我正在Windows 8计算机上的高安全性企业环境中工作。
我没有pipe理员权限,但是是开发人员。
我不会进入这个荒谬的事情。 简而言之, 有一些我需要pipe理员权限的程序。 用Apache启动XAMPP是一个好处,因为它打开需要特权的端口。
在Windows 8中是否有方法我可以像XAMPP一样configuration程序以预先批准的pipe理权限开始?
有两种方法。
禁用UAC。 整个系统适用于全球的钝器方法。 从整体安全angular度来看,这是不理想的。
使用另一个可执行文件启动应用程序,该可执行文件启用默认情况下禁用的pipe理员权限 您可以创build自己的,并使用类似ProcessPrivileges的东西来启用禁用的权限,或者使用SysInternals的psexec等其他工具。
值得一提的是,将EXE作为计划任务运行,并指定“以最高权限运行”可以实现同样的function,但是您可能不希望被限制为将其作为计划任务运行。 然而,这对于系统pipe理员来说是一个有用的方法,可以在每个应用程序的基础上提供这个function,并给予另一个人权限来运行计划任务,这样他们就不需要额外的权限。
例如:
psexec.exe -h yourprogram.exe 或者你甚至可以像本地系统一样运行进程:
psexec.exe -s yourprogram.exe
或者以本地系统运行进程,即可以与桌面交互:
psexec.exe -s -i yourprogram.exe
更多信息:
PsExec v1.98 - Execute processes remotely Copyright (C) 2001-2010 Mark Russinovich Sysinternals - www.sysinternals.com PsExec executes a program on a remote system, where remotely executed console applications execute interactively. Usage: psexec [\\computer[,computer2[,...] | @file]][-u user [-p psswd][-ns][-l][-s|-e][-x][-i [session]][-c [-f|-v]][- w directory][-d][-<priority>][-an,n,...] cmd [arguments] -a Separate processors on which the application can run with commas where 1 is the lowest numbered CPU. For example, to run the application on CPU 2 and CPU 4, enter: "-a 2,4" -c Copy the specified program to the remote system for execution. If you omit this option the application must be in the system path on the remote system. -d Don't wait for process to terminate (non-interactive). -e Does not load the specified account's profile. -f Copy the specified program even if the file already exists on the remote system. -i Run the program so that it interacts with the desktop of the specified session on the remote system. If no session is specified the process runs in the console session. -h If the target system is Vista or higher, has the process run with the account's elevated token, if available. -l Run process as limited user (strips the Administrators group and allows only privileges assigned to the Users group). On Windows Vista the process runs with Low Integrity. -n Specifies timeout in seconds connecting to remote computers. -p Specifies optional password for user name. If you omit this you will be prompted to enter a hidden password. -s Run the remote process in the System account. -u Specifies optional user name for login to remote computer. -v Copy the specified file only if it has a higher version number or is newer on than the one on the remote system. -w Set the working directory of the process (relative to remote computer). -x Display the UI on the Winlogon secure desktop (local system only). -priority Specifies -low, -belownormal, -abovenormal, -high or -realtime to run the process at a different priority. Use -background to run at low memory and I/O priority on Vista. computer Direct PsExec to run the application on the remote computer or computers specified. If you omit the computer name PsExec runs the application on the local system, and if you specify a wildcard (\\*), PsExec runs the command on all computers in the current domain. @file PsExec will execute the command on each of the computers listed in the file. program Name of application to execute. arguments Arguments to pass (note that file paths must be absolute paths on the target system). You can enclose applications that have spaces in their name with quotation marks eg psexec \\marklap "c:\long name app.exe". Input is only passed to the remote system when you press the enter key, and typing Ctrl-C terminates the remote process. If you omit a user name the process will run in the context of your account on the remote system, but will not have access to network resources (because it is impersonating). Specify a valid user name in the Domain\User syntax if the remote process requires access to network resources or to run in a different account. Note that the password is transmitted in clear text to the remote system. Error codes returned by PsExec are specific to the applications you execute, not PsExec.
我有一个解决scheme,但它取决于几件事情:
IT人员如何精通技术
如果你正在尝试运行,可以从命令行调用
基本上,他们可以编译一个exe程序,调用你需要运行的程序,同时传递必要的凭据以提升模式运行。 .net可以用于这个,这是相当微不足道的。 由于exe被编译(相对于脚本),用于运行exe的帐户凭证不是纯文本的。
不,你不能这样做。 或者更准确地说,你不应该这样做。 这个网站上的大多数人都是 IT部门,因此并不热衷于讨论如何规避IT部门的法规和控制。 您的IT部门不希望您拥有pipe理员访问权限,否则他们会将其提供给您。
尝试通过正确的渠道(即与您的pipe理员交谈),向他们解释您需要pipe理员权限才能有效地完成工作。 他们可能无法根据公司政策为您提供pipe理员访问权限,但他们可能会在实验室中为您提供虚拟机来玩游戏。
PS:对不起,如果我听起来脾气暴躁。 还没有足够的咖啡。