- Powershell
- FTP
- Windows OS
Execute a Batch File bypassing the UAC
Hello Experts,
I am required to execute a batch script which starts or stops a service on Windows Server 2012 machine. I however do not want the UAC window asking for admin privileges to pop-up, as I am actually invoking the batch execute from another application in an automated fashion. While I do have admin rights on the machine, it restricts me from accessing the registry or the Task Scheduler.
Can I please know if there is a way out?
I am required to execute a batch script which starts or stops a service on Windows Server 2012 machine. I however do not want the UAC window asking for admin privileges to pop-up, as I am actually invoking the batch execute from another application in an automated fashion. While I do have admin rights on the machine, it restricts me from accessing the registry or the Task Scheduler.
Can I please know if there is a way out?
Have you looked into psexec? I have not checked this, but I see no reason it would not work if the "remote" system is the same machine.
https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
No need for elevation/UAC bypass.
All you need to do is set service permissions, so that the elevated Administrators token isn't required.
Delegate the permissions to control the service to a domain local group (or local group on the server hosting the service), and add the user(s) running the application to this group.
Note: do not delegate to individual user accounts!
You can delegate the permissions using a GPO, for example (no relevant changes since 2003 ...):
How To Configure Group Policies to Set Security for System Services in Windows Server 2003
https://support.microsoft.com/en-us/help/324802/how-to-configure-group-policies-to-set-security-for-system-services-in
If it's just one server, you can do that locally using subinacl.exe as well:
SubInACL (SubInACL.exe)
https://www.microsoft.com/en-us/download/details.aspx?id=23510
Note that subinacl.exe is a stand-alone program, you don't really need to install it. You can open the msi using 7-zip, for example, and extract the exe.
This should work for you:
Help:
All you need to do is set service permissions, so that the elevated Administrators token isn't required.
Delegate the permissions to control the service to a domain local group (or local group on the server hosting the service), and add the user(s) running the application to this group.
Note: do not delegate to individual user accounts!
You can delegate the permissions using a GPO, for example (no relevant changes since 2003 ...):
How To Configure Group Policies to Set Security for System Services in Windows Server 2003
https://support.microsoft.com/en-us/help/324802/how-to-configure-group-policies-to-set-security-for-system-services-in
If it's just one server, you can do that locally using subinacl.exe as well:
SubInACL (SubInACL.exe)
https://www.microsoft.com/en-us/download/details.aspx?id=23510
Note that subinacl.exe is a stand-alone program, you don't really need to install it. You can open the msi using 7-zip, for example, and extract the exe.
This should work for you:
subinacl.exe /service "YourService" /grant=YOURDOMAIN\YourGroup=QSTOP
Help:
subinacl.exe /help /full
...
Service:
F : Full Control
R : Generic Read
W : Generic Write
X : Generic eXecute
L : Read controL
Q : Query Service Configuration
S : Query Service Status
E : Enumerate Dependent Services
C : Service Change Configuration
T : Start Service
O : Stop Service
P : Pause/Continue Service
I : Interrogate Service
U : Service User-Defined Control Commands
...
Just stumbled over this third-party tool which seems to do the job as well:
A Free Standalone GUI utility to Set Permissions for any Windows Service
https://www.coretechnologies.com/products/ServiceSecurityEditor/
A Free Standalone GUI utility to Set Permissions for any Windows Service
https://www.coretechnologies.com/products/ServiceSecurityEditor/
Explore More Content
Explore More ContentExplore courses, solutions, and other research materials related to this topic.
-
![]()
received a Solution
How to run a poweshell command from a batch file -
![]()
wrote an Article
![]()
Keyboard shortcuts (hotkeys) to move mouse to monitors in a multi-monitor configuration - AutoHotkey Script
-
![]()
created a Video
![]()
Check for and download updated file - Example - FileZilla
-
Explore Cloud Class® ![]()
Certification: MCSA MCSE Microsoft Certified Solutions Associate & Systems Engineer - Designing and Implementing a Server Infrastructure
Premium Content
You need an Expert Office subscription to comment.Start Free Trial