Creating a Self-Elevating Script

The question recently came up during an internal discussion about how to quickly (“one double-click”) elevate a script on a machine with UAC enabled without installing anything or manually configuring a shortcut to “Run as administrator”.  So to answer this question I decided to share my “self-elevating” CMD script.  This script relies on the same technique as my previous post on my updated version of Launchapp.wsf.  It uses the method of detecting whether the script is running elevated from John Howard’s blog (http://blogs.technet.com/jhoward/archive/2008/11/19/how-to-detect-uac-elevation-from-vbscript.aspx), translated to CMD script.  The following script will “re-launch itself” elevated if it is not already running elevated.  This version (RelaunchElevated.cmd in the download below) requires either that the Elevate Command PowerToy from here is installed or that elevate.cmd and elevate.vbs from the same download are in the same folder with the script or in the Windows search path.

@echo off
setlocal enabledelayedexpansion

set CmdDir=%~dp0
set CmdDir=%CmdDir:~0,-1%

:: Check for Mandatory Label\High Mandatory Level
whoami /groups | find "S-1-16-12288" > nul
if "%errorlevel%"=="0" (
    echo Running as elevated user.  Continuing script.
) else (
    echo Not running as elevated user.
    echo Relaunching Elevated: "%~dpnx0" %*

    if exist "%CmdDir%\elevate.cmd" (
        set ELEVATE_COMMAND="%CmdDir%\elevate.cmd"
    ) else (
        set ELEVATE_COMMAND=elevate.cmd
    )

    :: CARET expands (after escape processing) to a single literal ^, so the
    :: elevate command receives "^&" instead of a bare "&" that would split its
    :: own command line; the ^& on this line keeps this line from being split.
    set CARET=^^
    !ELEVATE_COMMAND! cmd /k cd /d "%~dp0" !CARET!^& call "%~dpnx0" %*
    goto :EOF
)

:: Continue script here

echo Arguments passed: %*

This script looks for the System Mandatory Label (the SID S-1-16-12288 checked above) in the output of whoami /groups.  If it is not found, the script uses the elevate command to launch a new instance of cmd.exe, changes the directory to the script directory, and re-launches itself with the same arguments.

In order to make the script even more self-contained (i.e. requiring no additional files) I created another version of this script (RelaunchElevated_EmbeddedScripts.cmd in the download below) that creates elevate.cmd and elevate.vbs in %Temp% on the fly when it is run, uses them from there, and then deletes them after they are used.
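Here is one way to build that self-contained variant, added as an example; it is not the RelaunchElevated_EmbeddedScripts.cmd from the download. It assumes a minimal stand-in for elevate.vbs, written to %TEMP% inline: a VBScript that calls Shell.Application.ShellExecute with the "runas" verb, which is what raises the UAC consent prompt, and the argument layout (script directory, script path, original arguments) is my own.

```batch
@echo off
setlocal

:: Same elevation test as the article: look for the High Mandatory Level SID.
whoami /groups | find "S-1-16-12288" > nul
if "%errorlevel%"=="0" goto :elevated

echo Not running as elevated user.  Relaunching Elevated: "%~dpnx0" %*

:: Write a throwaway helper to %TEMP%. This is an assumed replacement for the
:: PowerToy's elevate.vbs: it asks the shell to start cmd.exe with the "runas"
:: verb (UAC prompt) and re-quotes every argument it was given.
set "VBS=%TEMP%\elevate_%RANDOM%.vbs"
>  "%VBS%" echo Set sh = CreateObject("Shell.Application")
>> "%VBS%" echo Set a = WScript.Arguments
>> "%VBS%" echo rest = ""
>> "%VBS%" echo For i = 2 To a.Count - 1
>> "%VBS%" echo     rest = rest ^& " " ^& Chr(34) ^& a(i) ^& Chr(34)
>> "%VBS%" echo Next
>> "%VBS%" echo cmdArgs = "/k cd /d " ^& Chr(34) ^& a(0) ^& Chr(34) ^& " & call " ^& Chr(34) ^& a(1) ^& Chr(34) ^& rest
>> "%VBS%" echo sh.ShellExecute "cmd.exe", cmdArgs, "", "runas", 1

:: Helper arguments: 0 = script directory, 1 = script path, 2.. = original args.
cscript //nologo "%VBS%" "%~dp0" "%~dpnx0" %*

:: cscript has read the whole file by the time it returns, so delete it now.
del "%VBS%"
goto :EOF

:elevated
echo Running as elevated user.  Continuing script.
echo Arguments passed: %*
:: Continue script here
```

Because the helper is regenerated on every run and removed immediately afterwards, nothing needs to be installed or left on the Windows search path.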


- Michael Murgolo, Senior Consultant, Microsoft Services, U.S. East Region.

Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples are subject to the terms specified in the Terms of Use.

Attachment: RelaunchElevated.zip
  • Very good posting!

    This article solved exactly what I needed!

    Thanks a lot!

  • You are a life saver. I was reading and searching for a week before I finally found this. Thank you for sharing

  • Hi,

    I have a question regarding the script that is being proposed. I've added it to one of my existing scripts, and it worked fine. If the command prompt is not opened as elevated, it will re-launch as elevated.

    However, I have more than one script that I want to add it to, and ideally I would paste your script into its own .bat file, and then just call it from my existing scripts. The problem I am having with this is that if I call your script at the beginning, it completes, but then the rest of my script is not executed. Could you please give me some advice?

  • Goldie Locks,

    You need to have my script call yours, not the other way around.  Remember that elevation is done per process. So for elevation to occur, a new cmd.exe process must be started.  Calling my script from yours will not elevate the current cmd.exe process.

    So you either need to have my code in your script (like the first one you did), hard-code mine to launch yours after elevation, or change mine to take yours as a command line parameter and launch it after the elevation occurs.

    Michael Murgolo

  • This is great...but...  I still long for sudo.

    I landed here looking for a windows way to do the equivalent of sudo on Windows, and while this contains lots of great info on how to do *part* of what sudo does (allowing an admin to run without elevated privs and elevate only when needed), it misses the original purpose of sudo, which was to allow SOMEONE ELSE (not an admin) to run a SPECIFIC command (one owned and vetted for security by the admin) with admin privs.

    What we're still missing is a trustworthy way of letting a non-admin user run only specific commands with admin privileges.

    For example, at the moment I want to allow a particular non-admin user to run a bat file (or powershell/vb/wsh/whatever) as an admin without letting that user do anything else as an admin.  In this specific case the user needs to modify a config file and restart a service, but the user shouldn't be able to do any other admin action.

    Using sudo on Unix, I would just create a root-owned script (so the user can't change it), then configure sudo to allow the user to run that specific script.  This would take only a few minutes -- it's a really common activity on Unix systems, letting root users allow a non-root user to run a specific script to do only what they need to do without bothering root or waiting for root.

    So far the closest thing I've found (other than a few obviously weak sudo clones) would be to set a scheduled task to run as admin, and have that scheduled task look for some kind of signal that it should actually do something.  For example, a powershell script could look for "c:\users\bob\flags\run_once4me.txt" and only proceed if the file is found.  This way the user would have no influence over the steps run by the scheduled task -- he would only be able to cause the script to go or not go.  That's what sudo allows.

    I'm not looking for an answer to this comment -- but I confess to hoping against hope that I'll inspire you to figure out a way to do this gracefully on Windows. ;-)

  • Chew Toy

    The designers of Windows User Account Control expressly decided not to incorporate functionality like setuid/suid or sudo.  This post explains why: blogs.msdn.com/.../faq-why-can-t-i-bypass-the-uac-prompt.aspx.

    Michael Murgolo