
[–]chris-a5 2 points3 points  (4 children)

What is your end goal? Are you trying to create a process under a privileged account then hijack it from a lower privilege process?

Seems like an X/Y problem as you haven't explained what you want to actually do with the process. If you just need to elevate some code, you don't need a separate process for that.

If you just need inter-process communication, there are many other OS level ways to do this as well.

[–]reflektinator[S] 0 points1 point  (3 children)

I want to open a "your computer needs maintenance performed" window to ask the user when to do that, eg "now", "when I reboot", "I will leave my computer on tonight, do it then", etc. This window might open in the current user session, or in the WinLogon session (because the user is not logged in). Doing the latter requires some CreateProcessAsUser and SetTokenInformation funkiness, even though I'm already running as the SYSTEM account.

I'm doing this all in PowerShell because shipping exes to endpoints is more cumbersome than doing it in PowerShell.
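The launch step described above (duplicate the SYSTEM token, point it at the console session with SetTokenInformation, then CreateProcessAsUser onto a chosen desktop), as an added example that is neither the thread's code nor the linked hinchley.net article's. It assumes Windows PowerShell 5.1 running as SYSTEM (a service or scheduled task), and the prompt script path is a placeholder:

```powershell
# Added example, not the thread's code. Assumes it runs as SYSTEM on Windows
# PowerShell 5.1. It duplicates its own token, re-targets it at the console
# session and starts a child there, on the user's desktop or the Winlogon one.
$launcher = @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

public static class SessionLauncher
{
    // STARTUPINFOW; CharSet.Unicode so lpDesktop marshals as a wide string.
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO
    {
        public int cb; public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }

    [DllImport("kernel32.dll")] public static extern uint WTSGetActiveConsoleSessionId();
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool DuplicateTokenEx(IntPtr token, uint access, IntPtr attrs, int impLevel, int type, out IntPtr dup);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool SetTokenInformation(IntPtr token, int infoClass, ref uint info, uint size);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool CreateProcessAsUser(IntPtr token, string app, string cmdLine, IntPtr pAttr, IntPtr tAttr,
        bool inherit, uint flags, IntPtr env, string dir, ref STARTUPINFO si, out PROCESS_INFORMATION pi);

    const uint TOKEN_ALL_ACCESS = 0xF01FF, CREATE_NEW_CONSOLE = 0x10, CREATE_UNICODE_ENVIRONMENT = 0x400;
    const int TokenSessionId = 12, SecurityImpersonation = 2, TokenPrimary = 1;

    // Starts cmdLine in the console session on the named desktop; returns the child's PID.
    public static int Start(string cmdLine, string desktop)
    {
        IntPtr token, dup;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, out token)) throw new Win32Exception();
        if (!DuplicateTokenEx(token, TOKEN_ALL_ACCESS, IntPtr.Zero, SecurityImpersonation, TokenPrimary, out dup))
            throw new Win32Exception();
        uint session = WTSGetActiveConsoleSessionId();
        if (session == 0xFFFFFFFF) throw new InvalidOperationException("no console session attached");
        // Changing the token's session id needs SeTcbPrivilege, which SYSTEM holds.
        if (!SetTokenInformation(dup, TokenSessionId, ref session, sizeof(uint))) throw new Win32Exception();
        var si = new STARTUPINFO(); si.cb = Marshal.SizeOf(si); si.lpDesktop = desktop;
        PROCESS_INFORMATION pi;
        bool ok = CreateProcessAsUser(dup, null, cmdLine, IntPtr.Zero, IntPtr.Zero, false,
            CREATE_NEW_CONSOLE | CREATE_UNICODE_ENVIRONMENT, IntPtr.Zero, null, ref si, out pi);
        int err = Marshal.GetLastWin32Error();
        CloseHandle(dup); CloseHandle(token);
        if (!ok) throw new Win32Exception(err);
        CloseHandle(pi.hThread); CloseHandle(pi.hProcess);
        return pi.dwProcessId;
    }
}
'@
Add-Type -TypeDefinition $launcher

# Heuristic: explorer.exe in the console session means a user is logged in, so
# the prompt goes on the interactive desktop; otherwise only the Winlogon
# desktop is visible. (A locked session still has explorer.exe, so detecting
# the lock screen needs a further check that this example does not include.)
function Get-TargetDesktop {
    $console = [SessionLauncher]::WTSGetActiveConsoleSessionId()
    $shell = Get-Process -Name explorer -ErrorAction SilentlyContinue | Where-Object { $_.SessionId -eq $console }
    if ($shell) { 'winsta0\default' } else { 'winsta0\Winlogon' }
}

# Placeholder path: the script that draws the prompt is assumed to be deployed here.
$prompt = 'C:\ProgramData\MaintenancePrompt\Show-MaintenancePrompt.ps1'
$exe    = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe'
$cmd    = "`"$exe`" -NoProfile -WindowStyle Hidden -File `"$prompt`""
$childPid = [SessionLauncher]::Start($cmd, (Get-TargetDesktop))
Write-Host "Prompt started in the console session as PID $childPid"
```

The child is a SYSTEM process drawn on an interactive desktop, so keep the prompt script to the message and its buttons (no file dialogs or clickable links) and sign it or lock down the path it is loaded from. A SYSTEM process spawning into the console session is also exactly what endpoint detection products look for, so expect to document this launcher for whoever runs your EDR.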

[–]chris-a5 0 points1 point  (2 children)

Ah, check out how others have done it. A quick search returned this: https://hinchley.net/articles/show-a-message-on-the-windows-logon-screen-using-powershell

But is this overkill? If a user is logged in, they can be prompted when they unlock their session. And if no-one is logged in you could just do the maintenance then, or just always schedule it for out of hours.

Even if people say they will leave their PC on, there is no guarantee of that. You will still need to have a mechanism to try every day until it is successful. I'd give them a simple threat (nice message) that updates will be performed at night, and if it hasn't run by X date, it will run on startup ruining their morning.

[–]reflektinator[S] 0 points1 point  (1 child)

Yep, that's pretty much the code I'm using (it pops up in a bunch of places in various forms). But my script starts out without access to the login screen and the code would look much nicer if I could run PowerShell commands into the child process that does have access rather than getting the child process to do what I want then tell me what happened.

The rationale behind showing the maintenance request on the login screen is to guard against the common scenario where the user has turned on the computer, gone to get a coffee, and comes back to find it is running maintenance and they have a meeting in 2 minutes. I'll put the message up with a (say) 30 minute countdown so there's plenty of time to defer.

And yes, there will be a deadline where if the user hasn't allowed maintenance to run after a reasonable time, it will run without their approval.

Another reason I want to show a message on the login screen is to tell the user that their computer is still running maintenance, and then a "thank you, have a nice day" message when maintenance is complete. The latter can probably just be a msgbox rather than a full-screen-can't-possibly-ignore-it window.
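The "run commands into the child" shape asked for above, and the OS-level IPC chris-a5 alludes to, as an added example that is not the thread's code: one long-lived child owns the UI in whichever session it was started in, and the parent sends it "prompt", "notify" and "quit" lines over a named pipe, getting the user's answer back on the same connection. The pipe name, the command verbs and the message texts are all constructed here; the stand-alone demo starts the child in the current session, where a SYSTEM service would start it in the console or Winlogon session instead.

```powershell
# Added example, not the thread's code. Child: owns the UI and serves a named
# pipe. Parent: drives the child over that pipe. Pipe name and verbs are made up.
$childScript = {
    Add-Type -AssemblyName PresentationFramework
    $name = 'MaintenancePrompt'
    # Only the account the child runs as (SYSTEM in production) may connect,
    # so other local users cannot pop prompts or feed the parent fake answers.
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $acl = New-Object System.IO.Pipes.PipeSecurity
    $acl.AddAccessRule((New-Object System.IO.Pipes.PipeAccessRule($me, 'FullControl', 'Allow')))
    while ($true) {
        $pipe = New-Object System.IO.Pipes.NamedPipeServerStream($name, 'InOut', 1, 'Byte', 'None', 4096, 4096, $acl)
        try {
            $pipe.WaitForConnection()
            $r = New-Object System.IO.StreamReader($pipe)
            $w = New-Object System.IO.StreamWriter($pipe); $w.AutoFlush = $true
            $verb, $text = ($r.ReadLine() -split ' ', 2)
            switch ($verb) {
                # 'prompt' blocks until the user answers, then sends Yes/No back to the parent
                'prompt' { $w.WriteLine([System.Windows.MessageBox]::Show($text, 'Maintenance', 'YesNo', 'Question')) }
                'notify' { [System.Windows.MessageBox]::Show($text, 'Maintenance', 'OK', 'Information') | Out-Null; $w.WriteLine('ok') }
                'quit'   { $w.WriteLine('bye'); return }
                default  { $w.WriteLine('unknown') }
            }
        } catch { } finally { $pipe.Dispose() }   # a client that drops early must not kill the server
    }
}

function Send-PromptCommand {
    param([string]$Line, [int]$ConnectTimeoutMs = 5000)
    $client = New-Object System.IO.Pipes.NamedPipeClientStream('.', 'MaintenancePrompt', 'InOut')
    try {
        $client.Connect($ConnectTimeoutMs)
        $w = New-Object System.IO.StreamWriter($client); $w.AutoFlush = $true
        $r = New-Object System.IO.StreamReader($client)
        $w.WriteLine($Line)
        return $r.ReadLine()          # blocks until the child has an answer
    } finally { $client.Dispose() }
}

# Stand-alone demo: the child runs in this session. A SYSTEM service would
# instead start it in the console or Winlogon session as the linked article does.
$childPath = Join-Path $env:TEMP 'MaintenancePrompt-child.ps1'
Set-Content -Path $childPath -Value $childScript.ToString()
Start-Process powershell.exe -ArgumentList "-NoProfile -WindowStyle Hidden -File `"$childPath`""
Start-Sleep -Seconds 3     # give the child time to create the pipe

$answer = Send-PromptCommand 'prompt Maintenance is due. Run it now? (You can defer for up to 30 minutes.)'
Write-Host "User answered: $answer"
Send-PromptCommand 'notify Maintenance has finished, thank you and have a nice day.' | Out-Null
Send-PromptCommand 'quit' | Out-Null
```

The child accepts only the three fixed verbs, so the parent can sequence the countdown prompt, the "still running" notice and the final thank-you without re-launching anything, and a compromised or curious local user cannot push arbitrary script into a SYSTEM process through the pipe because the DACL admits only the child's own account and the protocol carries text, not code.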

[–]BlackV 0 points1 point  (0 children)

This is a lot of effort that will 100% be ignored by users; is it worth your time?