Author Posts

March 13, 2017 at 3:04 pm

I have a PowerShell script executing commands on a remote server in a remote session.
I can execute normal PowerShell commands.
I need to run an .exe program as well, but I need to run it as Administrator (I mean the Administrator user of the remote server).
Can anybody plese provide the right syntax?
Regards
marius

March 13, 2017 at 4:27 pm

Runas.exe? Start-Process?

March 14, 2017 at 12:06 pm

Looking around the forums I wrote the following code, and it works fine if I run it on the targert server:

$username = "mydomain\administrator"
$Passwordtext = "mypassword"
$password = $Passwordtext | ConvertTo-SecureString -AsPlainText -Force
$mycredentials = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $password
Start-Process powershell -credential $mycredentials -ArgumentList '-noprofile -command &{Start-Process "c:\dir1\myprogram.exe" -verb runas}' 

If I run it from a client I get the following error:

This command cannot be executed due to the error: Accesso negato.
    + CategoryInfo          : InvalidOperation: (:) [Start-Process], InvalidOperationException
    + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.Commands.StartProcessCommand
    + PSComputerName        : x.y.z.t

I am sure there is some error, but how can I troubleshoot it?
Regards
marius

March 14, 2017 at 1:50 pm

Well, that means "Access Denied," which means you don't have permissions. So it depends a great deal on HOW you are running it on the client. Are you sending it via Invoke-Command, for example? In that case, the credential provided to Invoke-Command should be one that has permission on the remote machine, rather than passing credentials to Start-Process.

March 14, 2017 at 3:49 pm

Many thanks for your hints.
I made a test by providing to Invoke-Command the credentials of the remote Administrator but I still get the same error, either while using tue same syntax as before:

$username = "mydomain\administrator"
$Passwordtext = "mypassword"
$password = $Passwordtext | ConvertTo-SecureString -AsPlainText -Force
$mycredentials = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $password
Start-Process powershell -credential $mycredentials -ArgumentList '-noprofile -command &{Start-Process "c:\dir1\myprogram.exe" -verb runas}' 

or simply starting the program with the following syntax:

Start-Process -FilePath 'c:\dir1\myprogram.exe'  

Given that myprogram.exe requires Administrator's right, what syntax should I use?
Regards
marius

March 14, 2017 at 3:55 pm

So you've done:

$username = "mydomain\administrator"
$Passwordtext = "mypassword"
$password = $Passwordtext | ConvertTo-SecureString -AsPlainText -Force
Invoke-Command -Script {
 Start-Process "c:\dir1\myprogram.exe" -verb runas'
} -ComputerName whatever -Credential $mycredentials

? I don't understand why you're starting PowerShell to run Start-Process, which is why I'm trying to clarify what you're actually running.

March 14, 2017 at 9:02 pm

Many thanks again.
To be honest, I copied the code from a blog...
Anyway, it works if I logon locally (as Administrator) on the remote server and run it.
What is the right way to start an .exe program that requires Administrator's rights on a remote server?
Regards
Marius

March 15, 2017 at 12:07 pm

Let me start from the beginning.
I need to run an .exe program on a remote server.
I created a PowerShell script like the following one:

#
# Just to check that I am Administrator
#
$env:Computername 
$env:USERNAME
$env:USERDOMAIN
#
# Run a program with the "/s" qualifier to suppress the GUI 
#
start-process -ArgumentList "/s" -FilePath 'c:\mydir\myprogram.exe'

If I logon ad Administrator on my remote server, start PowerShell and execute it, it works fine and it performs the required actions that includes producing an output file.
I inserted the same code as a ScroptBlock inside a script I run from a client, and the script looks like:

$mytarget = "192.168.1.1"
$username = "mydomain\administrator"
$Passwordtext = "mypassword"
$password = $Passwordtext | ConvertTo-SecureString -AsPlainText -Force
$credadm = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $password
Set-Item WSMan:\localhost\Client\TrustedHosts  -Value $mytarget -Force
$session = New-PSSession -ComputerName $mytarget -Credential $credadm
Invoke-Command -Session $session  -ScriptBlock{
    #
    # Just to check that I am Administrator
    #
    $env:Computername 
    $env:USERNAME
    $env:USERDOMAIN
    #
    # Run a program with the "/s" qualifier to suppress the GUI 
    #
    start-process -ArgumentList "/s" -FilePath 'c:\mydir\myprogram.exe'
         }
Remove-pSSession -session $session

The script is executed with no error, I see computername, username (Administrator) and domainname of the targert server, but the program on the remote server is not executed and no output file is created.
Now in my mind the critical point looks to be the statement:

   start-process -ArgumentList "/s" -FilePath 'c:\mydir\myprogram.exe'

What is the right way to write it in order to run "c:\mydir\myprogram.exe /s" on the target server?
Regards

marius

March 16, 2017 at 10:44 am

are you sure that program is not executed ? how do you check it ? it is a gui program ? you want to start gui program visible to current logged user ?

March 16, 2017 at 1:22 pm

Thank you for answering.
Let me provide the information:

are you sure that program is not executed ?

No, but I don't see the output file produced by the program. If I run the program on the target server the output file is created as expected.

how do you check it ?

I don't see the output file

it is a gui program ?

It is, but by providing the "/s" argument i suppress the window. By the way, the program is a setup produced by InstallShield

you want to start gui program visible to current logged user ?

No, I just want to get the result.
If I log on the target as Administrator, open PowerShell and just type:

start-process -ArgumentList "/s" -FilePath 'c:\mydir\myprogram.exe'

the program is executed and the file is created. How can I force it to run from my script?

In the meantime I made a further test by creating a script on my target server with the following instructions:

#
# Run a program with the "/s" qualifier to suppress the GUI 
#
start-process -ArgumentList "/s" -FilePath 'c:\mydir\myprogram.exe'

I saved it as 'c:\mydir\myscript.ps1'. again, if I run it from the target it runs with no problem and starts the program.
I attempted to launch it from my client using Invoke-Command but I can't find the right syntax and I get no result...
What is the right syntax?
Regards
marius

March 16, 2017 at 2:50 pm

do you try to launch any nongui program by this script ?
do ypu try to use psexec ?
sometimes gui programs cant start because it can't create gui window (even if it's hidden). in this case the program can launch if you logged into server as the same user.
I recommend check start/stop events in event viewer (do not forget to enable such events)

March 16, 2017 at 4:54 pm

Does the external program need to run in an elevated context to work? If so, maybe the PSSession is not elevated? Try putting the following in your script block:

( New-Object -TypeName Security.Principal.WindowsPrincipal (
    [Security.Principal.WindowsIdentity]::GetCurrent()
    ) ).IsInRole( [Security.Principal.WindowsBuiltinRole]::Administrator )

It should return True if the session is running with elevated privileges.