Udostępnij za pośrednictwem


Creating a Self-Elevating Script

The question recently came up on during an internal discussion about how to quickly (“one double-click”) elevate a script on a machine with UAC enabled without installing anything or manually configuring a shortcut to “Run as administrator”.  So to answer this question I decided to share my “self-elevating” CMD script.  This script relies on the same technique as my previous post on my updated version of Launchapp.wsf.  It uses the method of detecting whether the script is running elevated from John Howard’s blog (https://blogs.technet.com/jhoward/archive/2008/11/19/how-to-detect-uac-elevation-from-vbscript.aspx), translated to CMD script.  The following script will “re-launch itself” elevated if it is not already running elevated.  This version (RelaunchElevated.cmd in the download below) requires that either that the Elevate Command PowerToy from here is installed or that elevate.cmd and elevate.vbs from the same download are in the same folder with the script or in the Windows search path.

@echo off
setlocal enabledelayedexpansion

set CmdDir=%~dp0
set CmdDir=%CmdDir:~0,-1%

:: Check for Mandatory Label\High Mandatory Level
whoami /groups | find "S-1-16-12288" > nul
if "%errorlevel%"=="0" (
echo Running as elevated user. Continuing script.
) else (
echo Not running as elevated user.
echo Relaunching Elevated: "%~dpnx0" %*

    if exist "%CmdDir%\elevate.cmd" (
set ELEVATE_COMMAND="%CmdDir%\elevate.cmd"
) else (
set ELEVATE_COMMAND=elevate.cmd
)

    set CARET=^^
!ELEVATE_COMMAND! cmd /k cd /d "%~dp0" !CARET!^& call "%~dpnx0" %*
goto :EOF
)

:: Continue script here

echo Arguments passed: %*

This script looks for the System Manadatory Label in the output of whoami /groups.  If it is not found, the script uses the elevate command to launch a new instance of cmd.exe, changes the directory to the script directory, and re-launches itself with the same arguments.

In order the make the script even more self contained (i.e. requiring no additional files) I created another version of this script (RelaunchElevated_EmbeddedScripts.cmd in the download below) that creates elevate.cmd and elevate.vbs in %Temp% on the fly when it is run, uses them from there, and then deletes them after they are used.

 

- Michael Murgolo, Senior Consultant, Microsoft Services, U.S. East Region.

Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples are subject to the terms specified in the Terms of Use .

RelaunchElevated.zip

Comments

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    This is great...but...  I still long for sudo. I landed here looking for a windows way to do the equivalent of sudo on Windows, and while this contains lots of great info on how to do part of what sudo does (allowing an admin to run without elevated privs and elevate only when needed), it misses the original purpose of sudo, which was to allow SOMEONE ELSE (not an admin) to run a SPECIFIC command (one owned and vetted for security by the admin) with admin privs. What we're still missing is a trustworthy way of letting a non-admin user run only specific commands with admin privileges. For example, at the moment I want to allow a particular non-admin user to run a bat file (or powershell/vb/wsh/whatever) as an admin without letting that user do anything else as an admin.  In this specific case the user needs to modify a config file and restart a service, but the user shouldn't be able to do any other admin action. Using sudo on Unix, I would just create a root-owned script (so the user can't change it), then configure sudo to allow the user to run that specific script.  This would take only a few minutes -- it's a really common activity on Unix systems, letting root users allow a non-root user to run a specific script to do only what they need to do without bothering root or waiting for root. So far the closest thing I've found (other a few obviously weak sudo clones) would be to set a scheduled task to run as admin, and have that scheduled task look for some kind of signal that it should actually do something.  For example, a powershell script could look for "c:usersbobflagsrun_once4me.txt" and only proceed if the file is found.  This way the user would have no influence over the steps run by the scheduled task -- he would only be able to cause the script to go or not go.  That's what sudo allows. I'm not looking for an answer to this comment -- but I confess to hoping against hope that I'll inspire you to figure out a way to do this gracefully on Windows. ;-)

  • Anonymous
    January 01, 2003
    Chew Toy The designers of Windows User Account Control expressly decided not to incorporate functionality like setuid/suid or sudo.  This post explains why: blogs.msdn.com/.../faq-why-can-t-i-bypass-the-uac-prompt.aspx. Michael Murgolo

  • Anonymous
    July 06, 2010
    Very good posting! This article solved exactly what I needed! Thanks a lot!

  • Anonymous
    August 26, 2010
    You are a life saver. I was reading and searching for a week before I finally found this. Thank you for sharing

  • Anonymous
    August 30, 2010
    Hi, I have a question regarding the script that is being proposed. I've added it to one of my existing scripts, and it worked fine. If command prompt not opened as elevated, it will re-launch as elevated. However, I have more than one script where I want to add it to, and ideally I would paste your script into its own .bat file, and then just call it from my existing scripts. The problem I am having with this is that if I call your script at the beginning, it completes, but then the rest of my script is not executed. Could you please give me some advice?

  • Anonymous
    July 08, 2016
    Hi Michael,Thank you for this information. If I am using relaunchelevated_embeddedScripts.cmd, where in that file do I call my bat file?Thanks,

  • Anonymous
    September 19, 2016
    It works great (at least for my needs :)!Tanks a lot!

  • Anonymous
    March 16, 2017
    Hi Michael,I am attempting to run a file from a batch file cctk (to set the BIOS settings on Dell machines) and I keep getting into an infinite loop. I am hoping that this will assist with that. Could you please assist me.Where in your script do I put my code or how do I call my file from within yours.Sorry probably a newbie question.Thanks, =)

  • Anonymous
    March 16, 2017
    Anonymous (March 16, 2017):Have you looked at SuRun? It does much of what sudo does and can have fairly restrictive controls.

  • Anonymous
    January 29, 2018
    This Script looks perfect, but I ran into trouble when starting from a network drive. In elevated mode, all network drives seems to be gone. So I hat to copy my script to local %Temp% before and use the commands: copy "%~dpnx0" "%Temp%%~nx0" !ELEVATE_COMMAND! cmd /k cd /d "%Temp%" !CARET!^& call "%Temp%~nx0" %* !CARET!^& del "%Temp%~nx0"