RunWithLogon and UAC

 Keywords: RunWithLogon UAC requires elevation 1932 prompt

You cannot use the RunWithLogon function by itself to circumvent the UAC elevation prompt when UAC is enabled.

When UAC is enabled and you attempt to use "RunWithLogon" to start a process that requires elevation, it will fail. The fact that the credentials passed to the function are for an administrator account does not matter. We know this seems counter-intuitive but this is just how UAC works.


The problem is that RunWithLogon uses the underlying Windows API CreateProcessWithLogonW. When you launch an application using RunWithLogon, behind the scenes CreateProcessWithLogonW is actually logging on that user. With UAC enabled, if that user is a member of the local Administrators group, that logon generates two different user tokens: a full administrator's token and a filtered administrator's token. However, the application you launch will only use the filtered administrator's token until you explicitly elevate.

So how do you explicitly elevate? Normally you can use the ShellExecute function to create a process that requires elevation. ShellExecute works because the shell sits in a much higher layer of the OS and is consequently able to take a dependency on elevation. Unfortunately, there is no equivalent ShellExecuteWithLogon API!
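As an added example (not part of the original article and not WinBatch code), this PowerShell snippet asks the current process token for its elevation type via GetTokenInformation. Run it from a process that RunWithLogon started with administrator credentials under UAC and it reports the filtered (limited) token the article describes; the TokenProbe class name and the Get-TokenElevationInfo function are assumptions of this example.

```powershell
# Added example, not from the WinBatch article: report whether the current process
# holds a full, a filtered (limited) or a non-split token. Windows only.
$signature = @"
using System;
using System.Runtime.InteropServices;
public static class TokenProbe {
    [DllImport("kernel32.dll")]
    public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr token, int infoClass,
        out int info, int infoLength, out int returnLength);
}
"@
if (-not ('TokenProbe' -as [type])) { Add-Type -TypeDefinition $signature }

function Get-TokenElevationInfo {
    $TOKEN_QUERY        = 0x0008   # winnt.h access right needed for GetTokenInformation
    $TokenElevationType = 18       # TOKEN_INFORMATION_CLASS: 1=Default 2=Full 3=Limited
    $TokenElevation     = 20       # TOKEN_ELEVATION.TokenIsElevated (DWORD)
    $token = [IntPtr]::Zero
    if (-not [TokenProbe]::OpenProcessToken([TokenProbe]::GetCurrentProcess(), $TOKEN_QUERY, [ref]$token)) {
        throw "OpenProcessToken failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $type = 0; $elevated = 0; $len = 0
        [void][TokenProbe]::GetTokenInformation($token, $TokenElevationType, [ref]$type, 4, [ref]$len)
        [void][TokenProbe]::GetTokenInformation($token, $TokenElevation, [ref]$elevated, 4, [ref]$len)
    } finally {
        [void][TokenProbe]::CloseHandle($token)
    }
    $meaning = switch ($type) {
        1 { 'Default: no split token (UAC off, or this account is not subject to UAC filtering)' }
        2 { 'Full: the full administrator token (already elevated)' }
        3 { 'Limited: the FILTERED administrator token; a linked full token exists but is not in use' }
        default { "Unknown elevation type $type" }
    }
    [pscustomobject]@{
        User          = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        ElevationType = $type
        IsElevated    = ($elevated -ne 0)
        Meaning       = $meaning
    }
}

# From a process launched by RunWithLogon with admin credentials under UAC, expect
# ElevationType 3 (Limited) and IsElevated False until ShellExecute elevates it.
Get-TokenElevationInfo
```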


Option 1:

You need a 'bootstrapper': some process that performs the transition to the alternate user and is then responsible for running the application that requires Administrator. So, you could design something like this:

;**        RunAs Bootstrapper - ShellExecuteWithLogon

; Can be used by a standard user to run a program requiring elevated admin privileges.
; This script must be compiled with the manifest 'asInvoker'
; The application you are launching must be compiled with the manifest 'HighestAvailable' or 'RequireAdministrator'
appname = DirScript():'doadminstuff.exe' ; compiled with the manifest 'HighestAvailable' or 'RequireAdministrator'
If param0 == 0
   ; Relaunch this script as the alternate user (it receives that user's filtered administrator token),
   ; passing the command-line parameter 'Elevator'. Arguments after @NOWAIT are the
   ; username, domain ("." = local machine) and password; replace the placeholder values.
   RunWithLogon(IntControl(1004, 0, 0, 0, 0), "Elevator", DirScript(), @NORMAL, @NOWAIT, "Guesswho", ".", "*topsecret*", 0)
ElseIf param1 == "Elevator"
   ; Explicitly elevate to a full administrator's token using ShellExecute
   ShellExecute(appname, "", FilePath(appname), @NORMAL, "")
EndIf

Option 2: Scheduled Task Workaround

One widely reported solution is to create a Scheduled Task using schtasks.exe that executes upon creation. This task then runs the part of the script that requires administrative privilege.

Update: One drawback is that it requires an Administrator to set up the task on the user's workstation. Standard users cannot run scheduled tasks on demand. That makes sense for security, though.

Article ID:   W18319
Filename:   RunWithLogon and UAC.txt
File Created: 2017:07:28:13:02:44
Last Updated: 2012:01:25:10:51:49