
I'm working on a project where I want to switch from a normal account to a non-logged in admin account from the command line, and the best I've managed is a psexec chain to get an NT AUTHORITY\SYSTEM shell, using tscon to switch to a logged-in admin account:

```
PsExec64.exe -u administrator -p xxxxxxx
PsExec64.exe -s tscon 3 /dest:console
```
  • Using one psexec doesn't work for some reason, as I get access denied when using -s right away

Is there a simple way to create a new session with a logged-in administrator account (for which I know the password) or at least open a new explorer.exe instance; if not possible, could someone explain why?

  • The best I got was 2s of an admin explorer.exe, then it restarts in the normal user

To clarify, what I want to do is a simple .exe / command line that locks me out of the current user and logs me in to the admin one without any other interaction. (This would then be used in conjunction with some other software to allow admin access under certain conditions)

@Cpt.Whale suggested an RDP to 127.0.0.2 which I've seen while doing some research, but he is right in that you can't have more than one active user (Just tested)

I can't really add much as to why I want this, but the end goal would be giving someone a token that allows them to then switch to admin without the admin password; the token would then be invalidated, giving access only once. I need to have the full desktop because the user given permission would have to start other programs and browse the filesystem as admin.

  • Are you looking to switch the entire `explorer.exe` shell to the admin account or just the [terminal](https://superuser.com/a/1560192/529800)? – JW0914 Sep 01 '21 at 13:15
  • I'm looking to switch the whole desktop to another user. I use switch loosely here because the account I want to switch to isn't logged in – TheStaticTurtle Sep 01 '21 at 13:17
  • The "normal" way is to lock the current session and log in as your other user. You could start this from a shell with `rundll32.exe user32.dll,LockWorkStation`. It sounds like you want something else, but maybe you can explain what steps you want to avoid/skip? – Cpt.Whale Sep 01 '21 at 14:21
  • Alternatively, you can start a local RDP session as `admin` (I think you have to `start-process mstsc.exe -credential $adminuser`, and connect to `127.0.0.2` due to an old baked-in limitation). Close the RDP process without logging out the user and you've got a session to find with tscon. It may require a Windows Server OS though (or Win10 Enterprise with RDS?) to support more than 1 active logon session. – Cpt.Whale Sep 01 '21 at 14:28
  • I saw your edit, can you add a bit more about what your goal is/what allowing admin access should look like? For example, if it's to run certain local software, you can address most user-specific issues by loading their registry hive before starting the process, e.g.: `Start-Process foo.exe -Credential $admin -LoadUserProfile`. There are a lot of good ways to delegate access to a specific user, but logging them into another user's session is (generally) at the bottom of the list. – Cpt.Whale Sep 01 '21 at 16:18
  • If it's a security thing, "temporary admin access" doesn't exist. When you give someone admin permissions, they have it **forever**. For example, there is nothing stopping them from using it to create their own admin user, or remove your restrictions, or change their own user's permissions. – Cpt.Whale Sep 02 '21 at 16:18
  • Some alternatives to try and be helpful: If you trust someone, but don't want them writing the password on a sticky note, use LAPS to automate updating the admin user's password. If you don't trust them, you can absolutely configure any software to not require elevated permissions to run. Or allow users to run *specific* programs as admin. If they need regular full admin access to something, then give them a separate space like a virtual machine. – Cpt.Whale Sep 02 '21 at 16:31
  • What you are saying is true, but most end-users of ours won't have the tech know-how to create a user. LAPS would be great if the computer was in a domain and I had remote access. The admin rights are needed to walk the user through an update procedure of said software, so a VM won't work, but thanks for your time and your ideas anyway – TheStaticTurtle Sep 02 '21 at 20:44

0 Answers