I have a small script that performs the build and install process on Windows for a Bazaar repository I'm managing. I'm trying to run the script with elevated, administrative privileges from within the Windows shell (cmd.exe)--just as if I'd right-clicked it and chosen Run as Administrator, but without using any method that requires use of the graphical interface.
How do you run a command as an administrator from the Windows command line?
Asked Answered
A batch/WSH hybrid is able to call ShellExecute to display the UAC elevation dialog...
@if (1==1) @if(1==0) @ELSE
@echo off&SETLOCAL ENABLEEXTENSIONS
>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"||(
cscript //E:JScript //nologo "%~f0"
@goto :EOF
)
echo.Performing admin tasks...
REM call foo.exe
@goto :EOF
@end @ELSE
ShA=new ActiveXObject("Shell.Application")
ShA.ShellExecute("cmd.exe","/c \""+WScript.ScriptFullName+"\"","","runas",5);
@end
Could you please, @Anders, tell me what are the requirements for this script to work? a) Windows version, b) Visual Basic or .NET installed, c)Java installed. In a plain sight it seems to me there are none but just a Windows running, but I am not sure. Thanks. –
Chacon
@SopalajodeArrierez: The runas verb was added in Win2000 and cscript.exe was added in Win98/IE4 IIRC. –
Descendent
Thanks, @Anders. Please, a minor question: I am trying to use your script with my own program (calling a .lnk file that executes a Windows shell .exe), and I can not set my preferred icon, as I always do with any .lnk file. This is: the icon gets assigned to the .lnk, but during the execution (after accepting UAC prompt) the running window has the usual CMD icon. Is there a way to solve this? –
Chacon
I think early versions of NT used a undocumented flag in STARTUPINFO to set a icon in the console but support for that died in NT4 or NT5. If you already have your own program, why can't you perform the admin check there? .pif files can probably still set the icon but I don't know if .pif files are supported on 64 bit Windows... –
Descendent
I am dealing with your suggestions about the icon, @Descendent . Meanwhile, another (probably) stupid question: if I save your script as .cmd file, it runs fine. But if I add a first line like
@REM This is my Script I get some Microsoft JScript compilation: invalid character error. If this a batch script, why is this happening? Thanks again. –
Chacon I would be greatly thankful if you could explain the logic behind your script. I was able to understand the first part but i can't understand what does and when it's executed the
ShA.ShellExecute("cmd.exe","/c \""+WScript.ScriptFullName+"\"","","runas",5); command. –
Reina ShellExecute is a Windows API function ( msdn.microsoft.com/en-us/library/windows/desktop/bb762153 ) and by using the "runas" verb we request UAC elevation to start cmd.exe that will execute our script again but this second time it should be elevated... –
Descendent
Can you please edit the answer with some of the lines explained? I'm mostly interested in the magic (
@if-@ELSE-@end and >nul...) that makes this a hybrid. –
Pule The @ prefix in batch files turns off echo'ing of that command and @ is the prefix used for "pre-processor" instructions in Windows Scripting Host ( msdn.microsoft.com/en-us/library/58dz2w55 ). @if (1==1) is legal syntax in both batch and WSH and the rest is there to make the script executes the batch or WSH code depending on which script processor is actually running. (Batch file calls WSH (if required in this case) that calls batch file again, the 2nd time after being executed with a special verb) –
Descendent
@TWiStErRob: the magic of running this as JScript is the fact, that
@ELSE is not a JScript keyword because it's uppercase. So everything on lines 2 to 14 are 'IF' statements of outer @if including inner @if statement, which has it's 'IF' statements on lines 2 to 11. But because inner @if condition is false, it would never run lines 2 to 11. If you change @ELSE to lowercase you will break the whole WSH/batch hybrid. –
Alumna @Descendent nice job, combining WSH and batch using
@if statements and the @ELSE magic. –
Alumna How do you run a command agianst this? What is the client code syntax?
ThisScript.cmd cmd.exe mycmd myarg1 my arg2? I tried that and nothing happens –
Nabila @Nabila change the " REM call foo.exe" line and save my code as a .cmd file –
Descendent
All you have to do is use the runas command to run your program as Administrator (with a caveat).
runas /user:Administrator "cmdName parameters"
In my case, this was
runas /user:Administrator "cmd.exe /C %CD%\installer.cmd %CD%"
Note that you must use Quotation marks, else the runas command will gobble up the switch option to cmd.
Also note that the administrative shell (cmd.exe) starts up in the C:\Windows\System32 folder. This isn't what I wanted, but it was easy enough to pass in the current path to my installer, and to reference it using an absolute path.
Caveat: Enable the admin account
Using runas this way requires the administrative account to be enabled, which is not the default on Windows 7 or Vista. However, here is a great tutorial on how to enable it, in three different ways:
I myself enabled it by opening Administrative Tools, Local Security Policy, then navigating to Local Policies\Security Options and changing the value of the Accounts: Administrative Account Status policy to Enabled, which is none of the three ways shown in the link.
An even easier way to accomplish this:
C:> net user Administrator /active:yes
Is there a way to run as a different user (that has admin rights) instead of as the Administator? This is pretty important for us with work computers... –
Parnell
I imagine so. Try it, and see if it works. But, IDK which specific permissions the user would need in order to run a particular command, or to gain "admin status" in general. –
Avogadro
This works, but it's not completely linux like. I have noticed hiccups during it's use. Also at first there is roughly a 5 sec pause before the command is executed. Use it at your own discretion. –
Feathered
You're right about hiccups! Some programs will not run with elevated privileges unless the shell (
explorer.exe) is also running as an admin user. (E.g: control.exe.) However, for my original purpose (seamless installation), Ander's answer is much better suited. –
Avogadro Press the start button. In the search box type "cmd", then press Ctrl+Shift+Enter
not what the op questioned, but anyway - good to know this shortcut! - thanks –
Hoot
This does not attempt to answer the question as asked, and really shouldn't be the highest rated answer. -1 –
Alf
A batch/WSH hybrid is able to call ShellExecute to display the UAC elevation dialog...
@if (1==1) @if(1==0) @ELSE
@echo off&SETLOCAL ENABLEEXTENSIONS
>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"||(
cscript //E:JScript //nologo "%~f0"
@goto :EOF
)
echo.Performing admin tasks...
REM call foo.exe
@goto :EOF
@end @ELSE
ShA=new ActiveXObject("Shell.Application")
ShA.ShellExecute("cmd.exe","/c \""+WScript.ScriptFullName+"\"","","runas",5);
@end
Could you please, @Anders, tell me what are the requirements for this script to work? a) Windows version, b) Visual Basic or .NET installed, c)Java installed. In a plain sight it seems to me there are none but just a Windows running, but I am not sure. Thanks. –
Chacon
@SopalajodeArrierez: The runas verb was added in Win2000 and cscript.exe was added in Win98/IE4 IIRC. –
Descendent
Thanks, @Anders. Please, a minor question: I am trying to use your script with my own program (calling a .lnk file that executes a Windows shell .exe), and I can not set my preferred icon, as I always do with any .lnk file. This is: the icon gets assigned to the .lnk, but during the execution (after accepting UAC prompt) the running window has the usual CMD icon. Is there a way to solve this? –
Chacon
I think early versions of NT used a undocumented flag in STARTUPINFO to set a icon in the console but support for that died in NT4 or NT5. If you already have your own program, why can't you perform the admin check there? .pif files can probably still set the icon but I don't know if .pif files are supported on 64 bit Windows... –
Descendent
I am dealing with your suggestions about the icon, @Descendent . Meanwhile, another (probably) stupid question: if I save your script as .cmd file, it runs fine. But if I add a first line like
@REM This is my Script I get some Microsoft JScript compilation: invalid character error. If this a batch script, why is this happening? Thanks again. –
Chacon I would be greatly thankful if you could explain the logic behind your script. I was able to understand the first part but i can't understand what does and when it's executed the
ShA.ShellExecute("cmd.exe","/c \""+WScript.ScriptFullName+"\"","","runas",5); command. –
Reina ShellExecute is a Windows API function ( msdn.microsoft.com/en-us/library/windows/desktop/bb762153 ) and by using the "runas" verb we request UAC elevation to start cmd.exe that will execute our script again but this second time it should be elevated... –
Descendent
Can you please edit the answer with some of the lines explained? I'm mostly interested in the magic (
@if-@ELSE-@end and >nul...) that makes this a hybrid. –
Pule The @ prefix in batch files turns off echo'ing of that command and @ is the prefix used for "pre-processor" instructions in Windows Scripting Host ( msdn.microsoft.com/en-us/library/58dz2w55 ). @if (1==1) is legal syntax in both batch and WSH and the rest is there to make the script executes the batch or WSH code depending on which script processor is actually running. (Batch file calls WSH (if required in this case) that calls batch file again, the 2nd time after being executed with a special verb) –
Descendent
@TWiStErRob: the magic of running this as JScript is the fact, that
@ELSE is not a JScript keyword because it's uppercase. So everything on lines 2 to 14 are 'IF' statements of outer @if including inner @if statement, which has it's 'IF' statements on lines 2 to 11. But because inner @if condition is false, it would never run lines 2 to 11. If you change @ELSE to lowercase you will break the whole WSH/batch hybrid. –
Alumna @Descendent nice job, combining WSH and batch using
@if statements and the @ELSE magic. –
Alumna How do you run a command agianst this? What is the client code syntax?
ThisScript.cmd cmd.exe mycmd myarg1 my arg2? I tried that and nothing happens –
Nabila @Nabila change the " REM call foo.exe" line and save my code as a .cmd file –
Descendent
@echo off
fsutil dirty query %systemdrive% >nul || (
echo Requesting administrative privileges...
set "ELEVATE_CMDLINE=cd /d "%cd%" & call "%~f0" %*"
findstr "^:::" "%~sf0">"%temp%\getadmin.vbs"
cscript //nologo "%temp%\getadmin.vbs"
del "%temp%\getadmin.vbs" & exit /b
)
rem ------- getadmin.vbs ----------------------------------
::: Set objShell = CreateObject("Shell.Application")
::: Set objWshShell = WScript.CreateObject("WScript.Shell")
::: Set objWshProcessEnv = objWshShell.Environment("PROCESS")
::: strCommandLine = Trim(objWshProcessEnv("ELEVATE_CMDLINE"))
::: objShell.ShellExecute "cmd", "/c " & strCommandLine, "", "runas"
rem -------------------------------------------------------
echo Running script as admin.
echo Script file : %~f0
echo Arguments : %*
echo Working dir : %cd%
echo.
:: administrator commands here
:: e.g., run shell as admin
cmd /k
It also allows passing command line parameters to the batch script.
For a demo: self-elevating.bat "path with spaces" arg2 3 4 "another long argument"
And this is another version that does not require creating a temp file.
@echo off
<!-- : --- self-elevating_no_temp.bat ---------------------
fsutil dirty query %systemdrive% >nul && goto :gotAdmin
echo Requesting administrative privileges...
set "ELEVATE_CMDLINE=cd /d "%cd%" & call "%~f0" %*"
cscript //nologo "%~f0?.wsf" //job:Elevate
exit /b
-->
<job id="Elevate"><script language="VBScript">
Set objShell = CreateObject("Shell.Application")
Set objWshShell = WScript.CreateObject("WScript.Shell")
Set objWshProcessEnv = objWshShell.Environment("PROCESS")
strCommandLine = Trim(objWshProcessEnv("ELEVATE_CMDLINE"))
objShell.ShellExecute "cmd", "/c " & strCommandLine, "", "runas"
</script></job>
:gotAdmin -------------------------------------------------
echo Running script as admin.
echo Script file : %~f0
echo Arguments : %*
echo Working dir : %cd%
echo.
:: administrator commands here
:: e.g., run shell as admin
cmd /k
Edited 11/2023: Corrected the current working directory to "%CD%" instead of "%~dp0" More reliable command to detect if script is run as admin.
The second version is really amazing. Look at that beautify
cscript "self-elevating.bat?.wsf" part. –
Progression The plain-text
.bat and XML .wsh mix-in content is also gorgeous. –
Progression What is the SID from
find "S-1-16-12288"? It does not appear when I use whoami /groups. –
Radiotelegraph That's very cool. I would change the ELEVATE_CMDLINE to cd to %cd% instead so that relative paths in the initial invocation are correct. –
Nelly
Although @amr ali's code was great, I had an instance where my bat file contained > < signs, and it choked on them for some reason.
I found this instead. Just put it all before your code, and it works perfectly.
REM --> Check for permissions
>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"
REM --> If error flag set, we do not have admin.
if '%errorlevel%' NEQ '0' (
echo Requesting administrative privileges...
goto UACPrompt
) else ( goto gotAdmin )
:UACPrompt
echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
echo UAC.ShellExecute "%~s0", "", "", "runas", 1 >> "%temp%\getadmin.vbs"
"%temp%\getadmin.vbs"
exit /B
:gotAdmin
if exist "%temp%\getadmin.vbs" ( del "%temp%\getadmin.vbs" )
pushd "%CD%"
CD /D "%~dp0"
:--------------------------------------
Simple pipe trick, ||, with some .vbs used at top of your batch. It will exit regular and restart as administrator.
@AT>NUL||echo set shell=CreateObject("Shell.Application"):shell.ShellExecute "%~dpnx0",,"%CD%", "runas", 1:set shell=nothing>%~n0.vbs&start %~n0.vbs /realtime& timeout 1 /NOBREAK>nul& del /Q %~n0.vbs&cls&exit
It also del /Q the temp.vbs when it's done using it.
This is wicked! Would you mind explaining that line a bit more in depth? –
Avogadro
I would set up a shortcut, either to CMD or to the thing you want to run, then set the properties of the shortcut to require admin, and then run the shortcut from your batch file. I haven't tested to confirm it will respect the properties, but I think it's more elegant and doesn't require activating the Administrator account.
Also if you do it as a scheduled task (which can be set up from code) there is an option to run it elevated there.
Well, my goal mas to do it completely from the command line. I can't expect everyone who uses my installer to follow this process before running my installer. –
Avogadro
@Kate - I actually had the same idea as you and was trying this today on a win2012 server, but unfortunately, it does not work. The command prompt still runs without admin rights even if you set the shortcut up as "run as administrator". This is when I try to use the shortcut via Task Scheduler. Task Scheduler must do something under the covers to prevent it from running as admin, I'm not sure. –
Negrillo
i just created an shortcut in my desktop with this line in target:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command Start-Process -verb RunAs wt
and after pinned in taskbar :)
The shortcut is both unnecessary and unusable in the context of the original question, which was about making an installer to run on an end-user's system. However, the command is interesting. It looks like this is a simplification of the accepted answer. Is that correct? Does it bring up the UAC dialog? –
Avogadro
You can call PowerShell via its CLI, powershell.exe, in order to call its Start-Process cmdlet, which supports starting processes with elevation; doing so has two advantages:
You don't need a hybrid batch file that uses clever, but obscure tricks to combine the languages of two distinct environments in a single file.
You may place
-Waitbefore-Verb RunAs(see below) in order to make the elevated reinvocation synchronous, i.e. to wait for it to exit and communicate its exit code to the caller.
The following borrows techniques from Amr Ali's helpful WSH-assisted answer; save and run as run-elevated.cmd, for instance:
@echo off & setlocal
:: Check if the current session is already elevated.
:: `net session` only succeeds in elevated sessions.
net session >NUL 2>&1 && goto :ELEVATED
:: Getting here means that we must reinvoke with elevation.
:: Add -Wait before -Verb RunAs to wait for the reinvocation to exit.
set ELEVATE_CMDLINE=cd /d "%~dp0" ^& "%~f0" %*
powershell.exe -noprofile -c Start-Process -Verb RunAs cmd.exe \"/k $env:ELEVATE_CMDLINE\"
exit /b %ERRORLEVEL%
:: Getting here means that we are (now) running with elevation.
:ELEVATED
echo === Running in elevated session:
echo Script file : %~f0
echo Arguments : %*
echo Working dir : %cd%
Speaking of Amr Ali's WSH-assisted answer; here is a reformulation that makes passing the arguments through more robust, so that arguments such as "a & b" may be passed, and prevents duplicating "^" characters in arguments by avoiding the use of call - see line set ELEVATE_CMDLINE=...; also, apart from some formatting for readability, it is ensured that none of the original batch statements are accidentally echoed:
<!-- : (":" is required)
@echo off & setlocal
net session >NUL 2>&1 && goto :ELEVATED
set ELEVATE_CMDLINE=cd /d "%~dp0" ^& "%~f0" %*
cscript.exe //nologo "%~f0?.wsf" //job:Elevate & exit /b
-->
<job id="Elevate">
<script language="VBScript">
Set objShell = CreateObject("Shell.Application")
Set objWshShell = WScript.CreateObject("WScript.Shell")
Set objWshProcessEnv = objWshShell.Environment("PROCESS")
strCommandLine = Trim(objWshProcessEnv("ELEVATE_CMDLINE"))
objShell.ShellExecute "cmd", "/k " & strCommandLine, "", "runas"
</script>
</job>
:ELEVATED
echo === Running in elevated session:
echo Script file: %~f0
echo Arguments : %*
echo Working dir: %cd%
Browse to C:\windows\System32 and right click on cmd.exe and run as Administrator. Worked for me on Windows 7.
If you are trying to run a script with elevated privileges you could do the same for the script file or use the scheduler's run as a different user option to run the script.
This is great, but not something I could do from within the command line, e.g., from an install script. The only user intervention that should be required is confirming the elevation--similar to when you install any program on Windows 6/7. –
Avogadro
NirCmd www.nirsoft.net offers elevated Use nircmdc
I personally did not satisfied with any of suggested solutions so I traced and find out how microsoft itself is running some commands as administrator without any confirmations.
Here is what I finally found from windows registry:
*RunAs "D:\Path\To\app.exe"
*RunAs "D:\Path\To\app.exe" [YourCommandArgs]
© 2022 - 2024 — McMap. All rights reserved.
sudo-like tool for Windows, available as a Chocolatey package: https://mcmap.net/q/89078/-how-to-run-39-sudo-39-command-in-windows-duplicate – Expectation