批处理脚本、Powershell 和不触发 Windows 中的 UAC
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/6176664/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Batch scripting, Powershell, and not triggering the UAC in Windows
提问by bourne
I am looking for away to run batch files in elevated mode (runas administrator) so that it doesn't trip the UAC to prompt for user interaction. We have some registry edits, among other things, that we do in our login scripts which trigger the UAC to prompt for each registry that is run.
我正在寻找以提升模式(runas 管理员)运行批处理文件,以便它不会触发 UAC 提示用户交互。我们在登录脚本中进行了一些注册表编辑,这些脚本会触发 UAC 提示运行的每个注册表。
I realize that this sort of defeats the purpose of the UAC, but it would be nice if there was some way of running batch files on machines that have UAC enabled.
我意识到这种违背了 UAC 的目的,但是如果有某种方法可以在启用了 UAC 的机器上运行批处理文件,那就太好了。
These batch files need to be able to run without any user interaction (they are mainly login scripts, and some administrative scripts). We are not using an Active Directory domain, so hopefully there is a solution for none AD domains.
这些批处理文件需要能够在没有任何用户交互的情况下运行(它们主要是登录脚本和一些管理脚本)。我们没有使用 Active Directory 域,因此希望有一个针对无 AD 域的解决方案。
The solutions that I have found so far are as follows:
到目前为止,我找到的解决方案如下:
Disable the UAC altogether - We normally do this, but we might be running into some situations where we cannot disable it.
Create a shortcut to the batch file we wish to run in elevated mode. Go to the properties of the shortcut > Shortcut tab > Advaned > Check off "Run as Administrator"
- This solution seems to work, however the initial running of the shortcut causes the UAC prompt to come up. All the commands run within the batch file do not cause the UAC prompt. Close to the solution, but it would be nice not to get any prompts.
完全禁用 UAC - 我们通常会这样做,但我们可能会遇到一些无法禁用它的情况。
创建我们希望以提升模式运行的批处理文件的快捷方式。转到快捷方式的属性 > 快捷方式选项卡 > 高级 > 勾选“以管理员身份运行”
- 此解决方案似乎有效,但是快捷方式的初始运行会导致出现 UAC 提示。在批处理文件中运行的所有命令都不会导致 UAC 提示。接近解决方案,但最好不要收到任何提示。
3. Running the batch file with the 'runas' command.
3. 使用“runas”命令运行批处理文件。
- I have tried this, however it still doesn't see to achieve the elevation to prevent the UAC from prompting.
- Also, using the echo 'password' | runas ..... method to provide the password doesn't seem to work right, so I am always having to type in the password.
- 我已经尝试过这个,但是它仍然没有看到提升以防止 UAC 提示。
- 另外,使用 echo 'password' | runas ..... 提供密码的方法似乎不起作用,所以我总是不得不输入密码。
The other thing that I was thinking, but I haven't really researched yet is, do powershell scripts run/work better in an environment where the UAC is enabled? Does Windows 'trust' certified powershell scripts and allow them to run unimpeded without triggering the UAC?
我在想但我还没有真正研究过的另一件事是,powershell 脚本在启用 UAC 的环境中运行/工作得更好吗?Windows 是否“信任”经过认证的 powershell 脚本并允许它们在不触发 UAC 的情况下不受阻碍地运行?
From what I have read, these is no way around the UAC other then disabling it. But I just wanted to see if anyone might be able to shed some additional light on this topic.
从我读到的内容来看,除了禁用 UAC 之外,这些都无法绕过 UAC。但我只是想看看是否有人能够对这个话题有更多的了解。
Thank you,
谢谢,
Cheers
干杯
采纳答案by Richard
Registry manipulation for which the current user has access will not itself trigger a UAC prompt.
当前用户有权访问的注册表操作本身不会触发 UAC 提示。
However using an application with a manifest that requires elevation if running as un-elevated administrator will prompt.
但是,如果以未提升的管理员身份运行,则使用具有需要提升的清单的应用程序会提示。
Are you trying to use regedit.exeto perform batch operation? If so replace with reg.exe(using cmd.exe) or, better, PowerShell's inbuilt registry support.
您是否尝试使用regedit.exe执行批处理操作?如果是这样,请替换为reg.exe(using cmd.exe) 或者更好的是 PowerShell 的内置注册表支持。
Eg.
例如。
get-itemproperties 'HKLM:\SOFTWARE\Classes\Folder'
will not require elevation (as that key is readable by everyone), but setting a property on that key will require an elevated PSH session.
不需要提升(因为每个人都可以读取该密钥),但是在该密钥上设置属性将需要提升 PSH 会话。
An alternative approach, if you are performing operations that require administrative access (need modify access to some object with ACL that limits modification to administrators). Or, something a non-administrator could never do UAC or not, without enter an administrator's account's credentials.
另一种方法,如果您正在执行需要管理访问权限的操作(需要修改对某些对象的访问权限,ACL 将修改限制为管理员)。或者,在没有输入管理员帐户凭据的情况下,非管理员永远无法执行 UAC 或不执行某些操作。
Consider using Task Scheduler: a trigger of on user logon but configured under a specific elevated administrator account.
考虑使用任务计划程序:触发用户登录但在特定提升的管理员帐户下配置。
Summary: really need to know at least one of the things you are doing that triggers UAC in detail.
总结:确实需要至少详细了解您正在做的一件会触发 UAC 的事情。
回答by fardjad
There is no official way to by-pass the UAC prompt for your application. There are a few ways to run a program as administratorif you have the account password (same as the runas approach).
没有官方方法可以绕过应用程序的 UAC 提示。有几种方法可以像administrator拥有帐户密码一样运行程序(与 runas 方法相同)。
you can use the following Power-Shellscript to start your program as administratorwithout asking the password:
您可以使用以下Power-Shell脚本启动程序,administrator无需询问密码:
You'll need to save the user password somewhere as a secure string:
您需要将用户密码作为安全字符串保存在某处:
$pass = Read-Host -AsSecureString
ConvertFrom-SecureString $pass | out-file pass.txt
Then you can run the file as administratorwith the stored password this way:
然后,您可以administrator使用存储的密码以这种方式运行文件:
$pass = import-SecureString (get-content pass.txt)
$startinfo = new-object System.Diagnostics.ProcessStartInfo
$startinfo.UserName = "administrator"
$startinfo.Password = $pass
$startinfo.FileName = "your batch script file name"
$startinfo.UseShellExecute = $true
[System.Diagnostics.Process]::Start($startinfo)
回答by Kate Gregory
Setting up a scheduled task that will run elevated needs one consent once when you set it up, and never again. Since you mention these are login scripts, a scheduled task that runs on login should meet your need perfectly.
设置将运行提升的计划任务需要在设置时获得一次同意,以后再也不要同意。由于您提到这些是登录脚本,因此在登录时运行的计划任务应该可以完美满足您的需求。
