Access Files Using Elevated Permissions

For certain processes our Information Security team has requested the use of elevated credentials when accessing certain directories. I can’t find an obvious way to do this. I would retrieve elevated credentials from Orchestrator using a “Get Credential” activity.

I just need to get the following activities to work on a directory which required elevated credentials to access:

  • “Move File” (either To or From)
  • “Copy File” (either To or From)
  • “Path Exists”
  • “Delete”
  • Directory.GetFiles command

I don’t know PowerShell, but I am wondering if that might be the way to do it? Any input on that or other ideas would be appreciated. Thanks!

The biggest issue is going to be the UAC :frowning: (!!) The UAC keeps us safe from nefarious folks and their unscrupulous codes :slight_smile:

Basically - yes you can ask powershell to run something using a different account, but the UAC window is going to pop up asking for credentials and the robot will not be able to interact with that.

It is possible to disable UAC, please do not ask the security team to do that :wink:

If you are able to experiment with the robot running under the elevated account to perform that specific operation you might get your AHAH! moment, but there is definitely going to be some tinkering to confirm that it works for your stack.

@cursive AHAH! I am testing something now- might have some goodies for you in 30
This might not be the most efficient way of doing this but it sure seems effective :slight_smile:

I used the Start Process Activity
I’m starting powershell, but then I’m telling powershell to open powershell as a different user (-credential)

Then we get this lovely prompt (we can interact with it! (¡Yas!))

And then we pass our even more lovely secure string that you grabbed from the orchestrator

Bam! you have powershell running as a different account

Secondary Logon (Sc.exe) Disabled
Access is denied
If secondary logon is disabled you will get this error message

@cursive I was able to start powershell as a different user and copy a file using the Start Process activity and the below argument:

"start-process powershell.exe -credential domain\username -ArgumentList " + """copy-item""" + " , " + """C:\TopSecretDocs\HappyCincoDeMayo.gif""" + " , " + """-destination""" + " , " + """H:\SharedDocs\HappyCincoDeMayo.gif"""

there are many many quotes to mind, might work on a prettier version

Thank you for taking the time! This has been very helpful and will probably be the technique that I use. I will do some experimenting on my end and follow up if I have more questions. I really appreciate it!

Doh! I got the secondary logon is disabled error. I will reach out to the InfoSec team and see if we can enable this, but it looks promising.

Noicee you got this!

As for formatting, I don’t see why you have all the + signs when you can create a single string. Also, I’ve found that PowerShell allows use of ' in place of " in most cases, so with those 2 things in mind I came up with:

String.Format("start-process powershell.exe -credential '{0}' -ArgumentList 'copy-item' , '{1}' , '-destination' , '{2}'", userName, sourceFilePath, destinationFilePath)

where userName, sourceFilePath, and destinationFilePath are string variables.

The only outstanding issue I’ve run into is that on the VM the bot runs from the file path <C:\Users\*BotName*\.nuget\packages\*ProcessName*\*ProcessVersion*\lib\net45>, which is where PowerShell tries to default, and the elevated account lacks access. I am looking into working with a systems administrator to simply change the PowerShell default directory. Once that’s settled it should just flow.

Anyway, thanks again, this was really helpful!

Your way is much easier on the eyes, gonna use that going forward :slight_smile:
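
The approach worked out in this thread, written as a PowerShell function (an added example, not code posted by any participant): it checks the Secondary Logon service first, passes the credential as an object, and sets -WorkingDirectory to a folder the alternate account can read. `Copy-FileAs` and its parameter names are hypothetical, and using `$env:SystemRoot` as the working directory is an assumption.

```powershell
# Added example; the function and parameter names are hypothetical.
function Copy-FileAs {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [string] $Source,
        [Parameter(Mandatory)] [string] $Destination,
        # Assumption: a directory the alternate account is allowed to read.
        [string] $WorkingDirectory = $env:SystemRoot
    )

    # Start-Process -Credential depends on the Secondary Logon service;
    # when it is not running the call fails with "Access is denied".
    $svc = Get-Service -Name seclogon -ErrorAction Stop
    if ($svc.Status -ne 'Running') {
        throw "Secondary Logon (seclogon) is $($svc.Status); ask for it to be enabled."
    }

    # The child command uses single-quoted literals, so double any embedded '.
    $src = $Source.Replace("'", "''")
    $dst = $Destination.Replace("'", "''")
    $cmd = "try {{ Copy-Item -LiteralPath '{0}' -Destination '{1}' -ErrorAction Stop; exit 0 }} catch {{ exit 1 }}" -f $src, $dst

    # -WorkingDirectory keeps the child out of the robot's package folder,
    # which the alternate account cannot open.
    $proc = Start-Process -FilePath 'powershell.exe' -Credential $Credential `
        -WorkingDirectory $WorkingDirectory -Wait -PassThru `
        -ArgumentList '-NoProfile', '-NonInteractive', '-Command', ('"{0}"' -f $cmd)

    # Surface a failed copy to the caller instead of failing silently.
    if ($proc.ExitCode -ne 0) {
        throw "Copy as $($Credential.UserName) failed (exit code $($proc.ExitCode))."
    }
}

# Usage with the paths from the thread. $userName and $securePassword stand for
# the String and SecureString outputs of "Get Credential" (assumed variable names).
# $cred = New-Object System.Management.Automation.PSCredential($userName, $securePassword)
# Copy-FileAs -Credential $cred -Source 'C:\TopSecretDocs\HappyCincoDeMayo.gif' `
#     -Destination 'H:\SharedDocs\HappyCincoDeMayo.gif'
```

Mapped drive letters such as H: belong to a logon session, so the process started under the other account may not see them; a UNC path for the share is more reliable.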