batch copy to "program files" (Win7/8)

  • batch copy to "program files" (Win7/8)

    I've got a little problem when I try to copy files with the use of a batch file to Win7/8 workstations...

    When I lower the UAC on Win7 workstations no problems any more, BUT when I do this on a Win8 workstation I get troubles with its apps, so that's no solution...

    This is what I've got / am trying to do:
    Code:
    @ECHO OFF
    SETLOCAL ENABLEEXTENSIONS
    REM SETLOCAL ENABLEDELAYEDEXPANSION
    
    
    :OS_Check
    IF EXIST "%ProgramFiles(x86)%" (GOTO x64) ELSE IF EXIST "%ProgramFiles%" (GOTO x86) ELSE GOTO ERROR
    GOTO EXIT
    
    
    :x64
    Reg.exe IMPORT "\\dc01.lksvdd.local\netlogon\Fix\Foxit_settings\Foxit6_language.reg" > NUL 2>&1
    Start "TIM_Foxit6-Language" /D"%WinDir%\system32\" /MIN /B xcopy.exe "\\dc01.lksvdd.local\netlogon\Fix\Foxit_settings\DUTCH\*.*" "%ProgramFiles(x86)%\Foxit Software\Foxit Reader\" /s /e /c /Q /h /r /y >NUL 2>&1
    GOTO EXIT
    
    :x86
    Reg.exe IMPORT "\\dc01.lksvdd.local\netlogon\Fix\Foxit_settings\Foxit6_language.reg" > NUL 2>&1
    Start "TIM_Foxit6-Language" /D"%WinDir%\system32\" /MIN /SEPARATE /B xcopy.exe "\\dc01.lksvdd.local\netlogon\Fix\Foxit_settings\DUTCH\*.*" "%ProgramFiles%\Foxit Software\Foxit Reader\" /s /e /c /Q /h /r /y >NUL 2>&1
    GOTO EXIT
    
    
    :EXIT
    echo.
    ECHO %DATE% %TIME%: Foxit Reader 6.x Custom DUTCH Language Update... > "%systemroot%\LOGS\LKSVDD\Tim\Foxit6_Language-4-%UserName%.txt" 2>&1
    echo.
    PAUSE
    GOTO:EOF
    
    
    :ERROR
    CLS
    echo.
    echo.
    ECHO ERROR:
    ECHO No "Program Files (x86)" and/or No "Program Files" path found?
    echo.
    PAUSE
    GOTO:EOF
    When I run this (or my logon GPO) I get the famous "access denied" result when the batch file is trying to copy to the Program Files directory.

    I tried to search and find this question but couldn't find a working solution, hopefully I didn't overlook it?

    With kind regards, Tim

  • #2
    Re: batch copy to "program files" (Win7/

    Logon scripts will run with an administrative user’s full token (elevated). Therefore when UAC is enabled, there is a difference between manually running the script and having the script executed during his/her logon process when the user is a member of the administrators group.


    Not a clear answer, but here are a few things you can play with,
    • In a batch that requires to run elevated it seems the START command sometimes gives problems (not sure I can explain that, it just seems that it did help me on a few occasions. The issue with cmd.exe is that it does not silently elevate (regedit.exe doesn't do that either). The START command fires the executable in a separate command environment).
      The batch sample below does not use START commands.
      -or-
      Convert the script to pure VBS or powershell.

    • Check if the user (who is member of the domain admins group) is allowed to access the shared folder from his computer without any warning popups, also try this when it is using his FULL token to access the share.

    • Don't use the slider to configure UAC, with a GPO you have more granular controls to set the UAC behavior (i.e. Administrator Approval Mode => Enable: Elevate without prompting, which is not the same as Disable: run all admins in Admin Approval Mode (= disabling UAC))

    • Do not run the script as logon script => try running it as startup script or configure it to run by a scheduled task (GPP) "at logon" "with the highest privileges".

    • Create a users group in the domain for your admin account, and configure that group in the NTFS security of the Program Files folder (not that you really should do this :P , just that it could solve the issue with copying files to the Program Files directory).


    Code:
    :: Here is the batch without the START commands,
    
    @ECHO OFF
    SETLOCAL ENABLEEXTENSIONS
    
    call SET "logsPath=%systemDrive%\LOGS\LKSVDD\Tim"
    
    :OS_Check
    IF NOT DEFINED PrOgramFiles(x86) CALL SET "ProgramFiles(x86)=%ProgramFiles%"
    
    CALL :IMPORT > NUL 2>&1
    If NOT "%ERRORLEVEL%" EQU "0" GOTO :ERROR
    GOTO :QUIT
    
    :IMPORT
    Reg.exe IMPORT "\\dc01.lksvdd.local\netlogon\Fix\Foxit_settings\Foxit6_language.reg" ||EXIT /b 1234
    xcopy.exe "\\dc01.lksvdd.local\netlogon\Fix\Foxit_settings\DUTCH\*" "%ProgramFiles(x86)%\Foxit Software\Foxit Reader\" /s /e /c /Q /h /r /y ||EXIT /b 5678
    MKDIR "%logsPath%"
    EXIT /b 0
    
    :QUIT
    > "%logsPath%\Foxit6_Language-4-%UserName%.txt" 2>&1 (
        echo.
        ECHO.%DATE% %TIME%: Foxit Reader 6.x Custom DUTCH Language Update...
        echo.
    )
    ENDLOCAL
    GOTO:EOF
    
    
    :ERROR
    echo.Error!
    If %ERRORLEVEL% EQU 1234 echo.   Registry import failed. Script did not continue.
    If %ERRORLEVEL% EQU 5678 echo.   Failed copying foxit reader files
    echo.
    pause
    GOTO:EOF
    /Rems
    Last edited by Rems; 8th July 2013, 21:08.

    This posting is provided "AS IS" with no warranties, and confers no rights.

    __________________

    ** Remember to give credit where credit's due **
    and leave Reputation Points for meaningful posts
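
    The second suggestion above is to convert the script to pure PowerShell. Here is an added example that does that; it is not code from this thread or from Rems. It keeps the UNC paths the thread uses; the log folder under %SystemDrive%\LOGS\LKSVDD\Tim and the exit codes 1234/5678 mirror the batch above. The check that refuses to run under the filtered token is my addition: it turns the "access denied" on Program Files into a clear log line. It works with the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example, not code from the thread: PowerShell version of the Foxit language copy job.
# Paths are the ones the thread uses; the log folder and exit codes mirror Rems's batch.
$ErrorActionPreference = 'Stop'

$Source  = '\\dc01.lksvdd.local\netlogon\Fix\Foxit_settings'
$RegFile = Join-Path $Source 'Foxit6_language.reg'
$LangDir = Join-Path $Source 'DUTCH'
$LogDir  = Join-Path $env:SystemDrive 'LOGS\LKSVDD\Tim'
$LogFile = Join-Path $LogDir ("Foxit6_Language-4-{0}.txt" -f $env:USERNAME)

# Foxit Reader is 32-bit: on x64 it lives under "Program Files (x86)", on x86 that variable is unset.
$ProgFiles = if (${env:ProgramFiles(x86)}) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
$Target    = Join-Path $ProgFiles 'Foxit Software\Foxit Reader'

function Test-Elevated {
    # Under UAC the filtered admin token carries the Administrators SID as deny-only,
    # so IsInRole() is $false until the script runs with the full token.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Write-Log([string]$Message) {
    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
    Add-Content -Path $LogFile -Value ("{0}: {1}" -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $Message)
}

if (-not (Test-Elevated)) {
    # Fail loudly here instead of letting Copy-Item die with "Access denied" on Program Files.
    Write-Warning 'Not running with the full administrator token; aborting.'
    Write-Log 'Not running with the full administrator token; aborting.'
    exit 1
}
if (-not (Test-Path -LiteralPath $Target)) {
    Write-Log "Foxit Reader not installed at '$Target'; nothing to do."
    exit 0
}

# reg.exe reports failure only through its exit code; run it as a child process and check that
# (the equivalent of '|| EXIT /b 1234' in the batch).
$reg = Start-Process -FilePath 'reg.exe' -ArgumentList @('import', "`"$RegFile`"") `
                     -Wait -PassThru -WindowStyle Hidden
if ($reg.ExitCode -ne 0) {
    Write-Log "Registry import of '$RegFile' failed (exit code $($reg.ExitCode))."
    exit 1234
}

try {
    Copy-Item -Path (Join-Path $LangDir '*') -Destination $Target -Recurse -Force
} catch {
    Write-Log "Copying language files to '$Target' failed: $($_.Exception.Message)"
    exit 5678
}

Write-Log 'Foxit Reader 6.x Custom DUTCH Language Update applied.'
exit 0
```

    Run it from a normal PowerShell window as a member of Administrators and it logs the abort; from an elevated window, or as a GPO logon script (User Configuration\Windows Settings\Scripts\Logon), it has the full token and does the work. The elevation test is exactly the difference between the stripped and the full token that this thread is about.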



    • #3
      Re: batch copy to "program files (x86)" (Win7/

      The user has admin rights in Windows 8 x64 Pro (is added to the administrators group)

      I did tweak UAC (comp.config) with GPO:
      User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode Elevate without prompting
      User Account Control: Detect application installations and prompt for elevation Disabled
      User Account Control: Only elevate UIAccess applications that are installed in secure locations Disabled

      => the batch file (.cmd) is now run from GPO: User.Config-Policies-Admin.Templ.-System-Logon-Run these programs at user logon-Enabled:Foxit_language.cmd

      I could try and change this to: Comp.Config-Windows Settings-Scripts (startup/shutdown)-startup:Foxit_language.cmd

      "weird"? thing:
      when logged in on a Win8 workstation as a user with admin rights (user is added to the Windows administrators group) I can't create files in \Program Files (x86)\ either
      I can create a folder though, but not a file? When I copy/paste a file I also get a ,,you need admin rights to copy to this folder'' message/warning, kinda odd imo because I'm already in the admin group???

      => When I ,,Take Ownership'' over \Program Files\ and/or \Program Files (x86)\ the problem is solved, it does sound a little brute-force but it seems a "good" workaround, not sure if it's the best/correct way to do it?

      PS.
      BUT the ,,Take Ownership'' trick doesn't fix it definitively :'( every new folder does get the wrong owner by default, so you have to ,,take ownership'' again of that new folder...
      Is there a way to correctly put this in a script before copying files? When I try: takeown /F "%PrgFiles%\irfanview" /R /D Y it doesn't work:
      => the current logged on user does not have ownership privileges on the file (or) folder "c:\Program Files (x86)\irfanview"

      Workaround? This seems to work pretty fine:
      Code:
      :::::::::::::::::::::::::::::::::::::::::
      :: Automatically check & get admin rights
      :::::::::::::::::::::::::::::::::::::::::
      @echo off
      CLS 
      ECHO.
      ECHO ===================
      ECHO Running Admin shell
      ECHO ===================
      ECHO.
      
      :checkPrivileges 
      NET FILE 1>NUL 2>NUL
      if '%errorlevel%' == '0' ( goto gotPrivileges ) else ( goto getPrivileges ) 
      
      :getPrivileges 
      if '%1'=='ELEV' (shift & goto gotPrivileges)  
      ECHO. 
      ECHO *************************************
      ECHO Invoking UAC for Privilege Escalation 
      ECHO *************************************
      
      setlocal DisableDelayedExpansion
      REM %~f0 = full path of this batch file; %~0 can be a relative name, which breaks once the elevated relaunch changes the working directory
      set "batchPath=%~f0"
      setlocal EnableDelayedExpansion
      ECHO Set UAC = CreateObject^("Shell.Application"^) > "%temp%\OEgetPrivileges.vbs" 
      ECHO UAC.ShellExecute "!batchPath!", "ELEV", "", "runas", 1 >> "%temp%\OEgetPrivileges.vbs" 
      "%temp%\OEgetPrivileges.vbs" 
      exit /B 
      
      :gotPrivileges 
      ::::::::::::::
      ::  START!  ::
      ::::::::::::::
      setlocal & pushd .
      
      REM ***put here code as you like***
      source: http://stackoverflow.com/questions/7...c-admin-rights
      Last edited by APOC; 18th July 2013, 14:43. Reason: Takeownership, PS. & Workaround



      • #4
        Re: batch copy to "program files (x86)" (Win7/

        Originally posted by APOC:
        The user has admin.rights in Windows8x64PRO (is added to administrators group)

        [...]

        => the batch file (.cmd) is now run from GPO: User.Config-Policies-Admin.Templ.-System-Logon-Run these programs at user logon-Enabled:Foxit_language.cmd

        [...]
        aah that explains the behavior, the "Run these programs at user logon" policy at Computer or User Configuration\Administrative Templates\System\Logon is not the policy to configure a logon script.
        The policy to configure logon scripts, and what will be executed using the full token (elevated) of the user, is at User Configuration\Windows Settings\Scripts\Logon



        Originally posted by APOC:
        [...]

        "weird"? thing:
        when logged in on a Win8 workstation as a user with admin.rights (user is added to the windows administrators group) I can't create files too in \Program files (86)\
        I can create a folder though but not a file? When I copy/paste a file I also get a ,,you need admin.rights to copy to this folder'' message/warning, kinda odd imo because I'm already in the admin.group???

        => When I ,,Take OwnerShip'' over \Program Files\ and/or \Program Files (x86)\ the problem is solved, it does sound a little bruteforce but it seems a "good" workaround, not sure if it's the best/correct way to do it?
        It is the expected behavior (caused by UAC). Best not to change permissions and settings on folders and files in system folders.
        You can edit files as an administrator in those folders only by using an elevated process.

        /Rems




        • #5
          Re: batch copy to "program files" (Win7/

          is it possible to hide the output also?

          I tried: ShellExecute "!batchPath!", "ELEV", "", "runas", 0
          instead of: ShellExecute "!batchPath!", "ELEV", "", "runas", 1

          source: http://msdn.microsoft.com/en-us/libr...=vs.85%29.aspx

          But that doesn't cut it so it seems...



          • #6
            Re: batch copy to "program files" (Win7/

            Do you mean hide the window or hide the output?

            You can add >nul to the end of the lines of the commands whose output you want to hide.
            Regards,
            Jeremy

            Network Consultant/Engineer
            Baltimore - Washington area and beyond
            www.gma-cpa.com



            • #7
              Re: batch copy to "program files" (Win7/

              more like a minimize window action, like e.g.
              Code:
              @ECHO OFF
              if not "%minimized%"=="" goto :minimized
              set minimized=true
              start /min cmd /C "%~dpnx0"
              goto :EOF
              :minimized
              rem Anything after here will run in a minimized window
              I don't know if it's possible to add such a thing to the ":getPrivileges" section perhaps? The checkPrivileges/getPrivileges & invoke UAC lines restart the current batch file with elevation, it would be really great if it did restart itself hidden or minimized (instead of in a normal window).
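
              The batch in post #3 relaunches itself through a temporary .vbs and ShellExecute with the "runas" verb; the question here is how to make the relaunched instance start hidden. As an added example (not from this thread nor from the Stack Overflow source linked in #3), here is the same pattern in PowerShell, which needs no temporary file: Start-Process -Verb RunAs performs the ShellExecute elevation, and the -WindowStyle Hidden switch handed to the new powershell.exe keeps its console hidden. The -Elevated switch name and the logging payload are assumptions; $PSCommandPath needs PowerShell 3.0 or later. This is for scripts started by hand. A GPO logon script already has the full token, as post #8 explains, and should not relaunch itself.

```powershell
# Added example, not code from the thread: self-elevating PowerShell script that relaunches hidden.
param([switch]$Elevated)   # set by the relaunch so a denied UAC prompt cannot loop forever

function Test-Elevated {
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-Elevated)) {
    if ($Elevated) {
        # We were relaunched with "runas" and still hold the filtered token: the prompt was
        # declined or policy forbids elevation. Do not try again.
        Write-Error 'Relaunched, but still not elevated; giving up.'
        exit 1
    }
    $psArgs = @(
        '-NoProfile', '-ExecutionPolicy', 'Bypass',
        '-WindowStyle', 'Hidden',        # the new powershell.exe hides its own console window
        '-File', "`"$PSCommandPath`"",   # full path of this script
        '-Elevated'
    )
    try {
        # "runas" verb = ShellExecute elevation, the same call the batch makes through VBS.
        Start-Process -FilePath 'powershell.exe' -ArgumentList $psArgs -Verb RunAs -WindowStyle Hidden
    } catch {
        # Start-Process throws when the user cancels the UAC prompt.
        Write-Error "Elevation refused: $($_.Exception.Message)"
        exit 1
    }
    exit 0
}

# ---- From here on we hold the full token and run in a hidden window ----
# Assumed payload: record who is running and with which token, then do the elevated work.
$LogFile = Join-Path $env:SystemDrive 'LOGS\elevated-run.txt'
New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force | Out-Null
Add-Content -Path $LogFile -Value ("{0} elevated as {1}" -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'),
                                   [Security.Principal.WindowsIdentity]::GetCurrent().Name)
```

              With the UAC policy from post #3 (Behavior of the elevation prompt for administrators: Elevate without prompting) no prompt appears at all and the relaunch is silent; with the default policy the consent dialog is still shown, only the console window of the new process is hidden.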



              • #8
                Re: batch copy to "program files" (Win7/

                Originally posted by APOC:
                is it possible to hide the output also?

                I tried: ShellExecute "!batchPath!", "ELEV", "", "runas", 0
                instead of: ShellExecute "!batchPath!", "ELEV", "", "runas", 1

                source: http://msdn.microsoft.com/en-us/libr...=vs.85%29.aspx

                But that doesn't cut it so it seems...
                If you configure the batch as logon script (at User Configuration\Windows Settings\Scripts\Logon) the script by default is launched in a hidden window.
                (if not, then you might have to look at the policy "Run logon scripts visible").

                If you configure the batch as logon script (at User Configuration\Windows Settings\Scripts\Logon) the script will be executed by default with the full token of an administrator, so you don't need the extra VBS code in the batch that re-starts the script if it wasn't launched elevated. And you don't want a logon script to be re-launched, because then technically it is no longer a logon script that is running, so it can behave differently, which may cause other issues.

                /Rems




                • #9
                  Re: batch copy to "program files" (Win7/

                  Clear...

                  But I did split some things, I run a startup.cmd from GPO "User configuration\Windows settings\Scripts\Logon". I didn't add the file with copy to location in here (with browse) though, I just added the (UNC) path at "Add.../Script Name:" to the startup script, that doesn't hurt its working? Or does it? (I hope you understand what I exactly mean?)

                  From this startup.cmd I call a second big-ass clean&uninstall.cmd batch file, which has this elevation script at the top, that's why I'd like to hide/suppress the output (or else the window is open a little too long imo).
                  So that's why I was hoping I could give some sort of additional hide/minimize option to the VBS part perhaps? Or in some other way to the clean&uninstall.cmd batch perhaps? (I used: CALL "clean&uninstall.cmd" >nul 2>&1 from ,,startup.cmd'')

                  Probably not the smartest thing to split things up, but the startup.cmd script got a little bulky imo and the big-ass clean&uninstall.cmd will run only once (from time to time) so it's not really necessary to have it directly in the startup.cmd



                  • #10
                    Re: batch copy to "program files" (Win7/

                    If it's being called by a logon script then, like Rems said, it will run with the full token which means that the scripts it calls will also be run with the full token. There should be no need for the VBS to elevate the privileges.
                    Regards,
                    Jeremy




                    • #11
                      Re: batch copy to "program files" (Win7/

                      I'll give this a test drive, should probably indeed work as you 2 explained...
                      (can't test this on the Win8 workstations at this moment, but will test this soon and post the results)

                      Does "Comp.configuration\Windows settings\Scripts\Logon" also run with the full token which means that the scripts it calls will also be run with the full token?

                      If I don't add the file with copy to location in "User configuration\Windows settings\Scripts\Logon" (with browse) and just add the (UNC) path at "Add.../Script Name:" to the specific startup script, that doesn't hurt its working? Or does it? (Or else I have to copy the script every time something changes, this way I can just edit the file @ its (UNC) path and that's it)



                      • #12
                        Re: batch copy to "program files" (Win7/

                        Originally posted by APOC:
                        Does "Comp.configuration\Windows settings\Scripts\Logon" also run with the full token which means that the scripts it calls will also be run with the full token?
                        This is a Startup Script, it runs under the system account, and only runs when the computer starts, not at user logon.

                        Originally posted by APOC:
                        If I don't add the file with copy to location in "User configuration\Windows settings\Scripts\Logon" (with browse) and just added the (unc)path at "Add.../Script Name:" to the specific startup script, that doesn't hurt its working? Or does it? (Or else I have to copy the script everytime something changes, this way I can just edit the file @ its (unc)path and that's it)
                        Using a UNC path is fine. Also, the scripts are copied to the NETLOGON folder of the domain so you can just reference them by name there and edit them from there if you like.
                        Regards,
                        Jeremy




                        • #13
                          Re: batch copy to "program files" (Win7/

                          In addition, the system account has full permissions locally. Over the network it acts as the computer account to access resources (the computer account is a member of "Authenticated Users").
                          Neither the System account nor the built-in Administrator account are subject to UAC.


                          When a user belonging to a known administrative group logs on, Windows creates a token representing the standard-user version of the user's administrative identity.
                          The new token is stripped of most of the privileges assigned to the user; what's left are the default standard user privileges.
                          In addition, any of the administrator-type groups are marked with the USE_FOR_DENY_ONLY flag in the new token, meaning his/her administrative group membership is disabled in the list of SIDs for security groups that include the user, and enabled only during elevation. (FYI Metro apps do not run for admins when UAC is disabled because apps cannot run under the full administrator token).


                          When your script is running with the admin's full token or as the system account it has sufficient rights.


                          (Note, you cannot successfully map printers or drives for an admin account with a script that is running with the full access token. The mapping is done but it will not be available for the admin when the standard stripped token is active again)


                          /Rems
                          Last edited by Rems; 24th July 2013, 19:46.

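
                          The token mechanics described above (privileges stripped, admin groups marked deny-only, full token only after elevation) can be observed directly. The following is an added example, not part of this thread: a PowerShell snippet that reports what kind of token the current shell holds. It calls GetTokenInformation with the TokenElevationType class (18 is that enumeration constant in the Windows SDK) and parses whoami output; the output labels are my own.

```powershell
# Added example, not code from the thread: show whether this shell runs with the full,
# the filtered (limited) or a non-split token, and what UAC did to the Administrators SID.
$source = @'
using System;
using System.Runtime.InteropServices;
public static class TokenInfo {
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
                                           out int info, int infoLength, out int returnLength);
    // TokenElevationType = 18 -> 1 Default, 2 Full, 3 Limited
    public static int ElevationType(IntPtr token) {
        int value, returned;
        if (!GetTokenInformation(token, 18, out value, sizeof(int), out returned))
            throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
        return value;
    }
}
'@
Add-Type -TypeDefinition $source

function Get-TokenReport {
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)

    $elevation = switch ([TokenInfo]::ElevationType($id.Token)) {
        1 { 'Default (no split token: standard user, UAC off, built-in Administrator or SYSTEM)' }
        2 { 'Full (elevated)' }
        3 { 'Limited (filtered admin token)' }
    }

    # whoami shows a filtered admin group as "Group used for deny only";
    # S-1-5-32-544 is BUILTIN\Administrators.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $privs  = whoami /priv /fo csv | ConvertFrom-Csv

    New-Object PSObject -Property @{
        User                = $id.Name
        ElevationType       = $elevation
        IsInRoleAdmin       = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        AdminsSidAttributes = if ($admins) { $admins.Attributes } else { '(not in Administrators)' }
        PrivilegeCount      = @($privs).Count
        EnabledPrivileges   = @($privs | Where-Object { $_.State -eq 'Enabled' }).Count
    }
}

Get-TokenReport | Format-List User, ElevationType, IsInRoleAdmin, AdminsSidAttributes, PrivilegeCount, EnabledPrivileges
```

                          Run it twice with an account that is in Administrators: in a normal window it reports Limited, the Administrators SID as "Group used for deny only", IsInRoleAdmin False and only a handful of privileges; in an elevated window (or from a GPO logon script) it reports Full, the group enabled, IsInRoleAdmin True and the complete privilege list. Run as SYSTEM or as the built-in Administrator it reports Default, which is the "not subject to UAC" case.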



                          • #14
                            Re: batch copy to "program files" (Win7/

                            awesome guys, thanks for the lessons and support, truly appreciated



                            • #15
                              Re: batch copy to "program files" (Win7/

                              If the script is making machine settings or configurations for all users, and not user-specific settings, the script is more of a startup script than a logon script.

                              Originally posted by APOC:
                              [...]

                              From this startup.cmd I call a second big-ass clean&uninstall.cmd batchfile, which has this elevation script at the top, thats why I like to hide/suppress/hide the output (or else the window is open a little too long imo).

                              So that's why I was hoping if I could give some sort of additional hide/minimize option to the vbs part perhaps? Or in some other way to the clean&uninstall.cmd batch perhaps? (I used: CALL "clean&uninstall.cmd" >nul 2>&1 from ,,startup.cmd'')

                              Probably not the smartest thing to split things up, but the startup.cmd script got a little bulky imo and the bigass clean&uninstall.cmd will run only once (from time to time) so it's not really necessary directly in the startup.cmd
                              You can also split one bulky script up by configuring more than one logon script in the GPO. In the GPO you can set the order in which the scripts should run.

                              I prefer using the (good old) path "\\domain.local\sysvol\domain.local\scripts" (that is the NETLOGON folder. It is replicated between DCs) for all my logon scripts and startup scripts.


                              Alternatively, you could configure the scripts also as scheduled task(s) under Preferences in the GPO to be run at startup or at logon. You can use a "service account" to run the scripts "with highest privileges".


                              /Rems

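
                              The scheduled-task option above (at logon, highest privileges) can be set up per machine as well as through GPP. Added example, not code from this thread: a PowerShell script that registers such a task with the ScheduledTasks module (Windows 8 / Server 2012 and later). The script path, the task name and the 'LKSVDD\Domain Admins' group name are assumptions. The ACL check in front of it is the one thing a practitioner should not skip: a task that runs elevated at every admin logon executes whatever is in that file, so the file must not be writable by anyone who is not already an admin.

```powershell
# Added example, not code from the thread: register the Foxit job as a logon task that runs
# with the highest available token, the PowerShell equivalent of the GPP scheduled-task item.
# $ScriptPath, $TaskName and the 'LKSVDD\Domain Admins' name are assumptions.
$ScriptPath = '\\dc01.lksvdd.local\netlogon\Fix\Foxit_language.ps1'
$TaskName   = 'LKSVDD-Foxit6-Language'

function Get-UntrustedWriters([string]$Path) {
    # The task runs elevated for every admin who logs on, so whatever is in $Path runs elevated.
    # Anyone who can write the file can therefore run code with the full admin token: refuse
    # to schedule a file that non-admin identities are allowed to modify.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions'
    $trusted   = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'LKSVDD\Domain Admins')
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $writeMask) -ne 0) -and
            ($trusted -notcontains $_.IdentityReference.Value)
        } |
        ForEach-Object { $_.IdentityReference.Value }
}

$writers = @(Get-UntrustedWriters $ScriptPath)
if ($writers.Count -gt 0) {
    throw "Refusing to schedule '$ScriptPath': writable by $($writers -join ', ')"
}

$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$ScriptPath`""
$trigger   = New-ScheduledTaskTrigger -AtLogOn
# Runs in the session of whoever logs on, provided they are in Administrators, with the full token.
$principal = New-ScheduledTaskPrincipal -GroupId 'BUILTIN\Administrators' -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Minutes 10) `
                 -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
                       -Principal $principal -Settings $settings -Force | Out-Null

# Verify what was registered
(Get-ScheduledTask -TaskName $TaskName).Principal | Format-List GroupId, RunLevel, LogonType
```

                              Run it once from an elevated shell on the workstation. The ACL check only inspects the NTFS ACL of the file; share-level permissions on NETLOGON are not checked and should be reviewed separately. On Windows 7 the ScheduledTasks module is not available; schtasks.exe /Create /SC ONLOGON /RL HIGHEST does the same job. If you take the "service account" route instead, do not store its password in the GPP task item: a password saved in a preference item is recoverable by any domain user who can read SYSVOL, so prefer running as the logging-on user or as SYSTEM.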

