I'm attempting to remote-install a graphics driver on a headless embedded Windows7 system. I have several systems in the field that need repair; I can upload an installer script and execute it as an unprivileged user on those systems. The driver installation requires elevated privileges, however, so I've tried to create a task that will run under a privileged account:
schtasks /Create /XML GraphicsUpdate.xml /ru <username> /rp <password> /tn GraphicsUpdate
This works great when <RunLevel> is set to LeastPrivilege but returns
ERROR: Access is denied.
when attempting to use HighestAvailable.
Attempts to install the driver using the LeastPrivilege run level result in the error "This operation requires an interactive window station," i.e., the UAC dialog; it's hard to click through the UAC on a headless system.
Is there any way to allow an unprivileged user to create a task from the command-line that will run as a privileged user from the command-line at the highest available privilege? Or are there better ways to install a driver headlessly?
Update
Systems in the field run a server that can be upgraded by the user over their LAN (direct Ethernet connection or over wired switch). The subnets I am testing with are exactly the same (e.g., 172.20.81.0/24).
I'd to create a package that will contain the driver and installation script, but the server runs in an unprivileged account. We need to find a solution for escalating privileges from this account in order to install the driver.
Best Answer
I'm going to add this as an additional answer because the other one might still help people in a domain scenario.
You cannot do this without having a domain or pre-configuring UAC to allow you to do this. (e.g. https://support.microsoft.com/en-us/kb/951016 )
Microsoft in the name of security has blocked self-escalation outside of the UAC prompt from every way they can think of. PSExec can't work when connecting locally because of loopback protection, and admin shares are blocked remotely by default on non-domain machines. (Which PSExec relies on)
Options that would allow you to do anything in this type of scenario would all require pre-setting something up on the target machine such as Remote Desktop, or the above link.
In a domain environment, PSExec isn't blocked from the network because the admin shares aren't blocked. But outside of a domain environment and without having set something up in person, this is not possible to the best of my knowledge.