Looking for a language that can pass hard-coded credentials to start a .exe with elevated permissions

Hey guys, in my environment I have a program that needs to be updated somewhat frequently for all of our users. This updater requires elevation- and we don't want to have all of our users having the admin credentials/privileges.

Since the updater is its own .exe, I was wondering if there was a language that would let me hard code in the credentials to be able to start the program as administrator?

So basically, in a dream world it would have a function that does something along the lines of

RunAsAdmin(Program_File_Path(string), Admin_Name(string), Admin_Password(string))


PowerShell can do it...

if (!([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) { Start-Process powershell.exe "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`"" -Verb RunAs; exit }

# Your script here


4 minutes ago, Master Disaster said:

PowerShell can do it...

if (!([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) { Start-Process powershell.exe "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`"" -Verb RunAs; exit }

# Your script here

Alright, so I tried using that. Where in this code would I place the administrative credentials?

Or does this simply prompt the user to elevate the process?


39 minutes ago, xearow said:

Alright, so I tried using that. Where in this code would I place the administrative credentials?

Or does this simply prompt the user to elevate the process?

You should ask for the credentials every time you run an elevated task. Anything that inputs them automagically is asking for trouble.

If the core issue is the program "needs" to be updated frequently, you should ask: Does the program really need to be updated? If you can continue working on whatever it is without updating, then hold off on updating until it's really necessary or update less frequently.


1 minute ago, Mira Yurizaki said:

You should ask for the credentials every time you run an elevated task. Anything that inputs them automagically is asking for trouble.

Yeah, I know, but I need some kind of way to have this update on all of our users' computers without them having elevated privileges themselves.


6 minutes ago, xearow said:

Yeah, I know, but I need some kind of way to have this update on all of our users' computers without them having elevated privileges themselves.

If you don't have some IT team managing the systems on an enterprise level, then a workaround to this is to enable write permissions where the application lives for all users, assuming all this update is doing is writing to that folder and not making changes to the registry or whatever.

However, I edited my response; the gist of it is to figure out if you really need to update the application as frequently as they push updates out. If there's no pressing need to update the application every time there's an update, then update less often.


2 minutes ago, Mira Yurizaki said:

If you don't have some IT team managing the systems on an enterprise level, then a workaround to this is to enable write permissions where the application lives for all users, assuming all this update is doing is writing to that folder and not making changes to the registry or whatever.

However, I edited my response; the gist of it is to figure out if you really need to update the application as frequently as they push updates out. If there's no pressing need to update the application every time there's an update, then update less often.

Unfortunately the application has a check to see if it is updated on startup, and will not start if it is not updated.

 

Writing the permissions sounds like a valid option, I'll have to look into that.


15 minutes ago, xearow said:

Unfortunately the application has a check to see if it is updated on startup, and will not start if it is not updated.

You can have an external updater application. When your app starts, run the updater app and request the status of your app.

If the updater returns a flag saying it's up to date, then close the updater and continue.

If it returns a flag saying an update is required, call another function of the updater saying to update your app and close your app.

The update shall update all the files, including the exe if needed, and the update should finish by starting the application that requested the update.

This method can allow you to create a custom updater that works for hundreds of applications. You just need a couple of parameters like:

- Application to update main exe (to restart once done)

- location of the service or file that tells it if it's up to date or not

- location of the files to download or the service that will provide it with the package

- location of the application to know where to put the files.


Just use Windows scheduler; you have the option to use an admin account to run the program and the user won't have access to the credentials. Pro tip: set up a new admin account to do this that no one uses; locking out an account used for updating is a nightmare. Set it to run every week during business hours.

I am assuming the updater will just exit if there is no update, of course.


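The scheduled-task approach from the last reply, as an added PowerShell example that is not part of the original thread: an administrator runs it once from an elevated session, and the dedicated account's password is then held by Task Scheduler rather than in a script or executable that users can read. The task name, updater path and account name are assumptions; the ACL check is an extra guard, since a task that runs as an admin should not launch a file that standard users can overwrite.

```powershell
# Added example. Run once from an elevated PowerShell session as an administrator.
# Task name, updater path and account name are assumptions for illustration.
$TaskName    = 'ExampleApp-Updater'                        # hypothetical
$UpdaterPath = 'C:\Program Files\ExampleApp\updater.exe'   # hypothetical
$TaskAccount = "$env:COMPUTERNAME\svc-appupdate"           # hypothetical dedicated admin account

if (-not (Test-Path -LiteralPath $UpdaterPath -PathType Leaf)) {
    throw "Updater not found: $UpdaterPath"
}

# A task that runs elevated must not start a file standard users can modify.
# Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users.
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
$writeBits = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'
$sidType   = [System.Security.Principal.SecurityIdentifier]
$risky = foreach ($path in $UpdaterPath, (Split-Path -Parent $UpdaterPath)) {
    (Get-Acl -LiteralPath $path).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $broadSids -contains $_.IdentityReference.Value -and
            (($_.FileSystemRights -band $writeBits) -ne 0)
        } | ForEach-Object { "$path is writable by $($_.IdentityReference.Value)" }
}
if ($risky) { throw ($risky -join "`n") }

# Prompt for the task account's password; it is never written into this script.
$cred = Get-Credential -UserName $TaskAccount -Message 'Password for the updater task account'

$action   = New-ScheduledTaskAction -Execute $UpdaterPath
# Weekly during business hours, as suggested in the reply above.
$trigger  = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Wednesday -At '10:00'
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
                -ExecutionTimeLimit (New-TimeSpan -Hours 1)

# Task Scheduler stores the credential; standard users only see that the task exists.
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Settings $settings -User $cred.UserName `
    -Password $cred.GetNetworkCredential().Password -RunLevel Highest
```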