What we write in the page

In the Windows 10 command line, when a normal user who does not have administrative privileges tries to launch a program that requires administrative privileges, you will be asked to enter administrator's ID and password.

This is a security feature introduced in Windows Vista called UAC, which prevents bad programs from changing system settings without permission.

Therefore, this page describes the procedure to use batch to run programs that require administrator privileges with built-in ID and password .

This is not a technology to be used regularly, as it may cause security problems, and it is necessary to understand the disadvantages before using it.

Also, even though you are running as an administrator from batch, The error message "The requested operation requires elevation (Run as administrator)." or "Please run as administrator" may appear and you cannot run the program.

The following is a summary of how to change privileges on the command line in such cases.

Cases that can be solved

• If you right-click on the program you want to run and select Run as administrator, there is no problem, but you cannot run it from the command line!
• I want to execute a command that requires administrative privileges from a non-administrative user without a UAC window!
• I know my ID and password, so I want to run batches with them automatically promoted!
• I want to run the command prompt with administrator privileges from a regular user by incorporating the ID and password into a shortcut.

Verified version

• Windows 10 Enterprise、version 1809
• Windows 10 Home, version 2004

Insufficient permissions

There are two major situations when access is denied due to lack of privileges.

1. You do not have enough permissions to access or execute the folder or file you are trying to access.
2. You are the user owner, but you do not have the privilege to perform a specific function. Insufficient privileges.

1. Dealing with insufficient privileges to files and folders

For example, if you log in as a normal user with no administrative privileges and try to write a file to a Windows system folder, you will see the following message.

> echo testwrite > %windir%\test.txt
Access denied.

In this case, you may not have enough permissions to access the destination folder.

You can use the dir /q command to check the owner, the It is necessary to check the owner using the dir /q command, and grant access using the icacls command or the takeown command.

I will skip this section.

2. Lack of permissions to perform certain functions

You may get the following message even though you are the administrator.

I'm running as an administrator! I'm running as an administrator!

"The requested operation requires elevation (Run as administrator)."

The following is a description of what to do in this case.

Run the program using the runas command

The runas command can be used to run a program with a specified user.

runas /user:Administrator "cmd"

This will launch cmd (command prompt) with the privileges of the user's name, and can also be run from powershell.

Now you can launch the command prompt with administrative privileges.

However, if you try to use the "netsh" command to change anything related to Internet settings in this state However, if you try to change anything related to the Internet settings with the "netsh" command, etc., you will be told that you do not have enough privileges. (The same lack of privileges can also occur with other commands that change the machine's settings.

This is because the runas command does not grant enough privileges when switching users.

Privilege check

You can check your current privileges by using the whoami command. The `whoami' command is a Windows command to check your own user information.

The `whoami' command is a command to check your user information on Windows. whoami alone can check your user name.

Let's look at an example of running it on the command line. Here is an example of a user promoted from normal user privileges to Administrator using the runas command.

> whoami
amaji-devterm\Administrator
> whoami /priv
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

Even though you are an Administrator user, the Administrator invoked by the runas command has few privileges. As described below, let's compare the privileges with those of a command prompt launched with proper UAC authentication.

About UAC

When you run a program with administrative privileges, the entire desktop will go black and you will be asked to enter the ID and password required for administrative privileges. Also, if you are already an administrator user account, you will be asked to confirm that you are really okay to run the program.

The Windows OS from Windows Vista onwards has a User Account Control (UAC) function, which allows you to control the user's access to the system. This feature prevents users from calling programs that require privileges, which could inadvertently change the system.

When a user tries to perform a task that requires administrative privileges, the system temporarily switches to a special authentication screen and asks the user for manual authentication (ID and password input). This is also a way to prevent suspicious automated programs from accepting input*.

This happens when you do something like the following.

• As a normal user, right-click the application -> Run as administrator
• With a normal user, runas command → Directly launch a program that requires administrator privileges

Run a program that requires administrative privileges + privileges without showing UAC on the command line

If the UAC appears, it will stop the work that you really want to complete the operation only with the command line. (From a security point of view, you're right, and under normal circumstances, you should authenticate every time.

Switch the execution user with the runas command, and rerun the program from your own user in powershell. If it's a poweshell start-process function, the user will have the same privileges as when they logged in, and if the executor is the user themselves, they will have the same privileges as when they logged in. If the executor is the user himself, the UAC will not be displayed.

runas /user:username cmd
powershell start-process cmd -verb runas

If you put it on one line, it looks like this.

runas /user:username "powershell start-process cmd -verb runas"

The same command can be used under Active Directory management.

runas /user:username@ad-server.local "powershell start-process cmd -verb runas"

If you run this, you will be prompted for a password at the command prompt. If the password is correct, you will be able to run commands with administrative privileges and without UAC.

This is what it looks like in the diagram.

Privilege escalation using PowerShell Credential

By using powershell, which is available as a standard feature in Windows, you you can even omit manual entry of IDs and passwords.

Specifically, we manually create Windows credentials, and use the credentials to start a new program .

With this, you can incorporate passwords into the batch and fully automate the process.

Of course, it is not recommended to write passwords in plain text on the batch, so please be careful when using it.

A sample code for powershell is provided below.

This will allow a normal user to launch the command prompt with privileged administrative privileges. You can skip the UAC and password entry every time. You can now launch the cmd program with privileged administrative privileges, skipping the UAC and password entry each time.

$uid = "userid"
$pw = "password"
$secPw = ConvertTo-SecureString -String $pw -AsPlainText -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $uid, $secPw
Start-Process powershell -Credential $cred -WindowStyle Minimized -ArgumentList "-noexit -command Start-Process cmd -verb runas"

From the command prompt that is launched after executing the above, check your own permissions.

> whoami
Administrator
> whoami /priv
PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== ========
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Disabled
SeSecurityPrivilege                       Manage auditing and security log                                   Disabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Disabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Disabled
SeSystemProfilePrivilege                  Profile system performance                                         Disabled
SeSystemtimePrivilege                     Change the system time                                             Disabled
SeProfileSingleProcessPrivilege           Profile single process                                             Disabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Disabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Disabled
SeBackupPrivilege                         Back up files and directories                                      Disabled
SeRestorePrivilege                        Restore files and directories                                      Disabled
SeShutdownPrivilege                       Shut down the system                                               Disabled
SeDebugPrivilege                          Debug programs                                                     Disabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Disabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Disabled
SeUndockPrivilege                         Remove computer from docking station                               Disabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Disabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Disabled
SeTimeZonePrivilege                       Change the time zone                                               Disabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Disabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Disabled

If you just got administrator privileges with the runas command, you only had five privileges. But this one has a lot of privileges.

One line command to launch with privileged admin rights.

The powershell script described in the section "Elevating privileges with PowerShell Credentials" can be used as a one-liner. If you put the powershell script described in the "Elevating Privileges with PowerShell Credentials" section into a one-liner, you can run it from powershell or from the command prompt with You can run the program with administrative privileges from powershell, from the command prompt, or from Win+R's "Run as" command. The program can be launched with administrative privileges.

Make it possible to run programs with administrative privileges from shortcuts

To enable the program to be run with administrative privileges from a shortcut, just write the contents discussed in the section "Launching with privileged administrative privileges with a one-line command" in the shortcut. You just need to write it in the shortcut.

Privileged execution from task schedule without UAC dialog

Even if you are registered in the Administrator group, when you try to run a program that requires privileges However, the Windows Task Scheduler does not have a UAC dialog.

However, tasks registered in the Windows Task Scheduler with the "Run as Administrator" setting can be executed without the UAC dialog. However, tasks registered with the "Run as administrator" setting in the Windows Task Scheduler can be run as administrator without the UAC dialog. This can be used to launch tasks from batches, etc. without issuing a UAC.

This is more secure than embedding the administrator's ID or PW directly in the batch.

Register from the command line

In this case we will use the command line to regist task to windows taskscheduler.

Let's register the necessary commands to the task scheduler with administrative privileges. Since administrative privileges (UAC authentication) are required to run the Windows registry, let's specify regedit.exe.

schtasks /CREATE /TN hello_planc /TR "C:\Windows\regedit.exe" /SC ONCE /ST 00:00 /RL highest /F

The options for the schtasks command are as follows

• /CREATE : The options for the schtasks command are as follows
• /SC : lauch frequency. ONCE stands for one-time execution only (SCheduletype)
• /TN : Task name(Task Name)
• /TR : Command to be executed (TaskRun)
• /ST : If you put ONCE in SC, you need to register this too. (STart time)
• /RL : Privilege to execute, where highest is privileged execution (RunLevel)
• /F : Force overwrite if there is a task.

For the task name, register the appropriate "hello_planc" for testing.

Here, I wrote "ONCE" for the /SC option. ONCE is a kind of task that is executed only once at a specified date and time.

at /ST option, The time to be executed is specified in 24-hour format (HH:mm), but in this case In this case, I will specify 00:00.

When the program is executed and registered successfully, the following message will be displayed.

WARNING: Task may not run because /ST is earlier than current time.
SUCCESS: The scheduled task "hello_planc" has successfully been created.

You can check the registration status with the following command.

schtasks /Query /v /tn hello_planc

Run from command line

Next, let's run the registered "hello_planc" task from the command line.

schtasks /RUN /TN hello_planc

Programs that normally require UAC (e.g. regedit, etc.) can be launched without UAC.

Remove from command line

You can remove it with the following.

schtasks /DELETE /TN hello_planc

You will be prompted to enter "y" to complete the deletion.

WARNING: Are you sure you want to remove the task "hello_planc" (Y/N)? y
SUCCESS: The scheduled task "hello_planc" was successfully deleted.

the task I created was successfully deleted.

Run the created task from a shortcut

Once you've created the shortcut, all you have to do is click! and, you can easily launch the created task.

You just create shortcut to schtasks /RUN /TN hello_planc command.

Caution

UAC is a security protection mechanism that prevents unintended programs from running.

Just because it's convenient doesn't mean it's a security problem to run batches with privileges without going through UAC. Please be careful. (Of course, I can't take responsibility for this. ;-) )

References and Special Thanks

• (Japanese)Microsoft - schtasks
• Microsoft - Application Compatibility - Session 0 Isolation
• PENETRATING TESTING LAB - UAC Bypass – Task Scheduler
• stackoverflow - Can I send some text to the STDIN of an active process under Windows?

Page History