Security – Windows 7: Update a file in the system32 folder via GPO

Tags: group-policy, security, uac, vbscript

I'd need to update a Windows file in the system32 folder.
I've made a script to do this task. When I run it locally on a system (from a prompt with elevated privileges) it works fine.

I've created a GPO where this script is set under Computer policies > Windows settings > Scripts > Startup (as I recall, this will run the script at startup with the SYSTEM account, which has all needed privileges).

The script executes, but the file is not updated. I know this is because of the UAC preventing this.

Is there a method of achieving this (without turning off the UAC)?

Best Answer

Do you need to run the script each time to update the file or do you need to run it just once locally? If the latter, the solution would be to use a very crafty console-based application, PSexec. Please note that you must be an administrator on the machine you are running the script on.

Then you create a folder on a local/mapped drive containing:

  1. The master batch file that you will run
  2. The PSexec application itself
  3. The "payload" that will be run on the remote computer - like the file you need to update and a local batch file that PSexec will run.

My normal PSexec payloads are:

  1. create a temp file/folder on a remote computer
  2. run the PSexec pointing to the temporary location
  3. delete all the files created

An example launcher goes like this:

    @echo off
    CLS

    REM Ask for the target machine
    set /p "PCName=Type the Domain Name or IP address of PC: "
    echo.

    REM Stage the payload on the remote admin share, then run it there
    COPY local_payload.cmd "\\%PCName%\c$\Temp"
    psexec \\%PCName% C:\Temp\local_payload.cmd

    REM after the payload has been launched you can view the output
    REM edit: if it does not want to work, try adding an -s switch that will make it run as a system account.

    pause

    REM here you delete everything after you are finished
    REM (delete the same file that was copied above)
    DEL "\\%PCName%\c$\Temp\local_payload.cmd"

    pause

    :eof
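
The launcher above runs a `local_payload.cmd` that the answer does not show. The following is an added example of such a payload, not code from the original answer: it checks the staged file against a known SHA-256 before overwriting anything in system32, keeps a rollback copy, and verifies the result. The file name `update.dll`, the `EXPECTED` value and the exit codes are placeholders chosen for illustration.

```bat
@echo off
setlocal EnableExtensions
REM Added example. update.dll and EXPECTED are placeholders, not values from the page.
set "SRC=C:\Temp\update.dll"
set "DST=%SystemRoot%\System32\update.dll"
set "EXPECTED=REPLACE_WITH_SHA256_OF_KNOWN_GOOD_FILE"

if not exist "%SRC%" (
    echo Source file missing: %SRC%
    exit /b 2
)

REM certutil prints the digest on its second output line.
REM Windows 7 separates the bytes with spaces, so strip them before comparing.
set "HASH="
for /f "skip=1 delims=" %%H in ('certutil -hashfile "%SRC%" SHA256') do if not defined HASH set "HASH=%%H"
if not defined HASH (
    echo Could not compute hash of %SRC%
    exit /b 3
)
set "HASH=%HASH: =%"
if /i not "%HASH%"=="%EXPECTED%" (
    echo Hash mismatch, refusing to install: %HASH%
    exit /b 3
)

REM Keep a rollback copy of the current file before overwriting it.
if exist "%DST%" (
    copy /y "%DST%" "%DST%.bak" >nul || exit /b 4
)

copy /y "%SRC%" "%DST%" >nul
if errorlevel 1 (
    echo Copy failed: access denied or file in use.
    exit /b 5
)

REM Byte-for-byte comparison of what was staged and what is now installed.
fc /b "%SRC%" "%DST%" >nul
if errorlevel 1 (
    echo Verification failed, restore from %DST%.bak
    exit /b 6
)

echo Installed %DST% with SHA-256 %HASH%
exit /b 0
```

PsExec returns the exit code of the program it ran, so the launcher can test `%ERRORLEVEL%` after the `psexec` line to tell a refused or failed install from a successful one.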