Solved

How to run a VBScript as Administrator on Windows 7

Posted on 2011-05-05
Last Modified: 2012-05-11
Hi,

I need to change the Network Provider Order on Windows 7 Computers via a VBScript that is in our Novell Login Script but it fails as the VBScript executes with insufficient rights on Windows 7.

I've got the VBScript, it works perfectly on Windows XP Computers but when executing the script on Windows 7 (even with UAC set to its lowest) it returns a VBScript error 80070005 which is "Access Denied" because the VBScript runs with insufficient rights.

The Windows 7 Computers are not currently on Active Directory, so a GPO is not an option, they are part of a workgroup. The Network O/S is currently Novell NetWare 6.5 so I will run the VBScript from the Novell Login Script.

Things I've come across on GOOGLE but could not get to work are to use a so-called "RunAsHighest fix" (not sure how to use it...), using the "runas" command in DOS (but this prompts the user for the password, defeating the object)

I do have the local Administrator passwords of the PCs if this might help in any way...

How does one make a VBScript (first prize) or even a batch file to silently modify the registry (second prize) run on Windows 7 with sufficient rights and also without prompting the users with any messages (UAC is currently set to its lowest on all the Win 7 PCs).

Thanks,
Reinhard.
0
Comment
Question by:ReinhardRensburg
27 Comments
 
LVL 31

Expert Comment

by:merowinger
ID: 35697030
start a cmd box with admin privileges then type in:
cscript.exe yourscript.vbs
0
 

Author Comment

by:ReinhardRensburg
ID: 35697227
Hi merowinger,

Thank you for your comment.

What I need to figure out is what to use (either inside the VBScript or in a batch file) to tell the script to "Run as Administrator" but doing so via a Login Script and not sitting in front of the PC.

The reason is that there are about 50 PCs that need to run this script (to re-arrange the Network Provider Order) so we want to avoid going to each PC and doing it manually.

What I've also determined now is that a lot of the PCs' Administrator accounts are still disabled (as this is the default for Windows 7) so I need to somehow achieve this by running the VBScript from a Login Script but logged in as the user that logs into the PC (who is a member of the Administrators group but not the "Administrator" user).

So it comes back again to: How does one run a VBScript "as Administrator" or give it enough rights at time of execution that it can change the registry.

Thanks,
Reinhard
0
 
LVL 31

Expert Comment

by:merowinger
ID: 35697251
The only thing is to prompt for user elevation. See here:
http://www.winhelponline.com/articles/185/1/VBScripts-and-UAC-elevation.html

With this method the user will be prompted.
If there shall not be a user prompt you have to reconfigure your UAC settings on the client/domain
0
 
LVL 31

Expert Comment

by:merowinger
ID: 35697257
That sounds like this is a machine configuration which you want to configure, so why don't you use a domain startup script which runs as Local System?!
0
 

Author Comment

by:ReinhardRensburg
ID: 35697291
Hi merowinger,

The Computers are not part of a Domain, so how would one get a domain startup script to run on them? Secondly, how would one make a script run as "Local System" ?

Thanks,
Reinhard.
0
 
LVL 31

Expert Comment

by:merowinger
ID: 35697389
Then use the local startup script.
Start -> Run -> gpedit.msc -> Comp. Configuration -> Scripts

But that does not make much sense because during the time where you configure the startup script on each client you could also do your network config :)

How do you run a LogonScript if the Machines are not part of the domain?!
0
 

Author Comment

by:ReinhardRensburg
ID: 35697454
Although the Computers are not part of an Active Directory domain and "stand alone" (part of a Work Group) we run the Novell NetWare 6.5 as network operating system, so all the PCs have the Novell NetWare client loaded and upon Windows Login they login to Novell as well and Novell then executes the Novell Login Script.

With a Novell Login script one can map drives, execute batch files and execute VBScripts.

I am executing the VBScript on all the Windows XP Computers via the Novell Login Script, it runs because Windows XP has no UAC and just lets the VBScript run without asking questions.

Windows 7 on the other hand starts the VBScript from the Novell Login Script but it refuses the VBScript to make changes to the registry due to the VBScript not running elevated (in other words insufficient rights, access denied to make changes to the registry).

I need a way to execute a VBScript on a Windows 7 PC as Administrator (elevated command prompt)...

Thanks,
Reinhard.
0
 
LVL 16

Assisted Solution

by:ThinkPaper
ThinkPaper earned 400 total points
ID: 35697460
You are trying to run a startup script on workgroup computers? How were you able to do this with the XP boxes? Does it HAVE to run as startup script?

The only thing I can think of trying to do is using something like PsExec with the local admin credentials to execute the script. But again, I don't know how well that will work with Windows 7.
0
 

Author Comment

by:ReinhardRensburg
ID: 35697480
Hi ThinkPaper,

The script executes via our Novell Login Script, the PCs are all part of a Novell Network (they run Windows XP / Windows 7 on the workstations, but on top of that a Novell NetWare client is loaded).

So when they login it also logs into Novell and Novell then executes a Login Script, in this way I can make things execute at login (on both XP and Win 7) but I need it to "Run as Administrator" at time of execution so that Windows 7 allows the .bat or .vbs to make the changes to the registry.

Thanks,
Reinhard
0
 
LVL 31

Expert Comment

by:merowinger
ID: 35697711
Does Novell have an option to run something in admin mode?
Do you have a client mgmt solution like sccm?
I agree with ThinkPaper the only option then is to use something like psexec.exe
0
 

Author Comment

by:ReinhardRensburg
ID: 35697744
Hi Merowinger,

Novell itself does not have an option to run stuff in "admin mode", it is simply a client loaded on a PC so that it can talk to a Novell Server and execute a Novell Logon script (to map drives, execute batch files etc.) but the Novell part itself does not have any "rights" on the PC, it merely launches the files as the current logged on user.

For what it's worth: I've picked up from articles that I read that because I am trying to modify the HKey Local Machine Registry Hive I need the VB Script to launch in a Startup script and not a logon script or somehow to allow the non-manifested or unsigned code in my VB Script to run with a full administrative access token (elevated) but this seems to be a problem as it will either prompt the user to click "allow" or it will try and bypass UAC and then fail with "Access Denied" error.

I am not sure if one could perhaps use the Novell Login Script to copy a batch file (or my VBScript file) to the correct place on the Win 7 PC so that it will run as a startup script the next time the PC starts up, but then again I would then have to somehow edit the local Group Policy to tell it to run that startup script and I am going to guess that I would also need some form of Admin rights to do this from a Logon Script... :)

Thanks for any more ideas.

Regards,
Reinhard.
0
 
LVL 31

Assisted Solution

by:merowinger
merowinger earned 400 total points
ID: 35698382
I don't see any option except of running commands from remote with psexec.exe
0
 
LVL 3

Expert Comment

by:Frank_Alphaserveit
ID: 35698587
you can run the vb script in an elevated script host:

runas /profile /user:domain\username:password "cscript.exe \\server\netlogon\script.vbs"
0
 

Author Comment

by:ReinhardRensburg
ID: 35704054
Hi Frank Alphaserveit,

Does your suggestion (run vb script in an elevated script host) require the PCs to be on a Domain?

As mentioned those PCs are not on a domain, they are part of a workgroup and have the Novell Client loaded and log into a NetWare 6.5 Server (which can run a Logon Script at Login but not a startup script), then most of the PCs' Administrator accounts are still disabled because they are disabled by default on Win 7 and the LAN Admin at that site left them disabled.

I've tested something with the VBScript on my own Win7 PC and would like to ask advice on the following:

When I set my UAC to its lowest (same as the PCs I need to run the VBScript in) it allows me to open an elevated command prompt (cmd.exe) and does not prompt me to allow/disallow and this still works even though my local Administrator account is disabled. So what I gather from this is that an elevated command prompt can be opened (without being prompted) provided that UAC is set to its lowest and the local Administrator account on the PC can even be disabled at the time.

Now all that I need to know is how does one tell Windows to open an elevated command prompt from a batch file (i.e.: to open it manually one would right-click Command Prompt and choose "run as administrator" or one could Ctrl+Shift+Doubleclick the cmd.exe and it opens an elevated command prompt) - there must be a DOS Command or switches one could add to a line in a batch file that runs cmd.exe elevated.

If I can achieve this then I can run the VBScript from that elevated command prompt and it won't ask the user to allow it, it just runs (I tested it on my PC, if the VBScript is run from the elevated command prompt it just executes and successfully writes to the HKey Local Machine Registry Hive).

Thank you.

Reinhard.
0
 
LVL 3

Expert Comment

by:Frank_Alphaserveit
ID: 35704433
the script should still work if you replace "domain" with the machine name (eg. LAP01\administrator).  The definition of an elevated command prompt is "technically" a command prompt "run as an administrator" so that should work.
0
 

Author Comment

by:ReinhardRensburg
ID: 35704489
Hi Frank,

That sounds exactly like what I need to do! :)

I take it that if the Administrator account is still disabled on the PC where this is tried it won't work, so we would have to enable all the Administrator accounts on the Win7 PCs?

There's one thing that still confuses me. On my PC: even though my Administrator Account is disabled I can still right-click "Command Prompt" and choose "Run as Administrator" - what I gather from that is that it does not run it as the .\Administrator account as such but it just runs an elevated command prompt which is different than running it as the .\Administrator account (it must be because that account is disabled so it can't be using it).

So is there no way to "run cmd.exe in elevated mode" from a batch file or VBScript without having an enabled Administrator account (like I do manually on my PC with my Administrator account disabled) ?

Thanks,
Reinhard.
0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 35707524
No, actually it does run with admin context. When you right click cmd.exe and select "Run as Administrator" you're just granting a higher privilege token to the process. When you run a program remotely it automatically sets a restricted token for the process, so it needs to be 1.) already locally on the computer 2.) Either run by "runas" or accessing the token prior to execution and raising its privileges to a 500 set.

Having said that you will need a vbscript like so.

[code]
'VBRUNAS.VBS
'v1.3 March 2003
'Jeffery Hicks
'jhicks@jdhitsolutions.com      http://www.jdhitsolutions.com
'USAGE:  cscript|wscript VBRUNAS.VBS Username Password Command
'DESC: A RUNAS replacement to take password at a command prompt.
'NOTES: This is meant to be used for local access.  If you want to run a command
'across the network as another user, you must add the /NETONLY switch to the RUNAS
'command.

'      *********************************************************************************
'      * THIS PROGRAM IS OFFERED AS IS AND MAY BE FREELY MODIFIED OR ALTERED AS        *
'      * NECESSARY TO MEET YOUR NEEDS.  THE AUTHOR MAKES NO GUARANTEES OR WARRANTIES,  *
'      * EXPRESS, IMPLIED OR OF ANY OTHER KIND TO THIS CODE OR ANY USER MODIFICATIONS. *
'      * DO NOT USE IN A PRODUCTION ENVIRONMENT UNTIL YOU HAVE TESTED IN A SECURED LAB *
'      * ENVIRONMENT. USE AT YOUR OWN RISK.                                            *
'      *********************************************************************************

On Error Resume Next
dim WshShell,oArgs,FSO

set oArgs=wscript.Arguments

 if InStr(oArgs(0),"?")<>0 then
   wscript.echo VBCRLF & "? HELP ?" & VBCRLF
   Usage
 end if

 if oArgs.Count <3 then
   wscript.echo VBCRLF & "! Usage Error !" & VBCRLF
   Usage
 end if

sUser=oArgs(0)
sPass=oArgs(1)&VBCRLF
sCmd=oArgs(2)

set WshShell = CreateObject("WScript.Shell")
set WshEnv = WshShell.Environment("Process")
WinPath = WshEnv("SystemRoot")&"\System32\runas.exe"
set FSO = CreateObject("Scripting.FileSystemObject")

if FSO.FileExists(winpath) then
 'wscript.echo winpath & " " & "verified"
else
 wscript.echo "!! ERROR !!" & VBCRLF & "Can't find or verify " & winpath &"." & VBCRLF & "You must be running Windows 2000 for this script to work."
 set WshShell=Nothing
 set WshEnv=Nothing
 set oArgs=Nothing
 set FSO=Nothing
 wscript.quit
end if

rc=WshShell.Run("runas /user:" & sUser & " " & CHR(34) & sCmd & CHR(34), 2, FALSE)
'new code from Nick Staff (nstaff@angelsin.com) to loop until window opens.

Do until WshShell.AppActivate (WinPath)
Wscript.Sleep 5
WshShell.AppActivate (WinPath)
loop
WshShell.SendKeys sPass


set WshShell=Nothing
set oArgs=Nothing
set WshEnv=Nothing
set FSO=Nothing

wscript.quit

'************************
'*  Usage Subroutine    *
'************************
Sub Usage()
On Error Resume Next
msg="Usage: cscript|wscript vbrunas.vbs Username Password Command" & VBCRLF & VBCRLF & "You should use the full path where necessary and put long file names or commands" & VBCRLF & "with parameters in quotes" & VBCRLF & VBCRLF &"For example:" & VBCRLF &" cscript vbrunas.vbs jdhitsolutions\jhicks luckydog e:\scripts\admin.vbs" & VBCRLF & VBCRLF &" cscript vbrunas.vbs jdhitsolutions\jhicks luckydog " & CHR(34) &"e:\program files\scripts\admin.vbs 1stParameter 2ndParameter" & CHR(34)& VBCRLF & VBCRLF & VBCRLF & "cscript vbrunas.vbs /?|-? will display this message."

wscript.echo msg

wscript.quit

end sub
[/code]

Since you are doing this on the network you will need to add /NETONLY to the run command of this script.
0
 
LVL 20

Expert Comment

by:ltlbearand3
ID: 35710547
Reinhard,

As I read through this, it sounds like you just want the script to run with Elevated UAC.  To do this you make the script call itself and signal it should have elevated privileges.  However, it will prompt the User to OK the elevated privileges.  Try:

[code]
If WScript.Arguments.length =0 Then
  Set objShell = CreateObject("Shell.Application")
  'Pass a bogus argument with leading blank space, say [ uac]
  objShell.ShellExecute "wscript.exe", Chr(34) & _
  WScript.ScriptFullName & Chr(34) & " uac", "", "runas", 1
Else
  ' Put your original Script code Here . . .
End If
[/code]


-Bear
0
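The "Access Denied" failure discussed in this thread depends on whether the script's token is elevated, so here is an added example (not code from any poster in the thread) of a VBScript that checks its own integrity level with `whoami /groups` before attempting an HKLM write. The `NPO_KEY` path is the standard Windows provider-order value and is assumed to be what the asker's npo.vbs edits; `TokenState` is a hypothetical helper name.

```vbscript
Option Explicit

' Integrity-level SIDs that "whoami /groups" prints for the current token.
Const SID_HIGH   = "S-1-16-12288"   ' High Mandatory Level: elevated administrator
Const SID_SYSTEM = "S-1-16-16384"   ' System Mandatory Level: service or startup script

' Assumption: standard location of the provider order that npo.vbs would edit.
Const NPO_KEY = "HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\ProviderOrder"

' Hypothetical helper: returns "elevated", "not-elevated" or "unknown".
Function TokenState()
    Dim sh, exe, proc, out
    Set sh = CreateObject("WScript.Shell")
    exe = sh.ExpandEnvironmentStrings("%SystemRoot%\System32\whoami.exe")
    TokenState = "unknown"
    On Error Resume Next
    Set proc = sh.Exec("""" & exe & """ /groups")
    If Err.Number <> 0 Then
        ' whoami.exe is not part of a default Windows XP install,
        ' and XP has no UAC split token to detect.
        Err.Clear
        Exit Function
    End If
    out = proc.StdOut.ReadAll()
    On Error GoTo 0
    If InStr(out, SID_HIGH) > 0 Or InStr(out, SID_SYSTEM) > 0 Then
        TokenState = "elevated"
    ElseIf InStr(out, "S-1-16-") > 0 Then
        TokenState = "not-elevated"
    End If
End Function

Dim state, shell, order
state = TokenState()
Set shell = CreateObject("WScript.Shell")

' Reading HKLM succeeds without elevation; only the write is refused.
On Error Resume Next
order = shell.RegRead(NPO_KEY)
If Err.Number <> 0 Then
    order = "(unreadable, error 0x" & Hex(Err.Number) & ")"
    Err.Clear
End If
On Error GoTo 0

WScript.Echo "Token state:    " & state
WScript.Echo "Provider order: " & order

If state = "not-elevated" Then
    ' A script started without elevation lands here: the HKLM write
    ' would fail with 80070005, so stop with a distinct exit code.
    WScript.Echo "Not elevated: skipping HKLM write."
    WScript.Quit 5
End If

' The HKLM change belongs here, reached only with an elevated or pre-UAC token.
WScript.Quit 0
```

Run it with cscript.exe so the output goes to the console instead of message boxes.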
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 35712503
Bear, curious as I am not at a computer to test this right now. How does entering UAC with wscript.exe help? It is an interesting concept to run it with parameters already set. That is not what he is wanting though. He wants an option, so the process is elevated not just signaling for a higher token but to bypass the safe virtual protection mode that dims the background and prompts you with a UAC elevation prompt so it can be run as a login script to be automated on their network. :)
0
 
LVL 20

Expert Comment

by:ltlbearand3
ID: 35712574
Russell,

I may have missed the point on what he wanted.  My experience has been at times that depending on the settings, the script will not run and it never prompts for elevation.  The script I posted just forces Windows to consider the script as a program that needs elevation.  This will then at least prompt Windows to request elevation from the user and then the script can finish.

Bear
0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 35712632
Aah! I was thinking maybe you had something like if the program calls itself UAC wouldn't be called. Interesting you say sometimes it won't run. Even with parameters already in place as the argument? Maybe it reads the arguments wrong. Like spacing etc. Anyways. Thanks for responding. It's a good suggestion nevertheless.
0
 
LVL 20

Expert Comment

by:ltlbearand3
ID: 35713376
Russell,

This script with the UAC parameters runs fine.  It is when I do not have the self calling code that elevates for UAC where I have problems.  The problems depend on the UAC settings where sometimes UAC prevents the script from running at all without elevation.

Bear
0
 

Author Comment

by:ReinhardRensburg
ID: 35716351
Hi Russel and Bear,

Thanks for all suggestions and help, I will give it all a try on Monday when I am at the office again and provide some feedback.

Reinhard
0
 

Author Comment

by:ReinhardRensburg
ID: 35718109
Hi Russel,

I am trying out your script posted on 06/05/11 06:23 PM (ID: 35707524).

When I create the vbrunas.vbs do I also leave the "Usage Subroutine" part (line 72 onwards) in the vbrunas.vbs or does this become a separate script where the command is put into? I am a bit confused with the part where the command is used.

My script that I need to run is called npo.vbs (short for network provider order .vbs) - would it be possible to please help me with the command that I would use to run the aforementioned .vbs file and also where the /NETONLY part would fit into the script please? The Administrator accounts of the PCs where the script should run are all set to password "admin" (just for now).

Thank you in advance

Regards,
Reinhard.
0
 
LVL 15

Accepted Solution

by:
Russell_Venable earned 1200 total points
ID: 35722687
On line 72 it is used for error control and usage. I would just leave it for good measure.  On line 55 you would need to have it look like this:

rc=WshShell.Run("runas /NETONLY /user:" & sUser & " " & CHR(34) & sCmd & CHR(34), 2, FALSE)

Assuming you have already done a: net user administrator /active:yes from an elevated command prompt earlier and the administrator account password is "admin" your command should now look like this as a regular command w/o the script to show you how it is run.

Runas /netonly /user:domain\Administrator "cmd.exe"

This will prompt for a password. Now for the using the script.

Cscript vbrunas.vbs domain\Administrator admin "C:\<directory to script>\Npo.vbs"

This will runas a built-in local administrator account and send the password to the console command prompt and hit enter by itself.

So all in all this is assuming that all the PCs' administrator accounts are named "Administrator" and consequently this is the drawback for making this compatible with all "XP, VISTA, and W7".
0
 

Author Closing Comment

by:ReinhardRensburg
ID: 35723853
ThinkPaper & merowinger: Thanks, psexec looks like the best 3rd party solution, one has to unfortunately then have the local Administrator Account enabled and password set (which is disabled and not set by default), so great solution if admin account is enabled on all PCs and one knows the password.

Russel, thanks a lot for all the effort with the VBScript, I've tested it on Win 7 and it seems to work without prompting the user for anything. The only thing I would have liked more is if a DOS box did not pop up and "hang" there while it executed my VBScript, some users might fiddle with it or close it before the VBScript completes, but also a workable solution, thanks a lot. Once again one needs all the Administrator accounts on the PCs enabled and passwords set, but I've learned some other powerful features about VBScript in this exercise.

Regards,
Reinhard.
0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 35724134
There are ways to make it not popup. I use a c++ program to make this run as administrator and it sends a show_window to false to the cmd window. I haven't messed around with vbscript to find out if WINAPI is supported. I mainly code software.
0
