Open
Description
Feature Request
Problem
Script executions via POST /api/script-executions always run in SYSTEM context. This makes it impossible to:
- Launch GUI applications in the user's desktop session
- Access user-specific resources (HKCU registry, user profile, AppData)
- Start tray applications or other interactive processes the user can see
Current Workaround
The only way to run something in the logged-in user's session is a scheduled task hack:
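```powershell
# Temporary task that starts the app in the logged-in user's session
$action = New-ScheduledTaskAction -Execute "C:\path\to\app.exe"
# S-1-5-32-545 is the built-in Users group; Limited means non-elevated
$principal = New-ScheduledTaskPrincipal -GroupId "S-1-5-32-545" -RunLevel Limited
Register-ScheduledTask -TaskName "TempLaunch" -Action $action -Principal $principal
Start-ScheduledTask -TaskName "TempLaunch"
# Remove the task again once it has been started
Unregister-ScheduledTask -TaskName "TempLaunch" -Confirm:$false
```
This works but is fragile and doesn't capture output properly.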
Proposed Solution
Add a runAsLoggedOnUser (boolean) option to the script execution API:
```json
{
  "adHocScriptContent": "...",
  "scriptType": "PowerShell",
  "targetDeviceIds": ["..."],
  "runAsLoggedOnUser": true
}
```
When true, the agent should:
- Identify the interactive user session (e.g., via WTSGetActiveConsoleSessionId or WTSEnumerateSessions)
- Duplicate the user's token
- Execute the script using CreateProcessAsUser in that session
Use Case
Deploying and launching GUI applications (like our Aspendora Chat tray app) remotely via the API. The MSI installs fine under SYSTEM, but the app itself needs to run in the user session.
Competitors
ConnectWise ScreenConnect, TeamViewer, LogMeIn, and AnyDesk all support running commands as the logged-in user.
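The three agent steps proposed above, sketched in C as an added example; this is not code from the issue or from the project's agent. The names `pick_user_session`, `session_t` and `launch_in_session` are hypothetical. The session choice also covers the cases where no console session is attached or the active user is on RDP.

```c
/* Added example: session choice is portable C; the launch path is Windows-only. */
#include <stddef.h>
#include <stdint.h>

#define NO_SESSION 0xFFFFFFFFu  /* WTSGetActiveConsoleSessionId: no console session attached */
enum { ST_ACTIVE = 0 };         /* numeric value of WTSActive in WTS_CONNECTSTATE_CLASS */

typedef struct { uint32_t id; int state; } session_t; /* hypothetical mirror of WTS_SESSION_INFO */

/* Prefer the console session when it is active; otherwise take the first
 * active non-zero session (e.g. an RDP user). Session 0 hosts services only. */
uint32_t pick_user_session(const session_t *s, size_t n, uint32_t console_id)
{
    uint32_t fallback = NO_SESSION;
    for (size_t i = 0; i < n; i++) {
        if (s[i].state != ST_ACTIVE || s[i].id == 0) continue;
        if (s[i].id == console_id) return s[i].id;
        if (fallback == NO_SESSION) fallback = s[i].id;
    }
    return fallback;
}

#ifdef _WIN32
#include <windows.h>
#include <wtsapi32.h>
#include <userenv.h>
/* Link with wtsapi32, userenv, advapi32. WTSQueryUserToken needs LocalSystem with SE_TCB_NAME. */
BOOL launch_in_session(DWORD session_id, wchar_t *cmdline)
{
    HANDLE user = NULL, primary = NULL;
    LPVOID env = NULL;
    BOOL ok = FALSE;
    STARTUPINFOW si = { sizeof si };
    PROCESS_INFORMATION pi = { 0 };
    si.lpDesktop = L"winsta0\\default";   /* the user's interactive desktop */
    if (!WTSQueryUserToken(session_id, &user)) return FALSE;
    if (DuplicateTokenEx(user, MAXIMUM_ALLOWED, NULL, SecurityImpersonation, TokenPrimary, &primary)
        && CreateEnvironmentBlock(&env, primary, FALSE)   /* user's own environment variables */
        && CreateProcessAsUserW(primary, NULL, cmdline, NULL, NULL, FALSE,
                                CREATE_UNICODE_ENVIRONMENT, env, NULL, &si, &pi)) {
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
        ok = TRUE;
    }
    if (env) DestroyEnvironmentBlock(env);
    if (primary) CloseHandle(primary);
    CloseHandle(user);
    return ok;
}
#endif
```

When `pick_user_session` returns `NO_SESSION`, nobody is logged on interactively and the agent should report that rather than fall back to SYSTEM.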
Status
Planned