0 Replies Latest reply on Jul 13, 2017 5:12 PM by Roger1

    Task Manager Elevation

    Roger1 Apprentice

      We had a request to elevate taskmgr.exe for all users to allow them to view processes from all users, use Resource Monitor, use Services, disallow run as admin checkbox.  This small project turned into a day and half long rabbit hole.  Task manager can easily be elevated without child processes and common dialogs to allow non-admin users to view/kill processes and not run anything as admin (even when the checkbox is checked).  Elevating Performance Monitor allowed for non-admins to run Resource Monitor from the performance tab in Task Manager.  The services button worked as well - running a non-admin version of services although the services presented within task-manager were elevated.  These can be tuned with AM to prevent admins from tampering - so a non-issue.

       

      The problem revolved around users with admin rights.  I have no clue why but the Services/Resource Monitor didn't work correctly with child processes checked.  I tried a ton of different options without success.  I almost gave up on it when it dawned on me that an admin doesn't need any elevation but a non-admin does.  Being on 8.9 SP3, I have no cool EM-type conditions so I had to resort to scripting something out.  This is what I came up with and it seems to be working.

       

      There's probably an easier way to get the logged in user admin status but this is what finally worked.  Is Administrator in v10+ would be great for this.  If this useful for anyone, can be improved on, or should completely avoided, please drop me a line.

       

      Scripted Rule:

       

      Script Options:

       

      Code:

      $me = whoami /groups /fo csv | convertfrom-csv | where-object { $_.SID -match "S-1-5-32-544" }

      If ($me.'Group Name' -ne "BUILTIN\Administrators")

      {

      # If your script is successful...

      #write-output "Exit 0 for $ENV:USERNAME - No Admin" | Add-Content C:\temp\AM.LOG

      exit 0

      }

      else

      {

      # If your script is unsuccessful...

      #write-output "Exit 1 for $ENV:USERNAME - Has Admin" | Add-Content C:\temp\AM.LOG

      exit 1

      }

       

      Elevated files:

       

       

      Found this old article and tried using it without luck for my scenario.  

      Using URM to run Application Manager console as Administrator