
How to make Windows' runas.exe take password from credential manager with no prompt?


I am trying to create a shortcut that would take credentials from the credential manager, like so:

cd C:\code\Kodex-1.4.3\EPD_Prerequisite\Anaconda2\
$line1 = "cd C:\Code\EPMD\Kodex-1.4.4\Applications\Bin\EpmdTaskManager"
$line2 = "start EpmdTaskManagerGui.exe hide"
$line1 | out-file auto1.bat -Encoding Ascii
$line2 | Out-File -append auto1.bat -Encoding Ascii
$WshShell = New-Object -comObject WScript.Shell
$Shortcut = $WshShell.CreateShortcut("C:\Users\matanv.HOBART\Desktop\Kodex 1.4.4.lnk")

$Shortcut.TargetPath = """C:\WINDOWS\system32\runas.exe"""
$argA = "/user:%computername%\Admin /savecred"

$argB = """C:\code\Kodex-1.4.3\EPD_Prerequisite\Anaconda2\auto.bat"""
$Shortcut.Arguments = $argA + " " + $argB
$Shortcut.Save() 

This works fine, with one problem: The first time I run the script, I get prompted for password.

I want to never get prompted for password, and to store it in the credential manager using some (maybe other) script.

How can it be done?

Thanks


Solution

  • Moving from comment to here for OP

    Here's the thing to keep in mind with this savecred thing. It's really dangerous, depending on where you are using it. Once you do it, like you've noted, all you have to do is pass the account name and never get prompted, which means anyone with even the simplest of skills could walk up to and take over this machine. Even if you delete the shortcut that started it, those creds are always live, and one can create any shortcut, set the properties, and they are off to the races.

    Hence, though savecred is really convenient, it should be limited to only machines in absolute control of the person using it. For Example.

    Anyway, you can get creds into CredMan without using RunAs /SaveCred, yes, even with PowerShell. There are many scripts online to show you how, even ones directly from the TechNet PowerShell Gallery and the MS powershellgallery.com.

    How to add credentials to the Windows Vault (PowerShell)

    This PowerShell script shows how to add credentials for specific users.

    Download : addwindowsCredential.zip

    CredentialManager 2.0

    From powershellgallery.com, via your PowerShell session.

    Find-Module -Name '*credentialmanager*' | Format-Table -AutoSize
    
    Version Name                          Repository Description                                                                        
    ------- ----                          ---------- -----------                                                                        
    2.0     CredentialManager             PSGallery  Provides access to credentials in the Windows Credential Manager                   
    1.1.1.0 IntelliTect.CredentialManager PSGallery  Provides an easy-to-use interface to the Windows Credential Manager via PowerShell.
    1.0.9   pscredentialmanager           PSGallery  This module allows management and automation of Windows cached credentials.        
    1.0.0.0 BAMCIS.CredentialManager      PSGallery  Provides a PowerShell wrapper around the Windows Credential Manager Win32 APIs. 
    

    See also:

    Manipulate credentials in the Windows 8/2012 PasswordVault using Powershell

    This module demonstrates how to use the new Windows 8/2012 PasswordVault API from Powershell.

    Download : PasswordVault.psm1

    You can also do this with the built-in cmdkey.exe

    Creates, lists, and deletes stored user names and passwords or credentials.

    But you would need to run in the user context to do this, and that is what MS SysInternals PSExec can provide. Just create a ScheduledTask for RunOnce / at startup to fire off the command to do this.

    OK, I digress. So, all-in-all, there are a few ways to set up Kiosk Mode on Windows, and MS has documented Kiosk mode for some time now.

    (You don't say what OS you are targeting - as similar articles exist for them).

    For Win 10 it is here:

    Set up a single-app kiosk

    The above provides direct instructions how to set this mode up in PowerShell, snippet of those steps below, but be sure to read the entire document.

    Set up a kiosk using Windows PowerShell

    App type: UWP
    OS edition: Windows 10 Pro, Ent, Edu
    Account type: Local standard user

    You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices. Before you run the cmdlet:

    1. Log in as administrator.
    2. Create the user account for Assigned Access.
    3. Log in as the Assigned Access user account.
    4. Install the Universal Windows app that follows the assigned access/above the lock guidelines.
    5. Log out as the Assigned Access user account.
    6. Log in as administrator.

    To open PowerShell on Windows 10, search for PowerShell and find Windows PowerShell Desktop app in the results. Run PowerShell as administrator.

    # Configure assigned access by AppUserModelID and user name
    Set-AssignedAccess -AppUserModelId <AUMID> -UserName <username>
    
    # Configure assigned access by AppUserModelID and user SID
    Set-AssignedAccess -AppUserModelId <AUMID> -UserSID <usersid>
    
    # Configure assigned access by app name and user name
    Set-AssignedAccess -AppName <CustomApp> -UserName <username>
    
    # Configure assigned access by app name and user SID
    Set-AssignedAccess -AppName <CustomApp> -UserSID <usersid>
    

    Note: To set up assigned access using -AppName, the user account that you specify for assigned access must have logged on at least once. Learn how to get the AUMID. Learn how to get the AppName (see Parameters).
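
The answer's warning is that a credential saved by runas /savecred stays usable after the shortcut is deleted. The following added example (not part of the original answer) parses the output of the built-in cmdkey.exe to find such entries so they can be reviewed and removed. It assumes English-language cmdkey output and that runas /savecred entries appear with a target beginning "Domain:interactive="; the function names and the sample listing are constructed for illustration.

```powershell
# Added example: audit Credential Manager for entries left by "runas /savecred".
# Assumptions: English "cmdkey /list" labels (Target/Type/User) and the
# "Domain:interactive=" target prefix for credentials saved by runas.

function Get-StoredCredential {
    # Turn "cmdkey /list" text into objects with Target, Type and User.
    param([string[]]$CmdKeyOutput)
    $entry = $null
    foreach ($line in $CmdKeyOutput) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            if ($entry) { [pscustomobject]$entry }   # emit the previous entry
            $entry = [ordered]@{ Target = $Matches[1]; Type = $null; User = $null }
        }
        elseif ($entry -and $line -match '^\s*(Type|User):\s*(.+?)\s*$') {
            $entry[$Matches[1]] = $Matches[2]
        }
    }
    if ($entry) { [pscustomobject]$entry }           # emit the last entry
}

function Find-RunAsSavedCredential {
    # Keep only the entries that runas /savecred can reuse without a prompt.
    param([string[]]$CmdKeyOutput)
    Get-StoredCredential -CmdKeyOutput $CmdKeyOutput |
        Where-Object { $_.Target -like 'Domain:interactive=*' }
}

# Constructed sample of "cmdkey /list" output (not taken from a real machine).
$sample = @'
Currently stored credentials:

    Target: Domain:interactive=PC01\Admin
    Type: Domain Password
    User: PC01\Admin

    Target: LegacyGeneric:target=git:https://example.invalid
    Type: Generic
    User: builduser
'@ -split "`r?`n"

Find-RunAsSavedCredential -CmdKeyOutput $sample | Format-Table -AutoSize

# On a live machine, run in the context of the user being audited:
#   $found = Find-RunAsSavedCredential -CmdKeyOutput (cmdkey /list)
#   $found | Format-Table -AutoSize      # review before removing anything
#   foreach ($c in $found) { cmdkey "/delete:$($c.Target)" }
```

Credential Manager is per user, so the audit only sees the entries of the account it runs under.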