Open Michael-s3it opened 4 years ago
When you install, you are letting the app run as a service under admin logins; if you don't install, it is an unprivileged app that runs under the normal user context, therefore UAC doesn't work.
I don't think this is something Ylainst can fix (I may be wrong) because the app runs under the current user context.
When you run the app directly and click connect, it is supposed to pop up a UAC prompt and ask for elevation. Accepting should cause the agent to run with privs, and denying will cause the agent to ignore it and run without privs.
Is this not working for you? If not, what OS version are you running?
This works locally; the user who starts the tool is only a user and does not know the administrator's login data. Therefore I asked if the rights of the tool can be increased at runtime. Unfortunately the tool does not transfer the secure desktop, so that I can enter the appropriate administrator data during the session. The user should have nothing to do with it.
I hope I made myself clear
We are trying to replace proprietary software with open source. Unfortunately, the possibility to get admin rights on a system maintained by us without a permanent installation on the guest system is a hurdle that does not work with MeshCommander. Unfortunately, the security concepts do not allow normal users to get admin rights. A permanent installation is unfortunately not possible.
Thanks
Ok, got it... This will take some time to experiment and test, as currently using the existing mechanism it is not possible because the secure desktop cannot be injected/scraped without admin rights. However, I think I can spawn another process with admin rights if the user (of the web interface) supplies admin credentials. I'll have to experiment, and then run it by @Ylianst to make sure that whatever mechanism I come up with is secure.
@krayon007 That would be fantastic if it worked. Many thanks for the support
@krayon007 Could you have a look at pcvisit. They check if the user has admin privileges.
- If yes: start UAC to get admin privileges.
- If no: ask the supporter to enter admin credentials, so that the remote session is executed with admin privileges (maybe with `runas /user:...`, runasspc or psexec).

From that point the supporter is able to control UAC requests.
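The flow described in this comment (check for admin membership, trigger UAC if the user is an admin, otherwise ask the supporter for admin credentials), written out as an added PowerShell example. This is not MeshCentral or MeshAgent code; the agent path in the usage line is hypothetical, and the function names are mine. It also carries the caveat that matters for this thread: a process started with supplied credentials gets the admin account's filtered token, not an elevated one.

```powershell
# Added example (not MeshCentral / MeshAgent code): pcvisit-style elevation flow.
# $Path is a hypothetical location of the temporary agent binary.

function Test-IsElevated {
    # $true only when the process holds a full administrator token. In a
    # UAC-filtered token the Administrators SID is marked "use for deny only",
    # so IsInRole() returns $false even for a member of the Administrators group.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-IsAdminMember {
    # whoami /groups lists deny-only groups too, so a filtered admin token still
    # shows S-1-5-32-544 (BUILTIN\Administrators) here while Test-IsElevated is $false.
    $sids = (whoami /groups /fo csv | ConvertFrom-Csv).SID
    return ($sids -contains 'S-1-5-32-544')
}

function Start-AgentWithAdminRights {
    param(
        [Parameter(Mandatory)][string]$Path,   # hypothetical agent executable
        [string[]]$ArgumentList
    )
    # Start-Process rejects an empty -ArgumentList, so only add it when present.
    $sp = @{ FilePath = $Path; PassThru = $true }
    if ($ArgumentList) { $sp.ArgumentList = $ArgumentList }

    if (Test-IsElevated) {
        # Already elevated (e.g. installed as a service): nothing to ask.
        return Start-Process @sp
    }

    if (Test-IsAdminMember) {
        # "If yes": admin with a filtered token. -Verb RunAs goes through
        # ShellExecute, so UAC raises its consent prompt and the user only has
        # to click Yes. With PromptOnSecureDesktop=1 that prompt is drawn on the
        # secure desktop and is invisible to an unprivileged screen capture.
        return Start-Process @sp -Verb RunAs
    }

    # "If no": plain user. The supporter, not the user, supplies admin credentials
    # in a dialog on the interactive desktop, which the remote session can see.
    $cred = Get-Credential -Message 'Administrator credentials for the remote session'
    # Equivalent to `runas /user:<admin>` with the password passed in code
    # (Start-Process -Credential uses CreateProcessWithLogonW). Caveat: the new
    # process gets the admin account's *filtered* token, so it still has to pass
    # a UAC prompt to become elevated, and that account has no interactive
    # desktop for the secure desktop to appear on. This is the dead end
    # described later in this thread.
    return Start-Process @sp -Credential $cred
}

# Usage (hypothetical path):
# $proc = Start-AgentWithAdminRights -Path 'C:\Temp\MeshAgent.exe'
# $proc.Id
```

`Test-IsAdminMember` deliberately does not use `WindowsIdentity.Groups`, because that collection omits deny-only groups and would report a filtered admin token as a plain user.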
@krayon007 Could you already think about a solution?
@krayon007 Any news? Would be very interesting for us.
I have tried several different tricks, but none of them worked. The closest I got, was using a pseudo console to execute the RunAs command while specifying a username and password. (Normally RunAs does not allow the password to be piped, which is why I had to use a pseudo console). However, when I did it in this fashion, I was able to spawn a process as a user in the administrator group, however the process was not elevated. In order to elevate, it would need to pop the UAC prompt. However, this user was not "logged" into the desktop, so the secure desktop would not display. I'm still trying to find a viable solution...
Thanks for the update. Hmm, I am wondering how pcvisit or TeamViewer can handle this. I know that if the client is not a member of an AD, the user has to confirm the UAC. If you use a Domain Admin, the UAC will not appear.
Hello @krayon007 , have you been able to find a solution yet?
@krayon007 I think i can help a little bit:
Other tools do the following: they create a task with runas and admin credentials, which starts a short while after creation. The task is in an XML file:
`<?xml version="1.0" encoding="UTF-16"?>`
One of the first tests I did was to use RunAs and Task, neither of which worked. However, I never tried to combine the two by using RunAs to create the Task... I'll try that... If this works though, it will only work on Windows 10 and newer, because RunAs normally doesn't allow piping passwords, so I had to use a pseudo console to do it, but pseudo consoles are only supported with Windows' ConPTY API, which is only available on the Windows 10 Oct '18 release and newer.
@krayon007 Thanks a lot we will further investigate if we can find the full command that the software is using.
@krayon007 Any news? We also did a capture with Process Monitor during the process. If you would like to have the file, please let me know.
Hello @krayon007,
have you already been able to find out something about this topic? We would like to test your program in production. Taking over administrator rights without installation is the last obstacle for us.
Hello @krayon007
could you see if the idea you mentioned would work? Even if it would only work from WIN10 Oct`18 release.
For our purposes that would be a real win. The problem is that I can't give the passwords to the user who needs support to enter them. At the same time the support does not allow permanent tools to be installed.
Thanks a lot @krayon007
I would also be very pleased with this feature if this would be possible with the temporary Client and the Assistant. We are trying to replace our current remote software tool (TeamViewer) and this is one of the most needed features. The mesh assistant is like e.g. TeamViewerQS and is working beautifully, just the lack of this UAC bypass/credential feature is a bit of a show stopper. Once this is working like the example TeamViewerQS, it will be even more awesome than it already is!
I am looking forward to hearing news regarding this! @krayon007 is this being worked on right now or left behind for some other important features/bugs? Thanks in advance.
OK, so I made some progress on this, but it is still not usable... I was able to use supplied credentials and spawn an elevated agent... I was able to get the UAC prompt to show as interactive, however I was NOT able to get the KVM process to inject input into the UAC prompt, unless the agent was running as LocalSystem.
Kinda kludgy, but one possible work around, is to use the provided credentials to be able to install the agent as a background service that auto-uninstalls when the interactive dialog box is closed or the user clicks disconnect?
Any progress on this? Coming from ScreenConnect where this feature was already implemented and worked very well. Maybe we can share some "hints" how they did it in ScreenConnect as our Installation is still running for this while we are migrating to MeshCentral.
Because screenconnect can handle multiple sessions, I think it collects ID/pass from user with the non-elevated application window. Then uses that data to fire a "run as" with provided credentials (like sysinternals psexec).
Yeah, this is described in a link in #3496 which I closed as duplicate....
@krayon007 Hello, first of all, thanks for such great software. Can you programmatically change the Windows Registry with administrator credentials? There is a branch there that is responsible for UAC; changes in it require administrator privileges, but apart from 'EnableLUA' they take effect immediately. They allow you to control many aspects of UAC behavior, maybe this will allow you to run MC Assistant as an administrator? Below is the link to the MS documentation: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/user-account-control/settings-and-configuration?tabs=reg#user-account-control-configuration
Regards, G.
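An added PowerShell example (not MeshCentral or MeshAgent code) that reads the UAC values under the registry branch this comment refers to, as documented on the linked Microsoft page, and reports whether an elevation prompt will land on the secure desktop, where a non-elevated agent cannot see it. The defaults used for missing values are the ones from that page; the function names are mine. The setter shows the catch: writing under that key already needs an elevated token.

```powershell
# Added example (not MeshCentral / MeshAgent code): inspect and adjust the
# UAC prompt policy values under HKLM\...\Policies\System.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPromptPolicy {
    $p = Get-ItemProperty -Path $UacKey
    # A missing value means "Windows default" (documented defaults from the MS page).
    $enableLua  = if ($null -ne $p.EnableLUA)                  { $p.EnableLUA }                  else { 1 }
    $adminMode  = if ($null -ne $p.ConsentPromptBehaviorAdmin) { $p.ConsentPromptBehaviorAdmin } else { 5 }
    $userMode   = if ($null -ne $p.ConsentPromptBehaviorUser)  { $p.ConsentPromptBehaviorUser }  else { 3 }
    $secureDesk = if ($null -ne $p.PromptOnSecureDesktop)      { $p.PromptOnSecureDesktop }      else { 1 }

    [pscustomobject]@{
        UacEnabled             = ($enableLua -eq 1)
        # ConsentPromptBehaviorAdmin: 0 = elevate silently, 1/3 = ask for
        # credentials, 2/4 = ask for consent, 5 = consent for non-Windows binaries.
        AdminPromptMode        = $adminMode
        # ConsentPromptBehaviorUser: 0 = deny automatically, 1/3 = ask for credentials.
        StandardUserCanElevate = ($enableLua -eq 1) -and ($userMode -ne 0)
        # 1 = prompts switch to the secure desktop (unreachable for a non-elevated
        # screen scraper), 0 = prompts stay on the interactive desktop.
        PromptOnSecureDesktop  = ($enableLua -eq 1) -and ($secureDesk -eq 1)
    }
}

function Set-UacPromptOnSecureDesktop {
    param([Parameter(Mandatory)][bool]$Enabled)
    # Takes effect for the next elevation without a reboot (unlike EnableLUA),
    # but writing under this key needs an elevated token: from a filtered admin
    # token or a standard user, Set-ItemProperty fails with access denied. So
    # this can keep an already-elevated session usable; it cannot bootstrap one.
    # Disabling it also drops the protection the secure desktop gives the prompt
    # against being spoofed or driven by other processes on the user's desktop.
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop -Value ([int]$Enabled) -Type DWord
}

# Usage:
# Get-UacPromptPolicy
# Set-UacPromptOnSecureDesktop -Enabled $false   # only works from an elevated PowerShell
```

The first function needs no privileges and is what a temporary client could run up front to tell the supporter whether the UAC prompt will be visible in the session; the second is only useful once a session is already elevated, which is exactly the state the thread is trying to reach.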
Not sure if it helps, but install the meshagent.
Go into the Console tab of a device and you can run `uac`.
This gets the UAC setting for PromptOnSecureDesktop:

```
> uac
Proper usage: uac [get|interactive|secure]
> uac get
UAC mode: Secure Desktop
```
Thanks for the tip, I'll check it out.
G.
Hello, we are testing your great tool to provide remote support to our users. Because we don't like to have a permanent installation of the client on our computers it would be important to have administrator rights in case of emergency even without the installation.
When using the client without installation, is it possible to obtain administrator rights on the connected computer via UAC? The secure desktop does not transfer the input fields for the login.
When using the client with installation this was possible without any problems. Have we missed something?
At TeamViewer there is an article that describes my problem together with a solution: TeamViewer Knowledge Base
Does the tool also have this capability?