0

I would like to create a windows service that launches a Powershell script with administrator privileges. To do so, I used PowerGUI to transform my script into an exe file and I also used PowerGUI to create a service from this exe file.

When I start the service it works but my script isn't run with administrator privileges and if I choose to logon as the local administrator I get the following error : "Windows could not start the myservice service on Local Computer. Error 5: Access is denied" .

Can anybody help if it is possible to run the script with adminsitrator privileges ?

M.Brbr
  • 129
  • 2
  • 14
  • Workaround: if the script can be launched as a Scheduled Task, it's easy to use Administrator. https://superuser.com/questions/770420/schedule-a-task-with-admin-privileges-without-a-user-prompt-in-windows-7 – DrMoishe Pippik Jun 29 '18 at 16:44
  • I already tried to run it with a schedule task. The script is indeed launched with administrator privileges but for a reason I can not figure out, the command devcon.exe that I use in my script doesn't seem to benefit from these privileges and hence my script doesn't work properly... – M.Brbr Jul 02 '18 at 07:13

1 Answers1

0

If you are saying you are embedding the admin creds in your script. This is a very bad risk posture. There a few free tools to convert .ps1 to .exe, yet they are not true .exe, and can be easily reversed back to plain text. So, exposing any creds in the script/exe.

The suggested Schedule Task is the most prudent way to do this and you can just use the script. Set the ST with whatever creds you need, or set it to run with highest creds in the ST UI settings, which is protected via the built-in Windows DPAPI, so not reversible.

You can also put a check for admin in the script using the 'Requires' statement, to ensure that admin level is being used and you can set it to self elevate if it is not. However, the will still prompt someone to enter admin creds.

Then there is also PS JEA implementation you may want to consider.

Just Enough Administration: Windows PowerShell security controls help protect enterprise data

'msdn.microsoft.com/en-us/library/dn896648.aspx'

Leverage PowerShell Just Enough Administration for your Helpdesk

'blogs.technet.microsoft.com/datacentersecurity/2017/04/24/leverage-powershell-just-enough-administration-for-your-helpdesk'

Updated do to the request for clickable stuff.

https://msdn.microsoft.com/en-us/library/dn896648.aspx?f=255&MSPPError=-2147217396

https://blogs.technet.microsoft.com/datacentersecurity/2017/04/24/leverage-powershell-just-enough-administration-for-your-helpdesk

postanote
  • 4,589
  • 2
  • 7
  • 7
  • As a rule of thumb, hotlinks should not be trusted and by that rule I don't think it's prudent to do so. You have no idea where they could lead if you do not take the time to inspect them first. I never click on links without ever looking at their source, though many will, out of habit or being less than diligent about their own safety. This is how folks get infected. I've been hit by cases where, forums block your post, if you do this. I don't remember reading any rule on this forum that says, all links must be hot. – postanote Jun 30 '18 at 01:41
  • We are not a forum. – Ramhound Jun 30 '18 at 03:07