Skip to main content

How to Make a Batch Script Request Administrator Privileges (Run as Admin)

Many administrative tasks scripted in Windows Batch—such as modifying protected registry keys, installing software, or changing system services—require elevated (administrator) privileges to run successfully. If a user executes a script without these rights, it will fail with "Access is Denied" errors. Ensuring your script runs with the necessary permissions is key to its reliability.

This guide will explain and contrast two methods for this: the classic RUNAS command for specific user contexts, and the modern, recommended "self-elevation" technique that triggers a standard User Account Control (UAC) prompt for administrator approval.

Why Force a Script to Run as Administrator?

Without administrator rights, a batch script is sandboxed and cannot perform system-level changes. Forcing elevation ensures your script can:

  • Write to protected directories like C:\Program Files or C:\Windows.
  • Modify HKEY_LOCAL_MACHINE in the registry.
  • Start, stop, or configure system services.
  • Install or uninstall software that requires administrative access.

An elevation check at the beginning of a script prevents it from failing midway through due to insufficient permissions.

This is the standard and most secure method for all modern versions of Windows (Vista and newer). Instead of trying to switch to a specific "Administrator" account, this technique checks if the script currently has elevated rights. If it doesn't, it re-launches itself in a way that triggers the standard User Account Control (UAC) prompt. The user is then asked to click "Yes" to grant administrator-level permissions to the script.

This approach is superior because:

  • It doesn't require a password to be typed into the script or console.
  • It works for any user who is a member of the local Administrators group, not just the account named "Administrator".
  • It follows the standard, secure way that modern Windows applications request elevation.

The Complete Self-Elevating Script

@ECHO OFF
CLS

:: ============================================================================
:: Check for Administrative Privileges and self-elevate if not present
:: ============================================================================
NET FILE >NUL 2>NUL
IF '%ERRORLEVEL%' NEQ '0' (
    ECHO Requesting administrative privileges...
    ECHO(
    powershell.exe -Command "Start-Process '%~f0' -Verb RunAs"
    EXIT /B
)
ECHO(

:: ============================================================================
:: Your Administrative Code Starts Here (This section only runs if elevated)
:: ============================================================================

ECHO SUCCESS: The script is now running with administrator privileges.
ECHO The current user is: %USERNAME%
ECHO(
ECHO For example, we can now access the System32\config folder:
DIR "C:\Windows\System32\config" >NUL 2>&1
IF '%ERRORLEVEL%' EQU '0' (
    ECHO Successfully accessed the secure config folder.
) ELSE (
    ECHO FAILED to access the secure config folder.
)

ECHO(
ECHO Script has finished.
PAUSE
GOTO :EOF
note

NET FILE is used here as an alternative to OPENFILES as it's available on more Windows editions by default and also requires admin rights.

How Self-Elevation Works: The NET FILE and PowerShell Trick

  1. NET FILE >NUL 2>NUL: This is the core permission check. The NET FILE command, when run, will fail if the user does not have administrative privileges. We redirect its normal output (>NUL) and its error output (2>NUL) to nowhere because we only care about its success or failure, not its output text.
  2. IF '%ERRORLEVEL%' NEQ '0': After NET FILE runs, we check the ERRORLEVEL. A non-zero ERRORLEVEL indicates that the command failed, meaning the script is not currently running as an admin.
  3. powershell.exe ... -Verb RunAs: If elevation is needed, this PowerShell command is executed.
    • Start-Process '%~f0': This tells PowerShell to start a new process. The special batch variable %~f0 expands to the full path of the currently running script.
    • -Verb RunAs: This is the crucial part. RunAs is a special "verb" that tells the Windows shell to execute the process with elevated privileges, which triggers the UAC prompt.
  4. EXIT /B: The original, non-elevated script then immediately exits. The new, elevated instance (if the user clicks "Yes") takes over and runs the script from the beginning. On its second run, the NET FILE command will succeed (ERRORLEVEL will be 0), the IF block will be skipped, and the script will proceed to the administrative code section.

Method 2: The Classic RUNAS Command (for Specific User Contexts)

This older method attempts to re-launch the script as a different, specifically named user (e.g., the built-in "Administrator" account).

This approach is generally NOT recommended for modern use because:

  • Requires a Password: It forces the user to type a password directly into the console, which can be insecure and is a poor user experience.
  • Often Fails on Modern Systems: The built-in account named "Administrator" is disabled by default on most modern Windows installations for security reasons.
  • UAC Incompatibility: It doesn't integrate well with the standard UAC security model and can be blocked by security policies.

It should only be used in specific, controlled environments (like a domain environment) where you know the target user account exists, is enabled, and you explicitly need to run a task under that exact user's context, not just with general admin rights.

The RUNAS Script Example

@ECHO OFF
CLS
ECHO Current User is '%USERNAME%'

REM -- Check if we are running as the specific 'Administrator' user --
IF /I "%USERNAME%" NEQ "Administrator" (
    ECHO This script needs to run as the built-in Administrator.
    ECHO Attempting to re-launch... You will be prompted for the Administrator password.
    ECHO(
    runas /user:Administrator "cmd /c %~f0"
    GOTO :EOF
)

REM --- Your code runs here ONLY IF you are the 'Administrator' user ---
ECHO SUCCESS: You are running as the 'Administrator' user.

ECHO(
PAUSE
GOTO :EOF

How RUNAS Works and Its Limitations

  1. IF /I "%USERNAME%" NEQ "Administrator": This checks if the current username is not "Administrator". The /I makes the comparison case-insensitive.
  2. runas /user:Administrator "...": If the check is true, it uses the RUNAS command to try and start a new process.
    • /user:Administrator: Specifies the user account to use. You could also use a domain user like /user:YourDomain\AdminUser.
    • "cmd /c %~f0": This is the command to execute. cmd /c starts a new command prompt that runs the specified command (%~f0, our script) and then terminates.
  3. Password Prompt: The user will be prompted to type the password for the "Administrator" account directly in the console window. If correct, a new window will open running the script as that user. If incorrect, it will fail.
  4. GOTO :EOF: The original script exits, leaving the new one (if successful) to run.

Summary: Choosing the Right Method (RUNAS vs. UAC Self-Elevation)

FeatureSelf-Elevation (UAC) MethodRUNAS Command Method
RecommendationBest Practice for Modern WindowsLegacy / Niche Domain Use Only
SecurityHigh (Uses standard, secure UAC)Low (Requires password entry in console)
CompatibilityExcellent on modern Windows (Vista+)Fails if specified user account is disabled
User ExperienceFamiliar UAC pop-up promptUnfamiliar, plain-text console password prompt

Conclusion

For virtually all modern scripting needs where administrator rights are required, use the UAC self-elevation method.

  • It is more secure, far more reliable on standard Windows configurations, and provides a user experience that is consistent with the operating system's security model.
  • The classic RUNAS command should be reserved for very specific scenarios in controlled environments where running as a particular named user is a strict requirement.

Table of Contents