Graham Perrin

Reputation: 534

Windows 10: after gaining remote access, remotely start Quick Assist as .\Administrator without UAC, or temporarily disable UAC

I'd like a script to be used in this situation:

  1. gain remote access without admin privileges
  2. remotely start Quick Assist as .\Administrator and not have a UAC dialogue.

Step 1 is usually made with Quick Assist, sometimes made with Teams screen sharing.


I'm aware that I can locate quickassist.exe in File Explorer then use Shift and the context menu to Run as a different user, however I'd like a scripted approach.

Experiment A

This works, but there's a Yes/No UAC dialogue:

$isElevated = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if ( -not $isElevated ) {
    Start-Process powershell.exe -Credential Administrator -NoNewWindow -ArgumentList {
        Start-Process quickassist.exe -Verb RunAs ;
    } ;
}

Experiment B

I make multiple mistakes, don't know how to correct them. (I'm trying to learn PowerShell, gradually, but I'm easily confused whilst learning; slightly dyslexic.)

$isElevated = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if ( -not $isElevated ) {
  Start-Process powershell.exe -Credential Administrator {
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "PromptOnSecureDesktop" -Value 0 -Force;
    };
  Write-Host "UAC (user account control) is weakened for a Quick Assist session …" -ForegroundColor Red;

  Start-Process powershell.exe -Credential Administrator -NoNewWindow -ArgumentList {Start-Process quickassist.exe -Verb RunAs -Wait};
  Write-Host "… Quick Assist session complete …" -ForegroundColor Red;

  Start-Process powershell.exe -Credential Administrator {
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "PromptOnSecureDesktop" -Value 1 -Force;
    };
  Write-Host "… UAC is strengthened." -ForegroundColor Red;
}

Also, conceptually, there's probably no need to run Quick Assist as Administrator whilst UAC is temporarily weakened.

References

https://stackoverflow.com/a/2258134/38108 (2010-02-13) I see use of -Credential with Invoke-Command but when I try to do something similar, for changes to the registry, I make a mess.

https://stackoverflow.com/a/47516161/38108 (2017-11-27) self-elevating PowerShell scripts.

https://superuser.com/a/1524960/84988 (2020-02-12) and https://serverfault.com/a/1003238/91969 (2020-02-15) are interesting – the same script in both answers – however I need something like -Credential Administrator in lieu of -ComputerName.

https://stackoverflow.com/a/60292423/38108 (2020-03-07) via https://stackoverflow.com/a/60263039/38108

PowerShell commands - PowerShell - SS64.com

https://github.com/okieselbach/Intune/blob/master/DisablePromptOnSecureDesktop.ps1 (2020-11-13) via Quick Assist the built-in Remote Control in Windows 10 – Modern IT – Cloud – Workplace

Upvotes: 0

Views: 1443

Answers (1)

Cpt.Whale

Reputation: 5351

The short answer is don't. Get a real remote management tool or have someone hit the UAC yes prompt.

This is more of a Windows thing than PowerShell, as Windows explicitly denies elevating a process locally without going through UAC (and for good reason!). You used to be able to do things like this:

# Use Enter-PSSession to start a "remote" session 
# (this may still support elevation if you specify CredSSP and configure credential delegation):
New-PSSession MyPCName -Auth CredSSP -cred (get-credential)

# Create a scheduled task with RunAs/elevated permissions:
Register-ScheduledTask -Action $action -User .\Administrator -TaskName "Admin-Stuff" -RunLevel Highest

Which now give fat access denied messages when running locally. You also are not able to edit registry settings within HKLM: without elevation, so disabling UAC temporarily is not an option.

You may be able to make use of this exploit that allows admin users to bypass UAC, but I think you still have to Run-as-other-user your shell to use it.

Upvotes: 0
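
An added example, not part of the question or the answer: a read-only check of the UAC policy values under the key that Experiment B changes, useful for confirming that a machine was not left with `PromptOnSecureDesktop` at 0 after an interrupted session. The function name `Get-UacPolicyDrift` is hypothetical, and the baseline assumes the Windows 10 default values rather than any Group Policy override.

```powershell
# Added example: audits UAC policy values; it reads only, so no elevation is needed.
$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Assumed baseline: Windows 10 defaults. Replace with your organisation's
# values if Group Policy sets different ones.
$Baseline = [ordered]@{
    EnableLUA                  = 1  # UAC enabled
    ConsentPromptBehaviorAdmin = 5  # consent prompt for non-Windows binaries
    ConsentPromptBehaviorUser  = 3  # credential prompt for standard users
    PromptOnSecureDesktop      = 1  # prompt shown on the secure desktop
}

function Get-UacPolicyDrift {
    [CmdletBinding()]
    param(
        [string]$Path = $UacPolicyKey,
        [System.Collections.IDictionary]$Expected = $Baseline
    )
    # Stop on an unreadable key rather than reporting every value as missing.
    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($name in $Expected.Keys) {
        $prop   = $props.PSObject.Properties[$name]
        $actual = if ($prop) { $prop.Value } else { $null }
        $status = if ($null -eq $actual) { 'Missing' } elseif ($actual -eq $Expected[$name]) { 'OK' } else { 'Drift' }
        [pscustomobject]@{
            Name     = $name
            Expected = $Expected[$name]
            Actual   = $actual
            Status   = $status
        }
    }
}

$report = @(Get-UacPolicyDrift)
$report | Format-Table -AutoSize

# Flag anything that is absent or differs from the baseline.
$drift = @($report | Where-Object { $_.Status -ne 'OK' })
if ($drift.Count -gt 0) {
    Write-Warning ('UAC policy differs from baseline: ' + ($drift.Name -join ', '))
}
```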
