Using runas to run netsh as administrator
There's a difference between being logged in to an account that is part of the administrators group and running either (a) elevated or (b) as the builtin Administrator account.
Anytime you run as Administrator, you are always elevated -- by definition. So if you run /user:administrator
that window will be elevated when it opens, you WON'T get a UAC prompt and the netsh
command should run.
But because the builtin Administrator account always runs elevated and doesn't generate UAC prompts from runas
, it's a security risk, especially if it doesn't have a password. That's why Microsoft disables the Administrator account by default and requires that you enable it first:
In Windows® 7, the built-in administrator account is disabled by default. In previous versions of Windows, an Administrator account was automatically created during Out-of-Box-Experience (OOBE) with a blank password.
An Administrator account with a blank password is a security risk. To better protect the system, the built-in Administrator account is disabled by default in all clean installations and upgrades of Windows 7.
Here's how you enable it. (You can open MMC by typing "mmc" in the "Run..." box in the Start menu.)
Change the properties of the Administrator account by using the Local Users and Groups Microsoft Management Console (MMC).
- Open the MMC console and select Local Users and Groups.
- Right-click the Administrator account and select Properties.
- The Administrator Properties window appears.
- On the General tab, clear the Account is Disabled check box.
- Close the MMC console.
Also, be aware that runas
does NOT allow you to pass arguments to the program you run:
RUNAS USAGE:
RUNAS [ [/noprofile | /profile] [/env] [/savecred | /netonly] ]
/user:<UserName> program
RUNAS [ [/noprofile | /profile] [/env] [/savecred] ]
/smartcard [/user:<UserName>] program
RUNAS /trustlevel:<TrustLevel> program
If you'd like to run a command elevated under your own userid or if you'd like to pass arguments, you need a genuine sudo
or su
(like this one, part of my own Hamilton C shell :) with an interlude marked in the application manifest as requiring elevation. If you do it that way, you will see a UAC prompt.
Related videos on Youtube
Comments
-
jhfrontz almost 2 years
I'm trying to do some debugging for a vendor on a Windows 7 machine. I need to run
netsh
to set a parameter. I've tried to run it from a cygwin/shell window but get a "Run as administrator" failure.Googling around, I see that there is a
runas
command that seems to work likesudo
. Since my user account (me
) is an administrator, I tryrunas /user:me "netsh ..."
I get a prompt forme
's password; I enter it;netsh
(presumably running in a newcmd
window) flashes open and closed; and I get a successful return from the command (i.e., $? == 0).But apparently that's not good enough since the parameter was unchanged. I finally got around this by doing "run as administrator" on a shortcut to the shell (and then ran
netsh
normally).What's the trick to make Windows/
runas
realize thatme
really is an administrator? -
jhfrontz over 11 yearsHmm, OK, thanks. I thought I saw somewhere that if I quoted stuff, I could pass arguments. So if that doesn't work-- if I instead create a batch file that just executes its arguments and mark it with the "run as administrator" setting, does that approximate
sudo
? -
Nicole Hamilton over 11 yearsYou could certainly run a
.cmd
file as Administrator by right-clicking and selecting that or by using therunas
command. But you can't mark it as requiring elevation because it's not an.exe
that could have a manifest. To add a manifest to an.exe
, use themanifest.exe
utility supplied with the Windows SDK that comes with Visual Studio.