Note: This script is part of the Rigutils tool set. GitHub: AntiVirusTest.bat
Some bat scripts have to be executed with so-called elevated administrator rights. Most of the time, when you just double-click a bat file, a cmd.exe command prompt with non-elevated rights starts, and the bat file runs without sufficient rights. There is a way to automate elevation from the script itself, but it may trigger a false-positive alert from Windows Defender (see Trojan:Win32/Powessere.G): the "mshta.exe javascript:..." launch pattern used below is the same one many malware droppers use, so Defender reacts to the command line rather than to anything the script actually does.
Consider the following code:
set "self=%~s0"
rem Elevated processes carry the High Mandatory Level label (SID S-1-16-12288).
whoami.exe /groups | findstr.exe "S-1-16-12288" >nul 2>&1 || (
    rem Not elevated: ask UAC to start a second, elevated copy of this script.
    mshta.exe "javascript: var shell=new ActiveXObject('shell.application'); shell.ShellExecute('%self:\=\\%','','','runas',1); close();"
    rem Leave the non-elevated instance; the elevated one continues below.
    exit /b
)
echo I'm running in elevated environment!
Let's go through it part by part:
set "self=%~s0" - assign the short (8.3, no spaces) path of the script itself to a variable named self. The short form avoids quoting problems when the path is embedded in the JavaScript string later.

whoami.exe /groups - display the group and integrity-label information for the user who is currently logged on to the local system (see the official whoami manual). whoami is a system program located in C:\Windows\System32.

| findstr.exe "S-1-16-12288" >nul 2>&1 - search the whoami output for the well-known SID S-1-16-12288. This is not a group in the usual sense but the "High Mandatory Level" integrity label that every process elevated through UAC carries. findstr is a system program located in C:\Windows\System32. The "vertical bar" sign has its own name, "pipe", and redirects the text output stream (stdout) of one program into the text input stream (stdin) of another. >nul 2>&1 discards both stdout and stderr, because only findstr's exit code matters here.

|| (...) - if S-1-16-12288 was not found (findstr returns a non-zero exit code), our script is running in a non-elevated environment and the expression in parentheses is executed. Double pipes read as a "logical or" operation: the right-hand side runs only when the left-hand side fails.

mshta.exe - a standard Windows program located in C:\Windows\System32. It is used for running MS proprietary HTML applications (HTA for short).

"javascript: ..." - JavaScript code executed by mshta.

var shell=new ActiveXObject('shell.application'); - create an instance of the Shell.Application COM object.

shell.ShellExecute('%self:\=\\%','','','runas',1); - execute our script, given by the variable self, with the 'runas' verb, which asks UAC for administrator rights (see the ShellExecute documentation for more details). The expression %self:\=\\% replaces every single backslash with a double backslash, because the path ends up inside a JavaScript string literal, where a lone backslash starts an escape sequence.

close(); - close mshta and exit.

exit /b - exit from the non-privileged instance of our script; the elevated instance started by ShellExecute continues on its own.

echo I'm running in elevated environment! - a self-explanatory statement; only the elevated instance reaches it.

One caveat: the check looks for the High integrity level only. A process running at System integrity (SID S-1-16-16384, e.g. a scheduled task running as SYSTEM) does not contain S-1-16-12288 in its whoami output, so this check would wrongly report it as not elevated.
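The short version above drops two things a real script usually needs: the original command-line arguments are not passed to the elevated copy (ShellExecute gets an empty parameter string), and the elevated instance starts with C:\Windows\System32 as its working directory. The following extended variant is an added example written for this page, not code from Rigutils; it forwards %* to the elevated copy and switches back to the script's own folder. It assumes the arguments contain no quote characters, since they are pasted verbatim into a JavaScript string literal.

```batch
@echo off
setlocal
rem Short (8.3) path of this script, safe to embed in the JavaScript string below.
set "self=%~s0"

rem Elevated processes carry the High Mandatory Level label (SID S-1-16-12288).
whoami.exe /groups | findstr.exe /c:"S-1-16-12288" >nul 2>&1 || (
    rem Not elevated: relaunch ourselves through ShellExecute with the 'runas' verb.
    rem %* forwards the original arguments (assumption: they contain no quotes).
    mshta.exe "javascript: var shell=new ActiveXObject('shell.application'); shell.ShellExecute('%self:\=\\%','%*','','runas',1); close();"
    rem Leave the non-elevated instance; the elevated one continues below.
    exit /b
)

rem The elevated instance starts in C:\Windows\System32; return to our own folder
rem so that relative paths used by the rest of the script keep working.
cd /d "%~dp0"

echo I'm running in elevated environment!
echo Working directory: %cd%
echo Arguments: %*

rem Keep the elevated console open so the output can be read when the script
rem was started by double-clicking it.
pause
endlocal
```

Run it as "elevate_test.bat first second" from a non-elevated prompt: after the UAC prompt, a new elevated console shows both arguments and the script's folder as the working directory. The /c: switch on findstr makes the SID a literal search string rather than a regular expression, which is the safer form whenever the pattern contains punctuation.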
After finishing the text above, an idea came to my mind: Hey, let's try to fool Windows Defender with a simple trick - copy mshta.exe under a different name... And it turns out that this method works perfectly! So AntiVirusTest.bat was born. Get a copy of it and run it from a cmd.exe shell.
To my mind, such a Windows Defender bypass method is clearly a bug (not critical, but a bug); feel free to submit it to the MS bug bounty program and share your reward with me.
Seriously speaking, this trick may stop working in the future. Luckily, Windows Defender has an exclusions list for trusted files and folders. If you ever get a message from Defender that mshta.exe poses a security risk to your system and it blocks the file from executing, you have to (re)enable it. After adding mshta.exe to the Windows Defender exclusions list (see the instructions below) you can test your setup once again with AntiVirusTest.bat. Keep in mind that an exclusion silences Defender for everything run through the excluded file or folder, not only for this script, so exclude the narrowest path you can (for example the folder holding your own scripts rather than C:\Windows\System32\mshta.exe) and remove the exclusion when you no longer need it.
STEP 1. Launch command prompt via cmd_rigutils.bat
STEP 2. Run AntiVirusTest.bat
1. Type AntiVirusTest.bat (the case of the letters doesn't matter)
2. Press Enter
You may start typing Anti and then press the Tab key on your keyboard. cmd.exe will search the current directory for files starting with Anti and expand the name to its full form automatically.
3. Confirm your action in the User Account Control dialog by clicking the Yes button. We will disable these annoying User Account Control messages later.
4. If you see a popup window with the message Hello, this is admin speaking! then AntiVirusTest passed successfully and you don't have to do anything special about Windows Defender at the moment. Just click OK and that's it.
If you see something different, please continue to Step 3 "Troubleshooting".
STEP 3. Troubleshooting
1. Most probably, you will see something similar to the screenshot: the message Looks like Windows Defender blocks the script and the popup window Threats found. If so, just click the blue popup window. Don't worry if the window is dismissed too fast; just follow these simple steps to open the antivirus settings dialog and then return to this troubleshooting instruction.
8. Confirm your action by clicking the Yes button. We will disable this silly User Account Control dialog later.