Bypassing UAC in VbScript

Posted on 2024-10-24 18:14:36 · 124 words · 4 views · 0 comments

I have a Vbscript that runs on user log off that is supposed to turn off a service, however it can't turn off the service since it's being blocked by UAC. I was wondering if there is a way to bypass UAC in my vbscript instead of having to turn off UAC on every machine in my domain.
Thanks!

Comments (2)

我们只是彼此的过ke 2024-10-31 18:14:36

What would be the point of UAC if you could bypass it by saying "it shouldn't apply to me"? You cannot bypass it from vbscript.

You can do this administratively though, by running the script using elevated credentials in the first place.

For example by having an "on logon" scheduled task, running as Administrator or SYSTEM. I believe this works in Windows 7, and Vista.

To create such a task on a remote machine:

schtasks.exe /create /S COMPUTERNAME /RU "NT AUTHORITY\SYSTEM" /RL HIGHEST /SC ONLOGON /TN "Administrative OnLogon Script" /TR "cscript.exe \"Path\To\Script.vbs\""

Tasks can also be created using script.

Note: If this is the only thing the script does, you can simply use a command like SC or NET STOP to stop the service directly.

抠脚大汉 2024-10-31 18:14:36

It's quite true you cannot bypass it from vbscript (in any way that I know). But vbscript is part of the solution.

Another slightly more flexible solution (ugly but flexible) uses the following 2 lines of vbscript:

Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.LogEvent 4, "C536132C2CB6ABB85554670D2F97E23C"

The solution also requires the following custom xml event filter for your scheduling trigger:

<QueryList>
<Query Id="0" Path="Application">
<Select Path="Application">
  *[System[Provider[@Name='WSH'] and (Level=4 or Level=0) and (EventID=4)]] 
  and 
  *[EventData[Data='C536132C2CB6ABB85554670D2F97E23C']]
</Select>
</Query>
</QueryList>

The following xml is an export from my task scheduler (with hostname and userid modified). It runs an admin level powershell console

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Date>2013-07-24T15:00:52.6087783</Date>
<Author>MyRealHostName\my_real_login_name</Author>
<Description>Hack to run powershell as admin without confirmation</Description>
</RegistrationInfo>
<Triggers>
<EventTrigger>
<Enabled>true</Enabled>
<Subscription>
<QueryList><Query Id="0" Path="Application"><Select Path="Application">
*[System[Provider[@Name='WSH'] and (Level=4 or Level=0) and (EventID=4)]] 
and 
*[EventData[Data='C536132C2CB6ABB85554670D2F97E23C']]
</Select></Query></QueryList>
</Subscription>
</EventTrigger>
</Triggers>
<Principals>
<Principal id="Author">
<UserId>MyRealHostName\my_real_login_name</UserId>
<LogonType>InteractiveToken</LogonType>
<RunLevel>HighestAvailable</RunLevel>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
<AllowHardTerminate>false</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<StopOnIdleEnd>false</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
<UseUnifiedSchedulingEngine>false</UseUnifiedSchedulingEngine>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe</Command>
<Arguments>-NoLogo -NoExit</Arguments>
<WorkingDirectory>c:\users\my_real_login_name</WorkingDirectory>
</Exec>
</Actions>
</Task>

Note that you can be as selective as necessary with the data string:

C536132C2CB6ABB85554670D2F97E23C

Is any sufficiently unique string that you arbitrarily tie to the app you want to run with elevated privileges. So, you can be admin on any app without constantly reminding Windows 7 that it's ok. It really should never be this hard:-(
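An added example, not part of either answer: the task above is fired by a `LogEvent` call from an unelevated script, so anything running as that user can start the elevated action. This sketch audits exported task XML for that pattern (an enabled Application-log event trigger on a task that runs at `HighestAvailable` or as SYSTEM). The names `audit_task`, `SAMPLE_TASK` and `EXAMPLEHOST\example_user` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_IDS = {"S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"}

# Constructed sample: the export from the answer above, trimmed to the audited fields.
SAMPLE_TASK = """<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<Triggers><EventTrigger><Enabled>true</Enabled><Subscription>
<QueryList><Query Id="0" Path="Application"><Select Path="Application">
*[System[Provider[@Name='WSH'] and (Level=4 or Level=0) and (EventID=4)]]
</Select></Query></QueryList>
</Subscription></EventTrigger></Triggers>
<Principals><Principal id="Author">
<UserId>EXAMPLEHOST\\example_user</UserId>
<RunLevel>HighestAvailable</RunLevel>
</Principal></Principals>
<Actions Context="Author"><Exec>
<Command>C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe</Command>
<Arguments>-NoLogo -NoExit</Arguments>
</Exec></Actions>
</Task>"""


def text(node, path):
    """Namespace-aware findtext that returns '' when the element is absent."""
    return (node.findtext(path, default="", namespaces=NS) or "").strip()


def audit_task(xml_data):
    """Return one finding per enabled Application-log trigger on an elevated task."""
    root = ET.fromstring(xml_data)  # accepts str, or bytes read from a UTF-16 export
    elevated = [text(p, "t:UserId") for p in root.iterfind("t:Principals/t:Principal", NS)
                if text(p, "t:RunLevel") == "HighestAvailable"
                or text(p, "t:UserId").upper() in SYSTEM_IDS]
    commands = [(text(e, "t:Command") + " " + text(e, "t:Arguments")).strip()
                for e in root.iterfind("t:Actions/t:Exec", NS)]
    findings = []
    for trig in root.iterfind("t:Triggers/t:EventTrigger", NS):
        sub = trig.find("t:Subscription", NS)
        if sub is None or text(trig, "t:Enabled") == "false":
            continue
        # Serialising covers both a nested QueryList and one stored as escaped text.
        query = ET.tostring(sub, encoding="unicode")
        if elevated and 'Path="Application"' in query:
            findings.append({"principals": elevated, "commands": commands})
    return findings


if __name__ == "__main__":
    for f in audit_task(SAMPLE_TASK):
        print("REVIEW: elevated task fired by Application-log event:", f)
```

A finding is a prompt to check who can write the triggering event and whether the action is a fixed, non-interactive command rather than a general-purpose shell.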
