PowerShell Remoting Project Home

Friday, January 27, 2006

Dreaming of SU in MSH?

(Added on Mar 6th) There is a follow-up post on this topic here.

Shame on myself! I should do more research before posting a blog entry. MoW already had a similar script a couple of months ago.

Want to run a MSH script as another Windows user? You got it now! I am not talking about Runas.exe. It is a MSH script that starts a new msh.exe process with a different Windows identity. Just like su.exe in Linux.

###########################################
# File Name: su.msh
# Launch a new msh.exe with someone else's identity
# from tony http://mshforfun.blogspot.com/
###########################################
# Prompt for the account to run as (the password comes back as a SecureString)
$SuAccount = get-credential
$StartInfo = new-object System.Diagnostics.ProcessStartInfo
$StartInfo.FileName = "msh.exe"
$StartInfo.UserName = $SuAccount.UserName
$StartInfo.Password = $SuAccount.Password
# Load the target user's profile so HKCU and the user folders belong to that account
$StartInfo.LoadUserProfile = $true
# Process.Start only honours UserName/Password when UseShellExecute is off
$StartInfo.UseShellExecute = $false
# Start the new shell in the current directory
$StartInfo.WorkingDirectory = (get-location).Path
[System.Diagnostics.Process]::Start($StartInfo)

Added on 23rd Feb 2006, 08:40
Jeffrey Snover suggested adding the following line:
$StartInfo.Arguments="-noexit -command `$Host.UI.RawUI.WindowTitle=\`"Microsoft Command Shell ($($SuAccount.UserName)) \`""
/Added on 23rd Feb 2006, 08:40


Added on 27th Jan 2006, 15:46
In the Monad beta 3 build, the default behavior of get-credential was changed to "CredUI". "CredUI returns a username with '\' prepended. When passing that to the Process.Start method, it has intermittent difficulty dealing with that form of a username." --Lee Holmes
To change it back to CLI prompting, run the following script:
new-property HKLM:\SOFTWARE\Microsoft\MSH\1\ShellIds `
-property ConsolePrompting -value "True" -force

See the newsgroup thread here for details. Also check out the ::: MSH ::: Blog Entry for this issue.
/Added on 27th Jan 2006, 15:46
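An added example (not the post's own su.msh) that folds the two updates above into a post-Monad PowerShell version: it splits the name Get-Credential returns into Domain and user, so the leading "\" that CredUI prepends is stripped before it reaches Process.Start, and it sets the window title as Jeffrey suggested. The shell name powershell.exe, the Split-AccountName helper and the $Shell parameter are assumptions of this example, not part of the original script.

```powershell
# su.ps1 (added example, not the original su.msh): launch a new shell as another
# user, normalising the credential's UserName before handing it to Process.Start.
param([string]$Shell = "powershell.exe")   # assumption: PowerShell-era shell name

function Split-AccountName {
    param([Parameter(Mandatory)][string]$Account)
    # Strip the leading "\" that CredUI prepends when no domain was typed.
    $Account = $Account.TrimStart('\')
    if ($Account -match '^(?<domain>[^\\]+)\\(?<user>.+)$') {
        return @{ Domain = $Matches.domain; User = $Matches.user }
    }
    # Bare user name: treat it as an account in the local machine's database.
    return @{ Domain = $env:COMPUTERNAME; User = $Account }
}

$SuAccount = Get-Credential
$Parts     = Split-AccountName -Account $SuAccount.UserName

$StartInfo = New-Object System.Diagnostics.ProcessStartInfo
$StartInfo.FileName         = $Shell
$StartInfo.Domain           = $Parts.Domain
$StartInfo.UserName         = $Parts.User
$StartInfo.Password         = $SuAccount.Password   # SecureString, never plain text
$StartInfo.LoadUserProfile  = $true                  # HKCU/profile of the target user
$StartInfo.UseShellExecute  = $false                 # required when supplying credentials
$StartInfo.WorkingDirectory = (Get-Location).Path
# Jeffrey Snover's tip from the post: label the new window with the account name.
$StartInfo.Arguments = "-NoExit -Command `$Host.UI.RawUI.WindowTitle=\`"PowerShell ($($Parts.Domain)\$($Parts.User))\`""

$Proc = [System.Diagnostics.Process]::Start($StartInfo)
"Started PID {0} as {1}\{2}" -f $Proc.Id, $Parts.Domain, $Parts.User
```

The new window runs with the target account's token, so the group list shown by an id-style script there will differ from the parent shell's.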

So if you are a non-privileged user "testac" and run id.msh, you get:
UserSID= S-1-5-21-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxx (Domain\testac)
AuthenticationType= NTLM
ImpersonationLevel= None
Token= xxxx
Groups=
GroupSID= S-1-5-21-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxx (Domain\None)
GroupSID= S-1-1-0 (Everyone)
GroupSID= S-1-5-32-545 (BUILTIN\Users)
GroupSID= S-1-5-4 (NT AUTHORITY\INTERACTIVE)
GroupSID= S-1-5-11 (NT AUTHORITY\Authenticated Users)
GroupSID= S-1-2-0 (LOCAL)


After su to an Administrator user "tony", running id.msh again in the new msh.exe window gives:
UserSID= S-1-5-21-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxxx (Domain\tony)
AuthenticationType= MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
ImpersonationLevel= None
Token= xxxx
Groups=
GroupSID= S-1-5-21-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxx (Domain\None)
GroupSID= S-1-1-0 (Everyone)
GroupSID= S-1-5-32-544 (BUILTIN\Administrators)
GroupSID= S-1-5-32-545 (BUILTIN\Users)
GroupSID= S-1-5-4 (NT AUTHORITY\INTERACTIVE)
GroupSID= S-1-5-11 (NT AUTHORITY\Authenticated Users)
GroupSID= S-1-2-0 (LOCAL)

Have Fun!

[Edit: Monad has now been renamed to Windows PowerShell. This script or discussion may require slight adjustments before it applies directly to newer builds.]

Comments:
No shame I did worse with my imageviewer LOL ;-)

b.t.w. did you see the solution from Marcel Ortiz in the NG,
in the thread : How to impersonate as a different user? (MSH)

that is what I'm using to get a nested prompt at the moment, real cool.

I'm thinking about re-doing it as a cmdlet sometime ;-)

gr /\/\o\/\/
 
You might consider adding the following line to your SU.MSH script. It will set the window Title so you know who you are running as.

$StartInfo.Arguments="-noexit -command `$Host.UI.RawUI.WindowTitle=\`"Microsoft Command Shell ($($SuAccount.UserName)) \`""

Jeffrey Snover
Monad Architect
 
To Jeffrey:

That is a nice tip. Thanks.
 
