How to run another batch script with different privilege? - batch-file

I want to run a batch script as Administrator which, in turn, starts another batch script (start "title" /b /wait), but with current user's privilege.
Is this possible? What's the best way to do it?
Or how can I get the current logged in user name?

The command you want is runas - this command runs batchfile with the domain and username of the currently logged in user (you could also hardcode the domain and username if you wanted a specific user):
runas /noprofile /user:%USERDOMAIN%\%USERNAME% C:\batchfile.bat
The runas command requires an external program as the last argument so it doesn't handle built in commands like dir or copy. But you can run a built in command like copy with:
runas /noprofile /user:%USERDOMAIN%\%USERNAME% "cmd /c copy C:\source.txt C:\dest.txt"
You can also run things as Administrator like this:
runas /noprofile /user:Administrator "cmd /c copy C:\file.txt C:\Windows\System"
Here is some more info:
https://www.windows-commandline.com/windows-runas-command-prompt/

Related

New to scripting

I have two commands I have to run in CMD. I also need to run them remotely. I will add the .bat file to the C:\ of the remote computer as well. This is actually a fix for Windows 7 to 10 1809 migrations that breaks protected view in Office if anyone wants to know.
icacls "C:\Windows\SysWOW64\msvcp140.dll" /grant *S-1-15-2-1:(OI)(CI)RX
icacls "C:\Windows\SysWOW64\vcruntime140.dll" /grant *S-1-15-2-1:(OI)(CI)RX
This is what I came up with as being my first attempt at creating a bat file on my own. I am so new to this it's almost embarrassing but you have to start somewhere.
c:\
cd C:\Windows\SysWOW64
start cmd.exe /k icacls "C:\Windows\SysWOW64\msvcp140.dll" /grant *S-1-15-2-1:(OI)(CI)RX
start cmd.exe /c icacls "C:\Windows\SysWOW64\vcruntime140.dll" /grant *S-1-15-2-1:(OI)(CI)RX
pause
This also has to be run as admin.
One solution I can think of is for you to use PsExec from the SysInternals Suite. You mentioned trying to run command line commands from a remote location as admin, so this is why I am suggesting it. You can use it to run the icacls command or other commands remotely.
Here are some links to some documentation about PsExec:
Microsoft Documentation
ss64 Documentation
And a link to an article written by Mark Russinovich (Sysinternals Creator) on using PsExec:
PsExec Article
Now for the usage for your specific need:
psexec -accepteula \\[IP Address or Hostname] -u [domain\username] -p [Password] cmd.exe
Example with the options filled in:
psexec -accepteula \\192.168.1.3 -u win7\bob -p P#ssword cmd.exe
This command will allow you to open a remote command shell on the machine you want to execute the icacls commands. From there, you just run the icacls commands as if you were sitting at the remote machine. I recommend reading up in the links provided to understand what each switch does.
Or you can try this, which combines the above with your icacls commands and executes it all at once. I have not tested the command below, but it SHOULD work. This is all one command by the way, so make sure it is copied as one line.
psexec -accepteula \\[IP Address or Hostname] -u [User] -p [Password] cmd /c "icacls "C:\Windows\SysWOW64\msvcp140.dll" /grant *S-1-15-2-1:(OI)(CI)RX & icacls "C:\Windows\SysWOW64\vcruntime140.dll" /grant *S-1-15-2-1:(OI)(CI)RX"
I know this isn't a batch script, but it could help accomplish what you want to do.
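
The two grants from the question as one batch file that refuses to run unelevated and reports failures through its exit code, so it can be started locally or through the PsExec command above. This is an added example, not code from the original posts; the file name fix_acl.bat and the `net session` elevation check are assumptions of this example.

```batch
@echo off
setlocal
rem fix_acl.bat (hypothetical name): apply the two icacls grants from the question.

rem Assumption: "net session" succeeds only in an elevated context (it needs the
rem Server service to be running), so a failure is treated as "not elevated".
net session >nul 2>&1
if errorlevel 1 goto :not_elevated

set "FAILED=0"
for %%F in (msvcp140.dll vcruntime140.dll) do call :grant "%SystemRoot%\SysWOW64\%%F"
rem Exit code 0 = both grants applied, 1 = at least one file missing or refused.
exit /b %FAILED%

:grant
rem Kept outside any parenthesised block: the ")" in (OI)(CI) would end the block.
if not exist "%~1" goto :missing
rem S-1-15-2-1 is the well-known SID for ALL APPLICATION PACKAGES.
icacls "%~1" /grant *S-1-15-2-1:(OI)(CI)RX
if errorlevel 1 set "FAILED=1"
exit /b 0

:missing
echo Not found: %~1
set "FAILED=1"
exit /b 0

:not_elevated
echo Run this script from an elevated (Run as administrator) prompt.
exit /b 1
```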

Access is denied deleting files at command prompt

I am trying to run a batch file nightly to delete files in a certain directory that are older than 15 days. I am getting "Access is denied" even if I paste the command into an elevated (admin) command prompt window. This is on a Windows 7 PC. Here is the command that I found online to delete files over a certain age:
forfiles /p "C:\ProgramData\WEBSERVER\Download\X549D95" /d -15 /c "cmd /c del @path"
The user I am logged in as is a local administrator and has full control to the files in that folder. The PC is not a member of the domain so should not have group policies doing anything weird on it.
Maybe I have to do something to make this part of the command run as an administrator: "cmd /c del @path"? If so, how do I do that? I cannot find a switch for "cmd" to do that.

Command Prompt Runas cscript

I have get_data.vbs located in C:/test/source/. I've created run.bat file in C:/test/bin.
I'm able to run vbs script when I put the following in bat file:
cscript ../source/get_data.vbs
Q: Why doesn't it work when I use the runas command:
runas /user:domain\username "cscript \"../source/get_data.vbs""
If I put full path, it works without any issues:
runas /user:domain\username "cscript \"C:/test/source/get_data.vbs""
Thanks in advance
It didn't work because runas is started in its current directory, %windir%\System32, and there is no /source/get_data.vbs there.
If you want to make sure of this, try this code:
start /separate runas /user:domain\username "cscript \"../source/get_data.vbs""
You will see in the title of the window that opened something like C:\Windows\System32\runas.exe
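
One way to avoid the working-directory problem the answer describes is to resolve the script path relative to the batch file's own location and hand runas an absolute path. This is an added example, not code from the original posts; it assumes the layout from the question (run.bat in C:\test\bin, get_data.vbs in C:\test\source) and keeps the placeholder domain\username.

```batch
@echo off
setlocal
rem %~dp0 is the folder that contains this batch file (C:\test\bin\ in the
rem question's layout), whatever the caller's current directory is.
rem %%~fI normalises the "..\" so runas receives a fully qualified path.
for %%I in ("%~dp0..\source\get_data.vbs") do set "SCRIPT=%%~fI"

if not exist "%SCRIPT%" (
    echo get_data.vbs not found at "%SCRIPT%"
    exit /b 1
)

rem The child process does not inherit this script's directory (see the answer
rem above), so only an absolute path is passed. Inner quotes are escaped as \"
rem so that paths containing spaces survive.
runas /user:domain\username "cscript //nologo \"%SCRIPT%\""
exit /b %errorlevel%
```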

Batch file: Drop elevated privileges (run a command as original user)

I have a batch file that starts with elevated privileges (my installer spawns it), but at a certain point I need to run a command as the original user who started my installer (i.e. drop from the elevated privileges).
Is it possible to do so?
You can run a command with restricted privileges with:
runas /trustlevel:0x20000 "YourCommandHere"
You should provide the absolute path to your command including any arguments in double quotes as an argument to runas.
If you would like to run more than one command with restricted privileges, you can put them in a separate batch file and run it with:
runas /trustlevel:0x20000 "cmd /C PathToYourBatchFile"
Anyway, this will open a new console with restricted privileges. You also have to use this syntax whenever you wish to run with restricted privileges an internal command (like copy, del, etc.) as these are provided by the command line interpreter and do not have an associated path.
Note that 0x20000 is the trust level of standard users. You can list other available trust levels by running
runas /showtrustlevels
It's still a privileged program (though restricted) in Task Manager by using this command:
runas /trustlevel:0x20000 <cmd>
You can try the other way, which will make it unprivileged in Task Manager:
runas /savecred /user:%username% <cmd>
You still need to enter the password once but not every time.
Use explorer.exe to launch the program:
explorer.exe <cmd>
explorer.exe won't accept arguments for cmd, but you can create a temp script file and launch it by explorer.exe if arguments are necessary.

Run as administrator from the command line

To help my computer boot faster, I created a simple batch file that will open the programs I want, rather than do it all on startup, when I sometimes don't want them to.
@ECHO OFF
cd "C:\Users\Aaron\Documents\Documents"
start SSS.lnk
cd "C:\Program Files (x86)\puush"
start puush.exe
cd "C:\Users\Aaron\AppData\Roaming\Google\Google Talk\"
start googletalk.exe
cd "C:\Users\Aaron\AppData\Local\Facebook\Messenger\2.1.4651.0\"
start FacebookMessenger.exe
cd "C:\Program Files\Synergy\"
start synergy.exe
cd "C:\Program Files (x86)\Skype\Phone\"
start Skype.exe
cd "C:\Program Files (x86)\Miranda IM\"
start miranda32.exe
However,
cd "C:\Users\Aaron\Documents\Documents"
start SSS.lnk
is a service that's set to Manual, and I start that myself, and it requires to be run as administrator to start. Is there anything to add in front of that to run just that as administrator?
You might wish to have a look at Runas.
Short answer: You can use runas.exe:
C:\>runas /user:<localmachinename>\administrator cmd
or
runas.exe /user:administrator "full qualified path to your exe"
For the last cmd, you can add /savecred to save the administrator's password (not that I'm saying this is a good idea).
Workaround: Create a shortcut to your script. Go to properties, shortcut, advanced. Check "run as administrator".
There you go; every time you access via shortcut it will open as administrator.
There are some misunderstandings:
How to get localmachinename
There are many ways, some of them are:
a. c:\>hostname or
b. c:\>echo %computername%
You can't use the runas [...] command if you haven't set a password for your Windows account.
1327: Logon failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced.
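
Both threads above mention runas /savecred. The password it stores is kept in the user's Credential Manager and is reused by every later runas /savecred call for that account, whatever command is passed, so it is worth auditing. The following added example (not from the original answers) lists such entries and removes them on request; it assumes the English `cmdkey /list` output format `Target: Domain:interactive=...` and a hypothetical script name savecred_audit.bat.

```batch
@echo off
setlocal
rem savecred_audit.bat (hypothetical name)
rem   savecred_audit.bat          list credentials saved by runas /savecred
rem   savecred_audit.bat /purge   list them and delete each one
rem Assumption: cmdkey prints such entries as
rem   "    Target: Domain:interactive=MACHINE\user"

set "FOUND=0"
rem delims are ":" and space: token 1 is "Target", "*" is the rest of the line,
rem i.e. the full target name that cmdkey /delete expects.
for /f "tokens=1,* delims=: " %%A in ('cmdkey /list ^| findstr /i /c:"Domain:interactive="') do call :entry "%%B" "%~1"

if "%FOUND%"=="0" echo No runas /savecred entries found for %USERNAME%.
exit /b 0

:entry
set "FOUND=1"
echo Saved credential: %~1
if /i not "%~2"=="/purge" exit /b 0
rem Remove the stored password; the next runas /savecred will prompt again.
cmdkey /delete:%~1
exit /b 0
```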
