wheelgunr
asked on
Run a bat file to elevate CMD, run a script, then close after responding
We've moved our VAMT server to a new one; however, we can't do a DNS redirect from the server one to the new server due to another process being run on the old server.
I want to run a batch file as a GPO to send the computers using keys to the new server (some computers are MAK, some are DVLK, some are CSVLK - Support Desk sets these up).
So far, I've been using slmgr /skms <FQDN of new server>:1688. I've been told by my manager that this will cause issues in the future, and he wants me to use slmgr /ckms
Both of these need elevated CMD privileges.
I have this so far:
start %windir%\system32\cmd.exe
powershell.exe -Command "Start-Process cmd -Verb RunAs"
cd\c:
cscript slmgr /ckms
1) After starting the batch file, I get the UAC prompt "Do you want to allow changes...." This needs to be accepted
2) After execution, the response to the command completion needs a click to finish: Please see the screen shot.
3) After manually closing the response prompt, there are CMD screens left open. These need to close at completion
I would really love to have this as a silent operation during boot up as a GPO.
I'm not versed in scripting at all.
Thanks in advance.
Doc1.docx
ASKER
That stopped one screen, but I still get the UAC and script completion screens, and still leaves 2 cmd windows open...but a good start!
If it's a batch/cmd file, @echo off suppresses the commands and "exit" (without quotes) at the end should close the windows.
@echo off
powershell.exe -windowstyle hidden -Command "Start-Process cmd -Verb RunAs"
cd\c:
cscript slmgr /ckms
exit
Try the updated file above.
ASKER
OK, that's getting better. UAC screen still pops up; that needs to be acknowledged and suppressed as well as the information screen at the end. Also, the elevated cmd screen still stays on...
Ahhhh I see you are doing a run as. Do you have credentials that you are going to be adding to this?
ASKER
Can I add the local administrator, but as a generic without the computer name? As in run as administrator vs. runas <computername>\administrator?
Are you running this on the user's machine locally?
ASKER
This will run as a logon script. I would like to use the local machine administrator since sometimes Support Desk forgets to add the user to the Administrators Group...
Does this cmd file need admin rights to run? Are you making any modifications?
If you want to run this under a specific account, you need to create a task in Task Scheduler that runs at computer startup using the account you want, and check the box "Always run with highest privileges".
The program would be cscript.exe as script name, and "C:\Windows\System32\slmgr.vbs /ckms" (without the double quotes) the arguments.
ASKER
Yes, slmgr needs the elevated command prompt to run...
Is the admin group on all the machines? If so can't you add the users to the admin groups in AD? Then you can take the runas out of the script.
ASKER
When computers are issued out, the Administrators group should have all of the admin groups as well as the person's logon name being issued the computer. However, there are occasions when this doesn't happen.
Using this method, I can guarantee that the best available admin account is being used. There should be a VB script that will cause a pseudo button push to say OK to the end of the process button as well as closing the cmd screens left...
I may have another solution. If you right click on the command file and go to properties, there is an option to run as administrator, under the compatibility tab. You can check that off and see if that works.
ASKER
I have over 800 computers and 50+ virtual and physical servers to run this on. A good quantity have Deepfreeze running on them, especially the student lab computers. Your idea, while correct is not practical in my situation.
I can force the CMD to become elevated, the slmgr line works, I just need to have the elevated prompt to go away as well as the response prompt that shows up at the end to go away. Also the cmd desktop leftover cmd screens to go away.
ASKER
Look at the document I uploaded to see what I'm getting as a residual response
Then we can take out the powershell runas command and see if that gets rid of the prompt.
ASKER
Here's what I finally got to work:
start %windir%\system32\cmd.exe
SET __COMPAT_LAYER=WINXPSP3
powershell.exe -windowstyle hidden -Command "Start-Process cmd -Verb RunAs"
cd\c:
cscript slmgr /ckms
taskkill /F /IM cmd.exe /T
ASKER
I've requested that this question be closed as follows:
Accepted answer: 0 points for wheelgunr's comment #a41584756 (https://www.experts-exchange.com/questions/28943911/Run-a-bat-file-to-elevate-CMD-run-a-script-then-close-after-responding.html?anchorAnswerId=41584756#a41584756)
Assisted answer: 500 points for epamias's comment #a41579660 (https://www.experts-exchange.com/questions/28943911/Run-a-bat-file-to-elevate-CMD-run-a-script-then-close-after-responding.html?anchorAnswerId=41579660#a41579660)
for the following reason:
Research and testing on my part and using some of the input I received
I am glad you got it working. :)
Sorry, but that script makes no sense at all, and has errors.
All you need is a scheduled task with a single command, as I mentioned in https:#a41579500 (which you may have overlooked, as it was in the middle of a busy discussion).
As to your script:
start %windir%\system32\cmd.exe
You're just starting a new instance of cmd.exe (this is the window that will remain open), and it doesn't do anything at all.
SET __COMPAT_LAYER=WINXPSP3
powershell.exe -windowstyle hidden -Command "Start-Process cmd -Verb RunAs"
You're starting yet another new, hidden, and elevated instance of cmd.exe, which doesn't do anything at all, either. I can't reproduce any different UAC behavior with __COMPAT_LAYER set to WINXPSP3. That aside, the original batch script (which will be running the slmgr command) will not be elevated by this.
cd\c:
This command is syntactically incorrect: The filename, directory name, or volume label syntax is incorrect.
This should be 'cd /d C:\' or 'cd /d C:\Windows\System32'
cscript slmgr /ckms
This command is syntactically incorrect: Input Error: There is no file extension in "C:\slmgr". Even with the file extension, it would (probably, unless you happen to start cmd.exe in system32, where it would stay because the 'cd' doesn't work) error out, as cscript.exe doesn't search %Path% for scripts, you have to provide the full path if the script isn't in the working directory.
taskkill /F /IM cmd.exe /T
This will kill all instances of cmd.exe, including those still doing useful things and (depending on permissions) those started by other accounts.
Once corrected, the complete net functionality of your current script comes down to this:
cscript.exe C:\Windows\System32\slmgr.vbs /ckms
So your current script does not elevate anything (except for the one cmd.exe instance that doesn't do anything), and if elevation is required, there is no way to suppress the UAC prompt (if UAC is enabled); it was designed that way.
If this needs to run elevated, no matter which user is logging on, you need to set up a scheduled task triggered at logon as I described in https:#a41579500.
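The scheduled-task approach described in this answer, as an added PowerShell example (not code from the thread): it registers a startup task that runs slmgr.vbs /ckms already elevated, so there is no UAC prompt, no stored password and no visible window. The task name, the choice of the SYSTEM account and the five-minute time limit are assumptions; run it from an elevated session or deploy it as a computer startup script.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumptions: task name, SYSTEM as run-as account, time limit.

$taskName = 'Clear-KmsHost'   # hypothetical task name
$cscript  = Join-Path $env:SystemRoot 'System32\cscript.exe'
$slmgr    = Join-Path $env:SystemRoot 'System32\slmgr.vbs'

# Use full paths: cscript.exe does not search %Path% for the script.
foreach ($path in $cscript, $slmgr) {
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        throw "Required file not found: $path"
    }
}

# //B = batch mode (no prompts or script error dialogs), //Nologo = no banner.
$action = New-ScheduledTaskAction -Execute $cscript `
    -Argument "//B //Nologo `"$slmgr`" /ckms"

# Computer startup, so the task does not depend on which user logs on
# or on that user being in the local Administrators group.
$trigger = New-ScheduledTaskTrigger -AtStartup

# SYSTEM is already elevated and needs no password saved in the task.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 5)

# -Force overwrites an existing task of the same name, so re-running is safe.
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Run once now, wait for it to finish, then show the task's last result code.
Start-ScheduledTask -TaskName $taskName
while ((Get-ScheduledTask -TaskName $taskName).State -eq 'Running') {
    Start-Sleep -Seconds 1
}
Get-ScheduledTaskInfo -TaskName $taskName |
    Select-Object TaskName, LastRunTime, LastTaskResult
```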
ASKER
It seems to work on our systems. Using that batch file has cleared several test computers' VAMT direction. But thanks for your input.
Could you open a command prompt, then start that script without the "taskkill"?
Do you get that "Windows Script Host" popup that appears in your screen shot (btw: it is a lot nicer for everybody reading here to upload pictures directly than to wrap them in a Word document)?
What is the content of the original window in which you started the script?
ASKER
I found a way around the issue using a locally generated GPO
powershell.exe -windowstyle hidden -Command "Start-Process cmd -Verb RunAs"
Test it of course and see how it works.