Windows – Start Process as normal user powershell

powershell, scripting, windows

I'm creating a PowerShell script that does some automatic setup of new computer deployments. I'm in a situation where I want to launch an executable as a regular non-admin user from an elevated admin PowerShell console instance. The reason is that if I launch from an elevated prompt/script, the executable generates an error. Here's the structure of the command:

Start-Process -FilePath (${Env:CommonProgramFiles(x86)} + "\sample.exe") -ArgumentList "/PRODUCT:sample", "/VERSION:2.0", "/MODE:1"

I did some searching and found the opposite of what I need (non-admin to admin) here https://technet.microsoft.com/en-us/library/hh849848.aspx but I only saw RunAs to elevate to admin.

Setup:

  • Windows 10 Education
  • PS 5

Resolution

Since psexec didn't offer a solution for suppressing the login, I ended up starting the process as follows:

 $username = Read-Host "Please enter in a valid username "
 $password = Read-Host "Please enter the account password " -AsSecureString
 Start-Process -Credential (New-Object System.Management.Automation.PSCredential($username, $password)) -FilePath (${Env:CommonProgramFiles(x86)} + "\sample.exe") -ArgumentList "/PRODUCT:sample", "/VERSION:2.0", "/MODE:1"

It doesn't solve the issue perfectly, but the user can stay in the script at least.

Best Answer

It depends on what the issue is. If you are not running under a user context at all, like under the SYSTEM account, then you might need to run as a particular user, which typically means specifying a username and password, which is often problematic.

If the issue is that you currently have admin rights, but need to run something without those admin rights, then this should be possible using PSExec or similar methods without needing a Username & Password.

psexec -accepteula -l <CMD>

-l Run process as limited user (strips the Administrators group and allows only privileges assigned to the Users group). On Windows Vista the process runs with Low Integrity.

It should be possible to call PSExec within PowerShell and have PSExec call the original application. It may also be possible to do this through PowerShell directly.


It may also be possible to do this with PSExec without needing a username / password to be entered by executing something within the session of the target user as long as they are already logged in.

psexec -accepteula -i <session> <CMD>
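The `psexec -l` approach from the answer above, wrapped so a deployment script can call it without prompting for or handling a password. This is an added example, not code from the question or the answer; it assumes `psexec.exe` is on `PATH`, and `Test-IsElevated` and `Start-LimitedProcess` are hypothetical helper names.

```powershell
# Added example. Assumption: psexec.exe (Sysinternals) is on PATH.

function Test-IsElevated {
    # True when the current token is a member of the Administrators role.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Start-LimitedProcess {
    # Hypothetical helper: runs $FilePath without admin rights, returns its exit code.
    param(
        [Parameter(Mandatory = $true)][string]$FilePath,
        [string[]]$ArgumentList = @()
    )

    if (-not (Test-Path -LiteralPath $FilePath -PathType Leaf)) {
        throw "Executable not found: $FilePath"
    }

    if (-not (Test-IsElevated)) {
        # Already non-elevated: launch directly. Piping to Out-Host makes
        # PowerShell wait for the process and keeps its output off the return value.
        & $FilePath @ArgumentList | Out-Host
        return $LASTEXITCODE
    }

    $psexec = Get-Command -Name psexec.exe -CommandType Application -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if (-not $psexec) { throw "psexec.exe was not found on PATH" }

    # -l runs the child as a limited user: same account, but with the
    # Administrators group stripped from its token (see the -l description above).
    # Without -d, PsExec waits for the child and passes its exit code back.
    & $psexec.Source -accepteula -l $FilePath @ArgumentList | Out-Host
    return $LASTEXITCODE
}

# The command from the question (sample.exe is the page's placeholder executable).
$exe  = Join-Path ${Env:CommonProgramFiles(x86)} 'sample.exe'
$code = Start-LimitedProcess -FilePath $exe -ArgumentList '/PRODUCT:sample', '/VERSION:2.0', '/MODE:1'
if ($code -ne 0) { Write-Warning "sample.exe exited with code $code" }
```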