1

I seem to have some issue with running elevated administration using PowerShell.

To be honest, I'm not that good with PowerShell.

So I'm running this script [powershell -command "Start-Process iexplore -Verb -RunAs"].

I understand that the PowerShell Start-Process cmdlet has the parameter -Credential.

But when I do Get-Help Start-Process, it doesn't explain this parameter, and Google didn't bring me anywhere close.

Running -RunAs at the end calls my local admin instead of my AD admin ID, this is fine.

I would like to know how to actually insert my User ID/Password in the PowerShell Start-Process line.

Running RunAs within Command Prompt isn't going well, but I do know it is easier there with "/User:[user] password".

2
  • You can't use -credential and -verb in the same start-process command. I'd use -credential (get-credential) or use an encrypted password to automate this: adminarsenal.com/blog/…. Keep in mind, -verb RunAs creates an admin token to get rid of a UAC dialog, but will run as the current user. -credential will run as the specified user, but won't suppress the UAC dialog.
    – SimonS
    Commented Mar 23, 2017 at 14:46
  • @SimonS - oh hey there.. thx! I was trying to figure out how to do it. So then how do I launch iexplore in Admin without using -Verb RunAs? Commented Mar 23, 2017 at 14:58

2 Answers

2

The -credential parameter is used like this:

-credential "ComputerNameOrIP\admin"

Examples:

-credential "192.168.1.1\admin"

-credential "SomeComputerName\SomeUsername"

In the case of domain accounts, just use the domain name instead of computer name and it works just the same.

If you use this correctly, when started, it will spawn a logon screen where you just have to type the password and click OK.

You can store the password in an external file and then use it in the script.

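# Prompt once and save the password as an encrypted string
Read-Host -AsSecureString | ConvertFrom-SecureString | Out-File C:\pass.txt

# Later, in the script: read the encrypted string back into a SecureString
$password = Get-Content C:\pass.txt | ConvertTo-SecureString

$credentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "UserName",$password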
12
  • 1
    Currently, after running my current script, the logon screen does pop up, and it is using my local admin. I do prefer using my local admin access as the application running requires local admin instead of my Domain admin. Would like to know how to save the password in the line, or maybe we have something like /SaveCred in cmd. Commented Mar 23, 2017 at 10:48
  • 1
    Added a way to use password to the answer.
    – Overmind
    Commented Mar 23, 2017 at 10:55
  • 1
    So I use the script above, save it as pass.txt? Asking the real question. heh. As I've seen this script via Google, but that's the problem, I have no idea how the -credential works. Now with this, I would like to ask, I save it as pass.txt as an example. Then in my script how do I add the -Credential? Is it [powershell -Command "Start-Process iexplore -Credential pass.txt -Verb -RunAs"] ? Commented Mar 23, 2017 at 11:02
  • 1
    Saving passwords in cleartext anywhere is one of the worst possible security practices anyone could possibly conceive of (if not the worst). Commented Mar 23, 2017 at 11:28
  • 1
    But of course, I can always put the path to my Synology NAS on an admin only folder. Commented Mar 23, 2017 at 11:50
0

The -Credential parameter can also be used with a System.Management.Automation.PSCredential object, and this is much more secure. Within PowerShell, you can create an object of this type with

$UserName = 'domainpart\userIdPart'
$SecureStringPassword = Get_Password $UserName
$Credential = New-Object System.Management.Automation.PSCredential($UserName,$SecureStringPassword)
Start-Process $SomeExe -Credential $Credential ... 

Then you must implement a function Get_Password to retrieve the password in some secure manner. Reading a clear-text password from a text file is NOT the way to go. As Zeitlin says above, it is perhaps the worst security practice one could conceive of - even worse than putting your password on a sticky on your screen.

Instead, store the password as an encrypted string in the .txt file as follows. First, get a password as input, encrypt it, and store the encrypted string:

function Global:Get_PasswordFileName($UserName)
{
    # -replace takes a regex, so the backslash has to be escaped
    $baseName = "encrypted_$UserName.txt" -replace '\\','_'
    "${env:LOCALAPPDATA}\$baseName"
}

# ConvertFrom-SecureString without -Key encrypts with DPAPI for the current user on this machine
$encryptedString = Read-Host -AsSecureString "Enter password for $UserName" | ConvertFrom-SecureString
$passwordFileName = Get_PasswordFileName $UserName
[System.IO.File]::WriteAllLines($passwordFileName, $encryptedString)

There are many ways to write the file, [System.IO.File]::WriteAllLines is just one, and Get_PasswordFileName can be tweaked to use any reasonable directory.

Then define Get_Password as

function Global:Get_Password($UserName)
{
    $passwordFileName = Get_PasswordFileName $Username
    $EncryptedString = Get-Content $passwordFileName
    ConvertTo-SecureString $EncryptedString
}
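
An end-to-end version of the approach in the answers above, added here as an example (it is not code from either answer): it stores the password DPAPI-encrypted, restricts the file to the current user, and passes the resulting PSCredential to Start-Process. The function names Save-EncryptedPassword and Get-StoredCredential, the account name, and the iexplore.exe path are assumptions.

```powershell
# Added example: account name, file location and executable path are assumptions.
$UserName     = 'SomeComputerName\SomeUsername'   # placeholder account
$SafeName     = $UserName -replace '\\', '_'      # -replace is regex: escape the backslash
$PasswordFile = Join-Path $env:LOCALAPPDATA "encrypted_$SafeName.txt"

function Save-EncryptedPassword {
    param([string]$Path, [string]$User)
    # Without -Key, ConvertFrom-SecureString protects the value with DPAPI:
    # only the same Windows user on the same machine can decrypt it.
    Read-Host -AsSecureString -Prompt "Enter password for $User" |
        ConvertFrom-SecureString |
        Set-Content -Path $Path
    # Drop inherited ACEs and grant read/write to the current user only.
    & icacls.exe $Path /inheritance:r /grant:r "${env:USERDOMAIN}\${env:USERNAME}:(R,W)" | Out-Null
}

function Get-StoredCredential {
    param([string]$Path, [string]$User)
    if (-not (Test-Path -Path $Path)) {
        throw "No stored password at $Path; run Save-EncryptedPassword first."
    }
    try {
        $secure = Get-Content -Path $Path | ConvertTo-SecureString -ErrorAction Stop
    } catch {
        throw "Cannot decrypt $Path (was it created by another user or on another machine?)"
    }
    New-Object System.Management.Automation.PSCredential($User, $secure)
}

if (-not (Test-Path -Path $PasswordFile)) {
    Save-EncryptedPassword -Path $PasswordFile -User $UserName
}
$Credential = Get-StoredCredential -Path $PasswordFile -User $UserName

# -Credential and -Verb belong to different parameter sets, so only one can be used per call.
# -WorkingDirectory avoids a failure when the target user cannot access the current directory.
$Exe = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'
Start-Process -FilePath $Exe -Credential $Credential -WorkingDirectory $env:SystemRoot
```

Because the file is bound to the user and machine that created it, copying it to a share or another host yields a file that cannot be decrypted there; any process running as the creating user on that machine can still recover the password.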
