How-to: Run with elevated permissions

The CMD shell, START and RUNAS commands have no built-in options to elevate or run individual commands 'As Admin' (elevated).

It is possible to right click CMD.exe (or its Start menu shortcut) and run a whole new session 'As Admin'.

Shortcuts can be edited to always run as Admin - Properties | Shortcut | Advanced then tick "Run as administrator".

To run an item on the Start menu / Search / Desktop elevated, select it and then press Ctrl+Shift+Enter on the keyboard.

Elevating from the command line requires running either VBScript or PowerShell. This does not have to involve completely rewriting existing scripts: a couple of lines of either VBScript or PowerShell can launch an elevated CMD.exe, and that will run a batch file elevated.

Another approach is to use a third party utility that will elevate permissions.

When a script is run with elevated permissions several aspects of the user environment will change: the current directory and the current TEMP folder will change, and any mapped drives will be disconnected.

Testing for Elevation

Testing if the current session is elevated can be done with the FSUTIL command (via StackOverflow) or SFC.

fsutil dirty query %SYSTEMDRIVE% >nul
If %errorLevel% NEQ 0 (
   Echo Failure, please rerun this script from an elevated command prompt. Exiting...
   Ping 127.0.0.1 3>&1 > nul
   Exit /B 1
) 
Echo Success: this script is running elevated.

Windows 7 does not require passing a drive letter to FSUTIL; Windows 8 and 10 do.
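
The test above combined with the PowerShell relaunch and the change of current directory described earlier, as an added example that is not SS64's own code. The `/elevated` marker argument is hypothetical, and the script path is assumed to contain no single quote characters.

```batch
@Echo Off
SETLOCAL
:: Added example, not SS64's own code. "/elevated" is a made-up marker argument.

:: Same test as above: FSUTIL only succeeds in an elevated session.
fsutil dirty query %SYSTEMDRIVE% >nul 2>&1
If %errorLevel% EQU 0 GoTo :elevated

:: Already relaunched once and still not elevated: stop rather than loop.
If /I "%~1"=="/elevated" (
   Echo Failure, elevation was not granted. Exiting...
   Exit /B 1
)

:: Use PowerShell to start an elevated CMD.exe that runs this same batch file.
:: This raises a UAC prompt; the non-elevated copy then exits.
Echo Requesting elevation...
powershell.exe -NoProfile -Command "Start-Process -FilePath $env:ComSpec -ArgumentList '/c \"\"%~f0\" /elevated\"' -Verb RunAs"
Exit /B

:elevated
:: The elevated session starts in a different current directory,
:: so move to the folder holding this script before using relative paths.
PushD "%~dp0"
Echo Success: this script is running elevated in %CD%
:: Commands that need elevation go here. Mapped drives are disconnected,
:: so refer to network shares by UNC path.
PopD
ENDLOCAL
```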

Run without Elevation

In some cases you may wish to run an application without elevation; this will restrict what the application can do.

The undocumented environment variable __COMPAT_LAYER can be used to lower the ExecutionLevel to RunAsInvoker.

@Echo Off
SETLOCAL
Set __COMPAT_LAYER=RunAsInvoker
regedit.exe

The example above will run REGEDIT using the user's native permissions. Attempting to modify any protected area of the registry (such as HKLM) within this session will produce an error. Without this, Regedit will run elevated by default.

Scheduled Tasks

If a scheduled task invokes a UAC prompt, then the task will fail to run unattended.
To prevent this, select the check box 'Run With Highest Privileges'.

“A man in public life expects to be sneered at – it is the fault of his elevated situation, and not of himself” ~ Charles Dickens

Related

Compatibility - Backwards compatibility - runas admin / color - this can also force elevation.
PowerShell: Run with Elevated Permissions
VBScript: Run with Elevated Permissions
SS64 Forum thread on UAC detection.
elevate - Command-Line UAC Elevation Utility.


 
Copyright © 1999-2020 SS64.com
Some rights reserved