463
140
I always work on a non-administrator account on my Windows computer. Sometimes I need to install programs which requires administrator access. As I mostly use the Windows command prompt, is there a Windows command to escalate privileges, similar to the Linux terminal command sudo?
ukanth
Posted 2009-09-17T09:24:35.757
Reputation: 9 930
272
The runas command.
runas [{/profile|/noprofile}] [/env] [/netonly] [/smartcard] [/showtrustlevels] [/trustlevel] /user:UserAccountName program
Just run:
runas /noprofile /user:Administrator cmd
to start a command shell as a administrator
Davy Landman
Posted 2009-09-17T09:24:35.757
Reputation: 4 194
3@naxa Yeah, it's not exactly sudo. But you can change /user:Administrator to /user:YourLoginName and do the same thing as sudo, of course. Don't quite understand @surfasb 's comment. When would this bite you? I've successfully used this trick to edit files that are only editable by an admin (eg runas /noprofile /user:myUserName "C:\path\to\Vim\vim73\gvim.exe C:\some\file.cfg") – ruffin – 2014-11-05T15:22:59.087
1Doesn't work for me. It just asks for password (whether MyLoginName or the Administrator) and just runs the command normally. I've tested it by running taskmgr and even after entering password it says "740: The requested operation requires elevation.". Running calc works as it doesn't require elevation. – laggingreflex – 2015-01-13T04:31:43.207
@surfasb what if you launch whatever program you want from cmd, after doing runas /user:Administrator? – barlop – 2016-01-17T14:25:34.190
12+1 for "outdated" since runas can't bypass UAC. Instead, press Windows button, type cmd, and press Ctrl+Shift+Enter. – mellow-yellow – 2016-01-22T12:06:24.877
3@barlop: You should look up how UAC works. The Administrator account, by default, auto elevates process to Admin permissions. It's a coincidence that it works with the Administrator account. Use any other account in the Administators group with runas and your program won't get Admin permissions by default. – surfasb – 2016-01-22T16:46:24.667
2https://chocolatey.org/packages/Sudo – cIph3r – 2018-01-16T22:51:29.813
3You also have to make sure that the Administrator account has a password. Otherwise you get an error 1327, "user account restriction. Possible reasons are blank passwords not allowed,..." – lilbyrdie – 2010-11-06T14:35:55.007
6This is not working for me. After I typed my password the command prompt is closed. – Jonas – 2010-12-09T13:44:18.793
1The "Account is disabled" checkbox on the user properties must be unchecked for this command to work. – Mike Glenn – 2010-12-14T05:05:25.057
This is elevation of a user account in Administrators; sudo is another thing. – Massimo – 2020-01-13T10:11:44.543
2@Jonas, you might have a renamed Admin account. I had the same issue – JP Hellemons – 2011-10-11T14:23:29.710
22You might find you want the profile loaded (e.g. including environment variables) for any extended use. In which case drop the /noprofile. – Richard – 2009-09-17T09:38:14.047
58isn't this asking for the Administrator's password? sudo is asking for *your* password! – n611x007 – 2012-09-18T08:42:29.880
17Unfortunately, this is seriously outdated. Runas merely runs commands under a different set of credentials. Even though your credentials have admin permissions, it doesn't mean all processes under your credentials run as admin. – surfasb – 2014-01-25T00:59:26.513
Can the script provide the password? – jcalfee314 – 2014-03-17T18:13:00.177
128
Elevate - "executes a command with UAC privilege elevation. This is useful for working inside command prompts or with batch files." It's not the same as sudo, it changes the executing user to Administrator, but its syntax is a lot more straightforward to use than runas, and it can keep the current directory, enabling the use of relative paths.
Synopsis:
elevate [(-c | -k) [-n] [-u]] [-w] command
Options:
-c Launches a terminating command processor; equivalent to "cmd /c command".
-k Launches a persistent command processor; equivalent to "cmd /k command".
-n When using -c or -k, do not pushd the current directory before execution.
-u When using -c or -k, use Unicode; equivalent to "cmd /u".
-w Waits for termination; equivalent to "start /wait command".
Elevate's purpose isn't to work around or bypass UAC (User Account Control), but to work with it. As long as UAC is enabled there has to be some kind of prompt at some point in the process. If you need to get rid of prompting altogether you have to disable UAC.
The pain point Elevate alleviates is escalating a particular process from a non-privileged shell and then carrying on as normal. Without this you need to start a privileged command prompt with right-click > "Run as Administrator" before attempting the privileged command, which can't be easily scripted.
This works well with "Elevate without prompting" in secpol.msc. Together, they do the same as %wheel ALL=(ALL) NOPASSWD: ALL in sudo
A known limitation is that it does not return the error code from the program it is elevating.
If your muscle memory is stuck on sudo, create an alias using Doskey:
doskey sudo=elevate -w
or batchfile in PATH:
@elevate -w %*
Elevate is 3rd party tool written by Johannes Passing. It's an 11kb download and portable (no install needed): http://code.kliu.org/misc/elevate/
matt wilkie
Posted 2009-09-17T09:24:35.757
Reputation: 4 147
alias sudo='elevate -w' – Jürgen Paul – 2014-09-29T08:00:42.687
Open explorer.exe as another credentials user and as administrator? – Kiquenet – 2015-02-10T14:47:09.650
1@Kiquenet that's the same approach as runas in other answers, with similar results and differences to elevate, isn't it? – matt wilkie – 2015-02-10T17:38:44.463
11Would be nice to mention that it's an external utility, missing OOTB. – Hi-Angel – 2016-12-27T16:18:25.850
This is elevation of a user account in Administrators; sudo is another thing. – Massimo – 2020-01-13T10:11:59.033
Bowing to the wisdom of the crowd: post edited to declare it's a download (and credit the maker by name); Also incorporated other comment info. – matt wilkie – 2020-01-14T22:44:05.990
@massimo: see 2nd sentence ;-) – matt wilkie – 2020-01-14T22:45:14.177
5This goes perfect with "Elevate without prompting" in secpol.msc. Together, they do the same as %wheel ALL=(ALL) NOPASSWD: ALL in sudo. – sayap – 2012-02-20T09:40:52.110
2
@sayap, just to be clear, do you mean this: http://ss64.com/nt/syntax-uac.html?
– matt wilkie – 2012-02-20T18:45:33.097Yes, that's the one. From my limited testing, it works straight away without having to restart Windows. – sayap – 2012-02-21T00:19:26.960
there's a similar program with the same name here: http://wintellect.com/cs/blogs/jrobbins/archive/2007/03/27/elevate-a-process-at-the-command-line-in-vista.aspx
– Janus Troelsen – 2013-02-06T01:21:34.7805The only trouble I find with elevate (v1.3.0) is that it does not return the error code from the program it is elevating. – Ken – 2013-08-14T18:41:19.517
4Sudo.bat : @elevate %* => profit! – Joe DF – 2014-03-12T05:06:33.497
-1 this requires elaboration. I just tried C:\>elevate dir and it caused a popup prompting me if I want to elevate. That isn't very useful in a script. – barlop – 2014-03-15T12:30:53.533
2@barlop: elevate's purpose isn't to work around or bypass UAC (User Account Control), but to work with it. As long as UAC is enabled there has to be some kind of prompt at some point in the process. If you need to get rid of prompting altogether you have to disable UAC (see 2nd comment). The problem elevate solves is escalating a particular process from a non-privileged shell, and then carrying on as normal. Without this you need to start a privileged command prompt with right-click "Run as Administrator", which can't be scripted, before attempting the privileged command. – matt wilkie – 2014-03-19T22:40:36.143
@barlop, ok. I see I don't understand the nature of your complaint, and don't know how else to attempt to address it. – matt wilkie – 2014-03-20T18:31:15.777
67
You can use the runas command which is kind of similar, or you can check out the sudo for Windows project over at SourceForge which adds a sudo command.
The difference is subtle:
Let's say you have two users. Bob is a normal user and James is an administrator.
If you log in as Bob and use "runas james acommand" the command is run as if it was run by James, so it accesses James' user settings and any user changes go into James My Documents & settings folders, etc. So if you are installing an application, say, it will be installed as James, not as Bob.
If on the other hand Bob does "sudo acommand" the command is still run as Bob, but with elevated permissions - just like the Linux sudo command. To prevent any user from being able to sudo you have to define a sudoers user group that contains the list of the normal users that have permission to elevate using sudo. The users still have to provide credentials before elevation.
Sometimes the difference isn't important, sometimes it is, and I find that both commands can be useful.
Simon P Stevens
Posted 2009-09-17T09:24:35.757
Reputation: 5 025
1
Another solution, except hosted on GitHub, is windosu: https://github.com/tehsenaus/windosu I just found it, and it seems to work great. Favorite thing is it's super easy to install. Just "npm install -g windosu".
– Venryx – 2017-06-06T07:52:27.590This is elevation of a user account in Administrators; sudo is another thing. – Massimo – 2020-01-13T10:12:08.360
@Massimo, can you explain the difference. – Simon P Stevens – 2020-01-13T14:50:14.573
5@hasen j - your issue is just because ~/.themes evaluates before the command is run (and thus before it switches over to root). – Jared – 2011-12-15T18:52:31.147
2Are you sure? When I run sudo in ubuntu, if my current theme is in ~/.themes then the sudo-ed application will not be able to access that theme, because it's not in /home/root/.themes, and will use the default ugly gtk theme. – hasen – 2009-11-19T22:28:58.367
41
You can also use the Script Elevation PowerToys.
Quog
Posted 2009-09-17T09:24:35.757
Reputation: 539
Awesome - exactly what I was looking for. I didn't want to run as a command has a different user, only to run it with elevated privileges. – orip – 2010-03-14T12:55:51.403
Exactly the right solution for this problem! Who wants Runas with its messy syntax? – Stabledog – 2010-03-29T14:14:43.500
It seems @barlop does not understand UAC. If you want your script to stop prompting you need to switch UAC off temporarily--which requires at least one prompt at the start of the script. Though I think in newer Windows versions even that became harder. Or maybe run every process from an elevated cmd. – jiggunjer – 2016-01-17T13:34:26.380
To only ask once, the script must have a separate component that would then do the administrative actions. – Paul Stelian – 2018-03-01T17:46:35.450
1I've often wished the elevate command were built into windows. It's a fantastic tool. – nhinkle – 2010-11-11T23:43:19.903
there's now an Elevation PowerToys collection by the same author from which Creating a Self-Elevating Script is particularly relevant.
– matt wilkie – 2011-09-07T23:22:53.000@nhinkle can you do elevate command such that it suppresses the popup asking if you want to elevate it? – barlop – 2014-03-15T12:31:34.053
1@barlop of course not. That would defeat the purpose of UAC. – nhinkle – 2014-03-15T17:07:31.197
@nhinkle limiting the techie user in efficiency / demanding his attention for the meanial task of confirmation to run elevated, isn't exactly its goal(its goal is to prevent malicious attack, not elongate the process for legit things), but obviously it's something that it could be argued it must unfortunately do. Now though, if any program could run elevated in an automated way(no permission required), would you want it destroyed, for it hath defeated "the purpose of UAC"? – barlop – 2014-03-15T18:31:53.827
@barlop the whole point of UAC is that you can't run elevated without getting the user's permission. If you could just type elevate whatever.exe and have it run elevated, then it would be trivial for an attacker to run elevate nasty-virus.exe. It's an inherent requirement of UAC that confirmation occur somehow. It can't ask for confirmation in the command window, because the confirmation must run on an isolated secure desktop to prevent other software from injecting keystrokes. – nhinkle – 2014-03-15T18:51:23.527
@nhinkle i'm aware of that and am not disputing that. you didn't quite answer the question I asked you at the end of my comment but it doesn't matter, not important! ;-) – barlop – 2014-03-15T19:32:11.993
30
If you are ready to switch to alternative consoles, there is ConEmu (I'm the author). One of its features - the ability to run both elevated and non-elevated tabs in the one ConEmu window. Tabs may be started with different credentials too.
For user comfort, there is batch-file csudo.cmd (which may be easily adopted to bash). Read full description in project's wiki. In brief, when you run some command from existing non-elevated tab, for example
csudo dism /online /enable-feature /featurename:NetFX3 /All /Source:D:\sources\sxs /LimitAccess
ConEmu will starts dism in the new elevated console/tab (with preceding UAC prompt in Vista or Login box in XP).
By default csudo starts new console in a split (may be changes via editing of csudo.cmd contents).
And of course you may rename it to sudo.cmd if you like "classic" sudo word.
Maximus
Posted 2009-09-17T09:24:35.757
Reputation: 19 395
problem here is the new console tab becomes unusable after the sudo'd command. So you can't continue working in the elevated tab, just get a press enter or esc to exit message. – jiggunjer – 2016-01-17T15:25:10.637
1Of course you cant. Even on Unix you are back to non-elevated terminal after sudo command is done its work! You are going wrong way. – Maximus – 2016-01-17T17:45:48.047
1>
1csudo long ago was included in the ConEmu distribution. No link is needed at all. – Maximus – 2014-03-12T08:16:03.910
24
Three steps to add sudo.
Open PowerShell.
Copy the following script (Ctrl+C) and paste it in PowerShell (Alt+Space+E+P):
$script_path="$HOME\Documents\Scripts"; if (!(test-path $script_path)) {New-Item -ItemType directory $script_path} if (!(test-path $profile)) { new-item -path $profile -itemtype file -force }". $script_path\sudo.ps1" | Out-File $profile -append; "function sudo(){if (`$args.Length -eq 1){start-process `$args[0] -verb `"runAs`"} if (`$args.Length -gt 1){start-process `$args[0] -ArgumentList `$args[1..`$args.Length] -verb `"runAs`"}}" | Out-File $script_path\sudo.ps1; powershell
It will permanently enable sudo command in PowerShell.
sudo <process-name> [param1 [param2 [param3]]]
Examples:
sudo explorer
sudo notepad
sudo powershell
sudo cmd
sudo taskmgr
sudo tasklist
sudo taskkill /IM Skype.exe /PID 8496
Note: I mixed the script from both articles to create the aforementioned script. Rather manually pasting the script in notepad I added the Out-File statements to save ps1 and $profile files from the script.
Tip: If you are not a very big fan of UAC popups (like me), save the following in *.reg file and run it:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000000
vulcan raven
Posted 2009-09-17T09:24:35.757
Reputation: 389
Got this error on windows 10:
. : File C:\Users\User\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 cannot be loaded because running scripts is disabled on this system. – sowrov – 2015-11-19T09:51:18.557
@sowrov, see this article. By default PowerShell scripts are disabled on any Windows installation. You need to enable it with this command set-executionpolicy remotesigned. Other options besides remotesigned are described in official docs.
Readers note this ps script is a wrapper for the powershell -c start -verb runas program.exe functionality. Also note you can't elevate like this with the cmd prompt (natively). Powershell is the best native option. – jiggunjer – 2016-01-17T13:58:07.197
can the same be done in cmd.exe instead of powershell env? powershell does not compute with clink and without clink windows does not compute at all... – PJJ – 2019-02-26T07:39:08.800
This is elevation of a user account in Administrators; sudo is another thing. – Massimo – 2020-01-13T10:12:33.093
1I love the powershell solution for this question. This has to be the easiest way to elevate something. Existing .bat files can easily be converted to POSH – Mitchell Skurnik – 2013-02-14T18:05:54.613
19
If you're doing this on Windows, then in addition to the Run As command as mentioned in a couple of other answers, there are also ways to do this with the mouse.
If you hold down the Shift key as you right-click on most executable files in Windows you should notice a few more advanced options. One of these is the "Run As..." option (I think it's called "Run As Administrator" from Vista onwards).
You can also download a more advanced version of RunAs from Microsoft, called ShellRunAs, this has enhancements over the built-in RunAs command, both in command line and graphical modes, including letting you save account credentials
GAThrawn
Posted 2009-09-17T09:24:35.757
Reputation: 4 176
This is elevation of a user account in Administrators; sudo is another thing. – Massimo – 2020-01-13T10:11:29.640
4
diimdeep
Posted 2009-09-17T09:24:35.757
Reputation: 762
surun does a great job. However sometimes under Windows 8 and 8.1 its defaults aren't ideal. Because it replaces Windows's run as function, you are not able to start a command prompt with right click on the start screen. – Wolf – 2015-01-15T11:15:38.173
This is the best answer and should be the accepted one. Most of the other answers are about elevation of a user account in Administrators: not sudo. – Massimo – 2020-01-13T10:13:36.680
3
There is a chocolatey package for it with the convenient name sudo. You can install the package with chocolatey using this command:
choco install -y sudo
Then in whatever Windows/MS shell you have to use, you can use sudo as expected.
ypid
Posted 2009-09-17T09:24:35.757
Reputation: 283
This is elevation of a user account in Administrators; sudo is another thing. – Massimo – 2020-01-13T10:11:16.943
3
I wrote gsudo, a sudo for windows that feels like *nix sudo and has a few killer features:
-n to launch in a new window.gsudo is invoked several times within minutes it only shows the UAC pop-up once.
gsudo Opens an elevated shell in the current console.
gsudo [options] {command} [arguments]
Executes the specified command with elevated permissions.
Most relevant [options]:
-n | --new Starts the command in a new console with elevated rights (and returns immediately).-w | --wait Force wait for the process to end (and return the exitcode).-s | --system Run As Local System account ("NT AUTHORITY\SYSTEM").--copyev Copy all environment variables to the elevated session before executing.scoop install gsudochoco install gsudoPowerShell -Command "Set-ExecutionPolicy RemoteSigned -scope Process; iwr -useb https://raw.githubusercontent.com/gerardog/gsudo/master/installgsudo.ps1 | iex"
Gerardo Grignoli
Posted 2009-09-17T09:24:35.757
Reputation: 218
3
As you've probably discovered, runas will let you run as another user but it cannot do elevation and it doesn't pass current directories, environment variables or long command lines.
Hamilton C shell solves that with a genuine su and sudo. su lets you run a command as another user; sudo (actually an alias to su) lets you run a command elevated. You can also do both, running elevated as a different user. Current directories, environment variables and long command lines are passed by way of a shared memory handshake between su running in the caller's context and a copy of itself running as an interlude with the new credentials that then starts the child. Full disclosure: I'm the author.
Nicole Hamilton
Posted 2009-09-17T09:24:35.757
Reputation: 8 987
1
The simplest solution in my view is to leverage powershell to do the work, which is portable and will prompt the user using the UAC.
You can just run this in any shell (cmd or powershell)
powershell Start-Process -verb runAs path-to-your.exe "-all -args -in -quotes"
twall
Posted 2009-09-17T09:24:35.757
Reputation: 231
1
A working sudo replacement for Cygwin's mintty terminal would be to place the following script in user's PATH:
$!/bin/bash
cygstart --action=runas mintty -e `which bash` -lc \"$@\"
For me this is the only viable replacement to elevate privileges of programs like vim or cygrunsrv while working in a terminal on Windows.
karafior
Posted 2009-09-17T09:24:35.757
Reputation: 129
0
This script does the job:
@echo Set objShell = CreateObject("Shell.Application") > %temp%\sudo.tmp.vbs
@echo args = Right("%*", (Len("%*") - Len("%1"))) >> %temp%\sudo.tmp.vbs
@echo objShell.ShellExecute "%1", args, "", "runas" >> %temp%\sudo.tmp.vbs
@cscript //NoLogo %temp%\sudo.tmp.vbs
Save it as sudo.cmd then add it to your PATH
Note: the runas means in this context "Run as administrator" and not "Run as other user"
Taken from here and slightly edited to remove cscript.exe header from output
Charles Milette
Posted 2009-09-17T09:24:35.757
Reputation: 93
1This creates a new console. The new window will disappear after the sudo'd command is completed--so you can't even read output. – jiggunjer – 2016-01-17T14:09:30.070
Sadly, yes. But it can be used for some basic commands (copy), GUI tools, or opening an admin cmd. – Charles Milette – 2016-01-17T18:04:55.627
This is elevation of a user account in Administrators; sudo is another thing. – Massimo – 2020-01-13T10:10:55.660
0
The following vbs script allows to launch a given command with arguments with elevation and mimics the behavior of the original unix sudo command for a limited set of used cases (it will not cache credentials nor it allows to truly execute commands with different credentials). I put it on C:\Windows\System32.
Set objArgs = WScript.Arguments
exe = objArgs(0)
args = ""
IF objArgs.Count >= 2 Then
args = args & objArgs(1)
End If
For it = 2 to objArgs.Count - 1
args = args & " " & objArgs(it)
Next
Set objShell = CreateObject( "WScript.Shell")
windir=objShell.ExpandEnvironmentStrings("%WINDIR%")
Set objShellApp = CreateObject("Shell.Application")
objShellApp.ShellExecute exe, args, "", "runas", 1
set objShellApp = nothing
Example use on a command prompt sudo net start service
ceztko
Posted 2009-09-17T09:24:35.757
Reputation: 121
Downvoters: еxplain why and what is not working for you. The script is tested and working for me. – ceztko – 2019-11-06T19:56:06.947
This is elevation of a user account in Administrators; sudo is another thing. – Massimo – 2020-01-13T10:11:04.740
@Massimo of course calling this script sudo is a small naming abuse: it doesn't and it will not have the same features of original sudo, but by default in unix will execute with super user (root) impersonification, providing this is allowed in sudoers, so the mimic of the provided example it's perfectly clear to me. It's not possible to create a full sudo replacement in Windows without access to Windows internals and without defining a clear semantic of what can and what can't be done by the command. If this quick and dirty script doesn't work for you should find a different solution – ceztko – 2020-01-13T10:34:33.203
7@IGRACH not on my powershell... – jiggunjer – 2016-01-17T15:27:10.890
2I use this
doskey sudo= runas /user:Administrator "cmd /k cd \"%cd%\" & $*"– William – 2018-09-10T15:35:36.9571
Try my
– noseratio – 2019-02-16T07:39:40.987wsudo, asudo-like tool for Windows available as a Chocolatey package.2gsudo works in cmd/powershell/windows terminal and has some nice features. – Gerardo Grignoli – 2020-02-10T01:53:33.290
This may be old news now but I run windows 10 with windows-subsystem-for-linux enabled. For my wsl terminal I use Ubuntu. I never thought I would go for something like this as a linux user but it's actually pretty handy, plays nice with VS code as well.
– Jacksonkr – 2020-02-27T15:45:29.1737I believe the term you are looking for is "elevated" access. Even though your credentials have admin permission, processes under your credentials don't have admin permissions until you "sudo" the command. In Windows, they call it "elevate". – surfasb – 2014-01-25T01:01:01.767