Batch file: Drop elevated privileges (run a command as original user) - batch-file

I have a batch file that starts with elevated privileges (my installer spawns it), but at a certain point I need to run a command as the original user who started my installer (i.e. drop from the elevated privileges).
Is it possible to do so?

You can run a command with restricted privileges with:
runas /trustlevel:0x20000 "YourCommandHere"
You should provide the absolute path to your command including any arguments in double quotes as an argument to runas.
If you would like to run more than one command with restricted privileges, you can put them in a separate batch file and run it with:
runas /trustlevel:0x20000 "cmd /C PathToYourBatchFile"
Anyway, this will open a new console with restricted privileges. You also have to use this syntax whenever you wish to run with restricted privileges an internal command (like copy, del, etc.) as these are provided by the command line interpreter and do not have an associated path.
Note that 0x20000 is the trust level of standard users. You can list other available trust levels by running
runas /showtrustlevels

It's still a privileged program (though restricted) in Task Manager by using this command:
runas /trustlevel:0x20000 <cmd>
You can try the other way, which will make it unprivileged in Task Manager:
runas /savecred /user:%username% <cmd>
You still need to enter the password once but not every time.
Use explorer.exe to launch the program:
explorer.exe <cmd>
explorer.exe won't accept arguments for cmd, but you can create a temp script file and launch it by explorer.exe if arguments are necessary.
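
To check what a de-elevated command actually runs as (the answer above notes that Task Manager may still show it as privileged), the following batch script reports the integrity level and the state of the Administrators group in its own token. It is an added example, not code from any of the posts; it assumes English-language `whoami` output, and the log path is illustrative.

```batch
@echo off
rem Added example, not from the original posts: report what the current
rem process really runs as, so a de-elevation step can be verified.
rem Assumptions: English-language whoami output; LOG path is illustrative.
setlocal EnableExtensions
set "LOG=%TEMP%\integrity-check.log"

call :GetIntegrity LEVEL
call :GetAdminState ADMINS

rem Log to a file as well: runas opens a new console that may close at once.
set "LINE=%DATE% %TIME% user=%USERDOMAIN%\%USERNAME% integrity=%LEVEL% administrators=%ADMINS%"
echo %LINE%
>>"%LOG%" echo %LINE%

rem Exit code for a calling script:
rem   0 = not elevated, 1 = still elevated, 2 = could not determine
if "%LEVEL%"=="Unknown" exit /b 2
if "%LEVEL%"=="High"    exit /b 1
if "%LEVEL%"=="System"  exit /b 1
if "%ADMINS%"=="enabled" exit /b 1
exit /b 0

:GetIntegrity
rem The token carries one mandatory label; match it by its well-known SID.
set "%~1=Unknown"
whoami /groups | findstr /c:"S-1-16-4096"  >nul && set "%~1=Low"
whoami /groups | findstr /c:"S-1-16-8192"  >nul && set "%~1=Medium"
whoami /groups | findstr /c:"S-1-16-12288" >nul && set "%~1=High"
whoami /groups | findstr /c:"S-1-16-16384" >nul && set "%~1=System"
exit /b 0

:GetAdminState
rem BUILTIN\Administrators (S-1-5-32-544) is absent for standard users,
rem "deny only" in a filtered token, and enabled in an elevated one.
set "%~1=absent"
whoami /groups | findstr /c:"S-1-5-32-544" >nul || exit /b 0
set "%~1=enabled"
whoami /groups | findstr /c:"S-1-5-32-544" | findstr /i /c:"deny only" >nul && set "%~1=deny-only"
exit /b 0
```

Run it once directly from the elevated batch file and once through the `runas /trustlevel:0x20000 "cmd /C PathToYourBatchFile"` form from the first answer, then compare the two lines in the log.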

Related

How do I execute cmd commands through a bat file?

I need to create a .bat to put together with my setup system to install a network driver, but I have some difficulties in creating the bat.
This .bat needs:
execute a cmd with administrator privileges
run this command: netcfg.exe -v -l networkbll_lwf.inf -c s -i nt_networkbll
exit
The folder for all files location is: c:\Windows\System\Drivers.
You might have to use another batch file first to launch the second with admin rights.
In the first use
runas /noprofile /user:mymachine\administrator batchfilename.bat
PAUSE
and write the needed command in another bat file

How to run another batch script with different privilege?

I want to run a batch script as Administrator which, in turn, starts another batch script (start "title" /b /wait), but with current user's privilege.
Is this possible? What's the best way to do it?
Or how can I get the current logged in user name?
The command you want is runas - this command runs batchfile with the domain and username of the currently logged in user (you could also hardcode the domain and username if you wanted a specific user):
runas /noprofile /user:%USERDOMAIN%\%USERNAME% C:\batchfile.bat
The runas command requires an external program as the last argument so it doesn't handle built in commands like dir or copy. But you can run a built in command like copy with:
runas /noprofile /user:%USERDOMAIN%\%USERNAME% "cmd /c copy C:\source.txt C:\dest.txt"
You can also run things as Administrator like this:
runas /noprofile /user:Administrator "cmd /c copy C:\file.txt C:\Windows\System"
Here is some more info:
https://www.windows-commandline.com/windows-runas-command-prompt/

Command Prompt opens when installing SQL Server using PowerShell

I am using the following code to set up SQL Server using PowerShell
setup.exe /CONFIGURATIONFILE=config.ini
When I run the above script in PowerShell it opens the command prompt and runs the setup.
Is there a way in PowerShell that the command prompt that is being opened (which I can see on the screen) gets opened in the background?
Because of this command prompt opening, I get an error "Requires an interactive shell" when I run the PowerShell script remotely.
Does it work if you run Setup.exe with the "Silent" mode (No user-interaction) in addition to the ConfigurationFile? Options are documented here : https://msdn.microsoft.com/en-us/library/ms144259.aspx for reference.
Try specifying /Q or /QS
E.g.
".\setup.exe /Q /ConfigurationFile=$commandlineparam"

Give Admin privileges to exe application

I'm starting an exe application through a .bat file, and I want to start it granting admin privileges to it. How can I do it in a .bat file?
Two basic options:
Run the script as admin
Use the 'runas' command e.g.
runas /user:administrator blah.exe
Runas will then prompt for the admin password.

Run as administrator from the command line

To help my computer boot faster, I created a simple batch file that will open the programs I want, rather than do it all on startup, when I sometimes don't want them to.
@ECHO OFF
cd "C:\Users\Aaron\Documents\Documents"
start SSS.lnk
cd "C:\Program Files (x86)\puush"
start puush.exe
cd "C:\Users\Aaron\AppData\Roaming\Google\Google Talk\"
start googletalk.exe
cd "C:\Users\Aaron\AppData\Local\Facebook\Messenger\2.1.4651.0\"
start FacebookMessenger.exe
cd "C:\Program Files\Synergy\"
start synergy.exe
cd "C:\Program Files (x86)\Skype\Phone\"
start Skype.exe
cd "C:\Program Files (x86)\Miranda IM\"
start miranda32.exe
However,
cd "C:\Users\Aaron\Documents\Documents"
start SSS.lnk
is a service that's set to Manual, and I start that myself, and it requires to be run as administrator to start. Is there anything to add in front of that to run just that as administrator?
You might wish to have a look at Runas.
Short answer: You can use runas.exe:
C:\>runas /user:<localmachinename>\administrator cmd
or
runas.exe /user:administrator "full qualified path to your exe"
For the last cmd, you can add /savecred to save the administrator's password (not that I'm saying this is a good idea).
Workaround: Create a shortcut to your script. Go to properties, shortcut, advanced. Check "run as administrator".
There you go; every time you access via shortcut it will open as administrator.
There are some misunderstandings:
How to get localmachinename
There are many ways, some of them are:
a. c:\>hostname or
b. c:\>echo %computername%
You can't use the runas [...] command if you haven't set a password for your Windows account.
1327: Logon failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced.
