Self Elevate Script

You may want to create a script that always runs elevated. The following scripts will detect if the session is not elevated and then call themselves using gsudo.

Prefer using gsudo status to test if the session is elevated, as alternatives such as whoami vary depending on the OS language, and net session may fail when the network is down.

• Cmd Batch file, long version: (e.g. self-elevate.bat) link

  @echo off
  gsudo status IsElevated --no-output && goto :IsElevated
  
  echo Admin rights needed. Elevating using gsudo.
  gsudo "%~f0" %*
  if errorlevel 999 Echo Failed to elevate!
  exit /b %errorlevel%
  
  :IsElevated
  :: You are elevated here. Do admin stuff.

• One-Line version: link

  @gsudo status IsElevated --no-output || (gsudo "%~f0" & exit /b)
  :: You are elevated here. Do admin stuff.

• PowerShell: (e.g. self-elevate.ps1) link

  function Test-IsElevated {
    return (New-Object Security.Principal.WindowsPrincipal(
      [Security.Principal.WindowsIdentity]::GetCurrent()))
      .IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
  }
  
  if ((Test-IsElevated) -eq $false) {
    Write-Warning "This script requires local admin privileges. Elevating..."
    gsudo "& '$($MyInvocation.MyCommand.Source)'" $args
    if ($LastExitCode -eq 999 ) {
      Write-error 'Failed to elevate.'
    }
    return
  }
  
  # You are elevated. Do admin stuff here.

  If you don't have gsudo installed, you can still self-elevate but in a new console window: link

  @echo off
  :: This script performs self-elevation, in a new console using only built-in windows tools.
  :: Detect elevation using 'net session', jump to :ElevatedTasks if we are admin.
  net session >nul 2>nul & net session >nul 2>nul && goto :ElevatedTasks
  echo Admin rights needed. Elevating using powershell...
  
  :: This powershell command re-executes this script in a new elevated console
  powershell -C start-Process "%~f0" -Verb RunAs -ArgumentList \"%* \""
  IF ERRORLEVEL 1 Echo Elevation failed!
  exit /b
  
  :ElevatedTasks
  :: You are elevated here. Add your admin tasks here.
  :: This will run as admin ::

Detect if running elevated

• PowerShell-native method:

  function Test-IsElevated {
    return (New-Object Security.Principal.WindowsPrincipal(
      [Security.Principal.WindowsIdentity]::GetCurrent()))
      .IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
  }

Even when this code looks like it will check if the current user is member of the local admins group (regardless of current elevation status), instead it just returns $true if elevated.

• PowerShell gsudo method:

  $IsElevated = 'true' -eq (gsudo status IsElevated)

• Cmd Batch:

  gsudo status IsElevated --no-output 
  if errorlevel 0 echo Current Process Is Not Elevated
  if errorlevel 1 echo Current Process Is Elevated

Detect if current user is member of admins group (regardless of current elevation status)

If you want to know if the current user can elevate with a UAC popup but without entering other user credentials, you need to check if the user is a member of S-1-5-32-544 (a.k.a. BUILTIN\Administrators for english OS).

• Batch with gsudo:

  gsudo status IsAdminMember --no-output 
  if errorlevel 1 goto IsAdminMember

• Batch without gsudo:

  whoami /groups | findstr S-1-5-32-544 > nul
  if errorlevel 1 goto IsAdmin
  echo Not Admin
  exit /b
  :IsAdmin
  echo Current user is a member of the Local Admins group. But we don't know if this session is elevated.

• PowerShell Native

  function Test-IsMemberOfLocalAdminsGroup {
  ([System.Security.Principal.WindowsIdentity]::GetCurrent()).Claims.Value -contains "S-1-5-32-544"
  }

• PowerShell with gsudo

  $IsAdminMember = 'true' -eq (gsudo status IsAdminMember)