Currently, I have a Batch Script which has several functions, one among them is to invoke a PowerShell script. The PS_script basically reads & filters mails from Outlook and stores certain data into an Excel file.

Certain functions in the BS need admin rights to run successfully. Whenever the PS_Script is invoked with BS with elevated access it gives an error.

new-object : Retrieving the COM class factory for component with CLSID {...} failed due to following error: 8008005 Server execution failed {......

Is there any way to invoke PS_script from BS without elevated access even if the BS is run with admin rights?

Currently, I use the following command in my BS to invoke the PS_script Test.PS1:

Powershell.exe -ExecutionPolicy RemoteSigned -File  C:\Users\%UserName%\Desktop\Test.PS1
Lastwish
  • It would promote users to help you if you accept answers that solve your problems – Vincent De Smet May 05 '15 at 13:59
  • @VincentDeSmet I haven't promoted your other answer because I am still working on your script, doing a few add-ons & alterations to meet my base requirement. You can look into my other questions; if people have given the required answer, I have accepted & even rated it, but it wasn't the next second as soon as someone answers. – Lastwish May 05 '15 at 14:24
  • I'm trying to develop a different solution involving allowing your script to run as unprivileged, but calling a subroutine to automate escalation of the individual commands that require elevation. In theory, that'll be easier than trying to demote your powershell process to unprivileged within the context of a privileged thread. Not sure whether what I have in mind will work or not though. Still writing and rewriting code, but it's not going as smoothly as I'd hoped so far.... – rojo May 05 '15 at 14:27

2 Answers

If you are sure your problem comes from admin rights, you can try to run your PowerShell script with the username you are executing the script from (or any other user that has the rights you need):

RunAs /user:domain\username "Powershell.exe -File C:\Users\%UserName%\Desktop\Test.PS1"

Seems that runas doesn't accept the password. But there are other utilities to do that: "Unable to supply password to runas from commandline"

Fabian

Here's what I've got so far.

  • Wscript.Shell's .ShellExecute method would let you prompt for UAC elevation. If you could break your admin-dependent functions into helper scripts and stick this BatchGotAdmin code at the top of each, that would let you run the rest in the context of a normal user; but it'd still require the user to click "Allow" for each helper script run.

  • On the opposing side of the coin, using Wscript.Shell's .Exec method to do:

    runas /env /netonly /noprofile /user:%userdomain%\%username% "command to run"

    ... results in bypassing the password and prompt, resulting in the command to be run unauthenticated. This is very interesting and unexpected behavior. Because the "Enter password" prompt is bypassed but the command runs in a separate console anyway, I think it runs as a normal user. However, I haven't found any worthwhile tests with which to confirm.

    The problem I've run into with this is that runas called in this way seems to be non-blocking, so it's hard to deal with the output and timing. In case it helps, I'm including my scratch pad test broken code at the bottom of this answer.

  • Another alternative would be to create a Scheduled Task to run your PowerShell snippet un-elevated.

  • There's also Wscript.Shell's .Run method that would let you .SendKeys the password which would let you get around the UAC prompt, but it doesn't block either, and requires you to store a password in your script.

I'm afraid I've applied all my ingenuity to the problem but haven't found any solution which doesn't create another problem -- other than possibly the Scheduled Task solution.


Here's the incomplete WshShell.Exec solution referenced in item 2 above:

@if (@CodeSection==@Batch) @then

@echo off
setlocal

call :runAsNonAdmin "cmd /c dir"
goto :EOF

:runAsNonAdmin <command to run>
setlocal enabledelayedexpansion
cscript /nologo /e:JScript "%~f0" "%userdomain%\%username%" "%~1"
endlocal & goto :EOF

@end    // end batch / begin JScript chimera

var args = {
    user: WSH.Arguments(0),
    cmd: WSH.Arguments(1)
},
    runas = 'runas /env /netonly /noprofile /user:' + args.user + ' "' + args.cmd + '>stdout 2>stderr"',
    osh = WSH.CreateObject('wscript.shell'),
    fso = WSH.CreateObject('scripting.filesystemobject'),
    proc = osh.Exec(runas),
    read = '', file, out = ['stdout','stderr'];

// note: proc.StdOut and proc.StdErr refer *only* to the runas command itself,
// not to the command spawned by it.  The spawned command is essentially sandboxed.
while (!proc.Status || !proc.StdErr.AtEndOfStream || !proc.StdOut.AtEndOfStream) {
    if (!proc.StdErr.AtEndOfStream) {
        WSH.StdErr.WriteLine(proc.StdErr.ReadLine());
    } else if (!proc.StdOut.AtEndOfStream) {
        WSH.StdOut.Write(proc.StdOut.Read(1));
    }
}

for (var i in out) {
    if (fso.fileExists(out[i])) {
        if (fso.GetFile(out[i]).Size) {
            file = fso.OpenTextFile(out[i], 1);
            WSH[out[i]].Write(file.ReadAll());
            file.Close();
        }
        var del = osh.Exec('cmd /c del ' + out[i]);
        // wait for the delete itself to finish (poll del, not the earlier runas proc)
        while (!del.Status) WSH.Sleep(10);
    }
}

WSH.Echo(proc.ProcessID + ': status ' + proc.Status + '; exit ' + proc.ExitCode);

WSH.Quit(0);

// Inactive code.  Since .exec skips authentication, the following code results in a broken pipe error.
while (!proc.Status || !proc.StdErr.AtEndOfStream || !proc.StdOut.AtEndOfStream) {
    if (!proc.StdOut.AtEndOfStream) {
        read += proc.StdOut.Read(1);
        if (/Enter the password for .*?:/.test(read)) {
            proc.StdIn.WriteLine(args.pass);
        }
    } else if (!proc.StdErr.AtEndOfStream) WSH.Echo(proc.StdErr.ReadLine());
    else WSH.Sleep(10);
}
rojo
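
The Scheduled Task alternative mentioned in the answer above, sketched in PowerShell as an added example that is not part of either answer. The task name `RunTestUnelevated` and the helper `Test-Elevated` are hypothetical; it assumes Windows 8 / Server 2012 or later, UAC enabled, and that the elevated batch session belongs to the same user who is logged on at the desktop.

```powershell
# Added example, not from the answers. Called from the elevated batch script,
# it starts Test.PS1 through Task Scheduler with a non-elevated token.
$taskName = 'RunTestUnelevated'                         # hypothetical task name
$script   = "C:\Users\$env:USERNAME\Desktop\Test.PS1"   # path from the question
$user     = "$env:USERDOMAIN\$env:USERNAME"

function Test-Elevated {
    # True when BUILTIN\Administrators is enabled in the current token,
    # i.e. the process is running elevated.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}
"Launcher elevated: $(Test-Elevated)"

$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy RemoteSigned -File `"$script`""
# RunLevel Limited requests the filtered (non-admin) token; LogonType Interactive
# runs the task in the user's logged-on session without storing a password.
$principal = New-ScheduledTaskPrincipal -UserId $user -LogonType Interactive -RunLevel Limited
$settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

Register-ScheduledTask -TaskName $taskName -Action $action -Principal $principal `
    -Settings $settings -Force | Out-Null
try {
    Start-ScheduledTask -TaskName $taskName
    # Start-ScheduledTask returns immediately. Poll until the task has run and
    # stopped; 267011 (0x41303) is the "task has not yet run" result code.
    $deadline = (Get-Date).AddMinutes(10)
    do {
        Start-Sleep -Milliseconds 500
        $state  = (Get-ScheduledTask -TaskName $taskName).State
        $result = (Get-ScheduledTaskInfo -TaskName $taskName).LastTaskResult
    } while (($state -eq 'Running' -or $result -eq 267011) -and (Get-Date) -lt $deadline)
    'Task state: {0}, last result: 0x{1:X}' -f $state, $result
}
finally {
    # Remove the one-shot task so it does not linger on the machine.
    Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
}
```

Copying `Test-Elevated` into Test.PS1 and logging its result is one way to confirm that the task really ran with the limited token.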