LOG entry for TCMD/TCC command line

#1
Is it possible to log how TCMD/TCC was started, usually if it's "Run as Administrator" and if there was a "Start In" or CD /D entry? I looked at the LOGS already generated (I have all available LOG entries in OPTION set) and nothing is looking close to my answer.

Might a plugin be created for this need?

TCC 19.10.51 x64 Windows 7 [Version 6.1.7601]
TCC Build 51 Windows 7 Build 7601 Service Pack 1
 
#2
Rex will no doubt know more, but I doubt TCC can be aware of any "Start In" entry anywhere; I believe that just tells TCC's parent what directory to specify when it (the parent) creates the TCC process. As for "CD /D", I believe TCC's start-up command line is available (not sure how) to TCSTART.BTM. From TCSTART, you could log start-up command lines and also check the _ELEVATED variable and log TCC's being run as admin.
 
#4
You can try %@PIDCOMMAND[%_PID]. I don't think it can be guaranteed to always return correct info, but it's worth a shot.
And, according to the help,
"With the exception of some initialization switches, the entire startup command line passed to TCC is available to TCSTART as batch file parameters (%1, %2, etc.)."
And if you use SYSUTILS, @PSTAT will give it to you.
Code:
v:\> echo %@pstat[.,c]
g:\tc19\tcc.exe /q
 
#8
It's been a couple of years since we last discussed this one.

XenForo's been upgraded more than once since then, but the issue remains....
Yeah, I remembered it too and did a little Googling. XenForo says it's by design and for security. Considering all it can do (Java, Flash, drag in unlimited third party crap, ...) HTTP seems more dangerous than FTP (which, after all, just transfers files).
 

Charles Dye

#11
Will it give similar details if it was TCMD and not TCC that was started?
AFAIK, either @PSTAT or @PIDCOMMAND takes a PID to specify the process. Just pass %_PID to get info on the current TCC.

Take Command's PID is harder to figure. %_PPID might be Take Command, but then again it might not. (TCC might have been launched by Take Command, or by Explorer. Or by another instance of TCC, or by CMD.EXE, which might itself in turn have been launched by any of the above....) I suppose you could walk back the chain with @PPID, examining each process with @PSTAT or @PIDCOMMAND until you find one which isn't TCC.EXE or CMD.EXE. That process might or might not be TCMD.EXE.... (And to confuse matters further, you can attach console programs to Take Command manually; these will not have TCMD as an ancestor, unless they do.)
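
The parent-chain walk described in #11, modelled as an added example that is not part of the original post and is not TCC code: it is Python run over a constructed process table, and `find_launcher`, `SHELLS` and `SAMPLE` are hypothetical names. It also shows two cases where the walk cannot be trusted: the parent has exited, or its PID now belongs to a younger, unrelated process.

```python
# Added illustration: models the @PPID walk over a constructed process table.
SHELLS = {"tcc.exe", "cmd.exe"}

# Constructed sample data: pid -> (parent pid, start time, image name, command line)
SAMPLE = {
    900:  (4,    100, "explorer.exe", r"C:\Windows\explorer.exe"),
    4000: (900,  200, "tcmd.exe", r'"C:\tools\tcmd.exe" /d "C:\work"'),
    4100: (4000, 210, "tcc.exe", r"C:\tools\tcc.exe /q"),
    4200: (4100, 220, "cmd.exe", "cmd.exe /k"),
    4300: (4200, 230, "tcc.exe", r"C:\tools\tcc.exe"),
    7000: (900,  300, "tcc.exe", r"C:\tools\tcc.exe"),    # started from Explorer
    5000: (777,  310, "tcc.exe", r"C:\tools\tcc.exe"),    # parent 777 has exited
    6000: (6001, 320, "tcc.exe", r"C:\tools\tcc.exe"),    # parent PID was reused...
    6001: (900,  400, "notepad.exe", "notepad.exe"),      # ...by a younger process
}


def find_launcher(table, pid):
    """Follow parent PIDs from `pid` until a process that is not TCC.EXE or CMD.EXE.

    Returns (status, pid, command_line); status is one of
    "tcmd", "other", "parent-gone", "stale-parent".
    """
    seen = set()
    child_start = None
    while True:
        entry = table.get(pid)
        if entry is None:
            return ("parent-gone", pid, None)
        ppid, started, name, cmdline = entry
        # Windows records the creator's PID once and never updates it, so the
        # number can later belong to an unrelated process. A "parent" that
        # started after its child, or a repeated PID, cannot be the launcher.
        if pid in seen or (child_start is not None and started > child_start):
            return ("stale-parent", pid, None)
        seen.add(pid)
        if name.lower() not in SHELLS:
            status = "tcmd" if name.lower() == "tcmd.exe" else "other"
            return (status, pid, cmdline)
        pid, child_start = ppid, started


if __name__ == "__main__":
    for start in (4300, 7000, 5000, 6000):
        print(start, find_launcher(SAMPLE, start))
```
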
 
#12
I use the attached registry.reg.txt exported registry data to specify Elevated status and the directory to open TCMD in. What I am looking for is basically:

C:\Program Files\Jpsoft\TCMD19_x64\tcmd.exe /d "C:\Users\Galloway\Desktop\HoldMe\"

assuming I had RMCed on the HoldMe folder on the desktop....
 

#13
Will it give similar details if it was TCMD and not TCC that was started?
With "." (specifying the current process) it will always give TCC's command line. As Charles pointed out you'll have to give it TCMD's PID if you want TCMD's command line.

Does that way of starting TCMD elevated result in a UAC prompt? There's a nice way to do it without the prompt. Make a scheduled task ... no schedule, but run-on-demand and with the highest privileges. Then start the task (named TCMDAdmin) with the likes of
Code:
schtasks.exe /run /tn TCMDAdmin
I even used EDITBIN to make a GUI version of SCHTASKS.EXE so it wouldn't pop up a momentary console.
 
#14
echo %@PIDCOMMAND[%_PID]

does not seem to be what I want. I want to see the full command that started TCMD. And I start TCMD by the following reg key data:

"C:\Program Files\JPSoft\TCMD21\tcmd.exe" /D "%L"

so if I right clicked on Folder1 on my desktop, it would return

"C:\Program Files\JPSoft\TCMD21\tcmd.exe" /D "%UserProfile%\Desktop\Folder1"

but with %UserProfile% expanded....
 
#15
I don't know about the rest of explorer, but I just started TCMD from Start\Run with this command:
Code:
g:\tc21\tcmd /d "%UserProfile%"
And in its TCC tab I see
Code:
v:\> echo %@pidcommand[%@pid[tcmd.exe]]
"G:\tc21\tcmd.exe" /d "C:\Users\vefatica"
Note that somewhere, quotes were added to the tcmd.exe path ... but %UserProfile% was expanded.