如何在 Windows 中与另一个管理员用户一起运行应用程序
此代码适用于计算机的非管理员用户,以便他们可以以管理员身份运行任务/应用程序 所以我创建了一个管理员用户,我将用它来启动应用程序(带有路径)。
当我尝试与其他用户一起使用 Runas 命令启动应用程序时,遇到问题。
该命令要求输入用户密码
所以我尝试使用:
import subprocess as sub
prog = sub.Popen(['runas', '/noprofile', '/user:kairos', path/of/app],shell=True, stdin=sub.PIPE, stdout=sub.PIPE)
prog.communicate(input=password.encode())
但没有附加任何内容。 另一种方法是使用带有凭据的“Start-Process”Powershell 命令
import subprocess as sub
command = """
$username = 'kairos'
$password = 'password'
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
Start-Process "path\to\app" -Credential $credential
"""
exec = sub.Popen(["powershell","& {" + command + "}"], stdout=sub.PIPE)
exec.communicate()
,但此命令返回“访问被拒绝”,尽管我的用户是计算机的本地管理员
我也尝试过使用此命令,但我坚持使用 UAC
ctypes.windll.shell32.ShellExecuteW(None, "runas", "path\to\app")
有什么想法吗?
This code is intended for non-administrator users of their computer so that they can run a task / application as admin
So i have created an admin user which i would use to launch app ( with path).
I'm getting an issue when i try to launch an app with the command Runas with another user.
The command requires the user's password to be entered
So i have tried to use :
import subprocess as sub
prog = sub.Popen(['runas', '/noprofile', '/user:kairos', path/of/app],shell=True, stdin=sub.PIPE, stdout=sub.PIPE)
prog.communicate(input=password.encode())
But nothing append.
Another way was to use the 'Start-Process' Powershell command with credentials
import subprocess as sub
command = """
$username = 'kairos'
$password = 'password'
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
Start-Process "path\to\app" -Credential $credential
"""
exec = sub.Popen(["powershell","& {" + command + "}"], stdout=sub.PIPE)
exec.communicate()
But this command return "Access denied" despite my user is a local admin of the comput
I have also tried to use this command but im stuck with the UAC
ctypes.windll.shell32.ShellExecuteW(None, "runas", "path\to\app")
Any ideas ?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
runas.exe实用程序无法运行具有提升权限的进程(以管理员身份)。也不能
Start-Process使用-Credential参数。只有
Start-Process和-Verb RunAs可以启动具有提升的进程,并且-Verb与- 互斥凭据。换句话说:您可以以不同的用户身份在始终非提升的进程中运行,或者您可以请求提升,在这种情况下,您无法选择应该使用哪个管理用户来运行提升的进程。
如果要求用户响应 UAC 提示(见下文)可以接受,您可以使用两步调用过程,首先使用
-Credential启动非提升进程作为其他用途,然后然后使用-Verb RunAs请求提升该 > 过程 - 参见 这个答案。除非您禁用 UAC - 强烈建议不要这样做 - 您从根本上不能完全自动化地启动带有提升的进程。始终需要两个交互操作之一:
如果当前用户身份原则上属于
Administrators组:需要简单的确认。否则,需要以交互方式提供管理员凭据。
避免 UAC 提示的唯一方法是首先在提升的进程中运行或使用以下有限的解决方法:假设您原则上是管理员,您可以使用预先配置的命令设置计划任务以通过提升运行,然后您可以从您的非提升会话中按需调用该任务,而不会触发 UAC 提示 - 请参阅这个答案。
The
runas.exeutility can not run processes with elevation (as admin).Neither can
Start-Processwith the-Credentialparameter.Only
Start-Processwith-Verb RunAscan launch a process with elevation, and-Verbis mutually exclusive with-Credential.In other words: You can either run as a different user, in an invariably non-elevated process, or you can request elevation, in which case you do not get to choose what administrative user should be used to run the elevated process as.
If requiring the user to respond to a UAC prompt (see below) is acceptable, you can use a two-step invocation process, where you first use
-Credentialto launch a non-elevated process as another use and then request elevation with-Verb RunAsfrom that process - see this answer.Unless you disable UAC - which is strongly discouraged - you fundamentally cannot fully automate launching a process with elevation. One of two interactive actions are always required:
If the current user identity is part of the
Administratorsgroup in principle: Simple confirmation is required.Otherwise, interactively providing an administrator's credentials is required.
The only way to avoid UAC prompts is to either run in an elevated process to begin with or use the following, limited workaround: Assuming that you are an administrator in principle, you can set up a scheduled task with a preconfigured command to be run with elevation, which you can then invoke on demand from a non-elevated session of yours without triggering a UAC prompt - see this answer.
尽管对于任何试图做这样的事情的公司来说,这似乎是一个可怕的想法,但我可能有一个可能会实现你的目标的答案。
如果UAC正确启用,您可能无法通过任何“非黑客方法”绕过它。您的安全应用程序应该阻止能够执行此类操作的应用程序。
但是您可能会在后台运行该应用程序 - 而不是在当前用户会话中 - 如果这足以让您尝试使用 WMI 启动进程 - 使用 wmic 尝试 https://ss64.com/nt/wmic.html 并使用“进程调用创建” - 示例:
替代方案是创建“计划任务”或与您一起运行的服务更高的权限并等待触发。该触发器可能是在包含要执行的操作的文件夹中创建的文件或应用程序事件日志中的条目。根据文件系统处理程序,可以立即通知等待文件更改。
但如果你想在任何公司应用这一点,你就必须考虑安全性。如果您使用任何不安全的方法来工作,您的非管理员获得了该管理员(只是在另一个进程中),他就是该管理员,并且可能有多种方法来使用您的“kairos”拥有的所有权限。根据哪个应用程序声称需要管理权限,您可能有许多解决方案来使该应用程序以更少的权限运行。一种解决方案可能是授予应用程序所需文件夹的非管理员权限。如果应用程序需要更改例如网络设置,您可以授予用户本地网络运营商权限,以便他始终能够更改网络设置。
另一个提示 - 切勿创建任何硬编码任何类型密码的程序。即使从已编译的应用程序中获取该密码的方法也有很多。如果您需要其他用户,请依靠操作系统的方法(具有专用服务用户的服务)。
Despite this seems to be a horrible idea for the security of any company trying to do something like this i might have an answer that may lead to your goal.
If UAC is enabled correctly, you may not bypass it by any "non hacking method". Your security applications should block applications that are able to do something like that.
BUT you may get that application work in background - not in the current user session - if that is enough for you try to start your process with WMI - Use wmic to try https://ss64.com/nt/wmic.html and use "process call create" - Example:
alternative would be to create a "Scheduled Task" or a service that runs with your higher privileges and waits for a trigger. That trigger might be a file created in a folder containing what to do or an entry in application event log. The wait for file change can be notified instantly depending on filesystem handler.
But you must think about security if you are trying to apply that in any company. If you get any unsecure method to work in that your non-admin gets that admin - just in another process - he is that admin and might have multiple ways to use all permissions your "kairos" has. Depending on which application claims to need that administrative permissions you might have many solutions to make that application work with less permissions either. One solution might be to grant the non-admin permissions to the required folders of the application. If the application needs to change e.g. network settings you might grant the user local network operator permissions, so he is always able to change network settings.
Another tip - Never create any program that has hardcoded any kind of password. There are plenty of ways to get that password even from a compiled application. If you need another user, rely on the methods that are part of the operating system (Service with dedicated service user).