I am using psexec.exe to run programs in a different security context. However the programs start but it does not seem to be running in the specified security context.
In its minimal form:
psexec -u wsadmin -p password cmd Starts a new cmd window if I type in that window whoami
C:\Windows\system32>whoami win-k1r7g38nlkt\wsadmin C:\Windows\system32>net localgroup administrators Alias name administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator wsadmin The command completed successfully. As you can see I am definately the other user. And I can confirm that this user is member of the "Administrators group"
C:\Windows\system32>mkdir test Access is denied. If I use runas with the specified user it works as supposed. But I need to supply the password on the commandline.
4 Answers
On Windows Vista and later, if UAC is enabled, a process launched by psexec -- even when run from an administrator account -- must have its elevate token set in order to get full privileges. This can be done by passing the -h attribute in the psexec command line. So, you would change your command to:
psexec -h -u wsadmin -p password cmd For more info, run psexec /?:
-h If the target system is Vista or higher, has the process run with the account's elevated token, if available. 7It took me hours to find a working way to PsExec between two Windows 7 Computers with non-Admin user starting PsExec ... Disabling UAC (EnableLUA=0, ConsentPromptBehaviorAdmin=0, LocalAccountTokenFilterPolicy=1) did not work, turning off the Firewalls did not work...
Here I found the working way - thanks JelmerS: (Info from PSexec is not connecting to machine using supplied username and password)
This is because psexec still tries to access the ADMIN$ share with your local credentials, before executing your command as another user. According to this thread, you can cache credentials before executing psexec:
cmdkey.exe /add:MACHINE_NAME_HERE /user:MACHINE_NAME_HERE\Administrator /pass:PASSWORD_HERE psexec.exe \\MACHINE_NAME_HERE -i notepad cmdkey.exe /delete:MACHINE_NAME_HERE 1I have found a solution:
Turns out that when you have UAC enabled psexec does not work as supposed.
Whenever HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA is set to 0 psexec works as expected.
Here is what worked for me, it doesn't get rid of UAC completely but turns it off for administrators
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control:Run All Administrators in Admin Approval Mode - Disabled
1