asked on
Execute a Batch File bypassing the UAC
Hello Experts,
I am required to execute a batch script which starts or stops a service on Windows Server 2012 machine. I however do not want the UAC window asking for admin privileges to pop-up, as I am actually invoking the batch execute from another application in an automated fashion. While I do have admin rights on the machine, it restricts me from accessing the registry or the Task Scheduler.
Can I please know if there is a way out?
I am required to execute a batch script which starts or stops a service on Windows Server 2012 machine. I however do not want the UAC window asking for admin privileges to pop-up, as I am actually invoking the batch execute from another application in an automated fashion. While I do have admin rights on the machine, it restricts me from accessing the registry or the Task Scheduler.
Can I please know if there is a way out?
VB ScriptWindows BatchWindows OSWindows Server 2012
Last Comment
sukhoi35
No need for elevation/UAC bypass.
All you need to do is set service permissions, so that the elevated Administrators token isn't required.
Delegate the permissions to control the service to a domain local group (or local group on the server hosting the service), and add the user(s) running the application to this group.
Note: do not delegate to individual user accounts!
You can delegate the permissions using a GPO, for example (no relevant changes since 2003 ...):
How To Configure Group Policies to Set Security for System Services in Windows Server 2003
https://support.microsoft.com/en-us/help/324802/how-to-configure-group-policies-to-set-security-for-system-services-in
If it's just one server, you can do that locally using subinacl.exe as well:
SubInACL (SubInACL.exe)
https://www.microsoft.com/en-us/download/details.aspx?id=23510
Note that subinacl.exe is a stand-alone program, you don't really need to install it. You can open the msi using 7-zip, for example, and extract the exe.
This should work for you:
Help:
All you need to do is set service permissions, so that the elevated Administrators token isn't required.
Delegate the permissions to control the service to a domain local group (or local group on the server hosting the service), and add the user(s) running the application to this group.
Note: do not delegate to individual user accounts!
You can delegate the permissions using a GPO, for example (no relevant changes since 2003 ...):
How To Configure Group Policies to Set Security for System Services in Windows Server 2003
https://support.microsoft.com/en-us/help/324802/how-to-configure-group-policies-to-set-security-for-system-services-in
If it's just one server, you can do that locally using subinacl.exe as well:
SubInACL (SubInACL.exe)
https://www.microsoft.com/en-us/download/details.aspx?id=23510
Note that subinacl.exe is a stand-alone program, you don't really need to install it. You can open the msi using 7-zip, for example, and extract the exe.
This should work for you:
subinacl.exe /service "YourService" /grant=YOURDOMAIN\YourGroup=QSTOP
Help:
subinacl.exe /help /full
...
Service:
F : Full Control
R : Generic Read
W : Generic Write
X : Generic eXecute
L : Read controL
Q : Query Service Configuration
S : Query Service Status
E : Enumerate Dependent Services
C : Service Change Configuration
T : Start Service
O : Stop Service
P : Pause/Continue Service
I : Interrogate Service
U : Service User-Defined Control Commands
...
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Thanks for the response!
https://docs.microsoft.com/en-us/sysinternals/downloads/psexec