tech at work


RunAs with elevation and encrypted credentials

As most of you know, Windows UAC can be a real pain in the a**.

My problem: We use software where an additional tool is included to switch the license type (network vs. standalone). This tool saves its settings to the HKLM registry hive, and our users do not have admin privileges, so we needed to think about a solution. We need to run just this tool with local administrative privileges, but without asking the user for any credentials.

I tried a lot (PsExec, Elevate.exe, RunAs), but none of the solutions offered the possibility to pass (encrypted) credentials AND force the application to run with elevation.

In the end I ended up writing a VBScript which uses lsrunase and calls itself twice. It sounds complicated, but it works. You need to follow these instructions:

    1. Create an unprivileged service account in your Active Directory and choose a secure password (you'll need it later). Just be sure to set "user cannot change password" and "password never expires".
    2. Set up your group policy so that this service user gets local administrative privileges on your client computers.
    3. Search for lsrunase.exe and lsencrypt.exe. (These are free tools provided by Geert Moernaut; a newer version is now included in a commercial software named Lansweeper, but the older version of these tools can be found easily.)
    4. Start lsencrypt.exe (which has a GUI) and encrypt your service user password
    5. Edit the localadmin.vbs file - pay attention to the comments
    6. Drag-and-drop the localadmin.vbs to encoder.vbs which creates an encoded localadmin.vbe file which you can copy to your clients. Be sure to put lsrunase.exe in the same directory as the .vbe script.

' localadmin.vbs
' (by) Ing. Florian Stichlberger 2013
' Run any program with elevation and local administrative rights
' using an encrypted password
' * Be sure to deploy an encoded .vbe file only - otherwise the user may be able
' to modify this script and run any command with admin privileges!
' * This script has been tested on Win7 Enterprise 64bit and Win8 Enterprise 64bit only
' * If you find any errors or improvements, please let me know...
' * As usual, if you decide to execute this script the author cannot be held
' responsible for any malfunctions, data corruption or unintended functionality

Const strDomain="CONTOSO"
Const strUser="svclocaladmin"
Const strPasswd="+ld/m/4L+Lrag6irTt1AgGE="

Const strCommand="c:\some\path\name\program.exe"

Set oShellApp = CreateObject("Shell.Application")
Set oWshShell = CreateObject( "WScript.Shell" )
Set oFso = CreateObject("Scripting.FileSystemObject")
strCurDir = oFso.GetParentFolderName(WScript.ScriptFullName)
'shortpath is needed because lsrunase does not support double escaping of quotation marks
strScriptName = oFso.GetFile(WScript.ScriptFullName).ShortPath

' I know, Arguments.Count is not very nice but it's fast and easy
If WScript.Arguments.Count=0 Then 'running for the first time - run myself with correct credentials
    strParam = "/user:" & strUser & _
        " /password:" & strPasswd & _
        " /domain:" & strDomain & _
        " /command:""wscript " & strScriptName & " //b proceed"" /runpath:C:\"
    Call oShellApp.ShellExecute(strCurDir & "\lsrunase.exe", strParam, "", "", 1)
Else 'running the second time with (hopefully) correct credentials
    If Not IsElevated Then
        ' We do not have elevation yet, so re-execute with elevation
        Call oShellApp.ShellExecute("wscript.exe", strScriptName & " //b proceed", "", "runas", 0)
    Else
        ' In this section the command gets executed
        Call oShellApp.ShellExecute(strCommand, "", "", "", 1)
    End If
End If

Function IsElevated
    ' S-1-16-12288 is the High Mandatory Level SID; it is in the token only when elevated
    Set shell = CreateObject("WScript.Shell")
    Set whoami = shell.Exec("whoami /groups")
    strWhoamiOutput = whoami.StdOut.ReadAll()

    If InStr(1, strWhoamiOutput, "S-1-16-12288", vbTextCompare) Then
        IsElevated = True
    Else
        IsElevated = False
    End If
End Function
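
The script's warning about users modifying it applies equally to lsrunase.exe and to the program named in strCommand, and .vbe encoding obfuscates the file rather than protecting it, so NTFS permissions are the actual control. The following check is an added example, not part of the original post: it lists every ACE that gives a non-admin principal write access to the deployed files. The function name `Get-UnsafeWriteAce` and the folder `C:\Program Files\LicenseSwitch` are hypothetical.

```powershell
# Added example (not from the original post). Function name and $DeployDir are
# hypothetical; point the paths at your .vbe folder and at strCommand.
function Get-UnsafeWriteAce {
    param([Parameter(Mandatory)][string[]]$Path)
    # SIDs allowed to hold write access: SYSTEM, Administrators, TrustedInstaller
    $trusted = 'S-1-5-18', 'S-1-5-32-544',
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
    # Bits that allow changing or replacing a file, plus GENERIC_WRITE and GENERIC_ALL
    $rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $mask = [int]$rights -bor 0x40000000 -bor 0x10000000
    $sidType = [System.Security.Principal.SecurityIdentifier]

    foreach ($item in $Path) {
        if (-not (Test-Path -LiteralPath $item)) {
            Write-Warning "Not found: $item"
            continue
        }
        $acl = Get-Acl -LiteralPath $item
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            # Skip deny entries and ACEs that only apply to child objects
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
            if ($trusted -contains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $mask) -ne 0) {
                [pscustomobject]@{
                    Path   = $item
                    Sid    = $ace.IdentityReference.Value
                    Rights = $ace.FileSystemRights
                }
            }
        }
    }
}

$DeployDir = 'C:\Program Files\LicenseSwitch'    # hypothetical deployment folder
$TargetExe = 'c:\some\path\name\program.exe'     # placeholder strCommand from the script
$findings = Get-UnsafeWriteAce -Path @(
    $DeployDir,
    (Join-Path $DeployDir 'localadmin.vbe'),
    (Join-Path $DeployDir 'lsrunase.exe'),
    $TargetExe
)
if ($findings) { $findings | Format-Table -AutoSize }
else { 'No write access for non-admin principals.' }
```

Any row in the output means a standard user can change what runs under the service account; fix the ACL before deploying.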

Comments (1) Trackbacks (0)
  1. Thanks very much!!!!!