param([String]$username, [String]$password, [String]$encoded_command, [String]$execution_time_limit) # Try to get the Schedule.Service object. If it fails, we are probably # on an older version of Windows. On old versions, we can just execute # directly since priv. escalation isn't a thing. $schedule = $null Try { $schedule = New-Object -ComObject "Schedule.Service" } Catch [System.Management.Automation.PSArgumentException] { powershell.exe -EncodedCommand $encoded_command exit $LASTEXITCODE } $task_name = "WinRM_Elevated_Shell" $out_file = "$env:SystemRoot\Temp\WinRM_Elevated_Shell.log" if (Test-Path $out_file) { del $out_file } $task_xml = @' {username} <%= options[:interactive] ? 'InteractiveTokenOrPassword' : 'Password' %> HighestAvailable IgnoreNew false false true false false false false true true false false false {execution_time_limit} 4 cmd {arguments} '@ $arguments = "/c powershell.exe -EncodedCommand $encoded_command > $out_file 2>&1" $task_xml = $task_xml.Replace("{arguments}", $arguments) $task_xml = $task_xml.Replace("{username}", $username) $task_xml = $task_xml.Replace("{execution_time_limit}", $execution_time_limit) $schedule.Connect() $task = $schedule.NewTask($null) $task.XmlText = $task_xml $folder = $schedule.GetFolder("\") $folder.RegisterTaskDefinition($task_name, $task, 6, $username, $password, <%= options[:interactive] ? 3 : 1 %>, $null) | Out-Null $registered_task = $folder.GetTask("\$task_name") $registered_task.Run($null) | Out-Null $timeout = 10 $sec = 0 while ( (!($registered_task.state -eq 4)) -and ($sec -lt $timeout) ) { Start-Sleep -s 1 $sec++ } function SlurpOutput($out_file, $cur_line) { if (Test-Path $out_file) { get-content $out_file | select -skip $cur_line | ForEach { $cur_line += 1 Write-Host "$_" } } return $cur_line } $cur_line = 0 do { Start-Sleep -m 100 $cur_line = SlurpOutput $out_file $cur_line } while (!($registered_task.state -eq 3)) $exit_code = $registered_task.LastTaskResult [System.Runtime.Interopservices.Marshal]::ReleaseComObject($schedule) | Out-Null exit $exit_code