We help IT Professionals succeed at work.

Execute a Batch File bypassing the UAC

Hello Experts,
I am required to execute a batch script which starts or stops a service on Windows Server 2012 machine. I however do not want the UAC window asking for admin privileges to pop-up, as I am actually invoking the batch execute from another application in an automated fashion. While I do have admin rights on the machine, it restricts me from accessing the registry or the Task Scheduler.

Can I please know if there is a way out?
Comment
Watch Question

Dr. KlahnPrincipal Software Engineer
CERTIFIED EXPERT

Commented:
Have you looked into psexec?  I have not checked this, but I see no reason it would not work if the "remote" system is the same machine.

https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
CERTIFIED EXPERT
Most Valuable Expert 2019
Most Valuable Expert 2018

Commented:
No need for elevation/UAC bypass.
All you need to do is set service permissions, so that the elevated Administrators token isn't required.
Delegate the permissions to control the service to a domain local group (or local group on the server hosting the service), and add the user(s) running the application to this group.
Note: do not delegate to individual user accounts!

You can delegate the permissions using a GPO, for example (no relevant changes since 2003 ...):
How To Configure Group Policies to Set Security for System Services in Windows Server 2003
https://support.microsoft.com/en-us/help/324802/how-to-configure-group-policies-to-set-security-for-system-services-in

If it's just one server, you can do that locally using subinacl.exe as well:
SubInACL (SubInACL.exe)
https://www.microsoft.com/en-us/download/details.aspx?id=23510
Note that subinacl.exe is a stand-alone program, you don't really need to install it. You can open the msi using 7-zip, for example, and extract the exe.
This should work for you:
subinacl.exe /service "YourService" /grant=YOURDOMAIN\YourGroup=QSTOP

Open in new window


Help:
subinacl.exe /help /full
...
Service:
  F : Full Control
  R : Generic Read
  W : Generic Write
  X : Generic eXecute
  L : Read controL
  Q : Query Service Configuration
  S : Query Service Status
  E : Enumerate Dependent Services
  C : Service Change Configuration
  T : Start Service
  O : Stop Service
  P : Pause/Continue Service
  I : Interrogate Service
  U : Service User-Defined Control Commands
...

Open in new window

CERTIFIED EXPERT
Most Valuable Expert 2019
Most Valuable Expert 2018
Commented:
Just stumbled over this third-party tool which seems to do the job as well:
A Free Standalone GUI utility to Set Permissions for any Windows Service
https://www.coretechnologies.com/products/ServiceSecurityEditor/

Author

Commented:
Thanks for the response!