How to ask for admin permission in a batch?

Question

Since a few weeks, my scripts for modifying my IP address don't work anymore. I suspect an update of Windows 10.

Up to now, I was using the script given in this thread :

@echo on

:: BatchGotAdmin
:-------------------------------------
REM  --> Check for permissions
    IF "%PROCESSOR_ARCHITECTURE%" EQU "amd64" (
>nul 2>&1 "%SYSTEMROOT%\SysWOW64\cacls.exe" "%SYSTEMROOT%\SysWOW64\config\system"
) ELSE (
>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"
)

REM --> If error flag set, we do not have admin.
if '%errorlevel%' NEQ '0' (
    echo Requesting administrative privileges...
    goto UACPrompt
) else ( goto gotAdmin )

:UACPrompt
    echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
    set params= %*
    echo UAC.ShellExecute "cmd.exe", "/c ""%~s0"" %params:"=""%", "", "runas", 1 >> "%temp%\getadmin.vbs"

    "%temp%\getadmin.vbs"
    del "%temp%\getadmin.vbs"
    exit /B

:gotAdmin
    pushd "%CD%"
    CD /D "%~dp0"
:--------------------------------------    
    <YOUR BATCH SCRIPT HERE>

But now, I got this error:

Failed to load script: C:\Users\me\AppData\Local\Temp\getadmin.vbs: access denied

The strange thing is, getadmin.vbs is indeed created in the Temp directory.

Here is the exact output :

C:\Users\arc\Desktop\ConfigLAN>REM --> Check for permissions

C:\Users\arc\Desktop\ConfigLAN>IF "AMD64" EQU "amd64" ("C:\WINDOWS\SysWOW64\cacls.exe" "C:\WINDOWS\SysWOW64\config\system" 1>nul 2>&1 ) ELSE ("C:\WINDOWS\system32\cacls.exe" "C:\WINDOWS\system32\config\system" 1>nul 2>&1 )

C:\Users\arc\Desktop\ConfigLAN>REM --> If error flag set, we do not have admin.

C:\Users\arc\Desktop\ConfigLAN>if '5' NEQ '0' ( echo Requesting administrative privileges... goto UACPrompt ) else (goto gotAdmin ) Requesting administrative privileges...

C:\Users\arc\Desktop\ConfigLAN>echo Set UAC = CreateObject("Shell.Application") 1>"C:\Users\arc\AppData\Local\Temp\getadmin.vbs"

C:\Users\arc\Desktop\ConfigLAN>set params=

C:\Users\arc\Desktop\ConfigLAN>echo UAC.ShellExecute "cmd.exe", "/c ""C:\Users\arc\Desktop\CONFIG~1\newBatch.bat"" ", "", "runas", 1 1>>"C:\Users\arc\AppData\Local\Temp\getadmin.vbs"

C:\Users\arc\Desktop\ConfigLAN>"C:\Users\arc\AppData\Local\Temp\getadmin.vbs"

(error is triggered here)

C:\Users\arc\Desktop\ConfigLAN>del "C:\Users\arc\AppData\Local\Temp\getadmin.vbs"

C:\Users\arc\Desktop\ConfigLAN>exit /B

The first oddity, for me is clearly shown in your error message. `C:\Users\me\AppData\Temp\getadmin.vbs` should be `C:\Users\me\AppData\Local\Temp\getadmin.vbs`. The obvious questions therefore are either, **1.** Which other environment variables have you changed the values of? or, **2.** Which other important information in your question have you just 'free typed' instead of copying and pasting directly? — Compo, Apr 23 '21 at 09:08
I'm sorry, it was a typo when writing my message. The error is `C:\Users\me\AppData\Local\Temp\getadmin.vbs`. I edited my original post. — ArnaudVS, Apr 23 '21 at 11:11
Change `@echo off` to `@echo on`, then run your script from the Command Prompt, instead of the GUI. Then you should clearly see what is happening. Then if you cannot work it out from that output, please copy and paste, the full, and exact content from the cmd window, into your question, formatted as code, so that we can help you to debug it. — Compo, Apr 23 '21 at 12:08
Thank you for your help. I tried your advice, not sure it helps... I edited my question with the console output — ArnaudVS, Apr 23 '21 at 12:54
Did you open a Command Prompt window using `Run as administrator`, and if so why? Have you noticed how the poor code you've copied will always run `"C:\WINDOWS\system32\cacls.exe" "C:\WINDOWS\system32\config\system" 1>nul 2>&1` and never run `"C:\WINDOWS\SysWOW64\cacls.exe" "C:\WINDOWS\SysWOW64\config\system" 1>nul 2>&1`. More importantly, why when your code actually gets to the error, have you, seemingly changed the output and inserted `(error is triggered here)` instead? Why are you running `"%temp%\getadmin.vbs"`, as opposed to via arguments to `cscript.exe`? — Compo, Apr 23 '21 at 13:33
I suggest to look on my very long answer on [Can't run as Admin](https://stackoverflow.com/a/41493926/3074564) explaining (hopefully) everything to know on coding a batch file which need to be run with elevated privileges of a local administrator. The batch file I posted can be used as template for all such batch files. The batch file code is very long because it contains lots of remarks (comments) explaining the command lines. All lines with `rem` after 0 or more leading spaces can be removed which makes the batch file much smaller. — Mofi, Apr 23 '21 at 14:26

score -1 · Answer 1 · 2021-04-23T21:33:19.673

You can use the following sequence that works perfectly fine for me.

@echo off
::::::::::::::::::::::::::::::::::::::::::::
:checkPrivileges
NET FILE 1>NUL 2>NUL
if '%errorlevel%' == '0' (goto gotPrivileges) else (goto getPrivileges)
:getPrivileges
echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
echo For Each strArg in WScript.Arguments >> "%temp%\getadmin.vbs"
echo If strArg = WScript.Arguments.Item^(0^) Then d = Left^(strArg, InStrRev^(strArg,"\"^) - 1^) >> "%temp%\getadmin.vbs"
echo args = args ^& " " ^& strArg  >> "%temp%\getadmin.vbs"
echo Next >> "%temp%\getadmin.vbs"
echo UAC.ShellExecute "cmd.exe", ^("/c start /D """ ^& d ^& """ /B" ^& args ^& " ^& exit"^), , "runas", 4 >> "%temp%\getadmin.vbs"
cscript "%temp%\getadmin.vbs" ""%~s0"" %*
del /q "%temp%\getadmin.vbs"
exit /b
:gotPrivileges
:: Your code here

This VBS script uses perfectly the UAC.ShellExecute, you can point by yourself the changes. You used a lot of tricks and the VBS code doesn't even call UAC in the correct way, which is why it gives permission denied. I believe that the use of cacls and this script was very useful in the past, used by Malware to obtain administrative access without the user's permission, there are many programs that use icacls for this, I will not even point out, but that may have made using icacls difficult.

You can also use Powershell previously to do it.

Powershell -Command "Start-Process cmd -Verb RunAs -ArgumentList '/c C:\YourPath\yourprogram.bat'"

Both of the scripts works perfectly fine for me. I can see a lot of errors in your .vbs, but there is no point in pointing them out because the script is not yours. I recommend that you use the Powershell, it is much more useful and simple, to integrate:

NET FILE >NUL 1>NUL 2>NUL
if %errorlevel% equ 0 (goto gotprivileges) else (start Powershell -Command "Start-Process cmd -Verb RunAs -ArgumentList '/c C:\YourPath\yourprogram.bat'" & exit)

Hope this helps,
K.

Indeed your script works well, but it needs to be run as administrator. If not, the script fails. In my previous version, the script asked itself for the admin, which was handy (double clic instead of rightclic->run as admin. Anyway it's already a very good solution. I'll mark as answer depending on your reply.Thank you — ArnaudVS, Apr 26 '21 at 08:44
@ArnaudVS I believe you have misunderstood. The Script itself asks for administrative permissions, and it was exactly what you were asking for ... Try using Powershell's too, it is, in my opinion, but easy and guaranteed ... You can post your code here so we can help About that. — , Apr 26 '21 at 11:43
Well I think I don't have the same behavior as you then. When using your script, it won't ask for admin permission, it will simply fail. By right-clic->run as admin, then it runs, ask for admin and apply my changes. — ArnaudVS, Apr 26 '21 at 13:38
As i said, i tested the script myself and it works perfectly fine. Probably there are a syntax error in your copy or some misconfiguration, you can post your code here so we can help about that. — , Apr 26 '21 at 22:54
I use this script since Windows 7 and it works perfectly in Windows 7 to 10. @ArnaudVS — , Apr 26 '21 at 22:55

How to ask for admin permission in a batch?

1 Answers1