UAC issue on Windows Server 2008 R2 - batch-file

I have a 20-year-old executable on 64-bit Windows 2008 R2 that needs to run when called from a batch file.
I tried the settings under Compatibility | Privilege Level | Change settings for all users | Run this program as an administrator, but it does not work -- it always brings up the UAC access prompt.
The only way it will run is with User Account Control disabled. I thought about running the batch in a Scheduled Task with the elevated permissions, but if it doesn't work with the Compatibility settings to run as admin, I don't know how it would be any different in Scheduled Tasks. I will be running it with Scheduled Tasks, but right now I am in testing mode.
Also, the paths are hard-coded in the program, so I can't reinstall under Program Files - it has to be directly under C: drive.
Is there something else I can do to get this to run with UAC enabled?

When you login to Windows with an Administrator account, Windows creates two tokens for you: an elevated one that has all your admin privileges, and a limited one that functions more like a regular user token. When the OS detects that you are trying to run something that requires the elevated privileges, it will show a UAC prompt to allow you to confirm that you want to run elevated.
So, if you run the batch file in a way that it already uses an elevated token, you won't get a UAC prompt. Interactively, you can open Command Prompt elevated (which will require a UAC confirmation), and then run the batch file as much as you want without any further prompts. Alternatively, you could run it as a scheduled task. As long as the scheduled task is running with the correct user credentials (you could run under your user account with highest privileges checked, or run it under some system account, or even create a completely new Admin user account), it should be able to run without any UAC prompt.
Bear in mind that as soon as you have the system running a batch file with elevated privileges, anyone who can modify that batch file can compromise your computer. You should run it as an account with as few privileges as possible (while still running successfully), and make sure the batch file itself is secured.

Related

Batch file runs fine but not in Task Scheduler

Afternoon everyone,
I've tried to research this topic in depth and I cannot come to a conclusion for my problem. I'm trying to automate a batch file in Task Scheduler to execute two SSIS packages. Currently when I attempt to execute the scheduled task (either waiting for its set schedule or running on demand), task scheduler will show that the task has completed successfully, the "Status" will continue to say "Running" but the destination files are never created/re-created. This is the script:
dtexec /f "D:\SSIS\Folder\Folder\Folder\Package.dtsx"
dtexec /f "D:\SSIS\Folder\Folder\Folder\Package.dtsx"
The SSIS is supposed to pull information from SQL and export it to a CSV which it does wonderfully... If I execute this script in CMD, Powershell, or run my batch file directly.
About my environment:
My script resides on a SQL Server. (Windows Server 2016 Standard)
I have a domain admin account used for scripting permissions (all parent folders including the batch file itself have that domain admin added with full permissions, including the csv destination).
The scheduled task is set to: "Run whether user is logged on or not", "Run with highest privileges", Configured for Windows Vista and Windows Server 2008. I know my credentials are correct for my domain admin account.
In "Actions", "Program/script:" is currently set to "C:\Scripts\file.bat", there is nothing in "Add Arguments (optional):" currently, "Start in (optional):" is set to "C:\Scripts".
So here is what I've tried:
I've set "Program/script:" to "cmd.exe" and added an argument of "file.bat" with a start in as "C:\Scripts", no dice.
I've set "Program/script:" to "Powershell.exe" and set an argument of "-ExecutionPolicy Bypass C:\Scripts\file.bat" with a start in as "C:\Scripts", no luck again.
I added my domain admin account to the local administrators group on the server as well.
I've changed the user/group from my domain admin account to my domain admin account (the one I'm logged into the server with) and set it to "Run only when user is logged on", if this is set and I attempt to run the scheduled task, CMD flashes on screen and disappears before I can read anything (it's still too fast for the script to actually run, it takes ~20 seconds) and the destination file isn't altered.
(This one really stumps me) I've tried to add the script to another scheduled task on the server, that scheduled task will run on schedule and complete every script in the batch file except for these 2 lines. The other scheduled task it was added to uses the same domain admin account, same settings across the board, it even has other similar SSIS packages being run using "dtexec", I don't get it.
Thanks for any input anybody can give me, it's greatly appreciated.
I know this is a super old post, but I just had the same issue and wasn't successful with any other popular solutions around StackOverflow, so I want to put out an alternative solution for anyone still struggling!
When in doubt, double check the user account in the Security Options under Properties (right-click on Task > Properties > first page under "Security Options").
Even though the user that it had selected by default should have permission to execute the script, I had to change the user account to a user with a higher privilege (I'm on a work computer). For me, this meant I had to select the Administrator group on my particular desktop environment.

Runas command to read user details from a txt file

having an issue where a batch script of mine is changing time server REG Keys but requires admin privildges to do so, even if local user is admin.
My way around this i have found is using this line of code:
runas /noprofile /user:administrator\administrator "%UserProfile%\Desktop\Time Server.bat"
But this asks me for the admin password everytime, and i cant be doing this for 150+ users.
Can i get this command to read user details from a .txt file or .ini file?
Thank you in advanced.
OliV555
AFAIK this is not possible out of security reasons. I've spent a lot of time on this but at the end, I had to use a workaround:
Create a new task with the windows scheduler. In the interface select the admin user you want to run your script with and enter the password. Check the option to run the task with highest privileges. Let your task execute the batch file with all the code you want to run as admin. Don't enter any trigger to start your task automatically.
Now here's the trick:
To run your command with admin privileges simply execute
SCHTASKS /Run /TN <taskname>
If your local user is admin this will work straight on. Otherwise, you'll have to grant the user rights to start tasks.
EDIT: The scheduler will execute your batch file with system32 as working directory. So if you are using any relative paths in your script don't forget to adjust them or replace them with absolute paths.

Run batch file as administrator on Jenkins?

We're using Jenkins on Win8 x64 to build (msbuild), package (cspack), run (csrun) and test (nunit) an azure cloud services project. The Azure cloud service emulators need to run as administrator plus we need to bind to ports 80/443 (so can't use "lite" emulators).
We're doing the above via a simple .bat file that Jenkins runs. Typically no user logs into the machine, it boots up and Jenkin's runs as a service that keeps monitoring our GIT repo and emails on failures. An admin manually logs into the machine just for maintenance (eg. apply patches or reboot machine etc)
How do we configure Jenkins to run that .bat as administrator without human interaction?
With a desktop UI we can right click a command prompt, run as admin, acknowledge the UAC prompt, get the elevated privilege prompt and run the .bat file.
Our solution was to run the Jenkins' service as a separate local admin user. After installing Jenkins, Start => 'services' => Scroll to the Jenkins service => right click => properties => "log on" => "this account" => specify a local admin account.
Hopefully in newer Jenkins' builds it can work as the standard NETWORK SERVICE but for some reason it didn't with our box.
One of the solution:
Create bat file in slave.
Create shortcut of the file and right click the shortcut, properties -> Advanced -> check run as
administrator.
Control Panel -> System and Security -> Action
Center -> Change User Account Control Settings and set the level to
"never notify".
run the file on Jenkins
Somehow the file will be executed on slave server but it return failure on Jenkins.
This is My situation:
I need to use admin privileged console to run pywinauto script (written in python) to automate some app which requires admin privileged.
What I had tried:
In my experience, install Windows Jenkins slave as a service creating more issue to take care with, so I don't go this route.
To create a new process and it will open a new admin privileged shell and run command on it. But, in this way, Jenkins will not show its output, say in Blue Ocean.
What worked for me:
Just manually open an admin privileged console to start the your_window_node.jnlp file and then this Jenkins slave will have admin privileged.
If you'll log to the widows machine as an administrator and run the slave agent from this user, everything will be running under the administrator user

Batch file's Core FTP line is Not running during Scheduled Task. Works if started Manually

I have a simple batch file which needs to be run weekly to upload some files via Core FTP.
I'm using the free version of Core FTP LE.
MySavedProfile is the Site Name of the saved profile I created using Core FTP's site Manager. The profile contains the URL / credentials / etc of the site to connect to.
Here are the contents of the batch file:
SET logf=confirm.log
echo test-start >> %logf%
"C:\Progra~1\CoreFTP\coreftp.exe" -B -s -pasv -O -site MySavedProfile -u "C:\Progra~2\PathToFiles\FileToUpload.txt"
echo test-finish >> %logf%
For the Windows Server 2012 r2 Task Scheduler, I have created a basic, weekly scheduled task on the Task Scheduler Library root which runs the batch file. For this scheduled task I have:
(Under the General tab)
"Run whether user is logged on or not" is selected
"Run with highest privileges" is checked
Configure for = Windows Server 2012 R2
(Under Actions)
Action = Start a program
Program / Script = "C:\Progra~2\PathToFiles\batch.bat"
Start in = C:\Progra~2\PathToFiles\
Here is the weird behavior I am getting:
If I double click on the batch file directly, it works fine and uploads the text file via Core FTP just fine.
However, if I try to let the Windows Task Scheduler run it, it runs everything except the Core FTP line. That is, I get the usual:
test-start
test-finish
in the confirm.log file, but the FileToUpload.txt has not been uploaded to the remote server, and there are no errors from CoreFTP that I can detect.
I have tried this with a service account that has permissions to run batch files, as well as my own account for this scheduled task. I get the same result: it doesn't seem to run that CoreFTP line. At least not via Task Scheduler. I need this upload to be automated.
I've searched Core FTP's documentation, Google, etc. No one seems to have run into this exact issue. I've applied recommendations from distantly related issues, but none of them have worked.
Any help would be greatly appreciated. Thank you.
The only way to do this is to use the full version of Core FTP (that is Core FTP Pro). If you use the LE version you have to check the "Run only when user is logged on" option.
This happens because of the splash screen at the beginning.
If you can't be logged on forever you could create a user that will always be logged on just for these tasks.
Remember to use the -Log option on CoreFTP to check if it is actually doing something.

How can I use a batch file to launch an application as a specific user?

I'm trying to figure out how I can use a batch file to launch Internet Explorer as a local user on the system hosting the batch file. Ideally I'd like to be able to double click the batch file and not have to enter user credentials. To break it down a bit:
User is logged onto the host system with a domain user (Server 2008 R2 Standard 64bit)
User can then double click on a batch file that will launch Internet Explorer as a local user on the host system, without prompting for the local user credentials
All I can find is information about NET USE, any help would be greatly appreciated!
"runas" command was intentionally designed to prompt for password. So, that is not your solution.
One of option is to create a scheduled task where you can store the password (safely) and run the scheduled task from batch file.
But if the batch file is distributable and not going to be run on same machine.. you may have to investigate on how to create a schedule task from batch file and then run it.
you may find this reference helpful

Resources