command line UAC #15205
Comments
This is not really something that can be done in PowerShell as it's an implementation detail in Windows. For you to elevate your account you need to have an already elevated process to spawn the elevated process itself which is what UAC does. There are definitely workarounds for this as UAC isn't considered a security boundary but they are at best a hack or something that already runs as an elevated process.
"For what is UAC and what UAC does" part, I feel tempted to give my opinion.
no standard user can/does elevate his account.
depends on the definition of "security boundary". UAC by design does its job, what it's supposed to do. UAC is not supposed to stop injection with already running as system components. "sequential processes chains isolation" is something Windows yet has to provide for high or medium IL processes.
if getting help from already running elevated process like: app combat, injection etc. are considered as workarounds then that's by definition not "UAC bypass or workarounds", actually that's by design and Windows allows that.
The actual step to get the admin token must be done specifically by an account that has the Short of PowerShell implementing a privileged service that runs in the background to handle these requests the only proper way to do this is to use UAC or petition Windows to implement what you want.
I suppose that even if Windows team makes a console UAC dialog instead of a GUI, a new window will open, which again is not what you want.
exactly, that's why no standard user can/does elevate his account. ever. (i) (ii) UAC = runas in the context of an admin user amongst the admin users and creates High IL process, not the current user. also known as (iii) standard user forever remains as standard user with his by default medium IL, if necessary Low IL/AppContainer.
until powershell implements completely command line UAC? then yes.
actually it seems to be the other way around. @iSazonov
I'm not 100% sure the PowerShell team are wanting to do something like this at all. I'm not part of the team so I could be wrong but historically a lot of the security based changes are very conservative and follow the status quo. It's a massive risk security wise to implement their own service for this purpose and fundamentally goes against the standard Windows model where UAC is used. Off the top of my head one of the security benefits you lose from going this approach is the fact that the UAC consent box is prompted on the secure desktop to try and avoid nefarious software from interacting with it/reading the input. Having it interactive on an existing command line window breaks this feature. Put simply I personally doubt PowerShell will implement this at all and think this kind of request is meant to be made against the Windows team which is unrelated to PowerShell. As you said there are 3rd party implementations like gsudo, if you want this functionality then it seems like the common consensus is to just use those.
UAC in general is a Windows feature. It's designed to be impossible to get around, but that's what you're asking. :-) Change the system settings as you see fit and be happy. :-)
This issue has been marked as answered and has not had any activity for 1 day. It has been closed for housekeeping purposes.
Summary of the new feature/enhancement
start-process -verb runas -filepath "complete path of somefile"
invokes UAC which is GUI based and it does take the credentials input within the secure desktop screen, it's super annoying to work with GUI, when already working in powershell.
as a user, I want a completely command line powershell implementation of UAC, which will
(i) let me know the executable's full file path and publisher info.
(ii) let me choose admin users from within command line.
(iii) take credentials from within command line.
basically what UAC GUI does today, but from command line.
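
Item (i) of the request can be covered from the console without replacing UAC, as in this added example (not code from the thread or from the PowerShell project). It prints the resolved path and Authenticode publisher, then hands consent and credential entry to the normal UAC prompt on the secure desktop; `Start-ElevatedWithInfo` is a hypothetical helper name.

```powershell
# Added example; Start-ElevatedWithInfo is a hypothetical helper, not a built-in cmdlet.
# Usage: Start-ElevatedWithInfo -FilePath C:\Windows\System32\notepad.exe
function Start-ElevatedWithInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $FilePath,
        [string[]] $ArgumentList
    )

    # Resolve to a full path so what is displayed is exactly what gets launched.
    $fullPath = (Resolve-Path -LiteralPath $FilePath -ErrorAction Stop).ProviderPath

    # The Authenticode signer is the "publisher" shown in the console summary.
    $sig = Get-AuthenticodeSignature -LiteralPath $fullPath
    $publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    # Check whether the current token is already elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    Write-Host "File      : $fullPath"
    Write-Host "Publisher : $publisher"
    Write-Host "Signature : $($sig.Status)"
    Write-Host "Caller    : $($identity.Name) (elevated: $elevated)"

    if ($sig.Status -ne 'Valid') {
        Write-Warning 'Signature is missing or not valid; publisher cannot be trusted.'
    }

    # Console confirmation is only a convenience; UAC still performs the real consent.
    $answer = Read-Host 'Continue to the UAC prompt? [y/N]'
    if ($answer -notmatch '^(y|yes)$') { return }

    $params = @{ FilePath = $fullPath; Verb = 'RunAs'; PassThru = $true; ErrorAction = 'Stop' }
    if ($ArgumentList) { $params.ArgumentList = $ArgumentList }  # empty list is rejected

    try {
        Start-Process @params
    }
    catch {
        # Reached when the UAC prompt is declined or the launch fails.
        Write-Warning "Elevation was cancelled or failed: $($_.Exception.Message)"
    }
}
```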