Can't run as Admin

Question

I have to execute the ewfmgr.exe which can be executed only when the Command window is opened as an Admin.

If I go to Start->type cmd.exe

Answer 1

What must be at least taken into account on elevating a command script (batch file) to administrator level?

1. The current directory changes in any case to %SystemRoot%\System32.

2. The environment could change completely if the current user is not in administrator group and therefore the user has to use a different user account to run the batch file with elevated privileges of an administrator, for example the local administrator account must be used instead of current user account. This affects environment variables and permissions on network resources.

3. The script is started initially always in environment of parent process which is on 64-bit Windows the 32-bit environment instead of the 64-bit environment in case of parent process is a 32-bit application.

4. The script could be executed with one or more arguments enclosed in double quotes which should be passed right to the script on execution with elevated privileges.

How to handle those 4 points?

1. Current directory

Many command line scripts (batch files) are coded to work with current directory and assume that the current directory is the same directory as the batch file. That the current directory is the same directory in which the batch file is stored is true on double clicking on a batch file stored on a local drive or a network drive, except the execution of batch files from network drives is disabled by security settings.

But Windows sets %SystemRoot%\System32 as current directory on running a cmd script as scheduled task using system account.

And Windows sets %SystemRoot%\System32 as current directory on using RunAs to run a cmd script with elevated administrator privileges.

And Windows sets %SystemRoot% as current directory after printing into console window the message below on executing a batch file with a double click which is stored on a network share opened using UNC path.

'\server\share\directory'
CMD.EXE was started with the above path as the current directory.
UNC paths are not supported. Defaulting to Windows directory.

Using UNC paths as current directory could be enabled as described for example by an answer on How to run batch file from network share without "UNC path are not supported" message?

The best would be to write the entire script code to work independent on which directory is the current directory.

That means not using just the file name of a referenced file, but "Full path to\FileName.exe", i.e. the file name with file extension and with full path enclosed in double quotes.

In case of all files to run or referenced from within a cmd script are stored in an unknown folder, but are always in same folder as the cmd script, the simple method to get path for all files is using the command line:

set "SourceFolder=%~dp0"

%~dp0 expands to path of the batch file always ending with a backslash and never being enclosed in double quotes even if the folder path contains a space character or other command line syntax critical characters like an ampersand.

Then all files are referenced with using

"%SourceFolder%FileName.exe"

Note: There is no backslash (directory separator on Windows) as the environment variable SourceFolder holds the folder path already with a backslash at end.

Of course it is also possible to use cd /D "%~dp0" to set current directory to the directory of the cmd script, but this does not work for UNC paths.

But there is also the command pushd "%~dp0" working also with UNC paths if command extensions are enabled as by default.

For details on the commands CD and PUSHD run in a command prompt window cd /? and pushd /? and read the output help.

2. Environment variables

Windows creates a copy of the currently active environment table of current process whenever a new process is created.

But this is not the case when a batch file elevates itself to administrator level. Therefore it is not possible to define environment variables on initial run of a batch file, then elevate to administrator level, and access now the environment variables as defined before in initial environment. It could even happen that the batch file was initially executed in 32-bit environment on 64-bit Windows on initial execution, but runs in 64-bit environment after elevation to administrator level.

So everything which needs to be passed from initial execution to elevated execution must be parsed via command line arguments or via a file on a local drive fully accessible in all environments, i.e. for everyone.

3. 32-bit versus 64-bit environment

Sometimes a 32-bit installer is used for installing either a 32-bit or a 64-bit application depending on bit width of Windows because of running on all Windows. The batch file is processed by 32-bit cmd.exe in 32-bit environment on using a 32-bit installer even when executed on a 64-bit Windows.

At least the following three Microsoft articles should be studied carefully before reading further:

• File System Redirector
• WOW64 Implementation Details
• Registry Keys Affected by WOW64

It is definitely no good idea to depend on value of environment variable PROCESSOR_ARCHITECTURE as its value is x86 when a 32-bit process is executed on 64-bit Windows in 32-bit environment.

It is also not good to query the architecture of the processor directly from Windows registry. It is not guaranteed that there is a 64-bit Windows running on a computer with a 64-bit CPU. It is not often done, but nevertheless possible to use 32-bit Windows on a computer with a 64-bit processor on main board.

The environment variable ProgramFiles(x86) is not defined by default on 32-bit Windows as it is on 64-bit Windows which can be used to determine if a command file script is running on 32-bit or 64-bit Windows.

And the file %SystemRoot%\Sysnative\cmd.exe exists only for 32-bit processes running in 32-bit environment on 64-bit Windows because of special alias Sysnative existing only for a 32-bit process in 32-bit environment on 64-bit Windows which can be used to determine in which environment the batch file is currently running.

4. Passing arguments

It is easy to elevate a batch file executed without any arguments to elevated administrator level.

It is also no problem to pass simple arguments which do not need to be enclosed in double quotes to batch file running elevated.

But passing one or more arguments containing at least one space character or one of these characters &()[]{}^=;!'+,`~<|> which require enclosing the argument string in double quotes is really not easy, especially on creating a Visual Basic script from within a batch file to elevate to administrator level.

It is a real nightmare to try to encode double quotes in batch file correct to be passed via the VB script to the same batch file executed with elevated privileges. Most solutions provided in world wide web simply don't support double quoted parameters. Matt's Elevate.cmd - Version 4 is no exception. Running a batch file using this code with "%ProgramFiles%\Installation Folder" as first argument results on initial execution in "C:\Program Files\Installation Folder" being the first and only argument and on elevated execution after removing argument ELEV in the three arguments C:\Program, Files\Installation and Folder.

5. Possible solution for this task

For this task a 32-bit NSIS installer is calling a command line script which must elevate itself to administrator level and should run on 64-bit Windows in 64-bit environment instead of 32-bit environment as on initial run.

I have once analyzed the batch and VB script code of Matt's Elevate.cmd - Version 4, have removed all useless code, have enhanced it to support also arguments enclosed in double quotes using a much easier method than other posted, and have commented the code completely so that others can also understand it for answering UNC paths as current directories in batch file where admin rights are requested.

The batch script posted there is written to work independent on what is the current directory for working also with batch file being executed from a network share using UNC path which of course works only if the network share is still accessible according to permission settings of the share after elevation to administrator level. I found out today after a comment by Richard on his answer on Open Command Window in Windows x64 mode that the web page SS64 - Run with elevated permissions contains nearly the same code as I developed without having ever read the code there.

The adapted batch file code below should work for this task. It expects the executable ewfmgr.exe in same directory as the cmd script or ewfmgr.exe is specified with full path as first argument on executing the script in case of being in a different directory.

@echo off
setlocal EnableExtensions DisableDelayedExpansion
cls

rem Define as application to run by default the file ewfmgr.exe in folder
rem of the batch file which can be a folder on a local drive or on a
rem network drive or even a UNC path.

set "AppToRun=%~dp0ewfmgr.exe"
set "vbsGetPrivileges=%TEMP%\OEgetPriv_%~n0.vbs"

rem The console application NET with parameter FILE can be executed
rem successfully only if the account used for running this batch file
rem has local administrator privileges. See the Microsoft documentation
rem https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-xp/bb490702(v=technet.10)
rem for details about NET FILE.

rem The output written to handle STDOUT on successful execution is redirected
rem to device NUL to suppress it. The exit code of NET assigned to ERRORLEVEL
rem is in this case 0 indicating a successful execution.

rem But on a failed execution because of not having administrator
rem privileges NET outputs to handle STDERR the two error messages
rem "System error 5 has occurred." and "Access is denied." which
rem are redirected from handle STDERR to device NUL to suppress them.
rem And exit/return code of NET is 1 indicating a failed execution.

rem Read https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-xp/bb490982(v=technet.10))
rem for details about using command redirection operators.

%SystemRoot%\System32\net.exe FILE >nul 2>nul
if not errorlevel 1 goto RunMainCode

if "%~1" == "ELEV" (

    rem This condition is just for safety. If the batch file was started
    rem already a second time with ELEV as first parameter and execution
    rem of NET FILE failed nevertheless because of missing permissions,
    rem the batch file outputs an error message, waits for any key press
    rem by the user to make sure that the user had the chance to read the
    rem error message and then exits the batch file processing without
    rem doing anything at all.

    echo %~nx0 should run already with elevated privileges, but it isn't.
    echo/
    echo Press any key to exit %~nx0 without doing anything ...
    pause >nul
    goto :EOF
)

rem This batch file can be started without any parameter resulting in %* being
rem expanded to nothing which results in environment variable BatchArgs being
rem deleted if already existing or with ewfmgr.exe with full path as parameter
rem which must be enclosed in double quotes in case of path containing
rem one or more spaces.

rem As the batch file needs to be executed once again in a separate command
rem process running as local administrator for full access at least on local
rem machine it is necessary to prepare the parameters/arguments list. Each
rem double quote in the arguments list must be doubled to be correct escaped
rem in the VB script file.

rem This is necessary as otherwise running this batch file with
rem "Full path to\ewfmgr.exe"
rem as first parameter would result in execution of the batch file by the
rem Windows Scripting Host as Full path to\ewfmgr.exe without the double
rem quotes as arguments for the batch file and therefore the first parameter
rem is on elevated execution "Full" instead of "Full path to\ewfmgr.exe" as
rem it was initially.

rem Many "run as administrator" solutions which can be found in world wide web
rem don't handle parameter strings correct which are enclosed in double quotes
rem because the parameter string has one or more spaces or other critical
rem characters requiring enclosing the parameter string in double quotes.

set "BatchArgs=%*"
setlocal EnableDelayedExpansion
if defined BatchArgs set "BatchArgs= !BatchArgs:"=""!"

rem Everything output by the ECHO command lines within the next command block
rem is redirected into the VB script file created in the folder for temporary
rem files of current user with name of batch file in VB script file name. This
rem makes it possible that multiple batch files with different names can run
rem at the same time using same code for creating a VB script file to run the
rem batch file once again as administrator with elevated privileges.

rem For details on ShellExecute parameters see the Microsoft documentation
rem https://docs.microsoft.com/en-us/windows/win32/shell/shell-shellexecute

rem The tricky part is quoting the arguments list correct which should be
rem finally passed to cmd.exe executed from the VB script. The command process
rem running the batch file with elevated privileges of local administrator
rem should automatically close after execution of batch file finished which
rem is the reason for first argument /C.

rem The second argument is the command to execute by `cmd.exe` which is
rem the batch file name with complete path which must be enclosed in double
rem quotes for safety in case of batch file name or path contains one or more
rem spaces. But additionally the batch file itself must be started with at
rem least two more arguments.

rem The first argument for the batch file is ELEV which is used as indication
rem to detect if this batch file is already started a second time via the
rem VB script using local built-in administrator account.

rem The second argument for the batch file is the application to
rem run with full default path which is the batch file folder.

rem And last all parameters passed to this batch file on initial run should
rem be also passed to second execution of this batch file under the different
rem environment of local built-in administrator account.

rem This nesting of batch file arguments in command processor arguments written
rem into a VB script file which requires additionally escaping each double quote
rem within a string with one more double quote results in a strange syntax for
rem the line to write into the VB script file.

(
    echo Set UAC = CreateObject^("Shell.Application"^)
    echo UAC.ShellExecute "%SystemRoot%\System32\cmd.exe", "/C """"%~f0"" ELEV ""!AppToRun!""!BatchArgs!""", , "runas", 1
)>"%vbsGetPrivileges%"
endlocal

rem Now the created VB script file can be executed with Windows Script Host.
rem Then the VB script file can be deleted as not longer needed and processing
rem of this batch file under current user account ends resulting in returning
rem to command process which results in closing the console window if not
rem executed by cmd.exe started with option /K to keep the console window
rem opened like on opening a command prompt window and running this batch
rem file from within the command prompt window.

%SystemRoot%\System32\WScript.exe "%vbsGetPrivileges%"
del "%vbsGetPrivileges%"
endlocal
goto :EOF


rem Here starts the main code of the batch file which needs to be
rem executed with elevated privileges of a local administrator.

rem First is checked if the first parameter of the batch file is ELEV
rem which indicates that this batch file was started a second time
rem using administrator privileges or local administrator account.

:RunMainCode
if "%~1" == "ELEV" (

    rem In this case the second argument is the application to run with
    rem batch file folder passed from initial run to this second run of
    rem the batch file. The current directory is now not anymore the initial
    rem current directory, but %SystemRoot%\System32 as set by Windows on
    rem starting a command process using RunAs and administrator account.
    rem This must be taken into account on further batch file processing.

    rem For this batch file it does not matter what is the current directory
    rem as it is written to work with path of the application to run defined
    rem on starting the batch file (initially). So there is no need to use
    rem CD /D "%~dp0"  or  PUSHD "%~dp0"  as many "run as administrator"
    rem solutions use to change the current directory to directory of the
    rem batch file. There is also no need for  CD /D "%~2"  or  PUSHD "%~2"
    rem here which of course could be also used.

    rem The two additionally added arguments ELEV and the application to
    rem run are removed from the arguments lists by using twice the
    rem command SHIFT to restore the initial arguments list.

    set "AppToRun=%~2"
    shift /1
    shift /1
)

if "%ProgramFiles(x86)%" == "" goto RunApp
if not exist %SystemRoot%\Sysnative\cmd.exe goto RunApp
%SystemRoot%\Sysnative\cmd.exe /C ""%~f0" %*"
endlocal
goto :EOF

rem If this batch file was started (initially) with a parameter string,
rem interpret the first parameter string as application to run with
rem full path if the specified executable file exists at all.

rem Then run the application with full path and its parameters.

:RunApp
if not "%~1" == "" (
    if exist "%~1" set "AppToRun=%~1"
)
"%AppToRun%" c: -enable
endlocal

6. Best solution for this task

---

But it turned out after I finished writing and testing the code above, writing this long answer and before posting it, reading the comment written by Richard on his answer on Open Command Window in Windows x64 mode, the best solution is most likely using the NSIS code as posted at

How do you request administrator permissions using NSIS?

And use in the command script just the few lines at bottom also posted as my answer on Open Command Window in Windows x64 mode to switch from 32-bit to 64-bit environment.