get-cred then use cred works in ISE, not in Powershell Studio

mspritke
Posts: 5
Joined: Wed Nov 26, 2014 1:49 pm

get-cred then use cred works in ISE, not in Powershell Studio

Post by mspritke »

I suspect I'm missing something simple. The idea here is to ask for elevated credentials ONCE on loading the form and then users are able to launch various tools; run some custom scripts, etc.
In my globals.ps1 (I also tried in form_load) I request and store a user's elevated password using $global:elevcred = Get-Credential
In my form I have created several buttons I'd like to launch various apps using the stored elevated credential. One example:
    $buttonADUC_Click = {
        Start-Process powershell.exe -Credential $global:ElevCred -argumentList "-command Start-Process C:\Windows\System32\dsa.msc -verb runas"
    }
This exact syntax works in ISE, but fails in Studio with the following error: "start-process : This command cannot be run due to the error: The directory name is invalid."
I've tried providing the full path to the powershell.exe, no change.
I've tried various things like just calling the command, but then you cannot pass the elevated cred and the runas at the same time.
I've tried shortening to: start-process powershell.exe -credential $global:elevcred but that fails as well in Studio.
I've tried providing the credentials both with and without the domain (domain\username vs. username); but if I do not specify the domain I get a bad username/password.

I've searched the forums for launching elevated apps/command prompts etc. But I've only found people storing known credentials using a secure string text file; I don't want all users to be using the same or stored elevated credentials; I want them to use their own credentials but only have to provide it once on load.

As an aside, I can run (without the credential):
    $buttonADUC_Click = {
        Start-Process powershell.exe -argumentList "-command Start-Process C:\Windows\System32\dsa.msc -verb runas"
    }
with no error; however this prompts for credentials for each button. The idea here is to not need to provide credentials 800 times.

jvierra
Posts: 14452
Joined: Tue May 22, 2007 9:57 am

Re: get-cred then use cred works in ISE, not in Powershell Studio

Post by jvierra »

You cannot elevate a currently running process. You must request elevation when executing the process.

Adding "RunAs" does not work except for admin accounts. Only an Admin account can request elevation.

mspritke
Posts: 5
Joined: Wed Nov 26, 2014 1:49 pm

Re: get-cred then use cred works in ISE, not in Powershell Studio

Post by mspritke »

That is why I call a powershell.exe as the elevated admin credential I stored in the variable. I'm not trying to elevate the current process, but start a new one.

The exact same code works in ISE. What is different about ISE and Studio to cause this disconnect? In ISE I can store credentials, call another powershell.exe with elevated credentials and then call the command for ADUC with Runas and it launches perfectly. If it works there, I should be able to make it work via event.

mspritke
Posts: 5
Joined: Wed Nov 26, 2014 1:49 pm

Re: get-cred then use cred works in ISE, not in Powershell Studio

Post by mspritke »

I found the answer. Adding the -workingdirectory parameter fixes the problem.
I'm not allowed to link to the answer but stackoverflow had it.
stackoverflow -dot- com -slash- questions -slash- 7319658 -slash- start-process-raises-an-error-when-providing-credentials-possible-bug
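
The fix described in this post, as an added example that is not part of the original thread: the stored credential is reused for each button, and the intermediate powershell.exe is started with an explicit -WorkingDirectory. Start-ToolElevated is a hypothetical helper name, and using System32 as a directory the other account can read is an assumption.

```powershell
# Added example. Start-ToolElevated is a hypothetical helper name.
function Start-ToolElevated {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [string] $Path,
        # Assumption: System32 is readable by the account in $Credential.
        [string] $WorkingDirectory = (Join-Path $env:SystemRoot 'System32')
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Target not found: $Path"
    }
    if (-not (Test-Path -LiteralPath $WorkingDirectory -PathType Container)) {
        throw "Working directory not found: $WorkingDirectory"
    }

    # Command for the intermediate powershell.exe, as in the original post.
    # Single quotes in the path are doubled so it stays one quoted string.
    $inner = "Start-Process -FilePath '{0}' -Verb RunAs" -f $Path.Replace("'", "''")

    $launch = @{
        FilePath         = 'powershell.exe'
        Credential       = $Credential
        # Without this the child starts in the caller's current directory.
        WorkingDirectory = $WorkingDirectory
        ArgumentList     = @('-NoProfile', '-Command', $inner)
        ErrorAction      = 'Stop'
    }
    try {
        Start-Process @launch
    }
    catch {
        # Report the account name only; never write the password anywhere.
        Write-Warning "Launch as $($Credential.UserName) failed: $($_.Exception.Message)"
    }
}

# Prompt once at load, as in the post's globals.ps1.
$global:ElevCred = Get-Credential

$buttonADUC_Click = {
    Start-ToolElevated -Credential $global:ElevCred -Path 'C:\Windows\System32\dsa.msc'
}
```

The credential stays in memory as a PSCredential for the life of the form and is not written to disk, which matches the post's goal of prompting once without storing it.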

jvierra
Posts: 14452
Joined: Tue May 22, 2007 9:57 am

Re: get-cred then use cred works in ISE, not in Powershell Studio

Post by jvierra »

Doesn't make any sense. To elevate you must be logged in as an admin. A subprocess will not get you around that.

To start a new process as elevated just use "-Verb RunAs".

Unfortunately you cannot do this by cascading processes.

jvierra
Posts: 14452
Joined: Tue May 22, 2007 9:57 am

Re: get-cred then use cred works in ISE, not in Powershell Studio

Post by jvierra »

Here is one method that will elevate a new process with different credentials:

    Start-Process powershell -arg {start-process notepad.exe  -verb runas } -Credential $cred

It only works with admin credentials.

jvierra
Posts: 14452
Joined: Tue May 22, 2007 9:57 am

Re: get-cred then use cred works in ISE, not in Powershell Studio

Post by jvierra »

No idea what you mean by PowerShell Studio. PSS is just an editor and executes code in PowerShell just like ISE.

What you are saying is that the error is telling you that you need the directory specified for the command.

This does not happen in any version of PSS that I have, but PSS does not execute code where you may think it does. It executes in the folder where your PS1/PSF file is located.

Anayazius
Posts: 6
Joined: Tue Jun 23, 2020 5:04 am

Re: get-cred then use cred works in ISE, not in Powershell Studio

Post by Anayazius »

mspritke wrote:
Tue Jun 16, 2020 9:47 am
I suspect I'm missing something simple. The idea here is to ask for elevated credentials ONCE on loading the form and then users are able to launch various tools; run some custom scripts, etc.
In my globals.ps1 (I also tried in form_load) I request and store a user's elevated password using $global:elevcred = Get-Credential
In my form I have created several buttons I'd like to launch various apps using the stored elevated credential. One example:
    $buttonADUC_Click = {
        Start-Process powershell.exe -Credential $global:ElevCred -argumentList "-command Start-Process C:\Windows\System32\dsa.msc -verb runas"
    }
This exact syntax works in ISE, but fails in Studio with the following error: "start-process : This command cannot be run due to the error: The directory name is invalid."
I've tried providing the full path to the powershell.exe, no change.
I've tried various things like just calling the command, but then you cannot pass the elevated cred and the runas at the same time.
I've tried shortening to: start-process powershell.exe -credential $global:elevcred but that fails as well in Studio.
I've tried providing the credentials both with and without the domain (domain\username vs. username); but if I do not specify the domain I get a bad username/password.

I've searched the forums for launching elevated apps/command prompts etc. But I've only found people storing known credentials using a secure string text file; I don't want all users to be using the same or stored elevated credentials; I want them to use their own credentials but only have to provide it once on load.

As an aside, I can run (without the credential):
    $buttonADUC_Click = {
        Start-Process powershell.exe -argumentList "-command Start-Process C:\Windows\System32\dsa.msc -verb runas"
    }
with no error; however this prompts for credentials for each button. The idea here is to not need to provide credentials 800 times.
this is very useful, thank you!
