Edit Hosts File at Login

Started by officevision, January 23, 2019, 09:48:59 AM


officevision

Hello,

I am trying to edit the hosts file at login to add a single line to the file. My problem is that I require elevated privileges to edit the file as local administrators are the only users with permission to change / edit this file. I have tried having a small program executed as part of the logon process that calls another program using RunWithLogon but cannot get past error 1932 which talks about the Elevated Privilege requirement. I have also tried ShellExecute as mentioned in the error message but am not sure I understand the concept or how to make it work as an elevated task.

Any help would be appreciated.

Fred

td

Too many unknowns.  You need to indicate which method of starting a script at login you are using since there are several and they can cause your script to run in different security contexts and indicate whether or not the user has the ability to interact with a script's UI.  You also need to indicate which versions of Windows and WinBatch you are using. 

It would also be wise to get a better grasp of scripting in a UAC environment.   The Tech Database and the Consolidated WIL Help file have a good deal of information on the subject.
"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade

officevision

Thank you for the response. Let me see if I can answer your questions. The systems are running Windows 10 1803. WinBatch is 2018B. The script is called from a program that runs as the logon script defined in Active Directory in the user's profile. That program reads a text file that can be used to "instruct" the logon program to run other programs. I was originally trying call a third program and use the RunWithLogon function to edit the hosts file. That fails with an indication that the program requires elevated privilege which it must not have.

td

That is a bit convoluted.  You certainly can't use RunWithLogon to elevate or escalate privileges. You can escalate a process by using a combination of RunWithLogon and ShellExecute.  Basically, RunWithLogon switches the process to a restricted Admin and ShellExecute then elevates the Admin process.  The problem is that it would require user consent or even an admin password depending on how UAC is configured on the system.  There are examples of using RunWithLogon and ShellExecute together in the Tech Database, as well as other information about UAC:

http://techsupt.winbatch.com/webcgi/webbatch.exe?techsupt/nftechsupt.web+WinBatch/UAC+RunWithLogon~and~UAC.txt

Generally, MSFT recommends using group policy preferences to create a scheduled task that runs at login and is configured with the desired credentials so you may wish to consider that approach.     

Are you referring to the hosts file in "C:\Windows\System32\drivers\etc"?  If so, WinBatch is more than capable of editing that hosts file directly.  The system account has edit privileges to that file by default so you could possibly just use the system account to edit the file via a scheduled task. 

"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade

officevision

I'm beginning to get it. Yes - I will be editing the hosts file at the location you mention. I don't have a problem if users are presented with the UAC confirmation prompt. I just don't want them to have to enter administrator credentials that they would not know. I know you mention using the Schdtask route but I'm not sure how that is different. Wouldn't that also require elevated privileges to create the scheduled task? I'll spend some time looking at the articles for running with UAC and the scheduled task. Thank you for your help so far.

td

The default UAC setting for Windows 10 is to require admin consent but not credentials, so the Bootstrapper script would not require the user to use admin credentials.   However, there is no guarantee that Windows 10 systems will retain the default UAC settings.  This is particularly true in a corporate environment.

A scheduled task can be configured with admin credentials and elevated privileges.  It can also be configured to run as "system".  Configured either of these ways, the task should run without a prompt.  The task will need to run without needing to interact with the desktop in any way if you use the "system" account.
"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade
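
An added example, not code from this thread or from WinBatch, of the scheduled-task approach td describes: a PowerShell script that idempotently appends one entry to the hosts file in C:\Windows\System32\drivers\etc, and, when run once with `-RegisterTask` from an elevated prompt, registers itself as a logon-triggered task running as SYSTEM so that it needs neither a UAC prompt nor stored credentials. The same task could be pushed by group policy preferences instead of `Register-ScheduledTask`. The IP address and host name are constructed placeholders; the task name `AddHostsEntry` is an assumption.

```powershell
# Added example (not from the thread): add a single hosts entry at logon without UAC.
# Run once, elevated:   .\Add-HostsEntry.ps1 -RegisterTask
# Thereafter the task runs this script as SYSTEM at every logon.
[CmdletBinding()]
param(
    [string]$IPAddress = '10.0.0.5',                  # constructed placeholder
    [string]$HostName  = 'intranet.example.local',    # constructed placeholder
    [string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts",
    [switch]$RegisterTask
)

function Add-HostsEntry {
    param([string]$IPAddress, [string]$HostName, [string]$HostsPath)

    # Validate input before touching a system file: the task runs as SYSTEM,
    # so anything written here is written with full privileges.
    if (-not [System.Net.IPAddress]::TryParse($IPAddress, [ref]$null)) {
        throw "Invalid IP address: $IPAddress"
    }
    if ($HostName -notmatch '^[A-Za-z0-9.-]+$') {
        throw "Invalid host name: $HostName"
    }

    $lines = Get-Content -Path $HostsPath -ErrorAction Stop

    # Idempotence: a non-comment line that already maps this host name means nothing to do,
    # so repeated logons never pile up duplicate entries.
    $pattern = '^\s*[0-9A-Fa-f:.]+\s+(.*\s)?' + [regex]::Escape($HostName) + '(\s|$)'
    $existing = $lines | Where-Object { $_ -notmatch '^\s*#' -and $_ -match $pattern }
    if ($existing) {
        Write-Verbose "Entry for $HostName already present: $existing"
        return $false
    }

    # Append only the one line; leave every existing line untouched.
    # The hosts file is plain ANSI text, so write ASCII rather than PowerShell's default encoding.
    Add-Content -Path $HostsPath -Value "$IPAddress`t$HostName" -Encoding ASCII
    Write-Verbose "Added $IPAddress $HostName to $HostsPath"
    return $true
}

function Register-HostsEntryTask {
    param([string]$ScriptPath)

    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger = New-ScheduledTaskTrigger -AtLogOn

    # LocalSystem already has write access to the hosts file, so no UAC prompt,
    # no stored password, and no desktop interaction is needed.
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
        -LogonType ServiceAccount -RunLevel Highest

    Register-ScheduledTask -TaskName 'AddHostsEntry' -Action $action -Trigger $trigger `
        -Principal $principal -Description 'Adds a single hosts entry at logon' -Force
}

if ($RegisterTask) {
    # $PSCommandPath is this script's own full path.
    Register-HostsEntryTask -ScriptPath $PSCommandPath
}
else {
    Add-HostsEntry -IPAddress $IPAddress -HostName $HostName -HostsPath $HostsPath | Out-Null
}
```

Because the task executes whatever is at `$PSCommandPath` as SYSTEM, the script must live in a directory that only administrators can write to (for example a subfolder of `C:\ProgramData` with a restricted ACL); a user-writable script path would turn the task into a way for any local user to run code as SYSTEM. The validation and idempotence checks in `Add-HostsEntry` matter for the same reason: the entry is written with full privileges at every logon, so it should be exactly one well-formed line and nothing else.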

officevision

TD - Thank you again. I was able to modify the UAC code sample and get it to work for my needs, albeit with the UAC prompt which is fine for this project. I will look at task scheduling for future projects.

Thank you all for your help.

Fred