Pass credentials from a smartcard

Here’s what I’m trying to do and not sure if it’s possible.

Disable a smartcard reader.
Launch IE.
When IE process completes, re-enable smartcard reader.

Issue:
It requires admin credentials from smartcard to disable/enable device.
IE cannot run under admin credentials so running .ps1 as admin will not work.

Here’s what I currently have:
Credentials and IE are commented out for testing.
If run as an admin, the .ps1 will disable the smartcard, wait 10 seconds and re-enable it.
But IE will not launch; that’s why it is commented out.
When trying to run as non-admin and prompting for credentials, it does not work. That’s why $creds is commented out.

[pre]
##get admin credentials from smartcard
#$creds = Get-Credential

##Broadcom smartcard reader
##capture smartcard reader using hardware ID
$d = Get-PnpDevice | where {$_.HardwareID -like "USB\VID_0A5C&PID_5832&REV_0101&MI_01"}

##disable smartcard reader using admin credentials and suppress confirm prompt
$d | Disable-PnpDevice -Confirm:$false #$creds

##starts IE and holds script until process is completed
#start-process -filepath "C:\Program Files\Internet Explorer\iexplore.exe" -NoNewWindow -Wait https://www.google.com

##sleep 10 seconds for testing until cert issue resolved
start-sleep -s 10

##enable smartcard reader using admin credentials and suppress confirm prompt
$d | Enable-PnpDevice -Confirm:$false #$creds
[/pre]

Please let me know if there are any questions.
I would appreciate any assistance.
Micah

This is an IE elevation issue, not really a PowerShell code problem.
IE will only run in the context of the currently logged on user.
Run PowerShell as admin, then start IE from the session.

Thanks for the suggestion, but as I stated, it’s not possible to run IE as an administrator. I need to pass credentials from a smartcard to PowerShell to disable another smartcard reader.

So, are you saying powershell cannot pass credentials from smartcard to a command?

PowerShell can pass whatever creds you can collect into a variable to send to a destination.
My query would be why you are using IE in this use case at all. You are not showing that that IE instance is doing anything other than just starting it. You are not passing cred to IE, etc., or the URL you are using.

However, yes, you can run IE elevated, I do this daily. I simply have a shortcut on my desktop with the advanced properties set to always launch as administrator. You can also launch IE elevated as admin using the normal right click, Run as Administrator. You can see the user token of the IE normal and elevated instances using process explorer.

I’ve had little reason not to do this in code in any use case. Yet, if I did, I could just start that elevated shortcut, or just use this…

start-process -FilePath 'C:\Program Files\internet explorer\iexplore.exe' -Verb RunAs

Also, this is not the first time this smartcard conversation has happened on the Q&A. See this…

https://powershell.org/forums/topic/getting-smartcard-credentials

Forget IE. As originally stated “IE cannot run under admin credentials so running .ps1 as admin will not work.” It’s not that I do not know how to do it, it’s that it’s not permitted.

Need to get "Disable-PnpDevice 'USB\VID_0A5C&PID_5832&REV_0101&MI_01'" using smartcard credentials.

Tried using the invoke-command but cannot get it to work with disable-pnpdevice.

"PowerShell can pass whatever creds you can collect in to a variable to send to a destination." If this were the case, then the code "$d | Disable-PnpDevice -Confirm:$false $creds" would work.

I get this error:

Disable-PnpDevice : The input object cannot be bound to any parameters for the command either because the command
does not take pipeline input or the input and its properties do not match any of the parameters that take pipeline
input.
At C:\code\powershell\CCE.ps1:10 char:6

+ $d | Disable-PnpDevice -Confirm:$false $creds
    + CategoryInfo          : InvalidArgument: (Win32_PnPEntity…6&528937A&0…):PSObject) [Disable-PnpDevice], ParameterBindingException
    + FullyQualifiedErrorId : InputObjectNotBound,Disable-PnpDevice

I appreciate your patience and let me know if you require more information.
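A note on the error above, and an added example that is not from any post in this thread: Disable-PnpDevice has no -Credential parameter at all, so a credential cannot be handed to it on the command line. Its first positional parameter is -InstanceId, so the stray `$creds` argument selects the InstanceId parameter set and the piped device object can then bind to nothing, which is exactly the "InputObjectNotBound" error shown (the CategoryInfo names a Win32_PnPEntity, so `$d` did hold a device). What the CIM-based PnpDevice cmdlets do accept is -CimSession, and a CIM session can be created with alternate credentials. The script below uses that route while staying in the non-admin user's session so IE runs unprivileged. It assumes WinRM is enabled on the local machine, that the smartcard account is a member of local Administrators, and that Get-Credential's dialog lets you pick the smartcard certificate (an assumption about the environment, not something the thread confirms); the hardware ID is the one from the thread.

```powershell
# Added example, not code from the original posts.
# Assumptions: WinRM is listening locally, the smartcard account is a local admin,
# and Get-Credential lets the user choose the smartcard certificate (PIN prompt).
$HardwareId = 'USB\VID_0A5C&PID_5832&REV_0101&MI_01'

# Collect the admin credential from the smartcard
$creds = Get-Credential -Message 'Admin credential from smartcard'

# Show why the positional $creds failed: no -Credential parameter, but -CimSession exists
$params = (Get-Command Disable-PnpDevice).Parameters
if ($params.ContainsKey('Credential'))  { throw 'Unexpected: Disable-PnpDevice has -Credential' }
if (-not $params.ContainsKey('CimSession')) { throw 'Disable-PnpDevice lacks -CimSession' }

# Build an authenticated CIM session against the local machine using the smartcard credential
$session = New-CimSession -ComputerName localhost -Credential $creds
$reader  = $null

try {
    # HardwareID is a string array, so -contains is the exact-match test
    $reader = Get-PnpDevice -CimSession $session |
        Where-Object { $_.HardwareID -contains $HardwareId }
    if (-not $reader) { throw "Reader $HardwareId not found" }

    # Named parameters only: an unnamed argument would bind to -InstanceId and
    # break the parameter set, which is the error seen in the thread
    Disable-PnpDevice -InstanceId $reader.InstanceId -CimSession $session -Confirm:$false

    # IE runs as the logged-on (non-admin) user; -Wait also waits for child processes
    Start-Process -FilePath 'C:\Program Files\Internet Explorer\iexplore.exe' `
        -ArgumentList 'https://www.google.com' -Wait
}
finally {
    # Re-enable even if IE failed to start, so the reader is never left disabled
    if ($reader) {
        Enable-PnpDevice -InstanceId $reader.InstanceId -CimSession $session -Confirm:$false
    }
    Remove-CimSession $session
}
```

The try/finally matters operationally: with the original fixed sleep, any failure between the Disable and Enable calls leaves the reader switched off for the user.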

The error you are getting is most likely because you are passing a null value to the pipeline, as can be shown below:

PS C:\Users\Rob> $nothing |  Disable-PnpDevice -Confirm:$false -WhatIf #$creds
Disable-PnpDevice : The input object cannot be bound to any parameters for the command either because the command does not take pipeline input or the input and its properties do not match any of the parameters that take pipeline input.
At line:1 char:13
+ $nothing |  Disable-PnpDevice -Confirm:$false -WhatIf #$creds
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Disable-PnpDevice], ParameterBindingException
    + FullyQualifiedErrorId : InputObjectNotBound,Disable-PnpDevice

Maybe add some code to see if the variable is null before sending to the pipeline:

##capture smartcard reader using hardware ID
$d = Get-PnpDevice | where {$_.HardwareID -like "USB\VID_0A5C&PID_5832&REV_0101&MI_01"}

##disable smartcard reader using admin credentials and suppress confirm prompt
if ($d) {
    $d | Disable-PnpDevice -Confirm:$false -WhatIf #$creds
}
else {
    'Device not found'
}

##get admin credentials from smartcard
$creds = Get-Credential

##Broadcom smartcard reader
##capture smartcard reader using hardware ID
$d = Get-PnpDevice | where {$_.HardwareID -like "USB\VID_0A5C&PID_5832&REV_0101&MI_01"}

##disable smartcard reader using admin credentials and suppress confirm prompt
if ($d) {
    $d | Disable-PnpDevice -Confirm:$false $creds
}
else {
    'Device not found'
}

##enable smartcard reader using admin credentials and suppress confirm prompt
$d | Enable-PnpDevice -Confirm:$false #$creds


Added code and no new output. Same error as above. Let me know if I added it incorrectly.

Thanks


Just in case anyone is looking for a way to do this:

[pre]

# Disables smartcard reader, launches IE, and re-enables smartcard reader after four minutes.

#####Prompts for admin credentials
$myWindowsID = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$myWindowsPrincipal = New-Object System.Security.Principal.WindowsPrincipal($myWindowsID)

# Get the security principal for the Administrator role
$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

# Check to see if we are currently running "as Administrator"
if ($myWindowsPrincipal.IsInRole($adminRole))
{
    # We are running "as Administrator" - so change the title and background color to indicate this
    $Host.UI.RawUI.WindowTitle = $myInvocation.MyCommand.Definition + "(Elevated)"
    $Host.UI.RawUI.BackgroundColor = "DarkBlue"
    Clear-Host
}
else
{
    # We are not running "as Administrator" - so relaunch as administrator

    # Create a new process object that starts PowerShell
    $newProcess = New-Object System.Diagnostics.ProcessStartInfo "PowerShell";

    # Specify the current script path and name as a parameter
    $newProcess.Arguments = $myInvocation.MyCommand.Definition;

    # Indicate that the process should be elevated
    $newProcess.Verb = "runas";

    # Start the new process
    [System.Diagnostics.Process]::Start($newProcess);

    # Exit from the current, unelevated, process
    exit
}

# Run your code that needs to be elevated here

#####Disable smartcard
devcon disable "USB\VID_0A5C&PID_5832&REV_0101&MI_01"

#####Start IE as non-admin
$newProc = New-Object System.Diagnostics.ProcessStartInfo "Powershell"

# Specify what to run, you need the full path after explorer.exe
$newProc.Arguments = "explorer.exe https://www.google.com"
[System.Diagnostics.Process]::Start($newProc)

#####Enable smartcard after four minutes
Start-Sleep -s 240
devcon enable "USB\VID_0A5C&PID_5832&REV_0101&MI_01"

[/pre]
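The same elevate-then-launch flow, as an added example that is not the poster's code: it keeps the WindowsPrincipal elevation check, but relaunches through Start-Process -Verb RunAs with the script path quoted (the unquoted $myInvocation.MyCommand.Definition above breaks on paths containing spaces), uses the built-in Disable-PnpDevice/Enable-PnpDevice instead of devcon.exe (which comes with the Windows Driver Kit, not with Windows), and waits for the browser to exit rather than sleeping a fixed 240 seconds, which either re-enables the reader while IE is still open or leaves it disabled after the user has finished. It assumes the hardware ID from the thread and that explorer.exe hands the URL to the default browser under the logged-on user's unprivileged token; the 30-minute ceiling is a constructed value.

```powershell
# Added example, not code from the original posts.
# Assumes the thread's hardware ID and that explorer.exe opens the URL in the
# default browser (IE here) as the logged-on, non-elevated user.
$HardwareId = 'USB\VID_0A5C&PID_5832&REV_0101&MI_01'
$Url        = 'https://www.google.com'

# Elevation check, same WindowsPrincipal approach as the thread
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

if (-not $isAdmin) {
    # Relaunch this script elevated; the UAC prompt takes the smartcard admin credential.
    # $PSCommandPath is the running script; the embedded quotes keep spaces in the path intact.
    Start-Process -FilePath 'powershell.exe' -Verb RunAs `
        -ArgumentList @('-NoProfile', '-File', "`"$PSCommandPath`"")
    exit
}

# HardwareID is a string array, so -contains is the exact-match test
$reader = Get-PnpDevice | Where-Object { $_.HardwareID -contains $HardwareId }
if (-not $reader) { throw "Reader $HardwareId not found" }

try {
    Disable-PnpDevice -InstanceId $reader.InstanceId -Confirm:$false

    # Hand the URL to explorer.exe: the shell opens it in the default browser under
    # the logged-on user's unprivileged token even though this script is elevated
    Start-Process -FilePath 'explorer.exe' -ArgumentList $Url
    Start-Sleep -Seconds 5   # give the browser a moment to appear before polling

    # Wait until no iexplore.exe remains, with a ceiling (constructed value) so the
    # reader is never left disabled indefinitely
    $deadline = (Get-Date).AddMinutes(30)
    while ((Get-Process -Name iexplore -ErrorAction SilentlyContinue) -and ((Get-Date) -lt $deadline)) {
        Start-Sleep -Seconds 2
    }
}
finally {
    # Runs whether the browser launch succeeded or not
    Enable-PnpDevice -InstanceId $reader.InstanceId -Confirm:$false
}
```

Polling Get-Process is used because a process started indirectly through explorer.exe does not return a handle the script can wait on; the deadline bounds how long the reader can stay disabled if the browser window is left open.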