Passing a new command to a Powershell Elevated instance using schtasks.exe in python using subprocess.run

huangapple go评论74阅读模式
英文:

Passing a new command to a Powershell Elevated instance using schtasks.exe in python using subprocess.run

问题

我正在尝试在我的Python应用程序中动态执行一些需要管理员权限的PowerShell命令,但在使用subprocess.run堆叠命令时,我遇到了问题。让我们讨论一下代码:

这是一个需要管理员权限(提升的提示符)才能运行的示例命令:

import subprocess
admin_cmd = r'New-NetFirewallRule -DisplayName "Notepad block -Outbound-" -Direction Outbound -Program "C:\Windows\System32\notepad.exe" -Action Block'
subprocess.run(["powershell.exe", "-Command", admin_cmd])

这个命令会输出一个错误:
New-NetFirewallRule:Accesso negato.
Passing a new command to a Powershell Elevated instance using schtasks.exe in python using subprocess.run
显然,在提升的PowerShell中可以正常运行。

所以,作为解决方案,我创建了一个绕过UAC并运行提升的PowerShell的任务,以避免工作流中断。我可以像这样运行提升的Shell:

subprocess.run(['schtasks.exe', "/run", "/tn", "Powershell_Elevata"])

或者像这样:

subprocess.run(["powershell.exe", "-Command", r'Start-Process schtasks.exe -ArgumentList "/run /tn Powershell_elevata"'])

但是,如果我尝试使用-c或-Command来管道admin_cmd,那么任何一种方法都会导致错误,因为schtasks.exe对New-NetFirewallRule一无所知。

那么,我该如何解决这个问题?如果可能的话,不需要创建新文件,只需使用Python代码。如果可能,提升的PowerShell应该以静默方式运行示例命令,而不会打开一个窗口。

英文:

I'm trying to execute dynamically some powershell commands that require admin priviledges in my python application.
But I'm facing problems to obtain the behaviour I want when stacking commands with subprocess.run<br>
So let's discuss the code:<br>
This is an example command that requires admin priviledges(elevated prompt) to be run:

import subprocess
admin_cmd = r&#39;New-NetFirewallRule -DisplayName &quot;Notepad block -Outbound-&quot; -Direction Outbound -Program &quot;C:\Windows\System32\notepad.exe&quot; -Action Block&#39;
subprocess.run([&quot;powershell.exe&quot;, &quot;-Command&quot;, admin_cmd])

This command will output an error:
New-NetFirewallRule : Accesso negato.
Passing a new command to a Powershell Elevated instance using schtasks.exe in python using subprocess.run
Obviously it runs without a problem in a elevated powershell.<br>
So as a solution I created a task to bypass UAC and run an elevated powershell without workflow interruption.<br>
I can run the elevated shell like this:<br>
subprocess.run([&#39;schtasks.exe&#39;, &quot;/run&quot;, &quot;/tn&quot;, &quot;Powershell_Elevata&quot;])
<br>Or like this:<br>
subprocess.run([&quot;powershell.exe&quot;, &quot;-Command&quot;, r&#39;Start-Process schtasks.exe -ArgumentList &quot;/run /tn Powershell_elevata&quot;&#39;])<br>
But if i try to pipe admin_cmd with -c or -Command, with any of those I will get an error
cause schtasks.exe knows nothing about New-NetFirewallRule.

So how do I fix the problem? Possibly without the need of creating new files, just python code.
And if possible the Elevated Powershell should run the example command silently without opening a window.

答案1

得分: 0

看起来你的意图是将PowerShell命令"ad hoc"传递给一个开放式计划任务,该任务运行一个交互式的、提升的PowerShell会话。

  • 定义这样的任务是一个安全风险,因为它实际上绕过了UAC。

  • 你不能在调用时将参数或数据传递给计划任务。

    • 任何参数必须作为计划任务本身的一部分,在操作定义中。

    • 虽然你可以假设在每次调用之前使用PowerShell的 Set-ScheduledTask cmdlet修改计划任务,以包括参数,但这样做需要提升权限/输入密码,如果任务配置为以提升权限运行,这对你来说没有意义。


如果你必须绕过UAC - 这总是一个安全问题 - 最好只为"选择的命令"绕过它,这意味着定义你的Powershell_Elevata任务(可能使用更具体的名称),并在任务的操作中将特定的New-NetFirewallRule调用"内嵌"。

如果你需要对New-NetFirewallRule命令进行临时参数化,你需要将动态值保存到一个文件中,并让计划任务中的PowerShell命令读取该文件。

英文:

It looks like your intent is to pass PowerShells command ad hoc to an open-ended scheduled task that runs an interactive, elevated PowerShell session.

  • Defining such a task is a security risk, as it effectively bypasses UAC.

  • You cannot pass arguments or pipe data to a scheduled task on invocation.

    • Any arguments have to be part of the scheduled task itself, as part of an action definition.

    • While you could hypothetically modify the scheduled task with the arguments at hand before every invocation, using PowerShell's Set-ScheduledTask cmdlet, for instance, doing so requires elevation / entering your password if the task is configured to run with elevation, which defeats the purpose for you.


If you have to bypass UAC at all - which is always a security concern - it is best to do it for select commands only, which would mean defining your Powershell_Elevata task (possibly under a more specific name) with the specific New-NetFirewallRule call "baked in", i.e. as part of the task's action.

If you need ad-hoc parameterization of the New-NetFirewallRule command, you'd have to save the dynamic values to a file and have the PowerShell command in the scheduled task read that file.

huangapple
  • 本文由 发表于 2023年5月25日 00:38:58
  • 转载请务必保留本文链接:https://go.coder-hub.com/76325736.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定