Avatar of sukhoi35
sukhoi35
 asked on

Execute a Batch File bypassing the UAC

Hello Experts,
I am required to execute a batch script which starts or stops a service on Windows Server 2012 machine. I however do not want the UAC window asking for admin privileges to pop-up, as I am actually invoking the batch execute from another application in an automated fashion. While I do have admin rights on the machine, it restricts me from accessing the registry or the Task Scheduler.

Can I please know if there is a way out?
VB ScriptWindows BatchWindows OSWindows Server 2012

Avatar of undefined
Last Comment
sukhoi35

8/22/2022 - Mon
Dr. Klahn

Have you looked into psexec?  I have not checked this, but I see no reason it would not work if the "remote" system is the same machine.

https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
oBdA

No need for elevation/UAC bypass.
All you need to do is set service permissions, so that the elevated Administrators token isn't required.
Delegate the permissions to control the service to a domain local group (or local group on the server hosting the service), and add the user(s) running the application to this group.
Note: do not delegate to individual user accounts!

You can delegate the permissions using a GPO, for example (no relevant changes since 2003 ...):
How To Configure Group Policies to Set Security for System Services in Windows Server 2003
https://support.microsoft.com/en-us/help/324802/how-to-configure-group-policies-to-set-security-for-system-services-in

If it's just one server, you can do that locally using subinacl.exe as well:
SubInACL (SubInACL.exe)
https://www.microsoft.com/en-us/download/details.aspx?id=23510
Note that subinacl.exe is a stand-alone program, you don't really need to install it. You can open the msi using 7-zip, for example, and extract the exe.
This should work for you:
subinacl.exe /service "YourService" /grant=YOURDOMAIN\YourGroup=QSTOP

Open in new window


Help:
subinacl.exe /help /full
...
Service:
  F : Full Control
  R : Generic Read
  W : Generic Write
  X : Generic eXecute
  L : Read controL
  Q : Query Service Configuration
  S : Query Service Status
  E : Enumerate Dependent Services
  C : Service Change Configuration
  T : Start Service
  O : Stop Service
  P : Pause/Continue Service
  I : Interrogate Service
  U : Service User-Defined Control Commands
...

Open in new window

ASKER CERTIFIED SOLUTION
oBdA

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
GET A PERSONALIZED SOLUTION
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.
sukhoi35

ASKER
Thanks for the response!
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy