远程启动程序

背景

昨天遇到一个问题：本地电脑(Win7 x64)想要远程启动另一台电脑(Windows Server 2012 R2)上的一个程序(为*.exe程序)，要求是：在不改变远程电脑配置的前提下，被启动的程序能弹出console界面，并有run as administrator的效果(类似于右击某个程序->Run as administrator)

注意：当以Domain Admins group中某一域账户登录某台电脑后，选择某个程序->右击->Run as administrator，其实是赋予了这个程序elevated privilege，这个程序的owner仍是此域账户，并不是local admin。具体的解释请见下面的链接：

https://msdn.microsoft.com/en-us/library/windows/hardware/dn653293(v=vs.85).aspx

In Windows® XP, Windows Server® 2003, and earlier versions of the Windows operating system, all services run in the same session as the first user who logs on to the console. This session is called Session 0. Running services and user applications together in Session 0 poses a security risk because services run at elevated privilege and therefore are targets for malicious agents who are looking for a way to elevate their own privilege level.

In Windows Vista®, Windows Server 2008, and later versions of Windows, the operating system mitigates this security risk by isolating services in Session 0 and making Session 0 noninteractive. Only system processes and services run in Session 0. The first user logs on to Session 1, and subsequent users log on to subsequent sessions. This means that services never run in the same session as users’ applications and are therefore protected from attacks that originate in application code.

解决方案一

Telnet -- 只能本地回显，达不到要求

解决方案二

PsExec

具体用法请见https://technet.microsoft.com/en-us/sysinternals/psexec.aspx

 

PsExec.exe -i -u domainname\username -p Password \\IPAddress c:\*.exe  ----被启动的程序只能以进程的形式显示在task manager里，不显示console界面

PsExec.exe -h -i -u domainname\username -p Password \\IPAddress c:\*.exe ----即使加上了-h，被启动的程序仍只能以进程的形式显示在task manager里，不显示console界面