Here is a neat workaround you can use in Windows to run a batch script or any other command that would normally require elevated administrator credentials. Using this method, you can essentially bypass UAC and allow a script to be run by a standard user without them having to enter an admin password. In theory, you could probably even use this same approach to install software as a regular user if you wanted to. For my example below, I was able to allow a standard user to kill processes and then restart the services.
The problem that I had to overcome was that one of my VPN users who used Shrewsoft VPN client would occasionally get disconnected and then never be able to fully connect again. Oddly enough, the client would show as connected on the user’s end and then immediately disconnect, but it never made a connection on the server side. The problem was that the “iked” process would hang, and the VPN client would then never fully connect.
Since there is no way to restart services without elevating and entering a password, I came up with a workaround using two batch scripts and an on-demand job in Windows Task Scheduler that runs with saved admin credentials. The batch script that gets called by the Task Scheduler job contains all of the elevated commands to force kill and restart the services, and the other batch script simply acts as a shortcut to run the Task Scheduler job.
First create your script that requires admin credentials to run. In my case, this simple script force kills both of Shrewsoft VPN Client’s two main processes and then restarts them. You can put this script wherever you like, but you will have to make sure the path is correct inside of your task scheduler job.
%SYSTEMROOT%\System32\taskkill.exe /F /IM "iked.exe" /T
%SYSTEMROOT%\System32\taskkill.exe /F /IM "ipsecd.exe" /T
net start iked
net start ipsecd
Next, create a job in Windows Task Scheduler that can be run on demand and make sure to set the task to run as a privileged user such as administrator. I’m not going to go into major detail here on how to set up a Task Scheduler job with screenshots and whatnot. I am assuming you have the basic knowledge of how to set up a task; if not, do a quick internet search and find a tutorial.
Name: Restart Shrewsoft VPN
Under Security Options, select a privileged user to run the task - Example: YourDomain\Administrator
Select the radio button: Run whether user is logged on or not
Check the box: Run with highest privileges
Under Configure for: Select your Operating System - Example: Windows 8.1
Begin the task: On a schedule
Settings: One time - Set a date, it doesn't matter what you put here.
Check the box: Stop task if it runs longer than: Some limit - Example: 30 minutes
Check the box: Enabled
Actions Tab – Here make sure you set your correct path from above
Action: Start a program
Settings
Program/Script: %SYSTEMROOT%\System32\cmd.exe
Add arguments: /c "C:\Users\someguy\Documents\restartshrewvpn.bat"
Uncheck the box: Start the task only if the computer is on AC power
Check the box: Allow task to be run on demand
Check the box: Stop the task if it runs longer than: Some limit - Example: 1 hour
Check the box: If the running task does not end when requested, force it to stop
Under If the task is already running... Select: Do not start a new instance
Upon exiting the create new task dialog, it will ask you to enter your elevated user’s password.
This last script just acts as a shortcut that you can place on the user’s desktop, or wherever you like, to call the Task Scheduler job. Alternatively, you can type this line at the Run prompt to run the job without using another script. Either way, make sure you enter the same job name that you set when you created your Windows Task Scheduler job.
%SYSTEMROOT%\System32\schtasks.exe /Run /TN "Restart Shrewsoft VPN"
Please bear in mind that it would be possible to create the entire scheduled task using the schtasks.exe command inside of this batch file as well, if you wanted to skip that whole step above, but you would have to store your plain text administrator username and password in there, which isn’t ideal.
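Because the task runs the batch file under the saved administrator account, the permissions on that file and its folder decide who controls what runs elevated. The following PowerShell check is an added example, not part of the original post: it reads the task's action and lists any account other than SYSTEM, Administrators or TrustedInstaller that can modify the script or its folder. It assumes the task name and the cmd.exe /c "path" action configured above, and that it is run from an administrator PowerShell session.

```powershell
# Added example: who can modify the script that the elevated task runs?
# Assumes the task name and the cmd.exe /c "<path>" action configured above.
$taskName = 'Restart Shrewsoft VPN'

# Well-known SIDs expected to hold write access (locale independent):
# SYSTEM, BUILTIN\Administrators, TrustedInstaller.
$trusted = @(
    'S-1-5-18',
    'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)

# Rights that allow changing or replacing what the task executes.
$writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

# Pull the quoted .bat/.cmd path out of the task's first action.
$action = (Get-ScheduledTask -TaskName $taskName).Actions | Select-Object -First 1
if ($action.Arguments -match '"([^"]+\.(bat|cmd))"') {
    $scriptPath = [Environment]::ExpandEnvironmentVariables($Matches[1])
} else {
    throw "No quoted .bat/.cmd path found in the arguments of '$taskName'."
}

# Check the script itself and its parent folder.
$findings = foreach ($item in @($scriptPath, (Split-Path -Path $scriptPath -Parent))) {
    foreach ($ace in (Get-Acl -LiteralPath $item).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not ($ace.FileSystemRights -band $writeMask)) { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($trusted -notcontains $sid) {
            [pscustomobject]@{
                Path     = $item
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    "Only SYSTEM, Administrators and TrustedInstaller can modify $scriptPath or its folder."
}
```

If the check lists any accounts, move the batch file to a folder that only administrators can write to and update the path in the task's action to match.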