Skip to main content
Solved

ps_automate for application launching in admin context

  • March 14, 2025
  • 5 replies
  • 272 views
M

Hi All ,

 

Thanks in advance for your input .

i am trying to launch powershell_ise.exe as admin in managed application session but when i send subsequent command it doesn’t work, same task sequence works when powershell_ise.exe launch as normal window.

following is my script block 

--------------------------

[General]
EnableLogging=4
LogMethod=2
LogPath="D:\Log"
;RunApp="powershell -Command "Start-Process PowerShell_ISE -Verb RunAs "
RunApp="C:\Windows\system32\WindowsPowerShell\v1.0\powershell_ISE.exe"
;AppWindowTitle="Administrator: Windows PowerShell ISE"

[TaskSequence1]
SequenceDelay=40000
Sendkeys=^i

 

 

Any suggestion?

 

Regards,

Maulik

Best answer by Pierre Zschocke

Hey Maulik,

Password Safe does not offer an out-of-the-box feature to inject credentials during an active session.

One option to consider is using the Password Safe API. Since your goal is to utilize managed credentials within a script, you could implement a predefined code block that retrieves the credentials from Password Safe using the user’s own credentials while specifying the Managed Account/Managed System. Keep in mind that a high volume of API requests might grow your audit logs, so you may want to consider using a password cache to offload API calls.

Since users will likely be able to see the credentials in plain text when they are injected, another option could be to allow them to retrieve the password directly from the Password Safe UI instead.

I’ve seen a customer build a custom launcher application (that is run by ps_automate) that continues running after launching the target application, allowing the user to copy the credentials even after the target application has started. This could be a viable option if you have the resources to develop a similar solution, that fits your needs.

That said, all these approaches come with the downside of potentially exposing credentials to the user. Therefore, implementing a robust rotation scheme is critical.

    5 replies

    P
    BeyondTrust Employee
    • Pierre Zschocke
    • BeyondTrust Employee
    • March 14, 2025

    Hello ​@maulik shah
    I just gave it a try in my lab and to me it looks like you are missing  one “ at the end of the RunApp line. 

    Here is the ini content I used:

    [General]
    EnableLogging=4
    LogMethod=2

    RunApp="powershell -Command "Start-Process PowerShell_ISE -Verb RunAs""

    AppWindowTitle="ISE"

    [TaskSequence1]
    SequenceDelay=40000
    Sendkeys=^i

    I tested it with the following command in cmd:

    ps_automate.exe ini=ise.ini username=User password=pass

    and the ISE started as Admin.

     

     

    Pierre, from the TAM team.
    M
    • maulik shah
    • Author
    • Trailblazer
    • March 16, 2025

    Hi Pierre, Thanks for trying . I had powershell_ISE working launched in admin mode but i cannot pass any command laer on 

     

    i.e 

    [TaskSequence1]

    SequenceDelay=40000

    Sendkeys=”Hello World”

     

    P
    BeyondTrust Employee
    • Pierre Zschocke
    • BeyondTrust Employee
    • March 17, 2025

    Hello Maulik,

    Got it now. I must have missed that part as the actual question. Unfortunately, I don't think it will work the way you're hoping. Windows generally prevents non-elevated processes from sending data to elevated processes. So, once ps_automate launches ISE with elevated privileges, it can no longer control the window.

    You can make the test work if you run ps_automate from an elevated CMD, but that would require ps_automate itself to be launched with elevation from the start. That doesn't seem like a good general recommendation.

    Additionally, using SendKeys wouldn't be advisable. There’s a risk of sending keystrokes to the wrong part of ISE, for example if the Command Add-ons panel is open (View → Show Command Add-on). I’m not sure about your specific use case, but you might want to explore an alternative approach, such as loading an existing script instead of relying on SendKeys.

    Pierre, from the TAM team.
    M
    • maulik shah
    • Author
    • Trailblazer
    • March 18, 2025

    Hi Pierre ,

     

    My use case is to provide secure managed credential in memory for staff to use in future script block which could be connecting online services. 

     

    I can see you are from beyond trust TAM team, does Password safe has such a out of box future where user can inject credential securely in to managed session or managed application session when needed. 

     

    Regards,

    Maulik

    P
    BeyondTrust Employee
    • Pierre Zschocke
    • BeyondTrust Employee
    • Answer
    • March 18, 2025

    Hey Maulik,

    Password Safe does not offer an out-of-the-box feature to inject credentials during an active session.

    One option to consider is using the Password Safe API. Since your goal is to utilize managed credentials within a script, you could implement a predefined code block that retrieves the credentials from Password Safe using the user’s own credentials while specifying the Managed Account/Managed System. Keep in mind that a high volume of API requests might grow your audit logs, so you may want to consider using a password cache to offload API calls.

    Since users will likely be able to see the credentials in plain text when they are injected, another option could be to allow them to retrieve the password directly from the Password Safe UI instead.

    I’ve seen a customer build a custom launcher application (that is run by ps_automate) that continues running after launching the target application, allowing the user to copy the credentials even after the target application has started. This could be a viable option if you have the resources to develop a similar solution, that fits your needs.

    That said, all these approaches come with the downside of potentially exposing credentials to the user. Therefore, implementing a robust rotation scheme is critical.

    Pierre, from the TAM team.

      Badge Earners

      • BCA: Privileged Remote Access
        GroSanhas earned the badge BCA: Privileged Remote Access
      • Core Concepts - Privileged Remote Access
        Ahmed Butthas earned the badge Core Concepts - Privileged Remote Access
      • BCA: Password Safe
        Abdelhamid.Saberhas earned the badge BCA: Password Safe
      • BCA: Remote Support
        DQ2has earned the badge BCA: Remote Support
      • BCA: Endpoint Privilege Management - Windows
        CHRISK1has earned the badge BCA: Endpoint Privilege Management - Windows
      Show all badges
      Terms & ConditionsCookie settingsAccessibility statement