Does this sound familiar? You’re connected to someone else’s Windows computer logon session via Remote Assistance. Maybe you initiated it from the GUI or from “msra.exe /offerra blah blah”, it doesn’t matter. You requested control of their mouse and they foolishly accept. Moo-ha-ha-haaa! You right-click on something and choose “Run as administrator”, and then the session window goes black. Nothing.
The first time this happens to someone, they get that look like the ATM ate their credit card and said “Thank you!”. This is the default behavior of R.A. when it runs into the UAC brick wall.
There are several ways around this, and turning off UAC should *not* be one of those ways. Here is one option:
Use Sysinternals’ PsExec.exe to launch the app on the remote session using alternate credentials. The catch here is that this is still not a panacea. If the actions to be performed by the application you launch will only be applied against that local machine, you’re in good shape.
If they require access to external resources, such as shares, folders, web sites, and so on, you may need to take a few additional steps. You may also need to enable a few Windows services on the remote computer.
1. Open a local CMD console using "Run as administrator"
2. CD to the folder where psexec.exe resides
3. Invoke PsExec with /s /i /d options along with the local path of the file to be launched. You can also string along additional arguments.**
4. Eat a fresh doughnut and wash it down with something caffeinated.
** I recommend you wrap multi-part statements inside a script file to make it easier to type all that on the command line.
Open IE on remote computer DT1234
psexec.exe \\DT1234 /s /i /d "c:\program files\Internet Explorer\iexplore.exe"
Open CMD on remote computer LT5005
psexec.exe \\LT5005 /s /i /d cmd
Easy as buying a cake. But what about more complicated stuff like registering DLLs and adding registry keys? Mmmmkay.
1. Create a batch script and dump your awesomeness in it.
2. Save the batch script somewhere accessible.
3. Invoke the script using PsExec.
4. Have another doughnut. Why not?
If you intend to run the process as the local SYSTEM account, be sure to adjust permissions to allow the process to work in that context.
This results in three (3) locations:
1. You, at your computer,
2. the remote computer you are trying to make happy, and
3. the shared folder where you put files to invoke on the remote computer.
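Register a few DLLs
@echo off
title Register DLL components
rem /d also switches drive if the script starts somewhere other than C:
cd /d "c:\program files\crapware"
rem /s registers silently (no message boxes)
regsvr32 crapware1.dll /s
regsvr32 crapload.dll /s
regsvr32 garbage.dll /s
regsvr32 stinky.dll /s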
Add Some Registry Keys
@echo off
title Adding Registry Stuff
SET KEY1=HKLM\SOFTWARE\CrapWare
rem 64-bit Windows has a SysWOW64 folder; there, /reg:64 writes to the 64-bit registry view
IF EXIST %WINDIR%\SysWOW64\user.exe (
    reg add %KEY1%\alpha /v Stuff /d "Cat" /t REG_SZ /reg:64 /f
) ELSE (
    reg add %KEY1%\alpha /v Stuff /d "Cat" /t REG_SZ /f
)
echo All done!
psexec.exe \\LT5005 /s /i /d \\server\share\regkeys.bat
The code looks dumb and lame, I know, but you get the idea. It’s like having a Lego kit to make your own helicopter attack base and it’s Christmas morning. PsExec is like duct tape to a seasoned construction worker. There’s always a use for it somewhere.
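Because /s runs whatever sits on the share as SYSTEM, here is one way to write the wrapper script recommended above so that it checks the shared batch file before launching it. This is an added example, not code from the original post; the name run-remote.bat, its argument order, and the idea of passing in a SHA-256 you recorded when you reviewed the script are assumptions.

```batch
@echo off
setlocal EnableDelayedExpansion
rem Added example, not from the original post. Hypothetical usage:
rem   run-remote.bat COMPUTER \\server\share\script.bat EXPECTED_SHA256
rem Launches the shared script as SYSTEM only if it still matches the hash you reviewed.

if "%~3"=="" (
    echo Usage: %~nx0 COMPUTER \\server\share\script.bat EXPECTED_SHA256
    exit /b 2
)
set "TARGET=%~1"
set "SCRIPT=%~2"
set "EXPECTED=%~3"

rem "net session" returns an error in a non-elevated console (common elevation check).
net session >nul 2>&1
if errorlevel 1 (
    echo This console is not elevated. Use "Run as administrator".
    exit /b 1
)

rem certutil prints the hash on its second output line.
set "ACTUAL="
for /f "skip=1 delims=" %%H in ('certutil -hashfile "%SCRIPT%" SHA256 2^>nul') do (
    if not defined ACTUAL set "ACTUAL=%%H"
)
if not defined ACTUAL (
    echo Could not hash %SCRIPT%
    exit /b 1
)
rem Older certutil builds put spaces between the bytes; strip them before comparing.
set "ACTUAL=!ACTUAL: =!"

if /i not "!ACTUAL!"=="%EXPECTED%" (
    echo Hash mismatch for %SCRIPT%, not launching.
    echo   expected: %EXPECTED%
    echo   actual:   !ACTUAL!
    exit /b 1
)

rem Same switches as the commands in the post; psexec.exe must be in this folder or on PATH.
psexec.exe \\%TARGET% /s /i /d "%SCRIPT%"
```

The hash is checked from your computer just before the remote computer reads the file, so keep write access to the shared folder limited to administrators as well.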
In case you’re wondering about WinRM and WinRS, yes, I’m going to cover that approach soon as well.