Code to invoke UAC elevation dialog from within a batch file

28 Jun 2012 17:24
ddouglas_KMI

Hi guys,
I used the code from the "runas" page within my batch file so that it would invoke the UAC dialogue. My script requires admin privileges to run correctly because it's part of a software installer that has to copy and delete files to a number of locations - some of which are within program files. When I double click on the batch file, the UAC window asks for my permission to make changes, and after I click yes everything runs perfectly. But, when I run it from within my installer the computer gets into an endless loop until I restart. A command prompt window will pop up and say "Requesting administrative privileges..." but then before the UAC dialogue comes up, that window closes and another command prompt window opens up and says the same thing, and this happens over and over again, and there is no UAC dialogue to click on. There was one time where I think the command prompt briefly flashed an error about not being able to find a file, but I'm not sure what file it is talking about. The installer is created in Winzip Self-Extractor, so it's very simple. All it does is unzip a folder and run my batch script. The command I use is simply:

./myfolder/setup.bat

If I manually unzip this folder in the correct destination location and double click on the bat file everything works perfectly. I am stumped. :wall:
Do I need to pass it an argument or something? I copied and pasted the code from here without altering anything. https://ss64.com/nt/runas.html
Any help would be HUGELY appreciated. Thanks so much.
Diane

----------------------------

#2 28 Jun 2012 17:30
ddouglas_KMI

Hi again, just wanted to clarify that this is on Windows 7. Also, I'm predominantly a mac user, so please excuse, meant to type that my command is:

.\myfolder\setup.bat

Thanks,
Diane

----------------------------
#3 28 Jun 2012 18:00
RG

The current directory gets changed when you 'Run as admin'.
Put this line near the top of your bat file (before you reference any files):

pushd %~dp0%

To prove this... temporarily put this line just before and just after the pushd line

echo.cd=%CD% & pause

Windows Shell Scripting and InstallShield

----------------------------
#4 28 Jun 2012 19:58
ddouglas_KMI

Hi, thanks for the suggestion but I'm afraid it still loops. I did just as you suggested and this time the command prompt printed:
cd=C:\
Press any key to continue...

cd=C:\QuNeo
Press any key to continue...

Requesting administrative privileges...
Then the window disappears and a new one pops up with this again:

cd=C:\QuNeo
Press any key to continue...

Requesting administrative privileges...

Here is my code:

Code: Select all

@Echo off

echo.cd=%CD% & pause
pushd %~dp0%
echo.cd=%CD% & pause

:: Check for permissions
>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"

:: If error flag set, we do not have admin.
if '%errorlevel%' NEQ '0' (
Echo Requesting administrative privileges...
goto UACPrompt
) else ( goto gotAdmin )

:UACPrompt
Echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
Echo UAC.ShellExecute "%~s0", "", "", "runas", 1 >> "%temp%\getadmin.vbs"

"%temp%\getadmin.vbs"

Exit /B

:gotAdmin
if exist "%temp%\getadmin.vbs" ( Del "%temp%\getadmin.vbs" )
Pushd "%CD%"
CD /D "%~dp0"
:--------------------------------------

Thanks so much, I'll be online and refreshing this page a whole lot if anyone has any suggestions... :D

----------------------------

#5 28 Jun 2012 20:50
RG

Instead of trying to get admin privileges once you are in there... how about forcing them to 'Run as admin'?
Trying this will eliminate all that vb stuff.
If you have a shortcut to this you may also be able to right click on it and check 'Run as administrator' in the Compatibility tab. That will make it prompt when you run it from the shortcut.

Code: Select all

@Echo off

echo.cd=%CD% & pause
pushd %~dp0%
echo.cd=%CD% & pause

:: Check for permissions
>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"

:: If error flag set, we do not have admin.
if '%errorlevel%' NEQ '0' (
   color CF
   echo.Right click on this bat file and select 'Run as administrator'.
   pause
   Exit /B 1
)

:gotAdmin
if exist "%temp%\getadmin.vbs" ( Del "%temp%\getadmin.vbs" )
Pushd "%CD%"
CD /D "%~dp0"
:--------------------------------------

FYI.. it might be a bit simpler to check permissions like this

Code: Select all

OPENFILES > nul
IF ERRORLEVEL 1 (

instead of

Code: Select all

>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"

:: If error flag set, we do not have admin.
if '%errorlevel%' NEQ '0' (

Last edited by RG (28 Jun 2012 20:56)

----------------------------

#6 28 Jun 2012 20:52
ddouglas_KMI

Forgot to mention that QuNeo is the name of the install folder. The destination is the C drive. Thank you again.

----------------------------

#7 28 Jun 2012 20:56
ddouglas_KMI

I am forcing the self extracting zip file to run as administrator. But the batch file is included in the zip and run automatically by a command stored using winzip self extractor. The user does not have an opportunity to right click on it. Is that what you were suggesting? I'm afraid I might not be following you. Thanks for the help though.

----------------------------

#8 28 Jun 2012 20:58
RG

Ahhhhhh....
Not sure what to do about that :)
Still seems like the problem may be in the vb stuff.
Is this a 64 bit system?
If so, can you try on a 32 bit system?

----------------------------

#9 28 Jun 2012 21:03
ddouglas_KMI

Sure, I can take a look around and see if we have any 32bit systems around the office, but I think all our win7 machines are 64 bit. The one I've been testing on so far is definitely 64bit.
Would it be possible to include 2 batch files or something? Have one of them call the other one with admin privileges or something?

----------------------------

#10 28 Jun 2012 21:05
RG

Put a pause before and after
"%temp%\getadmin.vbs"
and see if your temp file is created correctly.
Can you execute it while paused?

----------------------------

#11 28 Jun 2012 21:09
ddouglas_KMI

OK I'll try that.

I can also try using the other method for checking permissions too that you mentioned above. I didn't think that was the problem though because it appears to be getting stuck in the if statement where it prints Requesting Administrative Privileges over and over again, but the dialog never comes up. Weirdest thing. If I double click the script then it totally works, that's the insane thing. Could my command to call my batch file be wrong or missing flags or something?

----------------------------

#12 28 Jun 2012 21:13
RG


The problem may be because you are trying to impersonate another user. Don't think you can do that.
Maybe your self extractor can write the bat file to the desktop or %TEMP% and then you can execute as another operation?

----------------------------

#13 28 Jun 2012 21:30
ddouglas_KMI


Ok, that sounds like a good plan. So I can install to temp and then at the end of my bat file I copy my install folder to C? I'll try that next.

I tried putting in the 2 pauses. Running it by hand worked and running it from the installer did not. One command prompt window opens and says:
cd=C:\
Press any key to continue...
cd=C:\QuNeo
Press any key to continue...
Requesting administrative privileges...
Press any key to continue...

When I ran the file by hand, at this point after pressing a key the dialog window popped up correctly and then everything went smoothly. From the installer no dialog window pops up. Instead a second command prompt window opens and repeats:

cd=C:\QuNeo
Press any key to continue...
cd=C:\QuNeo
Press any key to continue...
Requesting administrative privileges...
Press any key to continue...

This is still checking for permissions the original way in case it matters - hadn't gotten to trying your way yet. I'll try changing the install directory first. Thanks for all the help troubleshooting. Kinda new at windows scripting...

----------------------------

#14 28 Jun 2012 21:35
ddouglas_KMI

I think the bat file has to be inside the zip, so they go to the same location.

I checked in the temp directory while the script was paused right after it spawned the second window and there was indeed a file called getadmin just created in my temp directory. What should be in it?

----------------------------

#15 28 Jun 2012 21:41

ddouglas_KMI

OK figured something out. If, while the bat is paused, I go and double-click on the getadmin.vbs file, it opens the UAC dialog. I give it my permission and it runs the rest of the script correctly with admin privileges. So I think the problem is that for some reason it can't find the getadmin.vbs file in temp when running the bat from the installer. Perhaps if I change directories into temp? Or can I create the .vbs file in my current directory instead of in temp?

----------------------------

#16 28 Jun 2012 22:39

ddouglas_KMI

FIXED! :D

My solution was to copy the created getadmin.vbs file out of temp while the script was paused before it got deleted. Then, I remade my installer and instead of calling my setup.bat file, I call the getadmin.vbs file, which is responsible for running setup.bat with admin privileges. Here is the code for both in case anyone is interested.

inside of getadmin.vbs:

Set UAC = CreateObject("Shell.Application")
UAC.ShellExecute "C:\QuNeo\setup7.bat", "", "", "runas", 1

----------------------------
#17 30 Jun 2012 14:17

Simon Sheppard

I'm a bit late to this thread, but I've just added a page for Shellexecute to the VBScript pages
https://ss64.com/vb/shellexecute.html

Also, when a script is run with elevated permissions any mapped drives will be disconnected.
Here's an elevation script that preserves drive mappings:
https://ss64.com/vb/syntax-elevate.html

It uses RG's suggestion of using OPENFILES to check for elevation. A few alternative methods exist to check for Admin rights, but OPENFILES feels like the least likely to break in some future version of Windows.

I do wonder if there's a reason (perhaps security) behind elevated sessions losing drive maps (and current directory and TEMP folder location) but I think it's most likely just an unavoidable side effect of running under a different access token.

----------------------------
#18 01 Jul 2012 07:04
ddouglas_KMI

Hi Simon, thanks for your post, very very helpful. I have now got my batch script consistently working on windows 7, but I have a new and slightly different problem. I have a very similar batch script written for windows xp - just some different paths. However, it still has some problems - folders not getting renamed, some files not getting copied/deleted. It could be an error in my paths I suppose, I'm still debugging it, but I was wondering - is running as admin as important on windows XP as it is on windows 7 and vista? I thought that there were problems with my paths in windows 7 but as soon as I got the batch file to run as admin, all those problems disappeared and everything worked. Could the same thing be happening for me on XP? When I tried to launch my batch script in the same way from a .vbs file I got an error that there was no program associated with the file and it said that I should change something in "Folder Options." Any suggestions? Thanks so much,
Diane

----------------------------

#19 01 Jul 2012 11:20
Simon Sheppard

The whole run as admin/elevation thing doesn't exist in XP, but you will need to ensure the account has permissions to move/modify the files.

When launching a VBS script, I think it's a good practice to explicitly use 'CScript yourvbscript.vbs' rather than assuming the machine has an appropriate file association for .vbs files in place

----------------------------

#20 01 Jul 2012 17:49
ddouglas_KMI

Alright, that clears the UAC thing up. Would you mind explaining to me if there is a way to check for permissions from within my bat or vbs file? Also, if the current user doesn't have permissions, is there any way I can get around that - like forcing my script to run as a different user? - or do I just need to post an error of some kind?

My other question is that it is the bat script that has no file association - it looks like the .vbs file that calls it runs. The error message that pops up mentions the .bat file - so maybe I'm calling it with the wrong command or something? Or maybe it's missing something similar to the CScript yourvbscript.vbs line saying to run this with the command prompt?

Thanks for the help, I am pretty new to vbs and bat scripting.
Diane

----------------------------

#21 01 Jul 2012 21:57
RG

I've been doing something like this so that I check for admin on Vista and above, but ignore the test for XP, 2003 Server, and older OS's. Granted it may need to be modified someday for some future OS's that are not here yet (Windows 8 is OK).

Code: Select all

VER | FIND "Version 6." > nul
IF %ERRORLEVEL% == 0 (
   REM Do OPENFILES to check for administrative privileges
   OPENFILES > nul
   IF ERRORLEVEL 1 (
      COLOR CF
      ECHO.Right click on this file and select 'Run as administrator'.
      PAUSE
      EXIT /B 1
      )
   )

You can verify that you have write permissions by trying a simple ECHO to the destination and checking errorlevel and/or error message.

Code: Select all

rem set DestFolder=Whatever... you may have already done this
echo.testing > "%DestFolder%\Junk.txt"
if errorlevel 1 (
   echo.Verify that %UserName% has permission to write to %DestFolder%
   pause
   )
del /q "%DestFolder%\Junk.txt"

Of course you should check errorlevel on your real COPY or MOVE as well. The reason for trying something simple is that there may be other reasons that your real one will fail.

----------------------------

#22 02 Jul 2012 18:52
ddouglas_KMI

Thanks guys, I'll work on it.

But I'm still confused about what to do if I find that an XP user does not have permissions to copy/delete files in certain locations. Can I run my script in a way that just requires them to enter a password rather than launch the file by right clicking or logging in as a different user? Also a bit confused because when I added the CScript myscript.vbs line I got a compilation error. I'm also still not sure how to specify a file association for bat files - when I call mine from the .vbs file it says there is no program associated with the file.

Hope I'm not missing anything obvious, any suggestions appreciated.

----------------------------

#23 03 Jul 2012 03:11
RG

I think it would be best if you just display an error message if the user does not have write permission to the folder. Impersonating another user will cause other problems (current directory, temp directory, etc will change). Besides, even if you make that work... it will likely be problematic for Windows 8 and future OS's as Microsoft considers stuff like that a security risk and is making that stuff more difficult.

----------------------------

#24 05 Aug 2012 23:11

RG

Additional info in regard to my post above about checking for admin privileges.

I have been doing it that way for a few years.... but as I cautioned above "Granted it may need to be modified someday for some future OS's that are not here yet (Windows 8 is OK)." Well that day is here... this works just a bit differently on Windows 2012 Server (at least in Release Candidate Essentials Build 8400). My original post will still work with 2012 Server, but it may display an "ERROR:" message even if ERRORLEVEL=0... which seems wrong to me, but...

If you execute OPENFILES with admin privileges you get the following (1st 3 lines below ====== are from STDERR; rest is from STDOUT). ERRORLEVEL is still same as before.
===========================================
ERROR: Unable to retrieve data.
The system could not find the environment option that was entered.

Files opened remotely via local share points:
---------------------------------------------
INFO: No shared open files found.
===========================================

It can be misleading to see the ERROR message, so I have modified the check just a bit so that I pipe STDERR to nul (in addition to STDOUT) and also output the error message that would be displayed if we don't have admin privileges.

Code: Select all

VER | FIND "Version 6." > nul
IF %ERRORLEVEL% == 0 (
   REM Do OPENFILES to check for administrative privileges
   REM 2>nul is needed because 2012 Server returns ERRORLEVEL 0 but outputs "ERROR: Unable to retrieve data."
   OPENFILES >nul 2>nul
   IF ERRORLEVEL 1 (
      COLOR CF
      ECHO.ERROR: Logged-on user does not have administrative privilege.
      ECHO.Right click on this bat file and select 'Run as administrator'.
      PAUSE
      EXIT /B 1
      )
   )

----------------------------

#25 22 Nov 2013 13:37
Simon Sheppard

I've just been made aware of a shortcoming with the OPENFILES method, which is that it fails if you are running under WOW64
e.g. to run a 32 bit installer your script is running %systemroot%\syswow64\cmd.exe ...

An alternative is found here
https://stackoverflow.com/questions/4051 … 0#19492700

It uses the NET SESSION command instead.

Code: Select all

:isadmin
Echo Administrative permissions required. Detecting ...

Net Session >nul 2>&1
If %errorLevel% == 0 (
   Set _isadmin=YES
   Echo Success: Administrative permissions confirmed.
) else (
   Set _isadmin=NO
   Echo Failure: found only non-elevated permissions.
)
pause >nul

----------------------------

#26 29 Sep 2015 00:12
parkashan

Sorry to revive an old thread but I have a basic question regarding the VB script being executed here. How is the batch file running the VBScript on the line where it says "%temp%\getadmin.vbs"? Doesn't it need a CSCRIPT or WSCRIPT host to run the VB file? If I use the code as is, the batch file just opens the vb file in notepad on my PC, and so the question. If it is not needed for some reason, can someone suggest why it is being opened up in Notepad on my pc?

----------------------------

#27 29 Sep 2015 01:20
Simon Sheppard

I'm not sure which bit of code you are looking at but yes, you will need to prefix the .vbs with a CSCRIPT

----------------------------

#28 29 Sep 2015 01:30
parkashan

I am referring to the above post by ddouglas_KMI on 28 Jun 2012 19:58 (the one after the statement "Echo UAC.ShellExecute "%~s0", "", "", "runas", 1 >> "%temp%\getadmin.vbs" "). I see the same statement in the http://ss64.com/vb/syntax-elevate.html page too and it's missing CScript.exe too

----------------------------

#29 29 Sep 2015 09:31
Simon Sheppard

I've updated https://ss64.com/vb/syntax-elevate.html now (it would work without cscript only if you had a file association set up for .vbs files).
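
----------------------------

Added example (not part of the thread and not the code from the ss64.com pages linked above): a self-elevating batch file that combines the points raised here, namely the NET SESSION check, an explicit CSCRIPT host, a reset of the current directory, and a guard that stops the relaunch loop from the first post. The marker argument `__elevated__` and the temp file name are assumptions made for this example.

```bat
@echo off
setlocal
rem Added example: self-elevating batch file with a relaunch guard.
rem "__elevated__" is a hypothetical marker argument chosen for this example.

rem Elevation resets the current directory, so work from the script's folder.
pushd "%~dp0"

rem NET SESSION returns 0 only in an elevated session (also under WOW64).
net session >nul 2>&1
if %errorlevel% equ 0 goto :gotAdmin

rem Already relaunched once and still not elevated: report and stop
rem instead of opening another window over and over.
if /i "%~1"=="__elevated__" (
    echo ERROR: elevation was requested but this session is still not elevated.
    pause
    exit /b 1
)

echo Requesting administrative privileges...
set "_vbs=%temp%\getadmin_%random%.vbs"
>  "%_vbs%" echo Set UAC = CreateObject^("Shell.Application"^)
>> "%_vbs%" echo UAC.ShellExecute "%~f0", "__elevated__", "%~dp0", "runas", 1

rem Name the script host explicitly; do not rely on a .vbs file association.
cscript //nologo "%_vbs%"
del "%_vbs%" >nul 2>&1
exit /b

:gotAdmin
echo Running elevated from %CD%
rem Installer steps (copy, delete, rename) go here; check errorlevel after each.
popd
exit /b 0
```

NET SESSION depends on the Server service running, so on a machine where that service is stopped the check fails even when elevated; the guard then ends the script with an error after one relaunch rather than looping.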