Link to home
Create AccountLog in
Avatar of sukhoi35
sukhoi35

asked on

Execute a Batch File bypassing the UAC

Hello Experts,
I am required to execute a batch script which starts or stops a service on Windows Server 2012 machine. I however do not want the UAC window asking for admin privileges to pop-up, as I am actually invoking the batch execute from another application in an automated fashion. While I do have admin rights on the machine, it restricts me from accessing the registry or the Task Scheduler.

Can I please know if there is a way out?
Avatar of Dr. Klahn
Dr. Klahn

Have you looked into psexec?  I have not checked this, but I see no reason it would not work if the "remote" system is the same machine.

https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
No need for elevation/UAC bypass.
All you need to do is set service permissions, so that the elevated Administrators token isn't required.
Delegate the permissions to control the service to a domain local group (or local group on the server hosting the service), and add the user(s) running the application to this group.
Note: do not delegate to individual user accounts!

You can delegate the permissions using a GPO, for example (no relevant changes since 2003 ...):
How To Configure Group Policies to Set Security for System Services in Windows Server 2003
https://support.microsoft.com/en-us/help/324802/how-to-configure-group-policies-to-set-security-for-system-services-in

If it's just one server, you can do that locally using subinacl.exe as well:
SubInACL (SubInACL.exe)
https://www.microsoft.com/en-us/download/details.aspx?id=23510
Note that subinacl.exe is a stand-alone program, you don't really need to install it. You can open the msi using 7-zip, for example, and extract the exe.
This should work for you:
subinacl.exe /service "YourService" /grant=YOURDOMAIN\YourGroup=QSTOP

Open in new window


Help:
subinacl.exe /help /full
...
Service:
  F : Full Control
  R : Generic Read
  W : Generic Write
  X : Generic eXecute
  L : Read controL
  Q : Query Service Configuration
  S : Query Service Status
  E : Enumerate Dependent Services
  C : Service Change Configuration
  T : Start Service
  O : Stop Service
  P : Pause/Continue Service
  I : Interrogate Service
  U : Service User-Defined Control Commands
...

Open in new window

ASKER CERTIFIED SOLUTION
Avatar of oBdA
oBdA

Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
Avatar of sukhoi35

ASKER

Thanks for the response!