Saturday, 4 September 2010

Windows 7 sudo alternative

When an unprivileged user needs to perform a certain privileged operation, sudo or the s-bit are the options on UNIX-like systems. There is nothing similar on Windows.

Windows 7 (maybe even Vista or XP) has event-bound scheduled tasks.
The task is scheduled to run under a privileged account and is triggered by a certain event in the event log. The event can be generated by an unprivileged account.

How to do it:
As a privileged account:

eventcreate /T INFORMATION /L APPLICATION /SO RUN_PRIVILEGED_ACTION /ID 1 /D "Initial event for source has to be created by privileged account"
schtasks /Create /F /RU SYSTEM /TN PrivilegedTaskRunner /TR c:\windows\system32\privileged-action.cmd /SC ONEVENT /EC APPLICATION /MO *[System[Provider[@Name='RUN_PRIVILEGED_ACTION']]]


As an unprivileged user:

eventcreate /T INFORMATION /L APPLICATION /SO RUN_PRIVILEGED_ACTION /ID 1 /D "running privileged task"
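
Because the event can be generated by an unprivileged account, the script the task runs is effectively a SYSTEM entry point, so neither the script nor its folder may be writable by unprivileged users. The PowerShell check below is an added example, not part of the original post; it assumes the task name used above, and the list of trusted SIDs (SYSTEM, Administrators, TrustedInstaller) is an assumption about who may modify the action.

```powershell
# Added example: audit one event-triggered task (task name taken from the post).
param([string]$TaskName = 'PrivilegedTaskRunner')

# Assumption: only these SIDs may modify what the task runs
# (SYSTEM, BUILTIN\Administrators, NT SERVICE\TrustedInstaller).
$trusted = 'S-1-5-18', 'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'

# Rights that let a principal change or replace the file the task executes.
$risky = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

# schtasks /Query /XML prints the task definition as XML.
$raw = (schtasks /Query /TN $TaskName /XML | Out-String).Trim()
if ($LASTEXITCODE -ne 0 -or -not $raw) { throw "Task '$TaskName' not found" }
$task = [xml]$raw

# Show the account the task runs as and the event query that fires it.
"Runs as : " + $task.Task.Principals.Principal.UserId
$task.Task.Triggers.EventTrigger | Where-Object { $_ } |
    ForEach-Object { "Trigger : " + $_.Subscription }

# For every action, inspect the ACL of the target file and its parent folder.
$task.Task.Actions.Exec | Where-Object { $_ } | ForEach-Object {
    $cmd = [Environment]::ExpandEnvironmentVariables($_.Command).Trim('"')
    "Action  : $cmd"
    foreach ($path in $cmd, (Split-Path $cmd -Parent)) {
        $acl = Get-Acl -Path $path
        # Ask for SIDs instead of names so the check works on localized systems.
        $rules = $acl.GetAccessRules($true, $true,
            [System.Security.Principal.SecurityIdentifier])
        foreach ($r in $rules) {
            $writable = ([int]$r.FileSystemRights -band [int]$risky) -ne 0
            if ($r.AccessControlType -eq 'Allow' -and $writable -and
                $trusted -notcontains $r.IdentityReference.Value) {
                "WRITABLE: $path by $($r.IdentityReference.Value) ($($r.FileSystemRights))"
            }
        }
    }
}
```

Run it from an elevated prompt; any WRITABLE line means an account outside the trusted list can change what runs as SYSTEM when the event is raised.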