📅 06-10-2012 • Δ 21-05-2019
How can you start a program and elevate as administrator without a confirmation by the user. For example, on a corporate network for starting an unattended installation without using the Active Directory Group Policy.
In Windows 8, disabling the UAC (User Account Control) completely through the Group Policy / Local Security Policy, Windows Store applications (old name Metro applications) will stop working with this error:
"This app can't open. [application name] can't open while Account Control is turned off. Turn on User Account Control"
Disabling UAC via Control Panel will only disable it partially.
Why all the old methods don't work anymore
From Windows Vista and later a user, member of the administrators group, gets 2 tokens at login : a user token and an admin token. By default the user token is used. Because of this when using a DOS command like runas.exe for starting a program as another user (ex. an administrator), the user token is used and not the admin token.
One solution is to use the 'Elevation PowerToys for Windows Vista'. It certainly works in Windows 7 and Windows 8. Inside these PowerToys you can find 2 files that work together and can elevate a program if the active user has an admin token:
elevate.cmd and elevate.vbs
Original location: http://technet.microsoft.com/en-us/magazine/2008.06.elevation.aspx
This method works, but I find it a bit heavy. A batch file and a VBScript engine are launched each time. I developed a solution only using a c# program compiled with .NET Framework 4.0
The only thing that activates the magic (elevate) is the runas parameter in this line:
objShell.ShellExecute strApplication, strArguments, "", "runas"
In the .NET Framework we can accomplish this with the ProcessStartInfo.Verb property from the System.Diagnostics namespace:
ProcessStartInfo.Verb = "runas";
Syntax: elevate [program] [argument 1] [argument 2] ...
Example: elevate notepad c:\windows\win.ini
Elevate.exe starts a program using the Admin token of the current user if the user is in the administrators group for Windows >= Vista.
If UAC is enabled, the user will need to confirm the action. If UAC is partially disabled, the user will not need to confirm the action.
You need .NET Framework 4.0 or later to use my compiled version.
This software is provided "as is", with absolutely no warranty expressed or implied. Any use is at your own risk. Permission to use or copy this software for any purpose is hereby granted without fee. Permission to modify the code and to distribute modified code is granted.
UAC location in Local Security Policy:
secpol.msc, Local Policies / Security Options/ All entries beginning with: User Account Control
UAC location in Group Policy:
Computer Configuration / Windows Settings / Security Settings / Local Policies / Security Options/ All entries beginning with: User Account Control
UAC location in the normal Control Panel:
With view by 'small icons' active: Action Center / Change User Account Control settings Move the slider all the way down 'Never notify' With View by Category active: System and Security / Action Center / Change User Account Control settings
Other possible solutions
- Setting up a scheduled task with "Run with highest privileges" checked
SCHTASKS.EXE /RUN /TN "Name of Task"
- Create a service. But a service runs in 'Session 0 Isolation' mode with its own restrictions.
- Use dangerous tools like PSEXEC (http://technet.microsoft.com/en-us/sysinternals/bb897553). An attacker can easily use this for doing dangerous things.
- Compile a program with a manifest asking for elevation