4 Replies Latest reply on Oct 15, 2020 8:37 AM by SBaldridge

    DEM - Privilege Elevation & Elevated Tasks

    SBaldridge Enthusiast

      I am trying to use DEM (v2006) to write to the HKLM and HKU hives when a user logs on.  I've created an Elevated Task like this:

       

      >Executable:  C:\Windows\System32\cmd.exe

      >Arguments:  /c REG ADD "HKLM\path to the key" /t REG_SZ /v NewValue /d 2 /f

      >I checked the Run Async check box.

       

      There is a logon task to run the elevated task which should run after profile import, run asynchronously.  I've tried putting quotes around the registry path and it doesn't help.

       

      Problem - it does not fire and I see this logged:

       

      [ERROR] Invalid settings for privilege elevation (TheTask.xml')

      [DEBUG] Skipping disabled DEM privilege elevation setting ('TheTask.xml')

      [INFO ] No privilege elevation settings applied

       

      I have verified that Privilege Elevation is enabled in the Global Settings section in DEM.  I need some ideas on where to check and troubleshoot.  I followed this article to the letter and I just can't get it to work.  https://www.vjal.nl/dynamic-environment-manager/using-the-new-elevated-task-feature-in-dem-to-manage-registry-keys-in-hk…

        • 1. Re: DEM - Privilege Elevation & Elevated Tasks
          DEMdev Master
          VMware Employees

          Hi SBaldridge,

           

          If that happens with DEM agent 2006 (10.0), that's quite strange... Can you provide the XML config file for that elevated task, either in the forum or via direct message?

          • 2. Re: DEM - Privilege Elevation & Elevated Tasks
            SBaldridge Enthusiast

            Here is the XML:

             

            <?xml version="1.0" encoding="utf-8"?><userEnvironmentSettings><setting type="privilegeElevation" elevate="C:\Windows\System32\cmd.exe*/c REG ADD HKU\.DEFAULT\Control Panel\Keyboard /t REG_SZ /v InitialKeyboardIndicatorsTEST /d 2 /f" elevationType="et" subType="elevatedtasks" async="1" /></userEnvironmentSettings>

            • 3. Re: DEM - Privilege Elevation & Elevated Tasks
              DEMdev Master
              VMware Employees

              Hi SBaldridge,

               

              I just tested with your XML, and there are a few issues:

              • You need to put quotes around HKU\.DEFAULT\Control Panel\Keyboard, due to that space between Control and Panel. Without those quotes, REG.exe will fail.
              • You configured cmd.exe as the executable to elevate, but did not check Also elevate child processes, so even with those quotes it would not work as REG.exe (cmd.exe's child process) wouldn't be elevated...
                There's actually no need for the cmd.exe /C approach here (that's only required when you want to run commands that are built into cmd.exe), so I would use something like this instead:
              • Not related to DEM itself, but I'm wondering whether changing anything in HKU\.DEFAULT serves a purpose after logon? The user's profile will already have been created from the default profile at that time.

               

              However... The error messages you quoted point to some issue in parsing the config file, but the XML was actually perfectly fine from a syntax perspective. Just to make sure, can you double-check that the DEM agent is indeed version 2006 (10.0)?
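A lint for the two config issues named in reply 3, as an added example that is not from the thread or from VMware: it reads an elevated-task XML file and flags a `cmd.exe /c` wrapper and a `REG ADD` key path split by an unquoted space. The `executable*arguments` layout of the `elevate` attribute is inferred from the file posted in reply 2; `FIXED_XML` and the finding names are constructed for illustration.

```python
import shlex
import xml.etree.ElementTree as ET

# The config exactly as posted in reply 2 of the thread.
POSTED_XML = r'''<?xml version="1.0" encoding="utf-8"?><userEnvironmentSettings><setting type="privilegeElevation" elevate="C:\Windows\System32\cmd.exe*/c REG ADD HKU\.DEFAULT\Control Panel\Keyboard /t REG_SZ /v InitialKeyboardIndicatorsTEST /d 2 /f" elevationType="et" subType="elevatedtasks" async="1" /></userEnvironmentSettings>'''

# Constructed variant (assumption, not taken from the thread): reg.exe is
# elevated directly and the key path is quoted.
FIXED_XML = r'''<?xml version="1.0" encoding="utf-8"?><userEnvironmentSettings><setting type="privilegeElevation" elevate="C:\Windows\System32\reg.exe*ADD &quot;HKU\.DEFAULT\Control Panel\Keyboard&quot; /t REG_SZ /v InitialKeyboardIndicatorsTEST /d 2 /f" elevationType="et" subType="elevatedtasks" async="1" /></userEnvironmentSettings>'''


def lint_elevated_tasks(xml_text):
    """Return finding codes for every privilegeElevation setting in xml_text."""
    findings = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    for setting in root.iter("setting"):
        if setting.get("type") != "privilegeElevation":
            continue
        # Assumption from the posted file: "<executable>*<arguments>".
        exe, _, args = setting.get("elevate", "").partition("*")
        exe = exe.lower()
        try:
            # posix=False keeps backslashes literal and quoted strings whole.
            tokens = shlex.split(args, posix=False)
        except ValueError:
            findings.append("unbalanced-quotes")
            continue
        if exe.endswith("\\cmd.exe") and tokens and tokens[0].lower() == "/c":
            # Only cmd.exe is elevated; the real work happens in a child
            # process, which needs "Also elevate child processes".
            findings.append("cmd-wrapper")
            tokens = tokens[1:]
            if tokens and tokens[0].lower() in ("reg", "reg.exe"):
                tokens = tokens[1:]
            else:
                continue
        elif not exe.endswith("\\reg.exe"):
            continue
        # REG ADD <KeyName> /switch ...: a non-switch token right after the
        # key name means an unquoted space split the key path.
        if (len(tokens) >= 3 and tokens[0].lower() == "add"
                and not tokens[2].startswith("/")):
            findings.append("unquoted-key")
    return findings
```

Elevating `reg.exe` with fixed arguments also keeps the elevated surface narrower than elevating `cmd.exe` together with its child processes.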

              • 4. Re: DEM - Privilege Elevation & Elevated Tasks
                SBaldridge Enthusiast

                Thank you for the answer and tips.  Elevating child processes was my issue on the test pool I was using.  As you mentioned, I was writing to HKU as a test; I don't think it would have any effect.

                 

                I appreciate your time.  As it turns out in my prod pool, my DEM agent was not v10 as I thought, so that also answers my question.