Passing a new command to a Powershell Elevated instance using schtasks.exe in python using subprocess.run

I'm trying to execute dynamically some powershell commands that require admin priviledges in my python application.
But I'm facing problems to obtain the behaviour I want when stacking commands with subprocess.run<br>
So let's discuss the code:<br>
This is an example command that requires admin priviledges(elevated prompt) to be run:

import subprocess
admin_cmd = r'New-NetFirewallRule -DisplayName "Notepad block -Outbound-" -Direction Outbound -Program "C:\Windows\System32\notepad.exe" -Action Block'
subprocess.run(["powershell.exe", "-Command", admin_cmd])

This command will output an error:
New-NetFirewallRule : Accesso negato.

Obviously it runs without a problem in a elevated powershell.<br>
So as a solution I created a task to bypass UAC and run an elevated powershell without workflow interruption.<br>
I can run the elevated shell like this:<br>
subprocess.run(['schtasks.exe', "/run", "/tn", "Powershell_Elevata"])
<br>Or like this:<br>
subprocess.run(["powershell.exe", "-Command", r'Start-Process schtasks.exe -ArgumentList "/run /tn Powershell_elevata"'])<br>
But if i try to pipe admin_cmd with -c or -Command, with any of those I will get an error
cause schtasks.exe knows nothing about New-NetFirewallRule.

So how do I fix the problem? Possibly without the need of creating new files, just python code.
And if possible the Elevated Powershell should run the example command silently without opening a window.

It looks like your intent is to pass PowerShells command ad hoc to an open-ended scheduled task that runs an interactive, elevated PowerShell session.

• Defining such a task is a security risk, as it effectively bypasses UAC.

• You cannot pass arguments or pipe data to a scheduled task on invocation.

  • Any arguments have to be part of the scheduled task itself, as part of an action definition.

  • While you could hypothetically modify the scheduled task with the arguments at hand before every invocation, using PowerShell's Set-ScheduledTask cmdlet, for instance, doing so requires elevation / entering your password if the task is configured to run with elevation, which defeats the purpose for you.

If you have to bypass UAC at all - which is always a security concern - it is best to do it for select commands only, which would mean defining your Powershell_Elevata task (possibly under a more specific name) with the specific New-NetFirewallRule call "baked in", i.e. as part of the task's action.

If you need ad-hoc parameterization of the New-NetFirewallRule command, you'd have to save the dynamic values to a file and have the PowerShell command in the scheduled task read that file.