I have a first bat file that needs admin rights, so the user will run it "As an administrator", then my second bat file should NOT have admin rights (need to drag & drop from Explorer).

I tried to open the second bat file from the first one with the following commands, but I can't drag & drop into the second one if the first one is started as an admin.

runas /trustlevel:0x20000 "cmd /C %~dp0upload.bat"

and

%~dp0upload.bat

How can I do that?

UPDATE: full code

@echo off &setlocal
if not exist "MyFolder" GOTO :prog
runas /trustlevel:0x20000 "cmd /C %~dp0upload.bat"
exit /B

:prog
more code.....
exit

UPDATE 2: other attempts

Using

runas /trustlevel:0x20000 "call %~dp0upload.bat"

throws an error like mentioned here

UPDATE 3: using vbs

OK, I managed to open the first batch as a normal user, and from there I call another bat with elevated rights using:

setlocal DisableDelayedExpansion
set "batchPath=%~0"
setlocal EnableDelayedExpansion
ECHO Set UAC = CreateObject^("Shell.Application"^) > "%temp%\OEgetPrivileges.vbs" 
ECHO UAC.ShellExecute "temp.bat", "ELEV & !given_name!", "", "runas", 1 >> "%temp%\OEgetPrivileges.vbs" 
"%temp%\OEgetPrivileges.vbs" 

Now I need to pass !given_name! to the second bat file but I'm not sure how to pass it and how to retrieve it in that second bat.

remyremy

1 Answer

The behaviour is by design, to avoid security risks.
Can't drag programs into cmd window
But in your case it seems to be a bit paranoid, as you removed the privileges...

But perhaps you can change the order of elevation.
You could start an unelevated batch for your drag&drop operations and this batch starts your elevated batch file with one of the elevation methods.

The question about transferring a variable (given_name).

Change "ELEV & !given_name!" to "!given_name!"; this can be accessed with %1 from temp.bat.

SO: How can I auto-elevate my batch file...

jeb
  • The problem is that the users might not have the administrator password and users differ all the time. So they need to "Run as Admin" the first batch, which doesn't require a password. I finally unlinked both files so my users will start the first bat only once (run as admin) and any other time start only the second bat (without run as admin) – remyremy Oct 31 '14 at 13:33
  • @remyremy The elevation script doesn't need the admin password, too (for a "normal" user), only a click into the UAC message box – jeb Oct 31 '14 at 14:31
  • Thanks it worked! Now I need to pass `!given_name!` to the second bat file but I'm not sure how to pass it and how to retrieve it in that second bat. I updated my question – remyremy Nov 01 '14 at 20:41
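
A single-file sketch of the order of elevation suggested in the answer, added here as an example and not code from the question or the answer: the script starts unelevated for the drag & drop step, then relaunches itself elevated and forwards given_name. Because it relaunches itself instead of a separate temp.bat, it keeps an ELEV marker as %1 and the value arrives as %2; the marker, the :elevated label and the temp file name are assumptions.

```batch
@echo off
setlocal DisableDelayedExpansion
rem Added example, not code from the post. given_name is the asker's variable;
rem the ELEV marker, the :elevated label and the temp file name are assumptions.

if /i "%~1"=="ELEV" goto :elevated

rem ---- Unelevated half: drag and drop from Explorer works in this window ----
set "given_name="
set /p "given_name=Drag a file into this window, then press Enter: "
if not defined given_name exit /b 1
rem Explorer wraps dropped paths that contain spaces in quotes; strip them so
rem the value can be embedded in the VBScript string literal below.
set "given_name=%given_name:"=%"
if not defined given_name exit /b 1

rem Build the launcher. Inside a VBScript string, "" is one literal quote, so
rem the elevated copy receives:  ELEV "C:\some path\file.txt"
set "vbs=%temp%\elevate_%random%.vbs"
>  "%vbs%" echo Set UAC = CreateObject("Shell.Application")
>> "%vbs%" echo UAC.ShellExecute "%~f0", "ELEV ""%given_name%""", "", "runas", 1
cscript //nologo "%vbs%"
del "%vbs%"
exit /b 0

rem ---- Elevated half: reached only through the UAC prompt ----
:elevated
rem %1 is the ELEV marker; %~2 is the forwarded value with its quotes removed.
set "given_name=%~2"
rem Elevated batch files typically start in System32, so go back to our folder.
cd /d "%~dp0"
rem The value crossed a privilege boundary: check it before acting on it.
if not exist "%given_name%" (
    echo Refusing to continue, not an existing path: "%given_name%"
    pause
    exit /b 1
)
echo Running elevated with given_name="%given_name%"
pause
exit /b 0
```

The launcher passes the script's full path (%~f0) instead of a bare file name, because the elevated copy does not inherit the unelevated window's current directory.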