7

I'm trying to remotely start installations and I'd like not to disable UAC. If I start the processes remotely using psexec, the installer will just get stalled waiting for the UAC prompt. Other tasks such as temporary files cleaning, services restarting, etc, will get me Access Denied errors. Is there anyway psexec can walk around UAC such as logging in with Administrator but with the TrustedInstaller privileges or something like that?

By the way, I'm targeting Windows 2008 R2, but I think this question applies to Vista, 2008 and Windows 7 as well.

Miguel Ventura
  • 183
  • 1
  • 1
  • 6

7 Answers7

12

The -h parameter is key here: without it, psexec does not not execute the command with UAC elevated privileges on Windows Vista and above:

C:\Users\merickson>psexec /?

PsExec v1.97 - Execute processes remotely
Copyright (C) 2001-2009 Mark Russinovich
Sysinternals - www.sysinternals.com

PsExec executes a program on a remote system, where remotely executed console
applications execute interactively.

Usage: psexec [\\computer[,computer2[,...] | @file]][-u user [-p psswd]
 [-n s][-l][-s|-e][x][-i [session]][-c [-f|-v]][-w directory][-d][-<priority>]
 [-a n,n,...] cmd [arguments]

...

 -h         If the target system is Vista or higher, has the process
            run with the account's elevated token, if available.
...

(edit: added evidence of -h switch's existence, per comment below)

Skyhawk
  • 14,149
  • 3
  • 52
  • 95
  • Cheers Miles! I downloaded the 1.97 and sure enough it has the -h flag -- the website doesn't mention it which is why I made the original comment. – John Röthlisberger Apr 15 '10 at 16:34
1
psexec \<remote IP> -u user -p password -h netsh advfi
rewall firewall add rule name="AllowRDP " dir=in action=allow protocol=TCP local
port=3389
grekasius
  • 2,046
  • 11
  • 15
user235756
  • 11
  • 1
1

You need to use the -u option and specify an account that has local admin access to that machine (a local account, domain admin account etc)

 -u         Specifies optional user name for login to remote
            computer.

For example

psexec \\pc999.myDomain.loc -u pc999\Administrator <your exe>

Izzy
  • 8,214
  • 2
  • 30
  • 35
1

Apparently my process was being blocked not because psexec was ignoring the provided login.

Not sure why, but using Vista as a client machine the credentials passed with -u and -p parameters weren't actually being used to login to the server (figured out using event viewer on the server). Instead, it was always the logged in user that was being used. Apparently this is what happens when both machines are in the same domain.

Had to open the credentials manager (Control Panel > User Accounts > Manage your network passwords) and create a new set for the target machine with the user I wanted to use for psexec.

Miguel Ventura
  • 183
  • 1
  • 1
  • 6
0

I also had this problem but miguel's solution of adding the credentials to the credential manager solved the problem for me

Running Windows 7 32-bit on both client and server in a domain using psexec 1.98

I wonder if this is a bug, it seems so.

studiohack
  • 305
  • 5
  • 17
aL3891
  • 121
  • 3
0

I have the same problem. The command i run is psexec.exe -accepteula -n 120 \MyServer -u User -p Password cmd "/C dir

I am running it from win2008 r2 and the target (MyServer) is win2008 r2 aswell.

Miguel's suggestion worked for me, after i added the credentials it worked fine.

Ed Sykes
  • 248
  • 2
  • 3
  • Furthermore, once you have the credentials in the vault, you don't need to give the credentials to psexec. It doesn't hurt to give the credentials though. – Ed Sykes Mar 24 '11 at 16:52
0

You could use the -s flag to run the command in the SYSTEM context. That is assuming you're not already running the command with other credentials that need access elsewhere on the network.

Ryan Bolger
  • 16,472
  • 3
  • 40
  • 59