Link to home
Create AccountLog in
Avatar of mce-man-it

asked on

Regsvr32 via a script using runas

I'm trying to register two components using AppSense policy on Windows 7 locked down builds. So @User logon, a custom script (powershell) exectues to run:

regsvr32 /s "c:\windows\downloaded program files\IPLWeb.ocx"
regsvr32 /s "c:\windows\downloaded program files\iplwebtbl.dll"

The custom script is set to run as 'system' and that's the issue. The components above are not registering. If I remote to one of the Windows 7 builds and run cmd as administrator and run the above regsvr32 commands (without the /S) the components are registered and the web page works.

I'm thinking now I should use the same custom powershell script in AppSense policy, but use some runas syntax and run as the local administrator? (not domain as this is locked down).

Anyone any thoughts please?
Avatar of SStory
Flag of United States of America image

I'm sure this a UAC issue.  There is probably no way around it. When you are registering things you should have to be an admin. The only exception would be to use the Microsoft Compatibility Toolkit (maybe) to create an exception, but even that may not work.
Since ActiveX is a security nightmare for admins, I think Microsoft purposely requires an admin to allow this.
Avatar of James Rankin
James Rankin
Flag of United Kingdom of Great Britain and Northern Ireland image

Link to home
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
A quick extra note - if UAC is enabled and you want it enabled, you could even use the AppSense EM policy to disable UAC, run the script (nested inside the disable UAC Action) and then re-enable UAC afterwards. That's assuming you can find the Registry keys to disable and re-enable UAC, as I don't think the UAC policy is controlled via ADMX (although it might be, so maybe you could do a standard AppSense GPO import)
Avatar of mce-man-it


Thanks I'll try that. I'm sure disable UAC is:

Well, I can't recommend disabling UAC, but that is up to each person. It is there for a reason.
I just wanted you to know the probable cause.
UAC is there for a reason.  Keep in mind you are lowering machine security and integrity by disabling it.