administrator without UAC, or temporarily disable UAC
I'd like a script to be used in this situation:

  1. gain remote access without admin privileges
  2. remotely start Quick Assist as .\Administrator and not have a UAC dialogue.

Step 1 is usually made with Quick Assist, sometimes made with Teams screen sharing.


I'm aware that I can locate quickassist.exe in File Explorer then use Shift and the context menu to Run as a different user, however I'd like a scripted approach.

Experiment A

This works, but there's a Yes/No UAC dialogue:

$isElevated = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if ( -not $isElevated ) {
    Start-Process powershell.exe -Credential Administrator -NoNewWindow -ArgumentList {
        Start-Process quickassist.exe -Verb RunAs ;
    } ;
}

Experiment B

I make multiple mistakes and don't know how to correct them. (I'm trying to learn PowerShell, gradually, but I'm easily confused whilst learning; slightly dyslexic.)

$isElevated = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if ( -not $isElevated ) {
  # The child runs as Administrator but, under UAC, with a filtered (non-elevated) token,
  # so this HKLM write is denied. -Credential and -Verb RunAs cannot be combined.
  Start-Process powershell.exe -Credential Administrator -Wait -ArgumentList {
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "PromptOnSecureDesktop" -Value 0 -Force;
  };
  Write-Host "UAC (user account control) is weakened for a Quick Assist session …" -ForegroundColor Red;

  # The outer -Wait blocks until the child PowerShell exits; the inner -Wait keeps that
  # child alive until Quick Assist closes, so the next step only runs after the session.
  Start-Process powershell.exe -Credential Administrator -NoNewWindow -Wait -ArgumentList {Start-Process quickassist.exe -Verb RunAs -Wait};
  Write-Host "… Quick Assist session complete …" -ForegroundColor Red;

  Start-Process powershell.exe -Credential Administrator -Wait -ArgumentList {
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "PromptOnSecureDesktop" -Value 1 -Force;
  };
  Write-Host "… UAC is strengthened." -ForegroundColor Red;
}

  • the two intended changes to the registry do not occur
  • the third credential dialogue appears too soon – I want it to not appear until after the end of the Quick Assist session.

Also, conceptually, there's probably no need to run Quick Assist as Administrator whilst UAC is temporarily weakened.

References

https://mcmap.net/q/22616/-run-command-as-administrator-in-powershell-script-uac (2010-02-13) I see use of -Credential with Invoke-Command but when I try to do something similar, for changes to the registry, I make a mess.

https://mcmap.net/q/22617/-run-with-elevated-rights-a-powershell-script-with-spaces-in-path-from-windows-command-prompt-cmd (2017-11-27) self-elevating PowerShell scripts.

https://superuser.com/a/1524960/84988 (2020-02-12) and https://serverfault.com/a/1003238/91969 (2020-02-15) are interesting – the same script in both answers – however I need something like -Credential Administrator in lieu of -ComputerName.

https://mcmap.net/q/13753/-uac-getting-in-the-way-of-exe-install-powershell (2020-03-07) via https://mcmap.net/q/13952/-elevate-without-prompt-verb-runas-start-process

PowerShell commands - PowerShell - SS64.com

https://github.com/okieselbach/Intune/blob/master/DisablePromptOnSecureDesktop.ps1 (2020-11-13) via Quick Assist the built-in Remote Control in Windows 10 – Modern IT – Cloud – Workplace

Restate answered 2/4, 2021 at 14:28
Does it work when you use logic like so... pastebin.com/YTHKn72Y. There is the Start-Process within another Start-Process you have in Experiment B, so maybe the -Wait parameter needs to be with the outer Start-Process instead of the inner. I don't normally run this against any local machine; it's always run against the remote machine I'm about to help a non-admin user with a task on, on the same network and connected to the same domain. Are you not able to Invoke-Command remotely against the remote machine you are connecting to? – Toolmaker

Also, the reg settings to disable the secure desktop (to allow you to see the UAC prompt and enter the credentials yourself, rather than have the non-admin user enter them, and to see and interact with the UAC screen remotely) need to run regardless of whether it's elevated or run as an admin or not. Take that logic out of the isElevated logic and run it without any conditional, always, before; then the other reg settings to re-enable after, with no conditional. See if those things help. – Toolmaker

UAC is designed to prevent you from doing this. (If UAC were that easy to bypass, then it's precisely what all malware would do.) – Farewell

Bill_Stewart, you misunderstand. I'm not attempting to bypass authentication dialogues. – Restate

OK, if you prefer the terminology, UAC is designed to permit elevation only after presenting a dialog requesting this permission. (If this were possible, then all malware could infect your machine as administrator with impunity.) – Farewell

The short answer is don't. Get a real remote management tool or have someone hit the UAC yes prompt.

This is more of a Windows thing than a PowerShell one, as Windows explicitly denies elevating a process locally without going through UAC (and for good reason!). You used to be able to do things like this:

# Start a "remote" session against the local machine with New-PSSession; this may still
# support elevation if you specify CredSSP and configure credential delegation:
New-PSSession MyPCName -Authentication CredSSP -Credential (Get-Credential)

# Create a scheduled task that runs elevated as .\Administrator:
$action = New-ScheduledTaskAction -Execute 'powershell.exe'
Register-ScheduledTask -Action $action -User .\Administrator -TaskName "Admin-Stuff" -RunLevel Highest

Both now give fat "access denied" messages when run locally. You are also not able to edit registry settings under HKLM: without elevation, so disabling UAC temporarily is not an option.

You may be able to make use of this exploit that allows admin users to bypass UAC, but I think you still have to Run-as-other-user your shell to use it.

Macintyre answered 2/4, 2021 at 22:18
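As an added, read-only audit example (not code from either post), the following PowerShell reads the UAC policy values under the same HKLM key the question tries to modify and reports whether the secure-desktop prompt is still intact, and whether the current session is actually elevated rather than merely a member of Administrators. The value names EnableLUA and ConsentPromptBehaviorAdmin are standard UAC settings not mentioned on the page; the expected-value table is this example's own assumption.

```powershell
# Added example: audit UAC policy state. Nothing here writes to the registry.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Test-IsElevated {
    # Same check the question uses: true only for an elevated (unfiltered) admin token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal] $identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UacAudit {
    param([string]$Path = $UacKey)
    # Expected hardened values (assumption for this example): UAC enabled, prompts shown
    # on the secure desktop, and admins always asked for consent (behaviour 2).
    $expected = [ordered]@{
        EnableLUA                  = 1
        PromptOnSecureDesktop      = 1
        ConsentPromptBehaviorAdmin = 2
    }
    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($name in $expected.Keys) {
        $actual = $props.$name
        # An absent value falls back to the OS default; flag it rather than assume it is safe.
        if ($null -eq $actual)                  { $status = 'MISSING' }
        elseif ($actual -eq $expected[$name])   { $status = 'OK' }
        else                                    { $status = 'WEAKENED' }
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected[$name]
            Actual   = $actual
            Status   = $status
        }
    }
}

$findings = Get-UacAudit
$findings | Format-Table -AutoSize
"Session elevated: $(Test-IsElevated)"
if ($findings.Status -contains 'WEAKENED') {
    Write-Warning 'UAC policy has been relaxed; restore the expected values and check who changed them.'
}
```

Reading these values needs no elevation, so the audit works from the same non-elevated session the question describes; a PromptOnSecureDesktop of 0 is exactly the change the question attempted and is what a defender would want flagged.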

© 2022 - 2024 — McMap. All rights reserved.