Windows 10: after gaining remote access, remotely start Quick Assist as .\Administrator without UAC, or temporarily disable UAC


Problem description

I'd like a script to be used in this situation:

  1. gain remote access without admin privileges
  2. remotely start Quick Assist as .\Administrator and not have a UAC dialogue.

Step 1 is usually made with Quick Assist, sometimes made with Teams screen sharing.

I'm aware that I can locate quickassist.exe in File Explorer then use Shift and the context menu to Run as a different user, however I'd like a scripted approach.

This works, but there's a Yes/No UAC dialogue:

$isElevated = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if ( -not $isElevated ) {
    Start-Process powershell.exe -Credential Administrator -NoNewWindow -ArgumentList {
        Start-Process quickassist.exe -Verb RunAs ;
    } ;
}

Experiment B

I make multiple mistakes, don't know how to correct them. (I'm trying to learn PowerShell, gradually, but I'm easily confused whilst learning; slightly dyslexic.)

$isElevated = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if ( -not $isElevated ) {
  Start-Process powershell.exe -Credential Administrator {
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "PromptOnSecureDesktop" -Value 0 -Force;
    };
  Write-Host "UAC (user account control) is weakened for a Quick Assist session …" -ForegroundColor Red;

  Start-Process powershell.exe -Credential Administrator -NoNewWindow -ArgumentList {Start-Process quickassist.exe -Verb RunAs -Wait};
  Write-Host "… Quick Assist session complete …" -ForegroundColor Red;

  Start-Process powershell.exe -Credential Administrator {
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "PromptOnSecureDesktop" -Value 1 -Force;
    };
  Write-Host "… UAC is strengthened." -ForegroundColor Red;
}

  • the two intended changes to the registry do not occur
  • the third credential dialogue appears too soon – I want it to not appear until after the end of the Quick Assist session.

Also, conceptually, there's probably no need to run Quick Assist as Administrator whilst UAC is temporarily weakened.

https://stackoverflow.com/a/2258134/38108 (2010-02-13) I see use of -Credential with Invoke-Command but when I try to do something similar, for changes to the registry, I make a mess.

https://stackoverflow.com/a/47516161/38108 (2017-11-27) self-elevating PowerShell scripts.

https://superuser.com/a/1524960/84988 (2020-02-12) and https://serverfault.com/a/1003238/91969 (2020-02-15) are interesting – the same script in both answers – however I need something like -Credential Administrator in lieu of -ComputerName.

https://stackoverflow.com/a/60292423/38108 (2020-03-07) via https://stackoverflow.com/a/60263039/38108

PowerShell commands - PowerShell - SS64.com

https://github.com/okieselbach/Intune/blob/master/DisablePromptOnSecureDesktop.ps1 (2020-11-13) via Quick Assist the built-in Remote Control in Windows 10 – Modern IT – Cloud – Workplace

Recommended answer

The short answer is don't. Get a real remote management tool or have someone hit the UAC yes prompt.

This is more of a Windows thing than PowerShell, as Windows explicitly denies elevating a process locally without going through UAC (and for good reason!). You used to be able to do things like this:

# Use New-PSSession to start a "remote" session.
# This may still support elevation if you specify CredSSP and configure credential delegation:
New-PSSession -ComputerName MyPCName -Authentication CredSSP -Credential (Get-Credential)

# Create a scheduled task with RunAs/elevated permissions.
# $action must already hold a task action created with New-ScheduledTaskAction.
Register-ScheduledTask -Action $action -User .\Administrator -TaskName "Admin-Stuff" -RunLevel Highest

Which now give fat access denied messages when running locally. You also are not able to edit registry settings within HKLM: without elevation, so disabling UAC temporarily is not an option.

You may be able to make use of this exploit that allows admin users to bypass UAC, but I think you still have to Run-as-other-user your shell to use it.
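
An added example, not part of the original question or answer: a read-only PowerShell check of the UAC policy values under the registry key that Experiment B edits, useful for confirming that PromptOnSecureDesktop is back at 1 after a support session. The function name Get-UacFinding, the choice of which values to flag, and the sample object are assumptions made for this example.

```powershell
# Added example: report UAC policy values that have been weakened.
# Reading HKLM does not need elevation, so this runs from a standard-user shell.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Value name -> values treated as weakened in this example (an assumption; adjust to local policy).
$weak = [ordered]@{
    EnableLUA                  = @{ Bad = @(0); Why = 'UAC is switched off' }
    PromptOnSecureDesktop      = @{ Bad = @(0); Why = 'elevation prompt is shown on the interactive desktop instead of the secure desktop' }
    ConsentPromptBehaviorAdmin = @{ Bad = @(0); Why = 'administrators are elevated without a prompt' }
}

function Get-UacFinding {
    param(
        # Object with one property per registry value, e.g. the output of Get-ItemProperty.
        [Parameter(Mandatory)] $Policy
    )
    foreach ($name in $weak.Keys) {
        $value = $Policy.$name
        if ($null -eq $value) {
            $state = 'NotSet'
        } elseif ($weak[$name].Bad -contains $value) {
            $state = 'Weakened'
        } else {
            $state = 'OK'
        }
        $note = ''
        if ($state -eq 'Weakened') { $note = $weak[$name].Why }
        [pscustomobject]@{ Name = $name; Value = $value; State = $state; Note = $note }
    }
}

# Constructed sample: the state Experiment B would leave behind if its restore step never ran.
$sample = [pscustomobject]@{
    EnableLUA                  = 1
    PromptOnSecureDesktop      = 0
    ConsentPromptBehaviorAdmin = 5
}
Get-UacFinding -Policy $sample | Format-Table -AutoSize

# Live check of the local machine.
Get-UacFinding -Policy (Get-ItemProperty -Path $uacKey) | Format-Table -AutoSize
```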
