Re: Some Windows commands that need elevation norm...

markvm2 · ‎01-05-2014

Can somebody explain to me exactly how Invoke-VMScript execution of commands works? I have realized that some Windows commands like editing registry settings with "reg add" and others normally need to be run from an elevated command prompt. However, If I execute the same commands through Invoke-VMScript they seems to work just fine. Why is this? I am trying to figure out exactly what is going on here. I am executing the commands as a domain admin through Invoke-VMScript but if i login locally with the same user account the commands require elevation?

For example, netsh advfirewall commands and editing the registry with reg add require you to run from an elevated command prompt when logged in. Running these commands through Invoke-VMScript work fine without any UAC or permission issues?

markvm2 · ‎01-06-2014

I figured out what is going on here. This has to do with the UAC filtered tokens and running the commands when logged in locally vs remotely. Invoke-VMScript is looked at as a remote connection on the virtual machine and when you connect remotely to a Windows machine with a user that is in the local admin group, you are granted the admin token as described here http://www.teamshatter.com/topics/general/team-shatter-exclusive/connecting-remotely-with-administra...

I further tested this out by running that same commands through a remote powershell session to the target vm using a domain admin and I did not have any permissions or elevation problems. With a remote powershell session I am seeing the same behavior I am seeing with Invoke-VMScript.

Mystery solved

There are multiple ways to connect to a remote machine using Administrative privileges and avoid UAC filtering:

1. Connecting remotely as the local built-in Administrator account

2. Changing registry value “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy” to 1 to turn off UAC globally on the system

3. Using a non-domain local account that is in the Administrators group of the target computer, with UAC adjusted to “Never notify” (this can be done in the UI, or directly in the registry as explained in MSDN Library**) to prevent filtering for that user. The best practice is to create a dedicated local user group or account that will be used for connecting remotely.

4. By connecting remotely using the domain account, the UAC-based problems can be eliminated. In situations when the domain account is in the local Administrators group on the target machine, UAC allows all execution to be done under administrative token – not stopping the execution.

Filtered Token.
When a user with administrative rights, other powerful privileges, or a specific group membership logs on, the Windows operating system creates two access tokens that represent the user account. One has all the user’s group memberships and privileges, while the filtered token represents the user with the equivalent of standard user rights. A filtered token is used to run the user’s programs by default. An unfiltered token is associated only with elevated programs. An account that is a member of the Administrators group and gets a filtered token at logon is called a Protected Administrator account.
When an administrator logs on to a computer that is running Windows 7, Windows Vista, Windows Server 2008 R2, or Windows Server 2008, the user is assigned two separate access tokens. Access tokens, which contain a user's group membership and authorization and access control data, are used by the Windows operating system to control what resources and tasks the user can access.

UAC
Unlike earlier versions of Windows, when an administrator logs on to a computer running Windows 7, Windows Vista, Windows Server 2008 R2, or Windows Server 2008, the user’s full administrator access token is split into two access tokens: a full administrator access token and a standard user access token. During the logon process, authorization and access control components that identify an administrator are removed, resulting in a standard user access token. The standard user access token is then used to start the desktop, the Explorer.exe process. Because all applications inherit their access control data from the initial launch of the desktop, they all run as a standard user.

LucD · ‎01-07-2014

Thanks for finding this out, very useful !

Small question, don't you mean that anything submitted through Invoke-VMScript is considered a local session ?

Which makes sense, since it is submitted through the local VMware Tools

Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference

markvm2 · ‎01-07-2014

No, the behavior I am seeing indicates that Invoke-VMScript is considered a remote connection unless something else is going on.

I asked about this over at reddit and this was someones response:

"AFAIK (and I could be way off here if anyone more familiar with the code wants to chime in) the way it works is Invoke-VMScript will create a pipeline containing your credentials, commands you want to run, etc that's passed to the OS.

Invoke-VMScript requires Virtual Machine.Interaction.Console Interaction privileges AND host/vcenter credentials to run besides whatever guest credentials you're passing so while the commands are being executed on the VM the process that actually calls and passes those commands to the OS is coming from a remote source."

LucD · ‎01-07-2014

Can you post a link to the Reddit thread ?

Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference

markvm2 · ‎01-07-2014

Just the same question I asked here and I thought it was done locally through VMware tools as well - http://www.reddit.com/r/vmware/comments/1uiq4m/some_windows_commands_that_need_elevation/

markvm2 · ‎01-09-2014

Having problems with this again. I Was playing around tonight with Invoke-VMScript and just realized that it does not work if you specify the credentials with -GuestUser and GuestPassword. It only looks like a remote source if you do not specify the credentials? does that make any sense to anyone? The behavior is different if you specify the credentials vs not specifying them and letting the script use the credentials you are logged in with?

markvm2 · ‎01-18-2014

Anyone have any ideas on this?

markvm2 · ‎02-20-2014

Bump,

Anyone have any ideas?

esxi1979 · ‎05-18-2014

Hi All,

nvoke-VMScript -VM myvm -GuestUser 'local-account\name -GuestPassword 'paswd' -ScriptText "c:\Windows\system32\Shutdown.exe /f"

ScriptOutput

-------------------------------------------------------------------------------------------------------------------------------------------------------------------|

-------------------------------------------------------------------------------------------------------------------------------------------------------------------

The Vm does not shut down... and gives blank o/p

Anyone... what i am doing wrong ?

LucD · ‎05-18-2014

Are there any tasks running that are waiting for a confirmation ?

Even with the force option this seems to happen sometimes.

Did you try the command while in a session on the machine (with the same account) ?

Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference

All

Some Windows commands that need elevation normally do not with Invoke-VMScript?