无提示提升 - 动词 runas start-process

Question

This may not be possible, but I'm looking to run a .ps1 powershell script from a command line, it needs to be run with Elevated privileges, without or bypassing any UAC prompts.

This is from a scripting perspective, with no user interaction. So "Run as administrator" for CMD or Powershell is not an option. There cannot be any UAC prompts to click on as these will most likely be hidden from view.

My command started off like this -

powershell.exe -executionpolicy bypass -file .\\remove-default-apps.ps1

This would launch the .ps1 fine, but the script would ultimately fail, as the commands in the script require elevation (Get-AppxPackage | Remove-AppxPackage)

My next attempt was using Powershell to run the script using -

Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File MyScript.ps1' -Verb RunAs

But still this prompts for elevation. I can replicate the errors running the script from a non-elevated cmd window manually, but running elevated it works fine.

Anyone know if this is at all possible? Or have any tips to point me in the right direction, Ive tried a lot of other methods (psexec, scheduled task..) but am unable to achieve this.

Answer 1

This is by design. If UAC could be ignored in some method, it would kill the point of UAC. Every malicious piece of software would escalate itself without prompting, just like the wild west before UAC.

With elevation you can set other things to run elevated, whether Scheduled Tasks or otherwise. The most common thing to run these sorts of things enterprise wide is by using configuration management (SCCM, LANDesk, Puppet, Salt, etc) with an agent or to run remotely via PSRemoting / PSexec . (Note the agents have to be installed with admin rights in the first place)

As for the removing provisioned packages, that seems like a task to be done at image time. Either removing it straight from the WIM prior to deploying, removing it in a Task Sequence task after the image has been laid down while still in WinPE, or removing prior to SysPrep. I'm partial to the 2nd method, and keeping all of my imaging tasks programmatic in MDT and having as close to a default Windows image.

If you don't want the prompt, you can turn UAC off (or set to never notify etc Win8+). That can be done by Group Policy, if you are looking to do on many computers. However that would not be wise.

Answer 2

Disabling UAC is not a wise decision. However, it is possible to bypass it using Powershell:

if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544")) {
    Remove-Item "HKCU:\software\classes\ms-settings" -Force -Recurse
    #Script that will run at high integrity
} else {
    $reg_path = "HKCU:\software\classes\ms-settings\shell\open\command"
    New-Item $reg_path -Force
    New-ItemProperty $reg_path -Name "DelegateExecute" -Value $null -Force
    Set-ItemProperty $reg_path -Name "(default)" -Value "powershell.exe -NoProfile -ExecutionPolicy Bypass -File $PSCommandPath" -Force
    Start-Process "ComputerDefaults.exe"
}

*This script only for Windows 10 users who are already admin. See here for my full answer.

Answer 3

After hitting many brick walls... I eventually solved my problem. Found this helpful tool - https://technet.microsoft.com/en-gb/library/d08d6a02-4d5b-4929-87ad-98f03be11898?f=255&MSPPError=-2147217396

Using this along with temporarily disabling UAC prompts via registry allowed the powershelll commands to run with elevation as intended.

My final script was:

REG ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f

elevate %SystemRoot%\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe -executionpolicy bypass -file remove-default-apps.ps1

REG ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 5 /f