runas /trustlevel or alternative to achieve similar outcome

  • Question

  • Hello All,

    With the new UAC levels that can be set in Windows, there is a need for some of our applications, that it should be run as the administrator user, or with a user with enough credentials to do the actions as needed.

    For these applications, what we would do to run it, is the following: the commands to execute the application are in a *.bat file, and then I would right click the bat file, and say run as administrator. Most of the applications are java apps, and it typically has the following command format in the bat file:

    java -cp <jar files> <executable> <input params>

    How can I modify this bat script, so that I do not need to right click and say 'run as admin' anymore, but that it is rather built in to the command, that it should run as admin? I do not mind if it then asks for a password...

     

    I have been looking at c:\windows\system32\runas.exe, more specifically the /trustlevel option, but I could not get very far with that. Can anyone please help me out with an alternative method of achieving what I want, or any help with using the runas application?

    Thank you,

    Harriet

    Thursday, August 19, 2010 7:53 AM

Answers

  • Hello All,

    The solution to my problem is to run the script commands in an elevated command prompt. The following code will check if the command prompt is elevated, and if not, close it and re-launch an elevated command prompt:

    @echo off
    :: Detect the Windows version. Older systems are identified from "ver".
    ver | find "2003" > nul
    if %ERRORLEVEL% == 0 goto ver_2003
    ver | find "XP" > nul
    if %ERRORLEVEL% == 0 goto ver_xp
    ver | find "2000" > nul
    if %ERRORLEVEL% == 0 goto ver_2000
    ver | find "NT" > nul
    if %ERRORLEVEL% == 0 goto ver_nt
    if not exist %SystemRoot%\system32\systeminfo.exe goto warnthenexit
    :: Newer systems: read the OS name from systeminfo.
    systeminfo | find "OS Name" > "%TEMP%\osname.txt"
    FOR /F "usebackq delims=: tokens=2" %%i IN ("%TEMP%\osname.txt") DO set vers=%%i
    echo %vers% | find "Windows 7" > nul
    if %ERRORLEVEL% == 0 goto ver_7
    echo %vers% | find "Windows Server 2008" > nul
    if %ERRORLEVEL% == 0 goto ver_2008
    echo %vers% | find "Windows Vista" > nul
    if %ERRORLEVEL% == 0 goto ver_vista
    goto warnthenexit
    
    :: These versions continue in the normal command prompt.
    :ver_xp
    :ver_2000
    :ver_nt
      rem echo off
      echo Using normal command prompt
    goto exit
    
    :: These versions check the token and relaunch elevated if needed.
    :ver_2003
    :ver_7
    :ver_2008
    :ver_vista
      rem echo off
      echo Using elevated command prompt
      @echo off
      setlocal enabledelayedexpansion
    
      :: Directory of this script, without the trailing backslash
      set CmdDir=%~dp0
      set CmdDir=%CmdDir:~0,-1%
    
      :: Check for Mandatory Label\High Mandatory Level
      whoami /groups | find "S-1-16-12288" > nul
      if "%errorlevel%"=="0" (
        echo Running as elevated user. Continuing script.
      ) else (
        echo Not running as elevated user.
        echo Relaunching Elevated: "%~dpnx0" %*
    
        rem elevate.cmd is an external helper: use the copy next to this script, else the one on PATH
        if exist "%CmdDir%\elevate.cmd" (
          set ELEVATE_COMMAND="%CmdDir%\elevate.cmd"
        ) else (
          set ELEVATE_COMMAND=elevate.cmd
        )
    
        rem Relaunch this script in an elevated prompt, starting in the script's directory
        set CARET=^^
        !ELEVATE_COMMAND! cmd /k cd /d "%~dp0" !CARET!^& call "%~dpnx0" %*
        goto :EOF
      )
    goto exit
    
    :warnthenexit
    echo Machine undetermined. 
    :exit
    
    rem ---- your commands to be executed as elevated go here ----
    
    
    

    • Marked as answer by harriet_001 Monday, August 30, 2010 8:34 AM
    Monday, August 30, 2010 8:33 AM

All replies

  • Hi,

     

    Thanks for the post!

     

    There is a workaround I would like to recommend to you. You can take the following suggestions to run an application without prompting. Please try to create a shortcut with highest privileges:

     

    1. Click Start, right click on Computer and choose “Manage”

    2. Click “Task Scheduler” on the left panel

    3. Click “Create Task” on the right panel

    4. Type a name for the task

    5. Check “Run with highest privileges.”

    6. Click Triggers tab

    7. Click New

    8. Select “At log on” under begin task

    9. Select “Specific User Or Group”. This ensures the task only runs at log on for you and not all users. Running for all users would be a security risk due to program running under your User Account with Administrative Access.

    10. Click OK

    11. Click Actions tab

    12. Click “New…”

    13. Browse to the program in the “Program/script” box. Click OK

    14. Click the Conditions tab

    15. Uncheck “Start the task only if the computer is on AC power”

    16. Click the Settings tab

    17. Uncheck “Stop the task if it runs longer than”

    18. Click OK

    19. On desktop, right click, choose New and click “shortcut”

    20. In the box type: schtasks.exe /run /tn TaskName where TaskName is the name of task you put in on the basics tab and click next.

    21. Type a name for the shortcut and click Finish

     

    Now, you can double click the shortcut to run the program.

     

    Hope it helps.

     

    Best Regards,

    Miya Yao


    This posting is provided "AS IS" with no warranties, and confers no rights. | Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Monday, August 23, 2010 9:24 AM
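
An audit of the task built by the steps above, as an added example that is not part of the original thread: because `schtasks.exe /run` starts the task elevated without a UAC prompt, it checks the run level, the user and command recorded in the task, and the ACLs on the target. `TaskName` is the placeholder from step 20 and `C:\Apps\myapp\start.bat` is a hypothetical target path.

```batch
@echo off
rem Added example, not from the thread. TASK_NAME and TARGET are placeholders:
rem the name typed in step 4 and the program selected in step 13.
setlocal
set "TASK_NAME=TaskName"
set "TARGET=C:\Apps\myapp\start.bat"

rem Print the fields of the task definition that decide how it runs:
rem   RunLevel      HighestAvailable means step 5 is in effect
rem   UserId        the account on the logon trigger (step 9) and the principal
rem   Command       what actually runs elevated (step 13)
schtasks /Query /TN "%TASK_NAME%" /XML | findstr /i "RunLevel UserId LogonTrigger Command Arguments"
if errorlevel 1 (
  echo Task "%TASK_NAME%" not found, or none of the fields were present. 1>&2
  exit /b 1
)

rem The task runs elevated with no prompt, so any account that can rewrite
rem the target or its folder gets its changes run as administrator on the
rem next "schtasks /run". Expect write or modify rights only for
rem Administrators and SYSTEM in both listings.
icacls "%TARGET%"
for %%D in ("%TARGET%") do icacls "%%~dpD."
```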
  • Hello Folks!

    I have a .bat file, for the purpose of starting up a java application. This bat file contains a few commands, setting up the proper environment for the script to be executed successfully. It worked perfectly on XP systems, but now for Windows 7 (and also Vista) I have problems. The bat file, and all the jar files that are needed to execute, plus the jar file containing the main java class, all lie in the same directory.

    NOW...

    If I turn UAC OFF, and I double click on the bat file, it executes just fine.

    With UAC turned ON, if I ran the bat file from an elevated command prompt, it executes fine.

    BUT, with UAC turned ON, if I right click and say "Run as Administrator", then I get a number of exceptions, stating that it cannot find the classes to be executed. To me it seems that in the underlying architecture, the directory from which the application is executed is changed somehow (not by my code, but by Windows).

    Has anyone experienced the same scenario? And if you have, can you please give me some advice? I have also tried making a shortcut, and setting a property on the shortcut to "Run as Administrator", but it also did not work for me; it gave the same outcome as above, printing out exceptions that it cannot find the class.

    I would really appreciate your input.

    Regards,

    Harriet

    Tuesday, August 24, 2010 10:07 AM
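
A self-elevating launcher for the java command format in the question, as an added example (not code from the thread). It uses the same `S-1-16-12288` check as the accepted answer, requests elevation through PowerShell's `Start-Process -Verb RunAs` instead of the external `elevate.cmd`, and switches to the script's folder, because an elevated launch starts in `%SystemRoot%\System32` and relative classpath entries then fail as described above. The classpath, main class and `--relaunched` marker are placeholders.

```batch
@echo off
rem Added example, not from the thread. Placeholders: LAUNCH_CP, LAUNCH_MAIN.
setlocal
set "SYS=%SystemRoot%\System32"

rem Full paths to system tools: cmd.exe searches the current directory first,
rem so a same-named file next to this script must never be picked up.
"%SYS%\whoami.exe" /groups | "%SYS%\find.exe" "S-1-16-12288" >nul
if not errorlevel 1 goto run_elevated

rem Guard against a relaunch loop when elevation cannot produce a
rem high-integrity token (the marker argument is passed below).
if "%~1"=="--relaunched" (
  echo Elevation was requested but this process is still not elevated. 1>&2
  pause
  exit /b 1
)

echo Not elevated. Requesting elevation through the UAC prompt.
rem Assumes the script path contains no apostrophe (it is single-quoted here).
"%SYS%\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "Start-Process -FilePath '%~f0' -ArgumentList '--relaunched' -Verb RunAs"
exit /b

:run_elevated
rem Elevated launches start in the System32 folder, so relative classpath
rem entries stop resolving. Switch to the folder that holds this script.
cd /d "%~dp0"
echo Elevated. Working directory is now %CD%

rem Placeholder command in the java -cp format from the question.
rem java is resolved from this folder first, then PATH, so this folder
rem should be writable by administrators only.
set "LAUNCH_CP=.\*"
set "LAUNCH_MAIN=com.example.Main"
java -cp "%LAUNCH_CP%" %LAUNCH_MAIN%
set "RC=%ERRORLEVEL%"
pause
exit /b %RC%
```

Command-line arguments given to the first, non-elevated launch are not forwarded to the elevated instance in this version.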
  • Hi,

     

    Did you try the method I provided before? Please follow that and give me any update.

     

    Also, I would like to know the reason if you do not want to try that.

     

    Regards,

    Miya Yao


    Wednesday, August 25, 2010 8:48 AM
  • Hey Miya, thanks for your time to answer!

     

    No, I have not tried it, because doing it this way will not suit my needs. I have a couple of these bat files that need to be run with elevated permissions, not just one. The scripts should only execute when they are double clicked, and not on some schedule or at startup. We are a development house, this is not for personal use.

    This problem is not fixed yet, I am now investigating a new set of powertools that can apparently be used for elevation. The name of the app is also elevate. However for my needs it is still not working. I get some UnsatisfiedLink errors, although I checked that the jni class it is looking for is on the PATH. So I am looking at that at the moment....

     

     

    Wednesday, August 25, 2010 9:50 AM
  • Hi,

     

    Since your environment is quite complicated, I suggest you ask questions in Script Center, it’s more professional and could resolve your questions efficiently.

     

    Thanks for your understanding!

     

    Regards,

    Miya Yao


    Thursday, August 26, 2010 9:04 AM