This looks like a job for the Service Control Manager (SCM). SCM is already equipped to securely store credentials and securely execute programs in different contexts than the interactive user. Non-Administrator users won't be able to access the credentials or directly interact with the security context used to execute services, but they will be permitted to start/stop services if they have permission.
First, it's important to know that you can run a non-service program as a service. It will generate an error message (and the service won't show "Started") but the program will execute. In the case of a command like your netsh
, which executes and immediately exits, running it as a "service" will work just fine to accomplish what you need. (Longer-running commands would be problematic because SCM would eventually terminate them when they don't respond properly.)
I haven't tested this with netsh
, but I did use another command (net user bob /add
) to "prove" that the Service Control Manager.
Create a service that executes your command: sc create ServiceName binPath= "netsh wlan set hostednetwork mode=allow ssid=$WLANSSID key=$WLANKEY"
Modify the security descriptor on the service to permit "Users" to start/stop the service (shamelessly taken from another Server Fault answer of mine): sc sdset ServiceName D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;RPWPDT;;;S-1-5-32-545)
Start the service as the limited user. sc start SerivceName
You will receive an error 1053 "The service did not respond to the start or control request in a timely fashion." after the netsh
command executes and terminates. The netsh
command will be run in a SYSTEM security context.
If you need the user to be able to interact with the command-line then this gets more complicated. You could probably code up some kind of baroque script to allow the user to specify the arguments, and in turn have those arguments read by a script that the "service" parses and feeds to netsh
. You'd want to be exceedingly careful that you didn't inadvertently allow the limited user the ability to arbitrarily execute code as SYSTEM in constructing this, however.