Sometimes you need to create a batch file which includes commands that require elevated rights. Due to the UAC function included in Windows since Windows Vista, when start a batch file, it opens without the required access rights unless you right click it and select 'Run as Administrator' from the context menu.
- Batch File Runas Administrator
- Batch Program Examples
- Batch File Runas Administrator Without Password
- Batch Runas Administrator Manager
- Batch Runas Administrator Command
Runas is a very useful command on Windows OS. This command enables one to run a command in the context of another user account. One example scenario where this could be useful is: Suppose you have both a normal user account and an administrator account on a computer and currently you are logged in as normal user account. Now you want to install some software on the computer, but as you do not have admin privileges you can’t install the same from the current account. One option is to switch user and login as administrator. Instead, you can do the same by simply using runas command. You just need to launch the installer from command prompt using runas command and by providing administrator login id and password.
Let’s see the syntax of runas command with some examples.
Run a program from another user account
The command to launch a program using another user credentials is given below.
- A script and a program can run as system account via RunAsRob, a system account has more system privileges than an administrator. Run application as admin with the own profile and setting of the limitied user account. In other runas utilities it is just possible to run as administrator by using another account.
- The right-click, Run As Administrator function in File Explorer fails if the path to the target contains both an at sign (@) and a space. For example these paths work: D: foo bar foobar D: foo bar foo bar D: @foo bar foobar D: @foo email protected foobar But these prevent the target (batch file) from running: D: @foo bar foo bar.
For example, if you want to open registry editor as administrator of the computer, the command would be as below.
After running the above command, you will be asked to enter the password of administrator account. After password validation, registry editor will be opened with the administrator account credentials.
To specify arguments to the program:
If you need to provide arguments to the program that need to be invoked as another user, you can put the program name and the parameters in double quotes.
For example to open the file C:boot.ini as administrator, the command would be:
Running command prompt as another user :
If you have multiple commands need to be executed with administrator(or any other user )credentials, instead of running each command using runas, you can open command prompt window once as the administrator and then run all the commands in that window. Below is the command for opening a command window using runas.
Example:
It will launch new command window after printing the above message.
Run a batch file as administrator
To run a batch file as administrator of the computer, you need to mention the path of the batch file in the place of command in the runas syntax.
For example, to run the batch file located at c:datamybatchfile.bat, you need to run the below command.
Some questions regarding runas command:
Batch File Runas Administrator
When I use runas command, I am getting the error ‘This program is blocked by group policy. For more information, contact your system administrator’. How can I fix this?
Administrator of your system might have disabled users to login from command prompt. In group policy editor, this setting can be found in the below node.
Computer Configuration -> Windows settings -> Security settings ->Local Policies -> User rights assignment
In the above path, look for the setting ‘Deny logon as a batch job‘. If you have administrator privileges, you can disable this settings. Otherwise, you need to contact the system/domain administrator.
-->Applies To: Windows Server 2003, Windows Vista, Windows XP, Windows HPC Server 2008 R2, Windows Server 2008, Windows 7, Windows Server 2003 R2, Windows Server 2000, Windows Server 2012, Windows Server 2003 with SP1, Windows 8
Allows a user to run specific tools and programs with different permissions than the user's current logon provides.
Runas is a command-line tool that is built into Windows Vista. To use runas at the command line, open a command prompt, type runas with the appropriate parameters, and then press ENTER.
In the user interface for Windows Vista, the Run as… command has been changed to Run as administrator. However, you should rarely have to use the Run as administrator command because Windows Vista will automatically prompt you for an administrator password when it is needed.
For examples of how this command can be used, see Examples.
Syntax
Parameters
Parameter | Description |
|---|---|
/profile | Loads the user's profile. This is the default. This parameter cannot be used with the /netonly parameter. |
/no profile | Specifies that the user's profile is not to be loaded. This allows the application to load more quickly, but it can also cause a malfunction in some applications. |
/env | Specifies that the current network environment be used instead of the user's local environment. |
/netonly | Indicates that the user information specified is for remote access only. This parameter cannot be used with the /profile parameter. |
/savecred | Indicates if the credentials have been previously saved by this user. This parameter is not available and will be ignored on Windows Vista Home or Windows Vista Starter Editions. This parameter cannot be used with the /smartcard parameter. |
/smartcard | Indicates whether the credentials are to be supplied from a smartcard. This parameter cannot be used with the /savecred parameter. |
/showtrustlevels | Displays the trust levels that can be used as arguments to /trustlevel. |
/trustlevel | Specifies the level of authorization at which the application is to run. Use /showtrustlevels to see the trust levels available. |
/user:<UserAccountName> '<ProgramName> <PathToProgramFile>' | Specifies the name of the user account under which to run the program, the program name, and the path to the program file. The user account name format should be <User>@<Domain> or <Domain><UserAccountName>. |
/? | Displays help at the command prompt. |
Batch Program Examples
Remarks
Enter the user's password only when prompted.
It is good practice for administrators to use an account with restrictive permissions to perform routine, nonadministrative tasks, and to use an account with broader permissions only when performing specific administrative tasks. To accomplish this without logging off and back on, log on with a regular user account, and then use the runas command to run the tools that require the broader permissions.
The use of runas is not restricted to administrator accounts, although that is the most common use. Any user with multiple accounts can use runas to run a program, MMC console, or Control Panel item with alternate credentials.
If you want to use the Administrator account on your computer, for the /user: parameter, type one of the following:
**/user:<**AdministratorAccountName>@<ComputerName>
**/user:<ComputerName><**AdministratorAccountName>
If you want to use this command as a domain administrator, type one of the following:
**/user:<AdministratorAccountName>@<**DomainName>
**/user:<**DomainName><AdministratorAccountName>
With the runas command, you can run programs (*.exe), saved MMC consoles (*.msc), shortcuts to programs and saved MMC consoles, and Control Panel items. You can run them as an administrator while you are logged on to your computer as a member of another group, such as the Users or Power Users group.
You can use the runas command to start any program, MMC console, or Control Panel item. As long as you provide the appropriate user account and password information, the user account has the ability to log on to the computer, and the program, MMC console, or Control Panel item is available on the system and to the user account.
With the runas command, you can administer a server in another domain or forest (the computer from which you run a tool and the server you administer are in different domains or forests).
If you try to start a program, MMC console, or Control Panel item from a network location using runas, it might fail because the credentials used to connect to the shared network resource are different from the credentials used to start the program. The latter credentials may not be able to gain access to the same shared network resource.
Some items, such as the Printers folder and desktop items, are opened indirectly and cannot be started with the runas command.
If the runas command fails, the Secondary Logon service might not be running or the user account you are using might not be valid. To check the status of the Secondary Logon service, in Computer Management, click Services and Applications, and then click Services. To test the user account, try logging on to the appropriate domain using the account.
Group Policy is not processed for the user whose credentials are supplied to the runas command. This is by design. The runas command can load the user profile of the secondary user whose identity is being used to create the process, and that user profile may contain registry keys and values from previous interactive logons when Group Policy was processed for that user. However, the runas command also contains a /noprofile switch that bypasses the loading of the user profile, so that behavior should not be relied upon. User GPO is only processed for users who log on interactively to their own desktops by using the logon user interface.
Batch File Runas Administrator Without Password
Examples
Batch Runas Administrator Manager
The following command starts an instance of the command prompt as an administrator on the local computer:
When prompted, type the administrator account password.
The following command starts an instance of the Computer Management snap-in using a domain administrator account called contosodomainadmin:
Batch Runas Administrator Command
When prompted, type the domain administrator account password.
The following command starts an instance of Notepad (and a file named my_file.txt) using a domain administrator account called jayj in a domain called domain.contoso.com:
When prompted, type the domain administrator account password.
The following command starts an instance of a command prompt window, saved MMC console, Control Panel item, or program that will administer a server in another forest:
<Domain><User_Name> must be a user with sufficient permissions to administer the server. When prompted, type the account password.
Additional references