Run a program as another user problem


Top 500 Contributor
Posts 13
the_fallen Posted: 04-02-2012 1:09 PM

First of all, I'm new to both PowerShell and here. I'm learning PowerShell as well (still at the very beginning.).

That said, I'd like to expose a problem.

I'm using Windows 7 Ultimate SP1 x86, and I have created a dedicated standard user account to run a tool from other standard user accounts.

At first, I tried to use Microsoft's own tool PsExec with a batch file, as follows:

@echo off

"C:\pathtopsexec\PsExec.exe" -d -e -u username -p password "C:\pathtodnscrypt\DNSCrypt.bat"

pause

What happened is that I get an error saying that it couldn't start the program because it couldn't login to the dedicated user account, either due to a wrong password or username. But, if I manually copy and paste that same command into an opened cmd line window, and press Enter, then it works and the program will start under those credentials.

Anyway, I decided that it would be best to have the credentials encrypted, so considering I'm not that great at scripting with PowerShell yet, I looked around and found a script that will allow me to set up an encrypted file with the credentials, and then I use the following command to start the program, using one of the script's commands that retrieves the credentials from the script file.

The command I entered in PowerShell (not in a script) is:

start-process "C:\pathtotool\dnscrypt-proxy.exe" -credential (.\PowerShellRunAs -get passwordfilename)

The problem is that, as with the batch file invoking PsExec, it also presents an error saying it couldn't start the dnscrypt-proxy.exe tool, again due to either a wrong user name or password.

But, if I enter:

start-process "C:\pathtotool\dnscrypt-proxy.exe" -credential

Then, I'll be presented with the credentials window, and after I enter the credentials, the tool will run as the other user. As it should.

So, why is it that in both scenarios (Batch file + PsExec and PowerShell first command), it fails to run the program as another user? The credentials are correct.

I truly can't figure out what's going on. I really would like to use the PowerShell script, because it will encrypt the credentials, but it also fails to run the program.

Any help would be welcome.

Thanks a lot!

P.S: I got your PowerShell videos from CBT Nuggets. I really like the way you teach!

Top 10 Contributor
Posts 640

So, can't help you with PSExec. I don't use it, and honestly never have, so I know little about it other than what it's supposed to do.

I'm also not familiar with the PowerShellRunAs script you've found. So I'm not certain that it's creating a valid Credential object to pass to the -credential parameter. 

The last command you presented, I would expect to work. With a blank -Credential parameter, PowerShell prompts, creates the credential object, and you're on your way. Regardless of whether you've provided the correct username and password to the second example, I'm not certain the PowerShellRunAs script is doing the right thing and producing a valid, and correct, credential object. I've got no way to test that in my end, but based on what you're seeing, I'm guessing it isn't.

You're actually getting a false sense of security anyway. The password in that file may be encrypted, but that script has to contain the decryption key. Anyone with 5 minutes of time on their hands could get at the clear-text password quite easily. You might look into a script packager instead; I believe PowerGUI contains one, as do PrimalScript and PrimalForms. They'll produce a packaged EXE which can run under alternate credentials, and they can use Windows APIs to elevate the process, which is a bit more reliable. PowerGUI, at least, is free.

But, don't think for a moment that the script you're using is actually doing much to protect your password. You put a password in a text file, and it's accessible, encrypted or no. After all, it has to be DE-crypted to be used, and if the script can decrypt it, so can anyone else.
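Added example, not part of the original thread or of the PowerShellRunAs script: the two ways ConvertFrom-SecureString can protect a saved password, showing why a key that has to sit next to the script protects nothing. The account name, password and key below are constructed sample values.

```powershell
# Constructed sample values; not a real account or password.
$user   = 'svc-dnscrypt'
$plain  = 'Constructed-Sample-1'
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

# Pattern 1: AES with a key that has to be stored where the script can read it.
$key      = [byte[]](1..32)          # 256-bit key, constructed for the example
$keyedTxt = ConvertFrom-SecureString -SecureString $secure -Key $key

# Whoever can read the script (the key) and the file (the blob) repeats
# exactly what the script does and gets the clear text back.
$fromKey = ConvertTo-SecureString -String $keyedTxt -Key $key
$credKey = New-Object System.Management.Automation.PSCredential ($user, $fromKey)
$keyedRecoverable = $credKey.GetNetworkCredential().Password -ceq $plain

# Pattern 2: no -Key. On Windows the blob is protected with DPAPI, so it is
# tied to the account (and machine) that created it; no key lives in the script.
$dpapiTxt  = ConvertFrom-SecureString -SecureString $secure
$fromDpapi = ConvertTo-SecureString -String $dpapiTxt
$credDpapi = New-Object System.Management.Automation.PSCredential ($user, $fromDpapi)
$dpapiRecoverable = $credDpapi.GetNetworkCredential().Password -ceq $plain

# Both blobs decrypt for the account that made them; only the first one
# also decrypts for any other account that can read the script and file.
[pscustomobject]@{
    KeyInScript_ReadableWithScriptAndFile = $keyedRecoverable
    Dpapi_ReadableBySameAccount           = $dpapiRecoverable
}
```

The DPAPI form removes the key from the script, but every account that is able to decrypt the file can still read the password. A different account running the second ConvertTo-SecureString call gets an error instead of the password, so each launching account would need its own blob.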

Top 500 Contributor
Posts 13

Hello Don,

Thanks for being really fast on your reply. :)

I'll start with the security issue regarding the password. For now, I'm not that worried about it, and simply because I'm only experimenting for now; I suppose having the password encrypted, is just in case I happen to open the file and someone is behind me, without realizing it. This way, they don't get to see the actual password. Besides that, I'm the only user of this system. No one else has access to it.

I do appreciate your feedback, though. I actually had intentions of packaging the script at a later moment, when having everything working.

Regarding the PowerShellRunAs script, I got it from Microsoft Script Gallery. I forgot to mention it previously. Here is the link: http://gallery.technet.microsoft.com/scriptcenter/PowerShell-function-to-3e9766e3

At this point, I don't have enough knowledge to verify whether or not the script is functioning as it should be, but I find it odd that I get the exact same error message that I get with PsExec. Unless it's just a coincidence.

But, to figure it out, I actually created a very basic script on my own, and made it like this:

$username = "username"

$password = "password"

$credentials = New-Object System.Management.Automation.PSCredential -ArgumentList @($username,(ConvertTo-SecureString -String $password -AsPlainText -Force))

Start-Process "C:\Program Files\DNSCrypt\dnscrypt-proxy.exe" -Credential ($credentials)

Then, when I run it, I get exactly the same error I get with both PsExec and my other "script" that also used PowerShellRunAs as a basis.

In this script I did, I actually mentioned the username and the actual password; so, it had to get the data, right? If so, why does it fail to run the program?

I get a message like (I'm not on an English system, so I apologize if it's not 100% accurate.):

Start-Process : This command cannot be executed due to the error: Session logon failed - unknown username or wrong password.

What could possibly be wrong in the above script, for this error message to appear? I already downloaded PowerGUI, by the way. Would packaging this script with it, actually make it work? For sure I'll try it, but I'm really intrigued about why this happens.

Thanks

Top 10 Contributor
Posts 640

Without sitting in front of your computer and doing some detailed troubleshooting, I can't guess as to what the problem is. Somehow, the credential object isn't being created and/or passed properly. Beyond that, I can't tell you - sorry.

Top 500 Contributor
Posts 13

I may have evolved a little bit... or not, at all. I don't know. But, I realized that the user account, from where I want to run the program, has a character in the password, to which PowerShell attributes a special meaning, so I added the escape ` character to the $password variable. This was the first mistake, I suppose. It's actually embarrassing.

I also exchanged Start-Process "C:\Program Files\DNSCrypt\dnscrypt-proxy.exe" -Credential ($credentials) with Invoke-Command ScriptBlock {"C:\Program Files\DNSCrypt\dnscrypt-proxy.exe"} -Credential ($credentials) -ComputerName Localhost

After doing that and running the script from within powershell.exe, I get an error due to WinRM. I made sure the service was enabled, and it wasn't. I totally forgot about it, actually. I reenabled it, and I get a new error. I checked Event Viewer, and under Windows Remote Management I can see an error code 2150858770. This error code differs from the previous one.

I can't afford to look into it now. But I will do so tomorrow. But I'd say this is progress. Well, I want to believe it is, anyway. lol

Cheers

Top 500 Contributor
Posts 13

I got it working!

This is what the script looks like now:

$username = "username"

$password = "password"

$credentials = New-Object System.Management.Automation.PSCredential -ArgumentList @($username,(ConvertTo-SecureString -String $password -AsPlainText -Force))

Start-Process dnscrypt-proxy.exe -WorkingDirectory path_here -Credential ($credentials)

The Invoke-Command wasn't the solution. That would make use of WinRM. I got a very strictly secured system, with many services disabled and firewall rules disabled as well for this kind of thing. Most likely, that's why the script using Invoke-Command was failing.

Anyway, it's working now. That's all I wanted. Now, I'm going to package the script. I also managed to get what I wanted working without PowerShell as well.

I still couldn't make PsExec work, though. I believe it's due to the password as well. I've tried escaping the same character in the batch file, but nothing worked. No big loss. PowerShell is the future. lol

This ended up being a great way to do my first script. lol

Thank you for your time Don. :)
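Added example, not part of the thread: how a password containing characters that PowerShell treats specially changes between double and single quotes, which is the mistake described in the posts above. The password, the $ky name inside it and the helper Find-ExpandableChar are constructed for illustration.

```powershell
# Reports the characters that PowerShell reinterprets inside a
# double-quoted string (hypothetical helper, written for this example).
function Find-ExpandableChar {
    param([Parameter(Mandatory)][string]$Text)
    $special = @{
        '$' = 'starts variable or subexpression expansion'
        '`' = 'escape character'
        '"' = 'ends the string'
    }
    for ($i = 0; $i -lt $Text.Length; $i++) {
        $c = [string]$Text[$i]
        if ($special.ContainsKey($c)) {
            [pscustomobject]@{ Index = $i; Char = $c; Meaning = $special[$c] }
        }
    }
}

# Constructed sample password with a dollar sign and a backtick in it.
$literal  = 'Blue$ky`n42'      # single quotes: stored exactly as typed
$expanded = "Blue$ky`n42"      # double quotes: $ky is expanded, `n becomes a newline
$escaped  = "Blue`$ky``n42"    # double quotes with each special character escaped

Find-ExpandableChar -Text $literal | Format-Table -AutoSize

# Compare what PowerShell actually stored for each form of the literal.
[pscustomobject]@{
    LiteralLength        = $literal.Length
    ExpandedLength       = $expanded.Length
    ExpandedMatchesTyped = $expanded -ceq $literal
    EscapedMatchesTyped  = $escaped -ceq $literal
}

# Build the credential from the single-quoted literal, then confirm the
# object carries the same string that was typed.
$secure      = ConvertTo-SecureString -String $literal -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential ('username', $secure)
$credentials.GetNetworkCredential().Password -ceq $literal
```

A credential built from the expanded string is a valid object holding the wrong password, which is consistent with the logon failure quoted earlier in the thread.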

Copyright 2012 PowerShell.com. All rights reserved.