Is there any 'sudo' command for Windows?

463

140

I always work on a non-administrator account on my Windows computer. Sometimes I need to install programs which requires administrator access. As I mostly use the Windows command prompt, is there a Windows command to escalate privileges, similar to the Linux terminal command sudo?

ukanth

Posted 2009-09-17T09:24:35.757

Reputation: 9 930

7@IGRACH not on my powershell... – jiggunjer – 2016-01-17T15:27:10.890

2I use this doskey sudo= runas /user:Administrator "cmd /k cd \"%cd%\" & $*" – William – 2018-09-10T15:35:36.957

1

Try my wsudo, a sudo-like tool for Windows available as a Chocolatey package.

– noseratio – 2019-02-16T07:39:40.987

2gsudo works in cmd/powershell/windows terminal and has some nice features. – Gerardo Grignoli – 2020-02-10T01:53:33.290

This may be old news now but I run windows 10 with windows-subsystem-for-linux enabled. For my wsl terminal I use Ubuntu. I never thought I would go for something like this as a linux user but it's actually pretty handy, plays nice with VS code as well.

– Jacksonkr – 2020-02-27T15:45:29.173

7I believe the term you are looking for is "elevated" access. Even though your credentials have admin permission, processes under your credentials don't have admin permissions until you "sudo" the command. In Windows, they call it "elevate". – surfasb – 2014-01-25T01:01:01.767

Answers

272

The runas command.

runas [{/profile|/noprofile}] [/env] [/netonly] [/smartcard] [/showtrustlevels] [/trustlevel] /user:UserAccountName program

Just run:

runas /noprofile /user:Administrator cmd 

to start a command shell as a administrator

Davy Landman

Posted 2009-09-17T09:24:35.757

Reputation: 4 194

3@naxa Yeah, it's not exactly sudo. But you can change /user:Administrator to /user:YourLoginName and do the same thing as sudo, of course. Don't quite understand @surfasb 's comment. When would this bite you? I've successfully used this trick to edit files that are only editable by an admin (eg runas /noprofile /user:myUserName "C:\path\to\Vim\vim73\gvim.exe C:\some\file.cfg") – ruffin – 2014-11-05T15:22:59.087

1Doesn't work for me. It just asks for password (whether MyLoginName or the Administrator) and just runs the command normally. I've tested it by running taskmgr and even after entering password it says "740: The requested operation requires elevation.". Running calc works as it doesn't require elevation. – laggingreflex – 2015-01-13T04:31:43.207

@surfasb what if you launch whatever program you want from cmd, after doing runas /user:Administrator? – barlop – 2016-01-17T14:25:34.190

12+1 for "outdated" since runas can't bypass UAC. Instead, press Windows button, type cmd, and press Ctrl+Shift+Enter. – mellow-yellow – 2016-01-22T12:06:24.877

3@barlop: You should look up how UAC works. The Administrator account, by default, auto elevates process to Admin permissions. It's a coincidence that it works with the Administrator account. Use any other account in the Administators group with runas and your program won't get Admin permissions by default. – surfasb – 2016-01-22T16:46:24.667

2https://chocolatey.org/packages/Sudo – cIph3r – 2018-01-16T22:51:29.813

3You also have to make sure that the Administrator account has a password. Otherwise you get an error 1327, "user account restriction. Possible reasons are blank passwords not allowed,..." – lilbyrdie – 2010-11-06T14:35:55.007

Also check out my wsudo.

– noseratio – 2019-02-12T03:18:45.897

6This is not working for me. After I typed my password the command prompt is closed. – Jonas – 2010-12-09T13:44:18.793

1The "Account is disabled" checkbox on the user properties must be unchecked for this command to work. – Mike Glenn – 2010-12-14T05:05:25.057

This is elevation of a user account in Administrators; sudo is another thing. – Massimo – 2020-01-13T10:11:44.543

2@Jonas, you might have a renamed Admin account. I had the same issue – JP Hellemons – 2011-10-11T14:23:29.710

22You might find you want the profile loaded (e.g. including environment variables) for any extended use. In which case drop the /noprofile. – Richard – 2009-09-17T09:38:14.047

58isn't this asking for the Administrator's password? sudo is asking for *your* password! – n611x007 – 2012-09-18T08:42:29.880

17Unfortunately, this is seriously outdated. Runas merely runs commands under a different set of credentials. Even though your credentials have admin permissions, it doesn't mean all processes under your credentials run as admin. – surfasb – 2014-01-25T00:59:26.513

Can the script provide the password? – jcalfee314 – 2014-03-17T18:13:00.177

128

Elevate - "executes a command with UAC privilege elevation. This is useful for working inside command prompts or with batch files." It's not the same as sudo, it changes the executing user to Administrator, but its syntax is a lot more straightforward to use than runas, and it can keep the current directory, enabling the use of relative paths.

Synopsis:
  elevate [(-c | -k) [-n] [-u]] [-w] command

Options:
  -c  Launches a terminating command processor; equivalent to "cmd /c command".
  -k  Launches a persistent command processor; equivalent to "cmd /k command".
  -n  When using -c or -k, do not pushd the current directory before execution.
  -u  When using -c or -k, use Unicode; equivalent to "cmd /u".
  -w  Waits for termination; equivalent to "start /wait command".

Elevate's purpose isn't to work around or bypass UAC (User Account Control), but to work with it. As long as UAC is enabled there has to be some kind of prompt at some point in the process. If you need to get rid of prompting altogether you have to disable UAC.

The pain point Elevate alleviates is escalating a particular process from a non-privileged shell and then carrying on as normal. Without this you need to start a privileged command prompt with right-click > "Run as Administrator" before attempting the privileged command, which can't be easily scripted.

This works well with "Elevate without prompting" in secpol.msc. Together, they do the same as %wheel ALL=(ALL) NOPASSWD: ALL in sudo

A known limitation is that it does not return the error code from the program it is elevating.

If your muscle memory is stuck on sudo, create an alias using Doskey:
doskey sudo=elevate -w

or batchfile in PATH:
@elevate -w %*

Elevate is 3rd party tool written by Johannes Passing. It's an 11kb download and portable (no install needed): http://code.kliu.org/misc/elevate/

matt wilkie

Posted 2009-09-17T09:24:35.757

Reputation: 4 147

alias sudo='elevate -w' – Jürgen Paul – 2014-09-29T08:00:42.687

Open explorer.exe as another credentials user and as administrator? – Kiquenet – 2015-02-10T14:47:09.650

1@Kiquenet that's the same approach as runas in other answers, with similar results and differences to elevate, isn't it? – matt wilkie – 2015-02-10T17:38:44.463

11Would be nice to mention that it's an external utility, missing OOTB. – Hi-Angel – 2016-12-27T16:18:25.850

This is elevation of a user account in Administrators; sudo is another thing. – Massimo – 2020-01-13T10:11:59.033

Bowing to the wisdom of the crowd: post edited to declare it's a download (and credit the maker by name); Also incorporated other comment info. – matt wilkie – 2020-01-14T22:44:05.990

@massimo: see 2nd sentence ;-) – matt wilkie – 2020-01-14T22:45:14.177

5This goes perfect with "Elevate without prompting" in secpol.msc. Together, they do the same as %wheel ALL=(ALL) NOPASSWD: ALL in sudo. – sayap – 2012-02-20T09:40:52.110

2

@sayap, just to be clear, do you mean this: http://ss64.com/nt/syntax-uac.html?

– matt wilkie – 2012-02-20T18:45:33.097

Yes, that's the one. From my limited testing, it works straight away without having to restart Windows. – sayap – 2012-02-21T00:19:26.960

there's a similar program with the same name here: http://wintellect.com/cs/blogs/jrobbins/archive/2007/03/27/elevate-a-process-at-the-command-line-in-vista.aspx

– Janus Troelsen – 2013-02-06T01:21:34.780

5The only trouble I find with elevate (v1.3.0) is that it does not return the error code from the program it is elevating. – Ken – 2013-08-14T18:41:19.517

4Sudo.bat : @elevate %* => profit! – Joe DF – 2014-03-12T05:06:33.497

-1 this requires elaboration. I just tried C:\>elevate dir and it caused a popup prompting me if I want to elevate. That isn't very useful in a script. – barlop – 2014-03-15T12:30:53.533

2@barlop: elevate's purpose isn't to work around or bypass UAC (User Account Control), but to work with it. As long as UAC is enabled there has to be some kind of prompt at some point in the process. If you need to get rid of prompting altogether you have to disable UAC (see 2nd comment). The problem elevate solves is escalating a particular process from a non-privileged shell, and then carrying on as normal. Without this you need to start a privileged command prompt with right-click "Run as Administrator", which can't be scripted, before attempting the privileged command. – matt wilkie – 2014-03-19T22:40:36.143

@barlop, ok. I see I don't understand the nature of your complaint, and don't know how else to attempt to address it. – matt wilkie – 2014-03-20T18:31:15.777

67

You can use the runas command which is kind of similar, or you can check out the sudo for Windows project over at SourceForge which adds a sudo command.

The difference is subtle:

Let's say you have two users. Bob is a normal user and James is an administrator.

If you log in as Bob and use "runas james acommand" the command is run as if it was run by James, so it accesses James' user settings and any user changes go into James My Documents & settings folders, etc. So if you are installing an application, say, it will be installed as James, not as Bob.

If on the other hand Bob does "sudo acommand" the command is still run as Bob, but with elevated permissions - just like the Linux sudo command. To prevent any user from being able to sudo you have to define a sudoers user group that contains the list of the normal users that have permission to elevate using sudo. The users still have to provide credentials before elevation.

Sometimes the difference isn't important, sometimes it is, and I find that both commands can be useful.

Simon P Stevens

Posted 2009-09-17T09:24:35.757

Reputation: 5 025

1

Another solution, except hosted on GitHub, is windosu: https://github.com/tehsenaus/windosu I just found it, and it seems to work great. Favorite thing is it's super easy to install. Just "npm install -g windosu".

– Venryx – 2017-06-06T07:52:27.590

This is elevation of a user account in Administrators; sudo is another thing. – Massimo – 2020-01-13T10:12:08.360

@Massimo, can you explain the difference. – Simon P Stevens – 2020-01-13T14:50:14.573

5@hasen j - your issue is just because ~/.themes evaluates before the command is run (and thus before it switches over to root). – Jared – 2011-12-15T18:52:31.147

2Are you sure? When I run sudo in ubuntu, if my current theme is in ~/.themes then the sudo-ed application will not be able to access that theme, because it's not in /home/root/.themes, and will use the default ugly gtk theme. – hasen – 2009-11-19T22:28:58.367

41

You can also use the Script Elevation PowerToys.

Quog

Posted 2009-09-17T09:24:35.757

Reputation: 539

Awesome - exactly what I was looking for. I didn't want to run as a command has a different user, only to run it with elevated privileges. – orip – 2010-03-14T12:55:51.403

Exactly the right solution for this problem! Who wants Runas with its messy syntax? – Stabledog – 2010-03-29T14:14:43.500

It seems @barlop does not understand UAC. If you want your script to stop prompting you need to switch UAC off temporarily--which requires at least one prompt at the start of the script. Though I think in newer Windows versions even that became harder. Or maybe run every process from an elevated cmd. – jiggunjer – 2016-01-17T13:34:26.380

To only ask once, the script must have a separate component that would then do the administrative actions. – Paul Stelian – 2018-03-01T17:46:35.450

1I've often wished the elevate command were built into windows. It's a fantastic tool. – nhinkle – 2010-11-11T23:43:19.903

there's now an Elevation PowerToys collection by the same author from which Creating a Self-Elevating Script is particularly relevant.

– matt wilkie – 2011-09-07T23:22:53.000

@nhinkle can you do elevate command such that it suppresses the popup asking if you want to elevate it? – barlop – 2014-03-15T12:31:34.053

1@barlop of course not. That would defeat the purpose of UAC. – nhinkle – 2014-03-15T17:07:31.197

@nhinkle limiting the techie user in efficiency / demanding his attention for the meanial task of confirmation to run elevated, isn't exactly its goal(its goal is to prevent malicious attack, not elongate the process for legit things), but obviously it's something that it could be argued it must unfortunately do. Now though, if any program could run elevated in an automated way(no permission required), would you want it destroyed, for it hath defeated "the purpose of UAC"? – barlop – 2014-03-15T18:31:53.827

@barlop the whole point of UAC is that you can't run elevated without getting the user's permission. If you could just type elevate whatever.exe and have it run elevated, then it would be trivial for an attacker to run elevate nasty-virus.exe. It's an inherent requirement of UAC that confirmation occur somehow. It can't ask for confirmation in the command window, because the confirmation must run on an isolated secure desktop to prevent other software from injecting keystrokes. – nhinkle – 2014-03-15T18:51:23.527

@nhinkle i'm aware of that and am not disputing that. you didn't quite answer the question I asked you at the end of my comment but it doesn't matter, not important! ;-) – barlop – 2014-03-15T19:32:11.993

30

If you are ready to switch to alternative consoles, there is ConEmu (I'm the author). One of its features - the ability to run both elevated and non-elevated tabs in the one ConEmu window. Tabs may be started with different credentials too.

For user comfort, there is batch-file csudo.cmd (which may be easily adopted to bash). Read full description in project's wiki. In brief, when you run some command from existing non-elevated tab, for example

csudo dism /online /enable-feature /featurename:NetFX3 /All /Source:D:\sources\sxs /LimitAccess

ConEmu will starts dism in the new elevated console/tab (with preceding UAC prompt in Vista or Login box in XP).

By default csudo starts new console in a split (may be changes via editing of csudo.cmd contents).

And of course you may rename it to sudo.cmd if you like "classic" sudo word.

sudo in ConEmu/Windows

Maximus

Posted 2009-09-17T09:24:35.757

Reputation: 19 395

problem here is the new console tab becomes unusable after the sudo'd command. So you can't continue working in the elevated tab, just get a press enter or esc to exit message. – jiggunjer – 2016-01-17T15:25:10.637

1Of course you cant. Even on Unix you are back to non-elevated terminal after sudo command is done its work! You are going wrong way. – Maximus – 2016-01-17T17:45:48.047

1>

  • if you're gonna open a new window or tab you might as well keep it, let the user choose if they want to continue. 2) On my ubuntu I don't have to sudo every time, elevation lasts a few minutes I think. 3) this application has a million options, yet nothing for this? Maybe I'm spoiled.
  • < – jiggunjer – 2016-01-18T02:31:28.270

    1csudo long ago was included in the ConEmu distribution. No link is needed at all. – Maximus – 2014-03-12T08:16:03.910

    24

    Quick method:

    Three steps to add sudo.

    1. Open PowerShell.

    2. Copy the following script (Ctrl+C) and paste it in PowerShell (Alt+Space+E+P):

    $script_path="$HOME\Documents\Scripts"; if (!(test-path $script_path)) {New-Item -ItemType directory $script_path} if (!(test-path $profile)) { new-item -path $profile -itemtype file -force }". $script_path\sudo.ps1" | Out-File $profile -append; "function sudo(){if (`$args.Length -eq 1){start-process `$args[0] -verb `"runAs`"} if (`$args.Length -gt 1){start-process `$args[0] -ArgumentList `$args[1..`$args.Length] -verb `"runAs`"}}" | Out-File $script_path\sudo.ps1; powershell
    
    1. Hit Enter.

    It will permanently enable sudo command in PowerShell.

    Usage:

    sudo <process-name> [param1 [param2 [param3]]]
    

    Examples:

    sudo explorer
    sudo notepad
    sudo powershell
    sudo cmd
    sudo taskmgr
    sudo tasklist
    sudo taskkill /IM Skype.exe /PID 8496
    

    Long method for learning:

    Note: I mixed the script from both articles to create the aforementioned script. Rather manually pasting the script in notepad I added the Out-File statements to save ps1 and $profile files from the script.

    Tip: If you are not a very big fan of UAC popups (like me), save the following in *.reg file and run it:

    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "ConsentPromptBehaviorAdmin"=dword:00000000
    

    vulcan raven

    Posted 2009-09-17T09:24:35.757

    Reputation: 389

    Got this error on windows 10: . : File C:\Users\User\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 cannot be loaded because running scripts is disabled on this system. – sowrov – 2015-11-19T09:51:18.557

    @sowrov, see this article. By default PowerShell scripts are disabled on any Windows installation. You need to enable it with this command set-executionpolicy remotesigned. Other options besides remotesigned are described in official docs.

    – vulcan raven – 2015-11-22T09:54:43.727

    Readers note this ps script is a wrapper for the powershell -c start -verb runas program.exe functionality. Also note you can't elevate like this with the cmd prompt (natively). Powershell is the best native option. – jiggunjer – 2016-01-17T13:58:07.197

    can the same be done in cmd.exe instead of powershell env? powershell does not compute with clink and without clink windows does not compute at all... – PJJ – 2019-02-26T07:39:08.800

    This is elevation of a user account in Administrators; sudo is another thing. – Massimo – 2020-01-13T10:12:33.093

    1I love the powershell solution for this question. This has to be the easiest way to elevate something. Existing .bat files can easily be converted to POSH – Mitchell Skurnik – 2013-02-14T18:05:54.613

    19

    If you're doing this on Windows, then in addition to the Run As command as mentioned in a couple of other answers, there are also ways to do this with the mouse.

    If you hold down the Shift key as you right-click on most executable files in Windows you should notice a few more advanced options. One of these is the "Run As..." option (I think it's called "Run As Administrator" from Vista onwards).

    You can also download a more advanced version of RunAs from Microsoft, called ShellRunAs, this has enhancements over the built-in RunAs command, both in command line and graphical modes, including letting you save account credentials

    GAThrawn

    Posted 2009-09-17T09:24:35.757

    Reputation: 4 176

    This is elevation of a user account in Administrators; sudo is another thing. – Massimo – 2020-01-13T10:11:29.640

    4

    Surun is free, open-source application that allows certain programs to run with administrative rights, without providing a password without changing the user registry or modify environment variables.

    When I was using Windows XP this app helps me a lot. Beta works under Windows 7.

    diimdeep

    Posted 2009-09-17T09:24:35.757

    Reputation: 762

    surun does a great job. However sometimes under Windows 8 and 8.1 its defaults aren't ideal. Because it replaces Windows's run as function, you are not able to start a command prompt with right click on the start screen. – Wolf – 2015-01-15T11:15:38.173

    This is the best answer and should be the accepted one. Most of the other answers are about elevation of a user account in Administrators: not sudo. – Massimo – 2020-01-13T10:13:36.680

    3

    There is a chocolatey package for it with the convenient name sudo. You can install the package with chocolatey using this command:

    choco install -y sudo
    

    Then in whatever Windows/MS shell you have to use, you can use sudo as expected.

    ypid

    Posted 2009-09-17T09:24:35.757

    Reputation: 283

    This is elevation of a user account in Administrators; sudo is another thing. – Massimo – 2020-01-13T10:11:16.943

    3

    I wrote gsudo, a sudo for windows that feels like *nix sudo and has a few killer features:

    • Run within the current console (attached) without breaking tab-key auto-complete. Or add -n to launch in a new window.
    • Handles all scenarios reliably to be used on scripts. (ExitCodes, StdIn/Out/Err Redirection/Capture)
    • Supports Cmd/PowerShell/PowerShell Core
    • Credentials cache: If gsudo is invoked several times within minutes it only shows the UAC pop-up once.

    gsudo demo

    Usage

    gsudo Opens an elevated shell in the current console.

    gsudo [options] {command} [arguments] Executes the specified command with elevated permissions.

    Most relevant [options]:

    • -n | --new Starts the command in a new console with elevated rights (and returns immediately).
    • -w | --wait Force wait for the process to end (and return the exitcode).
    • -s | --system Run As Local System account ("NT AUTHORITY\SYSTEM").
    • --copyev Copy all environment variables to the elevated session before executing.

    Installation

    • Using Scoop: scoop install gsudo
    • Using Chocolatey: choco install gsudo
    • Manual Install
    PowerShell -Command "Set-ExecutionPolicy RemoteSigned -scope Process; iwr -useb https://raw.githubusercontent.com/gerardog/gsudo/master/installgsudo.ps1 | iex"
    

    Gerardo Grignoli

    Posted 2009-09-17T09:24:35.757

    Reputation: 218

    3

    As you've probably discovered, runas will let you run as another user but it cannot do elevation and it doesn't pass current directories, environment variables or long command lines.

    Hamilton C shell solves that with a genuine su and sudo. su lets you run a command as another user; sudo (actually an alias to su) lets you run a command elevated. You can also do both, running elevated as a different user. Current directories, environment variables and long command lines are passed by way of a shared memory handshake between su running in the caller's context and a copy of itself running as an interlude with the new credentials that then starts the child. Full disclosure: I'm the author.

    Nicole Hamilton

    Posted 2009-09-17T09:24:35.757

    Reputation: 8 987

    1

    The simplest solution in my view is to leverage powershell to do the work, which is portable and will prompt the user using the UAC.

    You can just run this in any shell (cmd or powershell)

    powershell Start-Process -verb runAs path-to-your.exe "-all -args -in -quotes"
    

    twall

    Posted 2009-09-17T09:24:35.757

    Reputation: 231

    1

    A working sudo replacement for Cygwin's mintty terminal would be to place the following script in user's PATH:

    $!/bin/bash
    cygstart --action=runas mintty -e `which bash` -lc \"$@\"
    

    For me this is the only viable replacement to elevate privileges of programs like vim or cygrunsrv while working in a terminal on Windows.

    karafior

    Posted 2009-09-17T09:24:35.757

    Reputation: 129

    0

    This script does the job:

    @echo Set objShell = CreateObject("Shell.Application") > %temp%\sudo.tmp.vbs
    @echo args = Right("%*", (Len("%*") - Len("%1"))) >> %temp%\sudo.tmp.vbs
    @echo objShell.ShellExecute "%1", args, "", "runas" >> %temp%\sudo.tmp.vbs
    @cscript //NoLogo %temp%\sudo.tmp.vbs
    

    Save it as sudo.cmd then add it to your PATH

    Note: the runas means in this context "Run as administrator" and not "Run as other user"

    Taken from here and slightly edited to remove cscript.exe header from output

    Charles Milette

    Posted 2009-09-17T09:24:35.757

    Reputation: 93

    1This creates a new console. The new window will disappear after the sudo'd command is completed--so you can't even read output. – jiggunjer – 2016-01-17T14:09:30.070

    Sadly, yes. But it can be used for some basic commands (copy), GUI tools, or opening an admin cmd. – Charles Milette – 2016-01-17T18:04:55.627

    This is elevation of a user account in Administrators; sudo is another thing. – Massimo – 2020-01-13T10:10:55.660

    0

    The following vbs script allows to launch a given command with arguments with elevation and mimics the behavior of the original unix sudo command for a limited set of used cases (it will not cache credentials nor it allows to truly execute commands with different credentials). I put it on C:\Windows\System32.

    Set objArgs = WScript.Arguments
    exe = objArgs(0)
    args = ""
    IF objArgs.Count >= 2 Then
       args = args & objArgs(1)
    End If
    For it = 2 to objArgs.Count - 1
       args = args & " " & objArgs(it)
    Next
    Set objShell = CreateObject( "WScript.Shell")
    windir=objShell.ExpandEnvironmentStrings("%WINDIR%")
    Set objShellApp = CreateObject("Shell.Application")
    objShellApp.ShellExecute exe, args, "", "runas", 1
    set objShellApp = nothing
    

    Example use on a command prompt sudo net start service

    ceztko

    Posted 2009-09-17T09:24:35.757

    Reputation: 121

    Downvoters: еxplain why and what is not working for you. The script is tested and working for me. – ceztko – 2019-11-06T19:56:06.947

    This is elevation of a user account in Administrators; sudo is another thing. – Massimo – 2020-01-13T10:11:04.740

    @Massimo of course calling this script sudo is a small naming abuse: it doesn't and it will not have the same features of original sudo, but by default in unix will execute with super user (root) impersonification, providing this is allowed in sudoers, so the mimic of the provided example it's perfectly clear to me. It's not possible to create a full sudo replacement in Windows without access to Windows internals and without defining a clear semantic of what can and what can't be done by the command. If this quick and dirty script doesn't work for you should find a different solution – ceztko – 2020-01-13T10:34:33.203