47

Whenever I need to run a powershell script it complains of security, if I add powershell.exe -nologo -executionpolicy bypass -File .\install.ps1 I still get permission denied unauthorizedAccessException. I just want to run this install script, what is the sudo equivalent to type on the powershell on windows?

Rob
  • 14,746
  • 28
  • 47
  • 65
eri0o
  • 2,285
  • 4
  • 27
  • 43
  • Does this answer your question? [Running a command as Administrator using PowerShell?](https://stackoverflow.com/questions/7690994/running-a-command-as-administrator-using-powershell) – ggorlen Nov 17 '20 at 05:57

6 Answers6

47

If you are using Chocolatey (a package manager), you can install a package named sudo.
Then you can use sudo like Linux sudo

Sean
  • 1,055
  • 11
  • 10
  • This is great! I can finally use the PowerShell window I always keep open, instead of reaching for PowerShell / Run as Administrator in the Start Menu. :-) – Christian Davén Feb 19 '21 at 12:52
  • 3
    This works. But I can not see any program output. For example, if I type "sudo ls", it shows an UAC prompt, then just goes to next line of cursor without showing me the output of the "ls" command. I recommend "gsudo" as a better alternative. – Spero Jul 17 '21 at 21:31
  • Tried at the end 2021 and it works so good!! I use that for installing choco packages – Lorenzo Morelli Sep 28 '21 at 14:09
  • I like this. Thanks! very useful – JoenMarz Nov 07 '22 at 06:17
28

Note: If you're looking to add general-purpose, prepackaged sudo-like functionality to PowerShell, consider the
Enter-AdminPSSession (psa) function from this Gist, discussed in the bottom section of this answer.

If you are running from PowerShell already, then use Start-Process -Verb RunAs as follows:

Start-Process -Verb RunAs powershell.exe -Args "-executionpolicy bypass -command Set-Location \`"$PWD\`"; .\install.ps1"

Note:

  • The script invariably runs in a new window.
  • Since the new window's working directory is invariably $env:windir\System32, a Set-Location call that switches to the caller's working directory ($PWD) is prepended.
    • Note that in PowerShell (Core) 7+ (pwsh.exe) this is no longer necessary, because the caller's current location is inherited.
  • Executing Set-Location necessitates the use of -Command instead of -File.
    • A general caveat is that -Command can change the way arguments passed to your script are interpreted (there are none in your case), because they are interpreted the same way they would be if you passed the arguments from within PowerShell, whereas -File treats them as literals.

If you're calling from outside of PowerShell, typically from cmd.exe/ a batch file, you need to wrap the above in an outer call to powershell.exe, which complicates things in terms of quoting, unfortunately:

powershell.exe -command "Start-Process -Verb RunAs powershell.exe -Args '-executionpolicy bypass -command', \"Set-Location `\"$PWD`\"; .\install.ps1\""

Interactively, of course, you can:

  • Right-click the PowerShell shortcut (in your taskbar or Start Menu, or on your Desktop), select Run as Administrator to open a PowerShell window that runs with admin privileges, and run .\install.ps1 from there.

  • Alternatively, from an existing PowerShell window, you can open a run-as-admin window with Start-Process -Verb RunAs powershell.exe, as in AdminOfThings' answer.

mklement0
  • 382,024
  • 64
  • 607
  • 775
8

You can utilize the Start-Process command and then use parameter -Verb runas to elevate. This works great for starting an elevated process.

I created a sudo function like this and added it to my powershell profile:

function sudo {
    Start-Process @args -verb runas
}

Example: Open notepad as Admin to edit hosts file

sudo notepad C:\Windows\System32\drivers\etc\hosts

If you want to elevate a Powershell command, you can create a simple function like this:

function Start-ElevatedPS {
    param([ScriptBlock]$code)

    Start-Process -FilePath powershell.exe -Verb RunAs -ArgumentList $code
}

Then, call the function and pass command wrapped in {} (script block)

Example: Elevate to create a symbolic link

Start-ElevatedPS { New-Item -ItemType SymbolicLink -Name mySymlink.ps1 -Target C:\myTarget.ps1 }
David Hatch
  • 2,406
  • 1
  • 17
  • 11
  • 3
    Worth mentioning you can get to this using the $PROFILE variable, `notepad.exe $PROFILE` – Simon Curtis Dec 17 '20 at 20:16
  • if I run Start-ElevatedPS as follows: `Start-ElevatedPS { New-Item -ItemType SymbolicLink -Path "$var1" -Target "$var2"; }`, I get an error saying "Cannot bind argument to parameter Path" even though `$var1` and `$var2` are defined right before this call. – user2635911 Sep 20 '22 at 17:26
  • `.$PROFILE` reload profile. Nice snippet, ty – dza Dec 03 '22 at 06:06
  • I added `-ArgumentList "-noexit", $code` so it doesn't exit, this is probably useful to someone. – dza Dec 03 '22 at 06:35
  • I don't know if this used to work and stopped working at some point? ```` sudo choco install python Start-Process : A positional parameter cannot be found that accepts argument 'python'. At C:\Users\\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1:6 char:5 + Start-Process @args -verb runas + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidArgument: (:) [Start-Process], ParameterBindingException + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.StartProcessCommand ```` – Daniel Russell Apr 20 '23 at 18:48
6

As of today (October 2021), winget install gerardog.gsudo did the trick (on windows 10 home edition). Edit: Tested on Windows 11 as well (April 2022)

after that, you can do this:

gsudo notepad C:\windows\system32\something-editable-by-admin-only.txt

To test if it's working, or in your case:

gsudo powershell.exe install.ps1

You will be prompted by windows` UAC to elevate your priveleges by gsudo, and you can read the source code here: https://github.com/gerardog/gsudo

Ofer Sadan
  • 11,391
  • 5
  • 38
  • 62
4

You can start PowerShell with the Run as Administrator option:

Start-Process powershell -Verb runAs
AdminOfThings
  • 23,946
  • 4
  • 17
  • 27
3

If you have a corporate policy that blocks scripts execution, then yes. ByPass does not change your profile (user context) state. That is not the design (use case) for any of those switches regarding Execution Policies.

There is not a direct comparison of sudo in Windows, this has nothing to do with PowerShell. You are either admin in a session / app or you are not. If you are installing software, that means you must be admin. If you are doing global system-wide changes, that means you must be admin.

There are folks who have strived to implement scripts, wrapper functions and or modules to mimic sudo …

Module from the MS PowerShell gallery. Sudo 0.9.3 Use functionality similar to sudo in PowerShell

From GitHub Sudo for PowerShell

Sudo for PowerShell Installation From PowerShell, create a $profile if you don't have one:

if (!(test-path $profile)) { new-item -path $profile -itemtype file -force }

Open the profile in notepad:

notepad.exe $profile

Add the following line and save the file:

. /path/to/sudo.ps1

sudo will be available in all new PowerShell windows Usage

sudo application [arguments ...]

...but that does not change what Windows expects when dealing with security boundaries.

See also this Q&A Sudo !! equivalent in PowerShell

$^ is a variable that expands to the last executed Powershell command. You can run a command as another user using runas, so the following works:

runas /user:domain\administrator $^

To shorten that up a bit, you can do some magic with aliases. Take a look at this Technet article for more info.

EDIT: One caveat - $^ only executes the first command in a pipeline or multi-command line. If you need to redo an entire command that is peppered with pipes or semicolons, use Invoke-History instead (which defaults to the last full command in its entirety).

postanote
  • 15,138
  • 2
  • 14
  • 25
  • I was actually trying to run a script I wrote in a [Windows VM](https://developer.microsoft.com/en-us/windows/downloads/virtual-machines) . The same script ran just fine in AppVeyor, so it was a surprise. :/ – eri0o Mar 23 '19 at 19:03
  • Humm… OK, then you are in complete control of that VM? If so, then why is the execution policy restricted? That is the default, but you can change that using Set-ExecutionPolicy -ExecutionPolicy RemoteSigned, then you have no need for the bypass thing. Local scripts run, remote scripts need to be signed to run. https://www.hanselman.com/blog/SigningPowerShellScripts.aspx – postanote Mar 23 '19 at 19:55
  • 1
    `-ExecutionPolicy Bypass` always works, irrespective of the effective PowerShell execution policy. You can use it to invoke a PowerShell instance that runs `Start-Process -Verb RunAs`, which gives you an elevated process - after confirming / providing admin credentials to a UAC prompt. – mklement0 Mar 23 '19 at 22:26
  • 1
    The 2nd project you link to - https://github.com/stephenn/powershell_sudo - is a _minimal_ wrapper around `Start-Process -Verb RunAs`, which requires invocation _from PowerShell_. However, its minimalist nature means that it doesn't address the problem of the working dir. defaulting to `$env:windir\System32` and also not `Start-Process`'s [broken handling of arguments with embedded whitespace](https://github.com/PowerShell/PowerShell/issues/5576). In short: this wrapper is hardly worth it. – mklement0 Mar 23 '19 at 22:29
  • `runas.exe /user:...` will only result in an _elevated_ (run-as-admin) process if you use the _built-in_ `Administrator` account - which is _disabled by default_, for security reasons. `$^` is not the the most recently executed PowerShell _command_, it is only that command's _first token_. – mklement0 Mar 23 '19 at 22:33
  • Correction: [the docs](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies#set-a-different-policy-for-one-session) suggest that `-ExecutionPolicy Bypass` cannot override a policy _set by a GPO_ (Group Policy Object). – mklement0 Dec 02 '20 at 21:18