Run PowerShell as Admin without UAC confirmation

Hi all,

I have two files. The first one is a batch file (start.cmd) that I call from Windows as an admin user. In this file I call PowerShell as admin, and through it I call the second file (msi.ps1), where I install an MSI file. All works fine, but when I run start.cmd it requires UAC confirmation for PowerShell.

start.cmd:
powershell -Command "Start-Process powershell -ArgumentList '-ExecutionPolicy Bypass -NoProfile -Command cd C:\Temp; & .\msi.ps1' -Verb RunAs"

msi.ps1:
Start-Process msiexec.exe -Wait -ArgumentList '/I D:\file.msi /quiet'

How could I avoid this confirmation?
Thanks.

Peter

Peter,
Welcome to the forum. :wave:t4:

If you already started your cmd elevated all child processes started from this cmd will run elevated.

If you’re asking how to bypass UAC - you cannot.

Next time please format your code as code using the preformatted text button ( </> ). Simply place the cursor on an empty line, click the button and paste your code.

Thanks in advance

I’ve been there. Your only option is to disable UAC, you can do it via registry (requires a reboot) but if a policy is in place to enable it back, you are out of luck. I remember I created a scheduled task that ran during shutdown to disable UAC via registry, the next time the computer boots, UAC will be disabled and although the policy will enable it back, a reboot will be required again, so UAC is never successfully enabled because the task will run on every reboot.

If I remember correctly, I created a script that would edit the key, and the scheduled task would run the script before the shutdown event.

This is the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Set it to 0.

Even if that’s like leaving the door to your house wide open for everyone - what you’d probably never do I hope - you still need to be an administrator on the computer you want to install something on, right? For a decent admin it should be like using a seatbelt while driving - get used to it. :wink:

I agree that most of the time you would want the extra layer of protection that UAC provides but there are also legitimate reasons why you may want to disable it. You could be working on a sandbox or test environment, it could be a temporary measure to complete any given task (especially an automated one), you could be working on an isolated, controlled, locked-down environment, etc.

As long as you know what you are doing, it should be an option, particularly when the benefits of disabling it outweigh the benefits of keeping it enabled. Just my $0.02.

The original question seems to be about an installation. If I do correctly read between the lines I’d expect the question is about how to install a software without being an administrator. :wink:

Do you have the feeling that this is the case in this case? :wink:

I have to side with Olaf on this one. Turning off UAC is a bad idea. Not only does it protect you from yourself, it makes it harder for the bad guys/malware to elevate privileges. You may “think” you know what you are doing, but so do the bad guys. The only way I could see justifying turning UAC off is on air-gapped systems. I do 90+% of Windows stuff from an admin shell and as Olaf points out, everything from there is elevated.

Just my $.02

Hi guys,

thank you for your responses.
@Olaf Yes, my goal is to install the MSI package for more users in the domain with a policy, but I will run start.cmd as administrator, not without admin rights. I just need to set a parameter YES to confirm UAC for PowerShell, if that is possible… or disable UAC for the time it takes to install the MSI package and then set it back.
After Windows login I want to check if the MSI package is installed and, in case not, install it.

Peter

That is exactly the same scenario I have faced before. There is no way to respond to the UAC’s prompt automatically, I guess it would defeat the purpose.

The easiest way is to disable it via Group Policy and then enable it back. If that is not an option, it will be tricky but still possible, see my previous post above.

There is no other way around it.

Just to mention it at least once: You are using the wrong tool for the job. Even if it’s technically possible and is supported by MSFT - it is a bad idea!! :point_up_2:t4:

It is not.

That’s not necessary.

I assume you did not google how to do it, did you? There is a dedicated way to install MSI packages by GPO. You don’t need a script for it.

Even if you use a script for it you should run it as computer policy - not as user policy. This way the script runs with the system account and does not need an extra elevation. It does not even need a start.cmd you can provide a PowerShell script right away.

That’s unnecessary if you use the right tool.

If you have the chance to use a software deployment solution or at least a WSUS server I urgently recommend doing so. It will save you from a lot of wasted time and frustration. :wink:

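The approach recommended in the last reply, a script assigned as a computer (startup) policy so that it runs under the system account and needs no elevation, combined with the "check whether the package is installed, install it if not" logic from the question, as an added example that is not code from any poster in this thread. `$ProductName` and the log paths are hypothetical, `D:\file.msi` is the path from the question, and the signature check assumes the package is Authenticode-signed.

```powershell
# Added example: computer startup script. It runs as SYSTEM, so UAC is not involved.
$ProductName = 'Example App'                          # hypothetical: DisplayName the MSI registers
$MsiPath     = 'D:\file.msi'                          # path taken from the question
$LogPath     = "$env:windir\Temp\file-install.log"    # hypothetical script log
$MsiLog      = "$env:windir\Temp\file-msiexec.log"    # hypothetical msiexec verbose log

function Write-Log([string]$Message) {
    Add-Content -Path $LogPath -Value "$(Get-Date -Format s) $Message"
}

function Test-ProductInstalled([string]$DisplayName) {
    # Machine-wide uninstall entries, 64-bit and 32-bit views.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $found = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq $DisplayName }
    return [bool]$found
}

if (Test-ProductInstalled -DisplayName $ProductName) { exit 0 }   # nothing to do

if (-not (Test-Path -LiteralPath $MsiPath)) {
    Write-Log "MSI not found: $MsiPath"
    exit 2
}

# The script runs as SYSTEM, so refuse a package whose signature does not validate.
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
if ($sig.Status -ne 'Valid') {
    Write-Log "Signature status '$($sig.Status)' for $MsiPath, not installing"
    exit 3
}

$msiArgs = "/i `"$MsiPath`" /quiet /norestart /l*v `"$MsiLog`""
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru

# 0 = success, 3010 = success with a reboot pending; anything else is a failure.
Write-Log "msiexec exit code $($proc.ExitCode)"
if ($proc.ExitCode -notin 0, 3010) { exit $proc.ExitCode }
```

Because the script runs as SYSTEM, the location it installs from should be writable by administrators only.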