execute simple cmd line hidden without file

[einstein1969]

Hi,

I recently use a software that can run/open a program. It accept a 1) program name e 2) parameters to pass at program name.

I used this for simple dos command using the command dos shell cmd.exe in this mode

Name : cmd.exe
Param: /c "...……………"

But this method open a black cmd windows and this is not a behavior that i want.

I don't want use files or other external software for this.

I have found methods for run hidden a file batch https://superuser.com/questions/62525/r ... hidden-way

but i don't want use a file.

I have found also a method for execute a dos command form vbscript https://stackoverflow.com/questions/546 ... m-vbscript

but i not know how to merge this method. If possible...

I have also found that mshta.exe can execute vbscript/jscript with a single line of code but i don't know if this is usable for my scope. viewtopic.php?t=5311 (this cover jscript)

Einstein1969

[penpen]

From command line you could use something like that:

Code: Select all

"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "$wshShell = New-Object -ComObject WScript.Shell; $result = $WshShell.Run(\"C:\WINDOWS\system32\cmd.exe /cecho Hello world!^&pause\", 1, $true);"

This test line should open a cmd-window writig sth and pause (tested successfully on my pc) and you could test the commands you want to execute.

If that line works when started with your application, then you could hide the window by setting the 1 to a 0;
you might also want to use $false instead of true; see https://www.script-example.com/themen/r ... script.php.

Sidenote:
You could list all functions of a .COM object by using "$wshShell | Get-Member;" (within powershell):

Code: Select all

Z:\>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. Alle Rechte vorbehalten.

Lernen Sie das neue plattformübergreifende PowerShell kennen – https://aka.ms/pscore6

PS Z:\> $wshShell = New-Object -ComObject WScript.Shell;
PS Z:\> $wshShell | Get-Member;


   TypeName: System.__ComObject#{41904400-be18-11d3-a28b-00104bd35090}

Name                     MemberType            Definition
----                     ----------            ----------
AppActivate              Method                bool AppActivate (Variant, Variant)
CreateShortcut           Method                IDispatch CreateShortcut (string)
Exec                     Method                IWshExec Exec (string)
ExpandEnvironmentStrings Method                string ExpandEnvironmentStrings (string)
LogEvent                 Method                bool LogEvent (Variant, string, string)
Popup                    Method                int Popup (string, Variant, Variant, Variant)
RegDelete                Method                void RegDelete (string)
RegRead                  Method                Variant RegRead (string)
RegWrite                 Method                void RegWrite (string, Variant, Variant)
Run                      Method                int Run (string, Variant, Variant)
SendKeys                 Method                void SendKeys (string, Variant)
Environment              ParameterizedProperty IWshEnvironment Environment (Variant) {get}
CurrentDirectory         Property              string CurrentDirectory () {get} {set}
SpecialFolders           Property              IWshCollection SpecialFolders () {get}


PS Z:\> exit

Z:\>

penpen

[einstein1969]

Hi penpen and thanks,

I tried and from a dos window it works but from the software it doesn't. Opens the blue powershell window!
I had to slightly modify the command that went into error for my software.

Code: Select all

"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "$wshShell = New-Object -ComObject WScript.Shell; $result = $WshShell.Run(\"C:\WINDOWS\system32\cmd.exe /c echo Hello world! & pause\", 1, $true);"

[aGerman]

Well, you already use a 3rd party tool. Would it be OK then if you just use a HTA script instead?

run_hidden.hta

Code: Select all

<!DOCTYPE html>
<html dir="ltr" lang="en-US">
  <head>
    <meta charset="utf-8">
    <meta http-equiv="x-ua-compatible" content="IE=9">
    <title>Run Hidden</title>
    <script type="text/javascript">
      var objService = new ActiveXObject('WbemScripting.SWbemLocator').ConnectServer('.', 'root\\cimv2'),
          objStartup = objService.Get('Win32_ProcessStartup'),
          objProcess = objService.Get('Win32_Process');
      function runcmd() {
        var objConfig = objStartup.SpawnInstance_(),
            objInParams = objProcess.Methods_('Create').InParameters.SpawnInstance_(),
            objStatus = document.getElementById('status');
        objConfig.ShowWindow = 12; // hidden
        objInParams.CommandLine = document.getElementById('cmd').value;
        objInParams.ProcessStartupInformation = objConfig;
        var objOutParams = objProcess.ExecMethod_('Create', objInParams);
        if (objOutParams.ReturnValue === 0)
        {
          objStatus.style.color = 'green';
          objStatus.innerHTML = 'Process with PID ' + objOutParams.ProcessId + ' created.';
          document.getElementById('cmd').value = '';
        } else {
          objStatus.style.color = 'red';
          objStatus.innerHTML = 'ERROR - ';
          switch (objOutParams.ReturnValue) {
            case 2: objStatus.innerHTML += 'access denied'; break;
            case 3: objStatus.innerHTML += 'insufficient privilege'; break;
            case 8: objStatus.innerHTML += 'unknown failure'; break;
            case 9: objStatus.innerHTML += 'path not found'; break;
            case 21: objStatus.innerHTML += 'invalid parameter'; break;
            default: objStatus.innerHTML += 'other';
          }
        }
        return false;
      }
      function init() {
        window.resizeTo(1200, 230);
        document.getElementById('cmd').focus();
      }
      function enter(evt) {
        var charCode;
        if (evt && evt.which) {
          charCode = evt.which;
        } else if (window.event) {
          evt = window.event;
          charCode = evt.keyCode;
        }
        if (charCode === 10 || charCode === 13) {
          runcmd();
        }
      }
    </script>
    <style type="text/css">
      body {color: black; background-color: #EEF8FF; font-family: Tahoma, sans-serif; font-size: 10pt; margin: 10px 20px 10px 20px;}
      input {font-size: 10pt; padding-left: 10px; padding-right: 10px;}
      #cmd {color: #EEEEEE; background-color: black; font-family: Consolas, sans-serif;}
      #run {color: black; background-color: #BBC8CF; font-family: Tahoma, sans-serif; font-weight: bold;}
      #status {font-family: Tahoma, sans-serif; font-size: 8pt;}
    </style>
  </head>
  <body onload="init()"><hr><h4>Enter your command line:</h4><p><input type="text" id="cmd" size="150" onkeypress="enter(event)"></p>
  <p><input type="button" id="run" value="Run" onclick="runcmd()"></p><hr><p id="status">&nbsp;</p><hr></body>
</html>

Steffen

//EDIT code updated

[Eureka!]

You could list all functions of a .COM object by using "$wshShell | Get-Member;" (within powershell):

Thank you for this! Very useful!


BTW, another way to start a process hidden from PowerShell:

Code: Select all

Start-Process -filepath "cmd.exe" -argumentlist "/c pause" -WindowStyle Hidden

(Don't know in which version of PS -WindowStyle Hidden was introduced)

[einstein1969]

Well, you already use a 3rd party tool. Would it be OK then if you just use a HTA script instead?

run_hidden.hta

Code: Select all

<!DOCTYPE html>
<html dir="ltr" lang="en-US">
  <head>
    <meta charset="utf-8">
    <meta http-equiv="x-ua-compatible" content="IE=9">
    <title>Run Hidden</title>
    <script type="text/javascript">
      function runcmd() {
        try {
          new ActiveXObject('WScript.Shell').Run(document.getElementById('cmd').value, 0, false);
        } catch(e) {
          alert('Unable to run the command.');
        }
        return false;
      }
      function init() {
        window.resizeTo(1200, 210);
        document.getElementById('cmd').focus();
      }
      function enter(evt) {
        var charCode;
        if (evt && evt.which) {
            charCode = evt.which;
        } else if (window.event) {
            evt = window.event;
            charCode = evt.keyCode;
        }
        if (charCode===10 || charCode===13) {
            runcmd();
        }
      }
    </script>
    <style type="text/css">
      body {color : black; background-color : #EEF8FF; font-family : Tahoma, sans-serif; font-size : 10pt; margin : 10px 20px 10px 20px;}
      input {color : black; font-size : 10pt; padding-left : 10px; padding-right : 10px;}
      #cmd {color : #EEEEEE; background-color : black;font-family : Consolas, sans-serif; }
      #run {background-color : #CCCCCC; font-family : Tahoma, sans-serif; font-weight : bold;}
    </style>
  </head>
  <body onload="init()"><hr><h4>Enter your command line:</h4><p><input type="text" id="cmd" size="150" onkeypress="enter(event)"></p>
  <p><input type="button" id="run" value="Run" onclick="runcmd()"></p><hr></body>
</html>

Steffen

Hi Steffen, very nice HTA! Do you use a tool to write HTA?

unfortunately I have to use the software because it does many things and I have to insert dos batch commands to implement functions that it doesn't have.

However since you are an HTA expert I will soon open a question on the forum to do two HTAs that interact with dos batch.

[hacxx]

This is from my coding vault, need some tweaks as it is a bit old...

Code: Select all

mshta "javascript:document.write('<html><script language=\"VBScript\">Set objShell = WScript.CreateObject(\"WScript.Shell\") : objShell.Run(\"cmd.exe /c calc.exe\"), 0, True</script></html>');close()"

It uses JavaScript to start a document.write that calls the vbs code and runs cmd.exe hidden from the user.

[aGerman]

I updated the code above to have a status bar with some more information. Just in case someone has a use for it.

@einstein1969
I don't use any tool besides of a text editor with syntax highlighting. I'm certainly not an HTA expert, just gained some experience with Windows scripting over the years.

@hacxx
Doesn't work for me (v. 10.0.18363.657, x64). No message, simply nothing. Also tried with notepad.exe just to ensure calc.exe wasn't the culprit (because the actual name is calculator.exe now) but still no process in the task manager.

Steffen

[penpen]

Code: Select all

mshta "javascript:document.write('<html><script language=\"VBScript\">Set objShell = WScript.CreateObject(\"WScript.Shell\") : objShell.Run(\"cmd.exe /c calc.exe\"), 0, True</script></html>');close()"

The jscript in hta doesn't seem to support the "WScript" object (if that code worked for you, then MS probably changed that), but you still could use "CreateObject" instead.

It took me some time until i found out what went wrong with your code (beside the "WScript" object)...
It really is tricky because 4 parsers are involveed there (for mshta, cmd.exe, jscript, vba), but once i saw it the reason was trivial... :
The first parameter of mshta ends after the 'cmd.exe'.

You might better see that in the following two examples (first works, second doesn't because of that split; added the 'chr(34)'-code to avoid getting a misleading vbs-error message):

Code: Select all

mshta "javascript:document.write('<html><script language=\"VBScript\">Set objShell = CreateObject(\"WScript.Shell\") : objShell.Run chr(34)&\"cmd.exe\"&chr(34)&\"/cpause\", 1, True</script></html>');close()"

Code: Select all

mshta "javascript:document.write('<html><script language=\"VBScript\">Set objShell = CreateObject(\"WScript.Shell\") : objShell.Run chr(34)&\"cmd.exe\"&chr(34)&\" /cpause\", 1, True</script></html>');close()"

Beside that from the jscript part perspective there is no need to escape the doublequotes in a single quoted string.

But to avoid that mshta 'breaks' the first parameter in pieces, you should use an escape code for the doublequotes (which conveniently also takes issues with console tokenization 'out of the way'):

Code: Select all

mshta "javascript:document.write('<html><script language=\x22VBScript\x22>Set objShell = CreateObject(\x22WScript.Shell\x22) : objShell.Run \x22cmd.exe /ccalc.exe\x22, 0, True</script></html>');close()"

Thank you for this! Very useful!

You're welcome.

BTW, another way to start a process hidden from PowerShell:

Code: Select all

Start-Process -filepath "cmd.exe" -argumentlist "/c pause" -WindowStyle Hidden

(Don't know in which version of PS -WindowStyle Hidden was introduced)

Nice! But sadly it has the same issue as my code above.

However, i liked the "-WindowStyle Hidden" idea and tested if you also could use that when calling powershell.exe:
It worked, but as i feared (because of the blue shell popping up, as einstein1969 mentioned) powershell is a console application;
before the command line parameters are processed, a new shell window already opened and then is hidden again, which is better as before, but i don't know if that's sufficient, because the hta solution seems to avoid that.

penpen

[einstein1969]

thank you all!

I have probed to semplify and this is the result:

Code: Select all

mshta.exe vbscript:CreateObject("WScript.Shell").Run("cmd /c calc.exe",0)(Window.Close)

Thank you.

[aGerman]

The jscript in hta doesn't seem to support the "WScript" object

Good call. As long as I remember it never did.

@einstein1969 If you have to use quotes in the command line you want to execute, just double them.

Code: Select all

mshta vbscript:(CreateObject("WScript.Shell").Run("cmd /c ""calc.exe""",0))(Window.Close)

Steffen

[Eureka!]

Nice! But sadly it has the same issue as my code above.

It wasn't intended to be a solution; just sharing some tips.


@einstein1969 already found a fitting solution, but I would keep it simple:
- Create a shorctut to cmd /c ...
- and configure this shortcut to run minimized.
- In this mysterious software, configure to start the shortcut (.lnk)

[einstein1969]

@aGerman
Thanks

@Eureka!
it was a nice solution, because the execution was faster, but the mysterious software does not take shortcuts. The software, however, is called "macro recorder"