19 Replies Latest reply on Sep 5, 2019 10:40 AM by cbaptiste

    Privilege Elevation

    cbaptiste Enthusiast

      Hey guys,

       

      I am trying to use argument-based Privilege Elevation but I cannot get it to work. I don't see why. A little help, please.

       

      Executable: %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe

      Argument: -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File "\\isilon1.corp.nychhc.org\uemshare$\general\FlexRepository\Scripts\Disable_VMware_Virtual_Mic.ps1"

       

      For now I am creating a shortcut in the Start Menu Startup folder to execute it. The plan is to execute it as a RunOnce through regedit.

       

      Target: %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe

      Argument: -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -File "\\isilon1.corp.nychhc.org\uemshare$\general\FlexRepository\Scripts\Disable_VMware_Virtual_Mic.ps1"

      Start in: %SystemRoot%\system32\WindowsPowerShell\v1.0\

       

       

      One-liner script

      $Device = Get-PnpDevice -FriendlyName "VMware Virtual Microphone" | Disable-PnpDevice -Confirm:$false

       

      What am I doing wrong?

        • 1. Re: Privilege Elevation
          DEMdev Master
          VMware Employees

          Hi cbaptiste,

           

          I performed some experiments, and it looks as if PowerShell itself gets launched correctly with elevation (for instance, I can create a sub key under HKLM\SOFTWARE), but Disable-PnpDevice is failing. That cmdlet seems to be using WMI, and I guess UEM's privilege elevation (temporarily making the user a member of the built-in admins group in a just-in-time fashion) is not sufficient to get WMI to pick up the elevation.

           

          We'll look into this a bit further, but in the meantime: would it be an option to try with Microsoft's DevCon.exe tool? In my tests I was able to disable a device by using UEM argument-based elevation for path\devcon.exe disable mytestdevice.

          • 2. Re: Privilege Elevation
            cbaptiste Enthusiast

            I have been learning powershell this year so whenever I get a chance I try my best to use it. When this came up I looked at devcon.exe and said "let me figure out how to do this with powershell."
            Little did I know I could have saved a whole day of trying.
            I am going to use it instead. Thank you.

            Let me know if you figure the powershell out. I will keep trying on my end as well. Never know when the lesson learned today may help a great deal tomorrow. I checked "Also elevate child processes" but that didn't seem to help.

            • 3. Re: Privilege Elevation
              DEMdev Master
              VMware Employees

              Hi cbaptiste,

               

              Well, I definitely learned a bit about both PowerShell and DevCon today.

               

              I hope the DevCon workaround does the trick for you now, and hopefully we get "WMI elevation" to work at some point in the future.

              • 4. Re: Privilege Elevation
                cbaptiste Enthusiast

                I am actually fighting with it. I cannot get it to work the way I expect.


                Executable: %SystemRoot%\system32\devcon.exe
                Argument: Disable '*vmwvaudioin

                I create a RunOnce registry key:

                 

                [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

                "DisableVMwareVirtualMic"="%SystemRoot%\\system32\\devcon.exe Disable '*vmwvaudioin"

                 

                Nada. Not sure what I am missing here. When I execute %SystemRoot%\\system32\\devcon.exe Disable '*vmwvaudioin from a command prompt in regular user context it says it disables the device, but it actually does not.

                • 5. Re: Privilege Elevation
                  DEMdev Master
                  VMware Employees

                  Hi cbaptiste,

                   

                  Sorry to hear that.

                   

                  When you log off, do you see something like

                   

                  2019-08-30 15:24:45.369 [INFO ] Privilege elevation statistics:

                  2019-08-30 15:24:45.369 [INFO ]    Elevated C:\Windows\System32\devcon.exe 2 times (path-based)

                   

                  in your log file?

                  • 6. Re: Privilege Elevation
                    cbaptiste Enthusiast

                    Well, I am not doing path-based, I am doing argument-based, because I don't want potential use of the tool for any other reason but this use case, so my log shows

                     

                    2019-08-30 12:57:46.883 [INFO ] Privilege elevation statistics:

                    2019-08-30 12:57:46.883 [INFO ]    Elevated C:\Windows\System32\devcon.exe 1 time (argument-based).

                    • 7. Re: Privilege Elevation
                      cbaptiste Enthusiast

                      Thanks for helping me with this by the way

                      • 8. Re: Privilege Elevation
                        DEMdev Master
                        VMware Employees

                        Hi cbaptiste,

                         

                        I just tried with the following argument-based privilege elevation config:

                         

                        That seems to do the trick for me (I don't have that vmwvaudioin device to test with, unfortunately):

                         

                        Without elevation, I get

                        so it seems to make a difference.

                         

                         

                        Maybe we should just go back to the basics first: does path-based elevation of regedit.exe work for you? If a non-admin user launches regedit.exe, can they create a key under HKLM\SOFTWARE?

                        • 9. Re: Privilege Elevation
                          cbaptiste Enthusiast

                          I am going to give that a shot again. The device is installed with Horizon View.

                          • 10. Re: Privilege Elevation
                            cbaptiste Enthusiast

                            The only difference I see here is that when you are not using the elevated mode, the returned message says it cannot find the device, whereas for me it returns the message "disabled" regardless of the mode I am in. Obviously neither of them disables it.

                            • 11. Re: Privilege Elevation
                              cbaptiste Enthusiast

                              Okay, for my sanity's sake: can you execute that line you have working and validate in Device Manager that the device is indeed disabled? Because I am receiving the "disabled" message as well, except the device is not really disabled.

                              • 12. Re: Privilege Elevation
                                DEMdev Master
                                VMware Employees

                                Hi cbaptiste,

                                 

                                I reinstalled the Horizon agent on my test VM to include the virtual audio devices, and I can confirm your findings that DevCon does not seem to be able to disable them when elevated through UEM.

                                 

                                We'll continue to look into this (both the PowerShell/WMI-based approach and DevCon.exe), but for now I don't have any suggestions, I'm afraid.

                                • 13. Re: Privilege Elevation
                                  cbaptiste Enthusiast

                                  Okay. Well I am glad I am not crazy. In the meantime I scripted something in powershell to do the work. Seems to be working. Crossing my fingers.

                                   

                                  I created a function that checks for active sessions on the VM. Since this is a non-persistent VM, there can only be one. I then take that username and check it against a domain group membership to see if the user is a member. If it returns true, I disable the device. The script is running as System from Task Scheduler. Long weekend, so I will not be able to thoroughly test it until Tuesday, but with the limited access I have it appears to be working. I have hope again lol
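A sketch of the workaround cbaptiste describes, added here as an example and not the script from the thread: it assumes the task runs as SYSTEM on a domain-joined VM, the group DN is a placeholder, and the device name is the one from the original post. It also re-reads the device after disabling it, since the thread shows DevCon reporting "disabled" while the device stayed enabled.

```powershell
# Added example, not cbaptiste's script: runs as SYSTEM from Task Scheduler on a
# non-persistent VM, finds the one interactive user, checks (nested) membership of
# an AD group and only then disables the VMware Virtual Microphone.
# The group DN below is a placeholder; the device name is from the thread.
param(
    [string]$GroupDN    = 'CN=VDI-NoMicrophone,OU=Groups,DC=example,DC=com',
    [string]$DeviceName = 'VMware Virtual Microphone'
)

function Get-InteractiveUser {
    # Console user in DOMAIN\user form; empty when nobody is logged on.
    return (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
}

function Test-UserInGroup {
    param([string]$DomainUser, [string]$GroupDN)
    $sam = $DomainUser.Split('\')[-1]
    # LDAP_MATCHING_RULE_IN_CHAIN walks nested groups; the query runs under the
    # computer account because the task itself runs as SYSTEM.
    $filter = "(&(objectCategory=user)(sAMAccountName=$sam)" +
              "(memberOf:1.2.840.113556.1.4.1941:=$GroupDN))"
    $searcher = [ADSISearcher]$filter
    return ($null -ne $searcher.FindOne())
}

function Disable-DeviceIfPresent {
    param([string]$FriendlyName)
    $dev = Get-PnpDevice -FriendlyName $FriendlyName -ErrorAction SilentlyContinue |
           Select-Object -First 1
    if (-not $dev) { return "Device '$FriendlyName' not present" }
    # ConfigManagerErrorCode 22 = CM_PROB_DISABLED, i.e. already disabled.
    if ($dev.ConfigManagerErrorCode -eq 22) { return "$FriendlyName already disabled" }
    $dev | Disable-PnpDevice -Confirm:$false -ErrorAction Stop
    # Verify by re-reading the device rather than trusting the cmdlet's silence.
    $after = Get-PnpDevice -InstanceId $dev.InstanceId
    if ($after.ConfigManagerErrorCode -ne 22) { throw "$FriendlyName still enabled" }
    return "$FriendlyName disabled"
}

$user = Get-InteractiveUser
if (-not $user) { Write-Output 'No interactive session; nothing to do'; exit 0 }
if (Test-UserInGroup -DomainUser $user -GroupDN $GroupDN) {
    Write-Output (Disable-DeviceIfPresent -FriendlyName $DeviceName)
} else {
    Write-Output "$user is not in the target group; device left enabled"
}
```

Because the task runs as SYSTEM rather than through UEM's just-in-time group membership, the CIM/WMI calls behind Disable-PnpDevice see a genuinely privileged token, which is the point of the workaround.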

                                  • 14. Re: Privilege Elevation
                                    DEMdev Master
                                    VMware Employees

                                    Hi cbaptiste,

                                     

                                    That sounds like a viable workaround; glad to hear it! And apologies for making you have to find one...
