Windows – How to create a folder in Program Files with UAC on from the command line

permissionswindowswindows 7

Up until now, I've always disabled UAC. Now, I'd like to play by the book and leave it on.

My test case is getting mkdir c:\program files\foo to work. When I run it (my user is an admin), I get Access is denied.

So, do runas /user:boom\administrator "mkdir c:\program files\foo", hoping this will help. I am prompted for a password. I hit ENTER, and get

RUNAS ERROR: Unable to run – mkdir c:\program files\foo 1327: Logon
failure: user account restriction. Possible reasons are blank
passwords not allowed, logon hour restrictions, or a policy
restriction has been enforced.

Fine, I try to setup a password for the administrator user. I look it up in the users tab in task manager or in User Accounts –> Manage another account, and it's not there.

How should I proceed? Is trying to run mkdir under administrator is even the right track? Should I try to run it under SYSTEM?

As a side note, I also tried installing Sudo for Windows, but couldn't get it to work, nor could I find a simple "hello world" tutorial for it (This is the issue I ran into).

Update – OK, I found cmd.exe and right-clicked "run as Administartor", and was then able to change the password by running a privileged taskmgr from it. Still, when I run runas /user:administrator "mkdir foo" and type the password I get the same error. This is a brand new laptop, not connected to a domain, and the admin password is not blank.

Update 2 – This is Win 7 64 bit professional, and I want to do this all from the command line. My goal is to create a simple "sudo.bat" script.

Best Answer

If you logged in account is an "administrator" then you should be able to right-click cmd.exe, "Run AS Administrator", Hit "OK" to UAC, and from there the mkdir should work in Program Files without any further prompting.

If you are not a admin user, and/or open the cmd in the regular user context (not "As Administrator"), then you'll be denied access to Program Files (as you have found).

Are you sure the error you're getting (once you are successfully using a known Administrator account/ password) with RunAs is the SAME error ("1327: Logon failure: user account restriction") and not "2: The system cannot find the file specified."?

Because I get error 2 when I try to RunAs MkDir (as an admin) because Mkdir is NOT an executable file (it's a system command), and that's all RunAs can launch.

You can use CMD.EXE in combination with RunAs, and then feed it the mkdir command. This is tricky due to nested double quotes, but in the end you should be able to use:

runas /user:administrator "cmd /C \"mkdir \"c:\\program files\\foo\"\""

From any command prompt (administrator or not) to pull off what you want.

(The extra backslashes are escape characters)

Related Solutions

Windows – How to run program from command line with elevated rights

It looks like this utility - Hidden Start - will do what you wish if you use the /uac switch. Here's an example command line:

hstart /UAC "notepad.exe"

This will pop up the UAC dialog rather than ask for a password like runas does.

enter image description here

Windows – Hide account from login screen but can be used in UAC

The original question was different, but I have actually provided an answer to this question before. See my post in the question "Always display the last / default user Windows 7 welcome screen" - it explains how to set up UAC and hidden accounts together so you can authenticate to the account via UAC but not log into it from the welcome screen.

Essentially, what you need to do is configure UAC to prompt for the user to enter both their username and password manually, allowing you to enter a username which is hidden from the login screen but still enabled. Instructions on how to do this are on the linked post.

In the meantime, it should still be possible for you to recover the account without doing a full reinstall. Open a command prompt (cmd.exe), and type runas /user:USERNAME regedit.exe, where USERNAME is the name of the administrative account. It will prompt you for that user's password; enter it and hit enter. This will open the registry editor running as that user, from which you can go in and revert the changes you made, adding back the account to the login screen.

Re-read your question and noticed that you said run-as won't work. What happens when you try booting into safe mode? I seem to recall that with Windows 7 Home Premium, the built-in administrator account is disabled by default, but is enabled in safe mode, allowing you to log into it and make changes. Unless you have hidden the built-in account in addition to whatever account you set up, this may work.

Finally, if all else fails, you could try running a system restore from the recovery console. Boot onto your Windows 7 installation disk, and choose to "repair a windows installation" instead of install. You can select your installation, then will eventually get to a screen where you can choose to do a restore. This should change the registry back to how it was before you made the change, if it has an old enough restore point. Your files will not be modified by a system restore, although some system settings might be.

Best Answer

Related Solutions

Windows – How to run program from command line with elevated rights

Windows – Hide account from login screen but can be used in UAC

Related Question