Escalation of privilege

Nicolas Macarez

Hi Everyone
I am working on a Windows 2000 Professional desktop (no domain controller,
no Active Directory, everything is local).

When a user, without any admin rights, logs on, a logon script is executed.
This VB script (WSH and WMI stuff) modifies some registry keys and entries
under HKEY_CURRENT_USER and I need to run this script with the admin
rights - otherwise certain entries are not modified because the users don't
have the right to do so.

How can I escalate the privilege INSIDE my script, and then release the
rights afterwards, once the session is opened ?

Help greatly appreciated !

Nicolas
 
List

This isn't really possible without knowledge of an admin password so not
really viable. A better way would be to use Group Policy (or use regedt32)
to change the registry key permissions so that they do run.
 
MSFT

--------------------
From: "Nicolas Macarez" <[email protected]>
Subject: Escalation of privilege
Date: Mon, 17 Nov 2003 13:26:46 +0100
Newsgroups: microsoft.public.win2000.security

Hi Nicolas-

Depending on what you are doing in the script, you may or may not be able
to execute the command under a different user context. This will most
likely be a bad idea, as you will need to leave an admin username and
password in the clear (or easily accessible) to make your script function.
If you are mapping a network drive, you can specify a username and
password. Otherwise, try the following articles:

294676 HOW TO: Enable and Use the "Run As" Command When Running Programs in
http://support.microsoft.com/?id=294676

254094 Runas Utility Uses Default Profile When Invoked from Command Prompt If
http://support.microsoft.com/?id=254094

325362 HOW TO: Use "Run as" to Start an Application as an Administrator in
http://support.microsoft.com/?id=325362

/Siddharth
PSS Security
 
Nicolas Macarez

Thanks for your answer.
The issue is that I don't want to use "group policy" because I'm fully
local (no DC, no AD) and the policy of Win2K Pro doesn't have all the
features I need - and that are available by tweaking the registry.
Nicolas
 
Nicolas Macarez

Thanks Siddharth for your answer.
admin/password in clear is no problem for me since I shall hide the
C:\Script folder. I can even encrypt the VBS script with the WMI features.
I tried to use runas (and sanur which can pipe the admin/password in the
command line). It works, of course, but a new problem turns up: it's not
the registry of the current user which is modified but the registry of the
Administrator account - and it's not fine at all.

In fact, runas opens an admin session behind the scenes, executes the scripts
(and so modifies the HKEY_CURRENT_USER stuff, but of the Administrator account
itself), and at last closes the session and gives you back the cursor.
The HKEY_CURRENT_USER of the plain current user (the guy with no admin
rights) is not modified at all.

I'm still searching for a workaround...

Nicolas
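
The behaviour described in the last post follows from HKEY_CURRENT_USER being a per-account view of HKEY_USERS\<SID>: a script started under another account sees that account's hive. The sketch below is an added example, not code from any poster in this thread; it assumes it runs in an administrative context while the limited user is logged on (so that user's hive is loaded), takes the user name as its argument, and uses a hypothetical key and value name.

```vbscript
' Added example, not from the thread. Writes into a named local user's hive
' (HKEY_USERS\<SID>) instead of the HKCU of the account running the script.
Option Explicit

Const HKEY_USERS = &H80000003
' Hypothetical key and value, used only for illustration.
Const SUBKEY = "Software\ExampleVendor\ExampleApp"
Const VALUE_NAME = "ExampleSetting"

Dim targetUser, sid, rc
If WScript.Arguments.Count <> 1 Then
    WScript.Echo "Usage: cscript sethkcu.vbs <local user name>"
    WScript.Quit 1
End If
targetUser = WScript.Arguments(0)

sid = GetLocalUserSid(targetUser)
If sid = "" Then
    WScript.Echo "No local account named " & targetUser
    WScript.Quit 2
End If

rc = WriteUserValue(sid, SUBKEY, VALUE_NAME, "1")
If rc <> 0 Then
    ' Non-zero: for example the hive is not loaded, or access was denied.
    WScript.Echo "Registry write failed, return code " & rc
    WScript.Quit 3
End If
WScript.Echo "Updated HKEY_USERS\" & sid & "\" & SUBKEY

' Resolve a local account name to its SID through WMI (no string-built query).
Function GetLocalUserSid(name)
    Dim wmi, account, computer
    GetLocalUserSid = ""
    computer = CreateObject("WScript.Network").ComputerName
    Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
    For Each account In wmi.ExecQuery("SELECT Name, Domain, SID FROM Win32_UserAccount")
        If StrComp(account.Domain, computer, vbTextCompare) = 0 And _
           StrComp(account.Name, name, vbTextCompare) = 0 Then GetLocalUserSid = account.SID
    Next
End Function

' Create the key if needed, then set a string value under HKEY_USERS\<sid>.
Function WriteUserValue(userSid, subKey, valueName, data)
    Dim reg, path
    Set reg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
    path = userSid & "\" & subKey
    WriteUserValue = reg.CreateKey(HKEY_USERS, path)
    If WriteUserValue = 0 Then WriteUserValue = reg.SetStringValue(HKEY_USERS, path, valueName, data)
End Function
```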
 
