[英]elevate without prompt - verb runas start-process
This may not be possible, but I'm looking to run a .ps1 powershell script from a command line, it needs to be run with Elevated privileges, without or bypassing any UAC prompts.这可能是不可能的,但我希望从命令行运行 .ps1 powershell 脚本,它需要以提升的权限运行,而无需或绕过任何 UAC 提示。
This is from a scripting perspective, with no user interaction.这是从脚本的角度来看,没有用户交互。 So "Run as administrator" for CMD or Powershell is not an option.
因此,CMD 或 Powershell 的“以管理员身份运行”不是一个选项。 There cannot be any UAC prompts to click on as these will most likely be hidden from view.
不能有任何 UAC 提示可以点击,因为这些很可能会被隐藏起来。
My command started off like this -我的命令是这样开始的 -
powershell.exe -executionpolicy bypass -file .\\remove-default-apps.ps1
This would launch the .ps1 fine, but the script would ultimately fail, as the commands in the script require elevation (Get-AppxPackage | Remove-AppxPackage)这将很好地启动 .ps1,但脚本最终会失败,因为脚本中的命令需要提升 (Get-AppxPackage | Remove-AppxPackage)
My next attempt was using Powershell to run the script using -我的下一次尝试是使用 Powershell 运行脚本 -
Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File MyScript.ps1' -Verb RunAs
But still this prompts for elevation.但这仍然提示提升。 I can replicate the errors running the script from a non-elevated cmd window manually, but running elevated it works fine.
我可以手动复制从非提升的 cmd 窗口运行脚本的错误,但运行提升它工作正常。
Anyone know if this is at all possible?有谁知道这是否可能? Or have any tips to point me in the right direction, Ive tried a lot of other methods (psexec, scheduled task..) but am unable to achieve this.
或者有任何提示可以指出我正确的方向,我尝试了很多其他方法(psexec,计划任务......)但我无法实现这一点。
This is by design.这是设计使然。 If UAC could be ignored in some method, it would kill the point of UAC.
如果可以在某些方法中忽略 UAC,它将扼杀 UAC 的意义。 Every malicious piece of software would escalate itself without prompting, just like the wild west before UAC.
每个恶意软件都会在没有提示的情况下自行升级,就像 UAC 之前的狂野西部一样。
With elevation you can set other things to run elevated, whether Scheduled Tasks or otherwise.通过提升,您可以设置其他内容以提升运行,无论是计划任务还是其他方式。 The most common thing to run these sorts of things enterprise wide is by using configuration management (SCCM, LANDesk, Puppet, Salt, etc) with an agent or to run remotely via
PSRemoting
/ PSexec
.在企业范围内运行这些类型的东西最常见的是通过代理使用配置管理(SCCM、LANDesk、Puppet、Salt 等)或通过
PSRemoting
/ PSexec
远程运行。 (Note the agents have to be installed with admin rights in the first place) (请注意,必须首先使用管理员权限安装代理)
As for the removing provisioned packages, that seems like a task to be done at image time.至于删除已配置的软件包,这似乎是要在映像时完成的任务。 Either removing it straight from the WIM prior to deploying, removing it in a Task Sequence task after the image has been laid down while still in WinPE, or removing prior to SysPrep.
要么在部署之前直接从 WIM 中删除它,要么在映像已放置且仍在 WinPE 中的任务序列任务中删除它,要么在 SysPrep 之前删除。 I'm partial to the 2nd method, and keeping all of my imaging tasks programmatic in MDT and having as close to a default Windows image.
我偏爱第二种方法,并将我的所有成像任务都保留在 MDT 中,并尽可能接近默认的 Windows 图像。
If you don't want the prompt, you can turn UAC off (or set to never notify etc Win8+).如果你不想要提示,你可以关闭 UAC(或设置为从不通知等 Win8+)。 That can be done by Group Policy, if you are looking to do on many computers.
如果您希望在多台计算机上执行此操作,则可以通过组策略来完成。 However that would not be wise.
然而,这并不明智。
Disabling UAC is not a wise decision.禁用 UAC 不是一个明智的决定。 However, it is possible to bypass it using Powershell:
但是,可以使用 Powershell绕过它:
if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544")) {
Remove-Item "HKCU:\software\classes\ms-settings" -Force -Recurse
#Script that will run at high integrity
} else {
$reg_path = "HKCU:\software\classes\ms-settings\shell\open\command"
New-Item $reg_path -Force
New-ItemProperty $reg_path -Name "DelegateExecute" -Value $null -Force
Set-ItemProperty $reg_path -Name "(default)" -Value "powershell.exe -NoProfile -ExecutionPolicy Bypass -File $PSCommandPath" -Force
Start-Process "ComputerDefaults.exe"
}
*This script only for Windows 10 users who are already admin. *此脚本仅适用于已经是管理员的 Windows 10 用户。 See here for my full answer.
在这里查看我的完整答案。
After hitting many brick walls... I eventually solved my problem.在打了很多砖墙之后……我最终解决了我的问题。 Found this helpful tool - https://technet.microsoft.com/en-gb/library/d08d6a02-4d5b-4929-87ad-98f03be11898?f=255&MSPPError=-2147217396
找到了这个有用的工具 - https://technet.microsoft.com/en-gb/library/d08d6a02-4d5b-4929-87ad-98f03be11898?f=255&MSPPError=-2147217396
Using this along with temporarily disabling UAC prompts via registry allowed the powershelll commands to run with elevation as intended.使用此功能以及通过注册表暂时禁用 UAC 提示允许 powershelll 命令按预期以提升运行。
My final script was:我的最终脚本是:
REG ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
REG ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
elevate %SystemRoot%\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe -executionpolicy bypass -file remove-default-apps.ps1
提升 %SystemRoot%\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe -executionpolicy bypass -file remove-default-apps.ps1
REG ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 5 /f
REG ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 5 /f
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.