Does this sound familiar? You're connected to someone else's Windows logon session via Remote Assistance. Maybe you initiated it from the GUI or from "msra.exe /offerra blah blah"; it doesn't matter. You requested control of their mouse and they foolishly accepted. Moo-ha-ha-haaa! You right-click on something and choose "Run as administrator", and then the session window goes black. Nothing.


The first time this happens to someone, they get that look like the ATM ate their credit card and said "Thank you!". This is the default behavior of R.A. when it runs into the UAC brick wall.

There are several ways around this, and turning off UAC should *not* be one of those ways.  Here is one option:

Use Sysinternals’ PsExec.exe to launch the app on the remote session using alternate credentials. The catch here is that this is still not a panacea. If the actions to be performed by the application you launch will only be applied against that local machine, you’re in good shape.

If they require access to external resources, such as shares, folders, web sites, and so on, you may need to take a few additional steps.  You may also need to enable a few Windows services on the remote computer.

Basic Steps

1. Open a local CMD console using "Run as administrator"
2. CD to the folder where psexec.exe resides
3. Invoke PsExec with /s /i /d options along with the local path of the file to be launched.  You can also string along additional arguments.**
4. Eat a fresh doughnut and wash it down with something caffeinated.

** I recommend you wrap multi-part statements inside a script file to make it easier to type all that on the command line.

Examples:

Open IE on remote computer DT1234

psexec.exe \\DT1234 /s /i /d "c:\program files\Internet Explorer\iexplore.exe"

Open CMD on remote computer LT5005

psexec.exe \\LT5005 /s /i /d cmd

Easy as buying a cake.  But what about more complicated stuff like registering DLLs and adding registry keys?  Mmmmkay.

1. Create a batch script and dump your awesomeness in it.
2. Save the batch script somewhere accessible.
3. Invoke the script using PsExec.
4. Have another doughnut.  Why not?

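If you intend to run the process as the local SYSTEM account (the /s option), be sure to adjust permissions to allow the process to work in that context. On the network, SYSTEM authenticates as the remote computer's own account, so the share and folder permissions must grant access to that computer account.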

This results in three (3) locations:  [1] You, at your computer, [2] the remote computer you are trying to make happy, and [3] the shared folder where you put files to invoke on the remote computer.

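Register a few DLLs

@echo off
title Register DLL components
rem /d switches drive as well as folder, in case the script starts elsewhere
cd /d "c:\program files\crapware"
rem /s registers silently (no message boxes)
regsvr32 crapware1.dll /s
regsvr32 crapload.dll /s
regsvr32 garbage.dll /s
regsvr32 stinky.dll /s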

Add Some Registry Keys

@echo off
title Adding Registry Stuff
SET KEY1=HKLM\SOFTWARE\CrapWare
rem The SysWOW64 folder exists only on 64-bit Windows
IF EXIST "%WINDIR%\SysWOW64\" (
  rem 64-bit OS: write to the 64-bit registry view explicitly
  reg add %KEY1%\alpha /v Stuff /d "Cat" /t REG_SZ /reg:64 /f
) ELSE (
  reg add %KEY1%\alpha /v Stuff /d "Cat" /t REG_SZ /f
)
echo All done!

Then…

psexec.exe \\LT5005 /s /i /d \\server\share\regkeys.bat

The code looks dumb and lame, I know, but you get the idea.  It’s like having a Lego kit to make your own helicopter attack base and it’s Christmas morning.  PsExec is like duct tape to a seasoned construction worker.  There’s always a use for it somewhere.
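
Because the batch file on the share runs as SYSTEM on the remote computer, anyone who can modify that file controls what SYSTEM executes. The PowerShell wrapper below is an added example, not part of the original post: it checks the script's SHA-256 and its NTFS write permissions before calling PsExec with the same options used above. The parameter names, the recorded hash and the list of broad groups are assumptions.

```powershell
# Added example (not from the original post): check a shared batch script
# before PsExec runs it as SYSTEM. Assumes psexec.exe is on PATH and that the
# SHA-256 was recorded when the script was reviewed. Parameter names and the
# group list are illustrative assumptions.
param(
    [Parameter(Mandatory)] [string] $ComputerName,    # e.g. LT5005
    [Parameter(Mandatory)] [string] $ScriptPath,      # e.g. \\server\share\regkeys.bat
    [Parameter(Mandatory)] [string] $ExpectedSha256   # hash recorded at review time
)
$ErrorActionPreference = 'Stop'

# 1. Integrity: the file on the share must still be the one that was reviewed.
$actual = (Get-FileHash -LiteralPath $ScriptPath -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    throw "Hash mismatch for $ScriptPath (got $actual). Not launching."
}

# 2. NTFS ACL: refuse to launch if a broad group holds any write right.
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
$write = [int][System.Security.AccessControl.FileSystemRights]::Write
$risky = (Get-Acl -LiteralPath $ScriptPath).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $broad -contains $_.IdentityReference.Value -and
    (([int]$_.FileSystemRights -band $write) -ne 0)
}
if ($risky) {
    $who = ($risky.IdentityReference.Value | Sort-Object -Unique) -join ', '
    throw "$ScriptPath is writable by: $who. Tighten the ACL first."
}

# 3. Launch with the same options as the examples above.
& psexec.exe "\\$ComputerName" /s /i /d $ScriptPath
```

The ACL check covers NTFS permissions only; share-level permissions need a separate look.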

In case you’re wondering about WinRM and WinRS, yes, I’m going to cover that approach soon as well.

Namaste.
