Script execution: option to run as logged-in user instead of SYSTEM

[lacymooretx]

Feature Request

Problem

Script executions via POST /api/script-executions always run in SYSTEM context. This makes it impossible to:

• Launch GUI applications in the user's desktop session
• Access user-specific resources (HKCU registry, user profile, AppData)
• Start tray applications or other interactive processes the user can see

Current Workaround

The only way to run something in the logged-in user's session is a scheduled task hack:

$action = New-ScheduledTaskAction -Execute "C:\path\to\app.exe"
$principal = New-ScheduledTaskPrincipal -GroupId "S-1-5-32-545" -RunLevel Limited
Register-ScheduledTask -TaskName "TempLaunch" -Action $action -Principal $principal
Start-ScheduledTask -TaskName "TempLaunch"
Unregister-ScheduledTask -TaskName "TempLaunch" -Confirm:$false

This works but is fragile and doesn't capture output properly.

Proposed Solution

Add a runAsLoggedOnUser (boolean) option to the script execution API:

{
  "adHocScriptContent": "...",
  "scriptType": "PowerShell",
  "targetDeviceIds": ["..."],
  "runAsLoggedOnUser": true
}

When true, the agent should:

1. Identify the interactive user session (e.g., via WTSGetActiveConsoleSessionId or WTSEnumerateSessions)
2. Duplicate the user's token
3. Execute the script using CreateProcessAsUser in that session

Use Case

Deploying and launching GUI applications (like our Aspendora Chat tray app) remotely via the API. The MSI installs fine under SYSTEM, but the app itself needs to run in the user session.

Competitors

ConnectWise ScreenConnect, TeamViewer, LogMeIn, and AnyDesk all support running commands as the logged-in user.

[bitbound]

Linked this to the scripting story. It'll be included.