MakeMeAdmin — temporary admin for your Limited User account

[added March 11, 2005:  Important follow-up here:]

[edited Aug 6, 2012:  That follow-up post now includes the download, as the original hosting server is being decommissioned.]


Common scenario:  you log on with your Windows domain account, which you have removed from the Administrators group (as well as from Power Users, Backup Operators, etc.).  When you need to perform tasks that require elevated privileges, you use RunAs to start a program with the local Administrator account.  You quickly realize two things:

  1. The program running as local Administrator cannot access network resources, since your local account is recognized only on your own computer; and
  2. Any per-user settings apply to the local Administrator’s profile, not to the profile you normally work with.


The first problem often occurs when installing software from a network share, or an ActiveX control from an intranet site that uses Windows authentication.  An area where the second problem crops up is with applications that assume that it will be installed by the same user who will use it.  Some apps also have a “run-once” problem, in which the app needs to be executed one time with admin privileges.  For some, such as Windows Messenger 4.x, each user has to run it one time with admin privs.


The per-user settings problem also occurs with the Power Options applet in Control Panel, which modifies both per-machine and per-user settings.  When you use it from an unprivileged account, an error occurs writing the per-machine settings, so the per-user settings never get written.  When you use it from the local admin account, the per-user settings you write are for the local admin account, not the account you normally use.


There are a number of ways to address the network access problem.  The first of these that I’ll describe also addresses the user profile problem.


Elevating your normal account to admin


The only effective way I know of to address the user profile issue is to make your “normal” account an administrator.  The trick is to do it for the least amount of time necessary. 


The long and painful way


Using an admin account, you can add your normal account into the Administrators group, but that change doesn’t take effect until the next time you log on.  If you’ve tried this, you’ve probably noticed that it’s a pain to add your domain user account into the Administrators group using the GUI – first you need to use RunAs to run the Computer Management / Local Users and Groups console; you then get prompted for network credentials to resolve the domain names because your local admin account isn’t recognized.  And then when you’re done with all that, your current logon still doesn’t have admin privileges because changes to groups and privileges only take effect on subsequent logons.  Finally, you need to remember to remove yourself from the Administrators group and then log back in again to make that change take effect.




MakeMeAdmin.cmd addresses all of these issues.  When you run it, you get a Command Prompt running under your normal user account, but in a new logon session in which it is a member of the Administrators group.  This Command Prompt and any programs started from it use your regular profile, authenticate as you on the network, but have full local admin privileges.  All other programs continue to run with your regular, unprivileged account.


How does it work?  Remember a moment ago when I mentioned that changes to groups and privileges take effect only on subsequent logons?  The critical thing to understand is that you do not actually need to log out in order to log on.  If you use RunAs to start a process with your current account, it creates a new logon session and builds a new token, taking into account group memberships in effect at that instant.  MakeMeAdmin.cmd invokes RunAs twice, prompting you first for your local admin password, then for your current account password.  The bit that runs as local administrator does the following:

  1. Adds your current account to the local Administrators group (using NET LOCALGROUP, avoiding the problem of needing network credentials to resolve names);
  2. Invokes RunAs to start a new instance of cmd.exe using your current account, which is at this instant a member of Administrators;
  3. Removes your current account from the local Administrators group.

The result of the second step is a Command Prompt running in a new logon session, with a brand new token representing your current account, but as a member of Administrators.  The third step has no effect on the new cmd.exe’s token, in the same way that adding your account to Administrators does not affect any previously running processes.


The zip file (attached to this post) also includes a less-privileged version, MakeMePU.cmd, which temporarily elevates you to Power Users instead of Administrators.


A very brief bit about processes and tokens


I’ll try to keep this as brief and broad-brush as possible.  What follows is not 100% accurate and complete, but if you’re unfamiliar with the concepts I think you might find it helpful:

  • Every program in Windows runs in a “process”.  A process may display zero or more windows.  You can see a list of the running processes by starting Task Manager and clicking on the “Processes” tab.  If you click on the “Applications” tab, then right-click on one of the items listed there and choose “Go To Process”, it will show you which process that “application” is running in.
  • A “token” identifies a user, the Windows groups that user belongs to, and a set of system privileges, such as the ability to change the computer’s clock.  When a user logs on (including with RunAs), the system creates a new token for the user, determining at that time what groups the user is a member of and which privileges the user should have.  Once a token is created, one can’t add or (generally) remove any groups or privileges from the token.
  • Every process always has a token.  In almost all cases, its token is a copy of that of its parent process (the process which started it).
  • Whenever a process tries to access a securable object (such as a file or a registry key), an access check is performed by comparing the process’ token to the “access control list” (ACL) of the object.  The result of that access check determines whether the requested access is allowed or denied.


Addressing the network resource access issue


If you prefer to use the local administrator account, but need to use your domain account for network access, there are a couple of other approaches:


From your local admin Command Prompt, you can simply NET USE to authenticate to the specific resources you need to access.  You need to authenticate separately this way for every remote computer you wish to access.  NET USE is logon-session specific, so any connections established in one Command Prompt affect only processes started within the same RunAs session.


Another commonly used approach is to use RunAs with /netonly.  The /netonly option starts the target process in a new logon session with the current token, but with the account you specify for all SSPI-based network access.  You can kind of think of it as implicitly calling NET USE for every remote computer you try to access.  Here’s how you might use it (ignore word-wrapping – this should be one line):

runas /u:%COMPUTERNAME%\Administrator "runas /netonly /u:%USERDOMAIN%\%USERNAME% cmd.exe"

(If you have renamed your builtin Administrator account, change “Administrator” to the new name.)

As with MakeMeAdmin, RunAs is used twice and you’ll get prompted for two passwords:  that of the local Administrator, and that of your current account.  What you’ll get is a Command Prompt running under the local Administrator account, using the local Administrator profile, but authenticating on the network with your domain account.  (Confusingly, the title bar will say that you’re running as the domain user rather than as the local administrator.)


Tradeoffs of MakeMeAdmin vs. using the builtin Administrator account


Personally, I prefer using MakeMeAdmin.  The main issues I have run into with MakeMeAdmin are 1) telling privileged from unprivileged apps, 2) Explorer issues, and 3) issues with objects created while running with elevated privilege.


1.  Telling privileged from unprivileged apps


In two previous posts, I echoed Keith Brown's suggestion to change the admin’s background bitmap for Explorer and Internet Explorer so that you could tell your admin windows from your non-admin ones.  But with MakeMeAdmin, you can have different IE and Explorer windows all running as “you”, but some with administrator privileges and others not.  The background bitmap settings are associated with user accounts, not with privilege levels, so they don’t help you in this scenario.


I promised to provide a solution.  It’s called PrivBar and it adds a toolbar to your IE and Explorer windows that lets you know at a glance at what privilege level that particular instance is running.  At this point I will have to postpone it to a future post – this post is already very long and very overdue!  I will try to post it really soon!  [July 24, 2004, 11:40pm Eastern US time:  It's up!]


2.  Explorer issues


If you want to start explorer.exe from a MakeMeAdmin context, you need to set the Separate Process flag for your normal account, and you must start explorer.exe with /root, in the command line unless there are no other Explorer windows running.  For more information, read my post about using RunAs with Explorer, paying close attention to “More info about Explorer’s Separate Process flag” and the references to explorer.exe command line options.


3.  Objects created while running with elevated privilege


Normally, when a user creates a securable object, such as a file, folder, or registry key, that user becomes the “owner” of the object and by default is granted Full Control over it.  Prior to Windows XP, if the user was a member of the Administrators group, that group, rather than the user, would get ownership and full control.  The user still had ownership and control over the object by being a member of Administrators.  But if you created objects while a member of Administrators and then were removed from the group, your subsequent use of those objects could be limited or completely denied.  Windows XP introduced a configurable option whether ownership and control of an object created by an administrator would be granted to the specific user or to the Administrators group.  The default on XP is to grant this to the object creator; the default on Windows Server 2003 is to grant it to the Administrators group.


I’m not on the Windows team and was not party to the thinking that went into exposing this option and establishing its defaults.  My guess is that it was that on the server, all admins are equal.  If I’m an admin on a server and I create an object and am later reassigned or leave the company, any other admin should be able to access and manage the objects I created without any trouble.  A workstation, however, is more likely to be a single-user device.  Objects I create on my computer, such as documents, should remain under my control even if I change myself from a Computer Administrator to a Limited User (to use XP Home Edition’s terminology).  I think this makes a lot of sense.


However, MakeMeAdmin changes things.  If I use MakeMeAdmin to install programs, my normal account will be granted ownership and full control over the installation folder, the program executable files, and any registry keys the installation program creates.  Those access rights will remain even when I am no longer running with administrator privileges.  That’s not what I want at all.  I want to be able to run the app, create and modify my own data files, but not to retain full control over the program files after I have installed it.  For this reason, I changed the “default owner” setting on my computer to “Administrators group”.


To view or change this setting, open “Local Security Policy” in Administrative Tools, or run secpol.msc.  You need to be an admin to use this tool.  In the left pane, browse to Security Settings \ Local Policies \ Security Options.  The policy name is “System objects: Default owner for objects created by members of the Administrators group”.  The allowable settings are “Administrators group” or “Object creator”.


Coming Real Soon

  • PrivBar
  • Running with a restricted token (what does “protect my computer and data from unauthorized program activity” actually mean)
  • ???


Comments (228)
  1. Dane Watson says:

    Thank you for the excellent informative posting

  2. Andrew Storrs says:

    Thanks Aaron, I’ve been eagerly awaiting this post… Looking forward to the privbar

  3. Daniel Schlößer says:

    On a German Windows one has to change in the batch file the group name from Administrators to Administratoren 😉 It works perfect now!

  4. Wes says:

    Very informative post for me. Thanks for the lesson, now maybe I will try to run as non-admin.

  5. Daniel, thanks for the note. I should have mentioned that the script can be customized, for localization or any other reason. Thanks for pointing it out.

  6. ToddM says:

    I had to make a change or five to get the batch file to handle user names with embedded spaces. Wasn’t exactly a trival change, either, given the existence double quotes already in the cmd file. (And, no, just using " didn’t help, either). Once I’ve got it cleaned-up, I’ll post here.

  7. ToddM – thanks, good point. Does this work for you? (I’ve tried it and it seems to work for me…) Mostly just replace instances of %1 with "%*". I’ve only tried this with the current username with an embedded space – didn’t try domain/workgroup name with embedded space, or a renamed admin account with an embedded space.

    @echo off


    set _Admin_=%COMPUTERNAME%Administrator

    set _Group_=Administrators

    set _Prog_="cmd.exe /k Title *** %* as Admin *** && cd c: && color 4F"


    if "%1"=="" (

    runas /u:%_Admin_% "%~s0 %_User_%"

    if ERRORLEVEL 1 echo. && pause

    ) else (

    echo Adding user %* to group %_Group_%…

    net localgroup %_Group_% "%*" /ADD

    if ERRORLEVEL 1 echo. && pause


    echo Starting program in new logon session…

    runas /u:"%*" %_Prog_%

    if ERRORLEVEL 1 echo. && pause


    echo Removing user %* from group %_Group_%…

    net localgroup %_Group_% "%*" /DELETE

    if ERRORLEVEL 1 echo. && pause



  8. Ari Pernick says:

    "iexplore.exe -new" will do what you want without setting any special settings.

  9. Ari – what does -new do for iexplore.exe? Wasn’t that for starting IE 4.x in a new process? Starting iexplore.exe always results in a separate process now.

  10. Howard Hoy says:

    We use a similar process here for our Zenworks Deployments. In some instances the Zenworks tool will not properly elevate a user which then requires us to add a user to the admin group, then remove them. I have devloped a tool called Authenti-key for NT that allows you elevate installs as an administrator. IT works on 95 – XP. You can create an elevated CMD window and perform any admin task from there. Similar to SU and can be used in scripting.

    Here is a link.

    Great work on the script. !!

  11. Anonymous says:

    Use MakeMeAdmin.cmd when installign software

  12. Anonymous says:

    Use MakeMeAdmin.cmd when installign software

  13. Extra88 says:

    This is an interesting script. It has some room for error but I have an idea about how to avoid that. Some fellow who seems to work for Microsoft in some capacity has written a batch script called MacMeAdmin that…

  14. Marc Poljak says:

    thanks a lot for this superb script. I was looking for a solution that addresses the issues with "RunAs" for a long time.

  15. Carolh says:

    Great utility. The one problem we ran into is that we have the "installation" file on a netware server, and can’t point to the network drive mapping.

  16. Carolh – Correct. SMB sessions (e.g., NET USE connections and drive mappings) belong to a logon session. Since MakeMeAdmin runs in a separate logon session from your main shell, it doesn’t automatically get the shell session’s drive mappings. (I assume the same or similar is true with IPX/SPX stuff.) You can create a new connection within the MakeMeAdmin session using NET USE or the NetWare equivalent.

  17. Clever – I was wondering how you were going to get around the logon problem, but the minute you said "creates a new logon session" I knew where you were going! Cute!

    That said, I’m personally a bit queasy about any RunAs style solutions – because the secure and insecure windows are in the same (ok, I’m hunting for the term, what do you call the ?contexts? ?windows sessions? that which every logged on user under XP fast user switching has one of – I’ll call them window sessions for now – I know there’s a proper term for them) window session, there is a greater chance of cross-application attacks through SendMessage, PostMessage, screen grabs, etc. Personally, I’m pretty happy with the Fast User Switching approach on my home machine (which obviously isn’t a domain member) – I use the account "Admin" (created) for administrative stuff and then there are personal accounts for my wife and I, guests, etc. With 768 MB of RAM, I rarely run into resource issues, even with up to seven simultaneous sessions logged in. It only takes ten seconds to hit Windows-L, click, type in the Admin password, and go do something.

    Of course, to be safer, I should never su to root on my Linux box (since anyone who manages to get access to my personal account could easily alias su to something else), etc. I do try to change all my passwords whenever I am forced to authenticate from a machine I don’t trust (i.e. Internet cafes in airports).

    –Toby Ovod-Everett

  18. "Common scenario: you log on with your Windows domain account, which you have removed from the Administrators group (as well as from Power Users, Backup Operators, etc.) . When you need to perform tasks that require elevated privileges, you use RunAs to start a program with the local Administrator account. You quickly realize" that this is a pain in the posterior! Here’s how to go about it much easier and without the limitations….

  19. Toby – I’ve never had my code called "cute" before. Thanks?

    The term you are looking for in the 2nd paragraph is "desktop" – as in, the Win32 construct that is defined within a Window Station. (See . Any program (more accurately, any thread) running on a particular desktop can access any window running on that desktop, send it messages, simulating keystrokes and mouse events, etc. When you use RunAs, you’re creating a new program running in a different security context, but on the same desktop, so the risk you identified exists. With Fast User Switching, you are switching to a different desktop and are not vulnerable to those kinds of attacks. I pointed to Fast User Switching in an earlier post called "The easiest way to run as non-admin"; it is IMO also the most secure way to run as non-admin for the reason you point out. However, FUS isn’t available for domain-joined machines.

  20. Marc Poljak says:

    Aaron – is there a way to avoid the first command prompt for the local administrator? I would find it great if you know a method how to pipe it, like for example: echo YourSecretPassword| runas /u:%_Admin_% "%~s0 %_User_%" ?

  21. Sean McLeod says:

    I looked at my Local Security Policy on my XP machine and "System objects: Default owner…" is set to "ObjectCreator". However when I check the ownership of files, e.g. Adobe Acrobat Reader and others under "Program Files" the owner is my local machine’s administrators group and not my account (which currently is part of the administrators group).

    My machine isn’t part of a domain.

  22. Anonymous says:

    Rage on Omnipotent » Make me admin

  23. Sean McLeod says:

    I guess another combo option to get the benefits of running your admin session in a separate desktop using FUS and to use the same user account functionality that MakeMeAdmin offers is to try the following:

    Use FUS to login into the Administrator account.

    Have a script in the Administrator’s startup folder that:

    – Kills the explorer.exe process

    – Runs a tweaked MakeMeAdmin script to create a new explorer process with your regular account added to the administrators group

    Now any further processes that are launched by this instance of explorer will be running with your account in the administrators group.

    For those people who can’t use FUS since they’re part of a domain the other option to look into with XP SP2 is the ability to have an active console user and an active RDP session. There was talk that this would be added in XP SP2 specifically to support the use of Mira/SmartDisplay devices.

    If this is enabled in XP SP2 then you could use the above combination just replacing the FUS component with an RDP session back to your localhost.

  24. Sean McLeod, re ownership of files. I just checked an XP SP1 box that I never changed the default owner setting on. DIR /Q in the Program Files folder shows a mix of specific account and BUILTINAdministrators ownership. I’m going to take a completely wild guess here and suggest that the ones that show BUILTINAdministrators were created/installed by the Windows Installer or Automatic Updates services running as System.

    Re your FUS replacement – I’d call that "Scary User Switching". I could come up with something that kept the same acronym, but I’d probably be banned from blogging! 🙂 Seriously, I would expect so many things to break that way, not to mention the security problem of previously running apps trying to do things through the shell – if they manage to do so at all, those things will run with elevated privilege. RDP back to localhost would be good – not as good as FUS since it would still share the same desktop, but could be good.

    FWIW, I made a brief attempt to take the old DESKTOPS SDK sample app and rework it to support different contexts on different (Win32) desktops. It kinda sorta worked, but failed in odd ways, too.

  25. Marc Poljak: as far as I know, RUNAS.EXE does not let you enter passwords through stdin. This is probably to discourage the practice of storing passwords in plain text files.

  26. Sean McLeod says:

    In terms of RDP back to the localhost, if you’re logged onto the console as userX and then RDP back as admin the terminal services component will create a separate desktop for the admin logon session. So I’m not sure why you say it’ll share the same desktop.

    Only issue is that I think the multiple session option will only be available for Windows Media Center Edition machines with SP2 and not regular Windows XP Pro with SP2.

  27. Sean McLeod says:

    In terms of "Scary User Switching" 😉 the only ‘previously running apps’ would be apps started by the 1st instance of Explorer running apps in the admin’s startup group etc.

    These are the same apps that would run anyway when you use FUS and login in as admin. So I’m not sure what ‘security’ issue you’re thinking of in terms of these now communicating with the 2nd instance of explorer running as your regular account with admin group privileges since they already have admin privilige so could do just about anything anyway.

    I was assuming that your admin account wouldn’t have loads of these and that 99% of the actual apps that you want to run with admin privileges like user manager etc. you would launch via the new instance of explorer and these would have a token of consisting of your regular account plus the admin group and be the same as the 2nd instance of explorer. So there shouldn’t be any ‘interaction’ problems between these an explorer.

    If you definitely didn’t want there to be any chance of mixing apps running under the admin account with apps running under your regular account as part of the admin group then another option is a specialised userinit process for your admin FUS session.

    Modify WinLogon’s userinit registry value to run ‘customuserinit.exe’ instead of the standard ‘userinit.exe’. In this custom userinit program check to see what our current user is, if it isn’t administrator then just run the standard userinit.exe and quit.

    If the current user is administrator then use a version of your MakeMeAdmin concept to use runas to run the standard userinit.exe with a token of your standard account in the admin group. The standard userinit will then launch explorer and so all processes now will be running with the same token (standard account in the admin group).

    So you’ll now have 2 FUS sessions, one running as your standard user account without admin privileges and another running as your standard user account with admin privileges on separate desktops.

    The one potential downside I see to the MakeMeAdmin concept is that you may have virus/spyware stuff installed as a browser helper object (BHO) or some other variation. But they don’t have admin rights which is great since you’re not part of the admin group. However if you then use MakeMeAdmin to create a process with yourself in the admin group and then you run an instance of IE now suddenly the spyware BHO will be loaded by this new instance of IE and will now be running with admin rights.

  28. Sean McL, re RDP back to localhost: I’m referring to the fact that your RDP client app (typically mstsc.exe) is on the same desktop as your non-privileged logon. Unprivileged apps could (at least theoretically, I haven’t tried it) send messages to the mstsc window to direct key and mouse events to the remote desktop.

    I’ll tackle your next post after I get some coffee 🙂

  29. Will Brown says:

    Aaron Margosis: I love this blog, thank you so much for the time and effort!

    Aaron && Sean: Considering the whole same desktop/message issue (how hard would it be for malware to find a process with admin rights? furthermore why isnt there any security for messaging), it seems that Sean’s solution, Scary User Switching, as its now officially known :D, seems to be the best one. I’m not sure what the ‘previously running apps’ are either. They only thing they could be are things started by user logon scripts. According to this <; the only things userinit does are run logon scripts, establish network connections, and then start explorer. so if your special MakeMeAdmin account isnt running anything with loginscripts, the first thing to run should be explorer.

    One thing I think might be better. Instead of making a custom userinit application (which would need to call userinit anyway to reestablish network connections), couldn’t we set user specific paths to explorer, by changing Shell in HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionIniFileMappingsystem.iniboot from "SYS:MicrosoftWindows NTCurrentVersionWinlogon" to "USR:SoftwareMicrosoftWindows NTCurrentVersionWinlogon". Then create the Shell entry in that key for each user and point set them to explorer.exe. Except for your special MakeMeAdmin account, set it to the properly modified MakeMeAdmin.cmd.

    Marc Poljak: storing the admin password in the file would defeat the purpose. i don’t see any prob with using the savecred option to eleminate having to type in the password for the current user account though. it would be saved in the admin’s credentials folder.

  30. Sean McLeod says:

    Will the one issue with your approach is that any processes launched by the login scripts will now be running with the Admin token and not the regular user account in the admin group. Also the network connections will be established with the admin account.

    So you’ll have a mix of accounts which is what I was trying to avoid with the custom userinit approach.

  31. Marc Poljak says:

    Will Brown: Yes, I know that storing a password in a plain text file is a very bad idea, but there are tools with which you can transform a BAT file into a EXE and then obfuscate the code in order to prevent the retrieval of the password via a hex editor. With a script like MakeMeAdmin you can launch a new command shell with elevated privileges or you can launch all kind of things through a logon script. This is useful if you do not have Group Policies and Active Directory at your disposal or an installed "agent" on the client, which runs under the local system account.

    But, with the /SAVECRED option I have the result which I was looking for (well, not quite what I wished, but it works and that’s important!). So, thank you for getting me on the right track.


    Marc Poljak

  32. I experienced a similar problem with right delegation and I developed a little utility called MyRunAs that allow you to run a program impersonating another user (like Windows RunAs) but it generate an executable where there are the user credentials and the program name crypted.

    Take a look on



  33. Sean McLeod – The first time I read your post about what I called "Scary User Switching" I misunderstood exactly what you were doing. I guess it might work – have you tried it?

    Note that once you apply SAVECRED, the creds can be used with other apps as well, not just the one you specified.

  34. Sean McLeod says:

    Aaron, yes what I was proposing was really just a combination of your suggestions with hopefully the best benefits of both, i.e. using a separate admin account with FUS and using MakeMeAdmin to create a logon token that is a combination of your regular (LUA) in the admin group (call this your ‘MakeMeAdmin’ account, although it’s not really a separate distinct user account).

    So you end up with a separate desktop session and all the added security benefits that brings but at the same time instead of running processes in this desktop as the administrator account and the potential hassles that brings with network credentials, installing software etc. you run as your special ‘MakeMeAdmin’ account.

    I’ll test it out on a test machine in the next couple of days and let you know how it works, just a bit busy with some ‘real’ work 😉

  35. Great! says:

    I was wondering what it would take make this into a SHell extension to create a kind of SUPER_Runas feature. Would be awesome to be able to right-click on an app/shortcut and run as any user elevated to Admin or poweruser etc.

  36. Great! says:

    I was wondering what it would take make this into a SHell extension to create a kind of SUPER_Runas feature. Would be awesome to be able to right-click on an app/shortcut and run as any user elevated to Admin or poweruser etc.

  37. Anonymous says:

    Will’s Blog – Adventures of an IT Grad &raquo; Running as Limited User and Having temporary admin priveledges

  38. Anonymous says:

    Nerhood Weblog – Digital Diary – Family, Work, Technology, Books and Media &raquo; MakeMeAdmin &#8211; temporary admin for your Limited User account

  39. Anonymous says: &raquo; Bra verktyg f?r Windows

  40. Whether you use Windows or Linux, each provides for the creation of users with different security privileges. That is, the ability to execute certain functions. In Windows, the highest level is Administrator and in Linux it’s called root. For the purpose of this post, I’ll concentrate on Windows for…

  41. Aaron Margosis is a Microsoft employee who is writing a weblog on running Windows with least privilege on the desktop. If you are having trouble running applications under an account with less privileges than administrator, there are many useful suggestions…

  42. Anonymous says: &raquo; The Non-Admin Blog

  43. MakeMeAdmin script updates, and a security setting you should change

  44. Complete list of Aaron Margosis’ non-admin / least privilege posts, for easy lookup.

  45. Jason Haley says:

    Installing .inf files if you are living the non-admin lifestyle

  46. Yang says:

    I learn something usefull today!

  47. tonyso says:

    Get your friends and family, all those folks that come to you for computer help once their machines have…

  48. I got a shiny new tablet (Toshiba M4) and spent some time installing all the software that I usually…

  49. Ok, ik heb vandaag wat sessies gevolgd over de security improvements in het Longhorn timeframe en hoe…

  50. Very handy tool for those of us that rightly develop under the ‘least privileged’ user context.


  51. Very handy tool for those of us that rightly develop under the ‘least privileged’ user context.


  52. OK, the last entry was a teaser for a blog entry or two on what developers can and IMHO should do regarding…

  53. ken says:

    Anyone know how to gain Administrative Privilages with a Limited Account if you don’t know the password?

  54. Matt says:

    How can you get around typing in the local administrator password?

  55. vxcyvxv says:

    Simply not?

    Well, there’s another way to get this working without needing to pass any password at all.

    Let run a priviledged service which accepts requests from users to spawn a certain process, but only if it is on a whitelist – just like suid-Bit under Linux.

    There’s are two alternatives known: SuSrv+SrvAny with two instances, and the commercial (free for personal use) PolicyMaker Application Security, which allows a certain fine tuning on what access should be actually granted.

  56. Paul Blair says:

    This little utility inspired me to write a service based app that allows you to launch any program as yourself with an admin token. If anyone want’s to try it out and comment, you can grab it here….

    Thanks Aaron. 🙂

  57. Archos says:

    it does’nt work with me…it’s asking for admin password which i don’t know.

  58. Archos – that is correct. You need to have the admin password in order to do this. Otherwise it would be an unauthorized elevation of privilege!

  59. Mike says:

    Not sure what I’m doing wrong, but running this gives me an error after entering the first local admin password:

    Enter the password for ADMINCOMPAdministrator:

    Attempting to start

    d DOMAINmsmith as user "ADMINCOMPAdministrator" …

    RUNAS ERROR: Unable to run – C:DOCUME~1MSMITH~1.DOMDesktopMakeMeAdmin.cmdkeM

    eAdmin.cmd DOMmsmith

    87: The parameter is incorrect.

  60. Mike says:

    Well running it from the root of the c drive works fine. Seems as though it just refuses to run properly from the desktop.

  61. Yinon Ehrlich says:

    I cannot use your batch-files, nor a simple runas.exe.

    My administrator user name and password are in Hebrew. Moreover, the Administrator user name consists of more than one word. All of this is fine for me, it make me feel more secure and it works with "Shift-right-click-run-as".

    But: runas does not accepts it. (I’m using Windows XP Home Ed. SP2).

    Anyone has a suggestion ?


  62. Vatroslav Mihalj says:

    Try using quoatation marks for domain accounts, to avoid interpreting "" as directory separator in batch scripts

  63. Vatroslav Mihalj – I’m not sure what problem you’re trying to solve.  The script should already have quotes in the correct places – see where "%*" is used in the second part of the script.

  64. Mike Logsdon says:

    I have a laptop with only one user.

    The past user, removed ALL users, except for

    the one guy getting the laptop.

    He is a Limited user, and we need to make

    him a Administrator and add a USB printer.

    Do you think this MakeMeAdmin will help?


    Mike Logsdon

  65. Mike Logsdon – Rather than make the new user an admin, log on with the Admin account and install the printer from there.  I assume the previous user did not delete the built-in Admin account.  If there truly are no admin accounts left on the computer, reformat and reinstall Windows.  Note that in order to use MakeMeAdmin, you need to have the password for an admin account, and neither the Admin nor the User account can be blank-password accounts.

  66. Jürgen Barthel says:

    Have written a little tool based on Arons idea.

    Comments please here or to

  67. Aaron H. says:

    Aaron, regarding Mike Logsdon’s concerns, we have the same need.  I thought when you add a local printer, it only installs for that user.  If this is true, when you log on to the machine as the local admin, install the printer, log off and log on as the original user, then the local printer would not be listed.  

    Am I correct in thinking that the local printer is user specific?



  68. Brad says:

    Aaron H.–

    "Local Printers"–those that you physically connect to your computer, as well as those for which you add a port (e.g. Unix Print Services/IP Printing)–exist for all users.  These must be installed by an administrator.

    "Network Printers," for instance those shared over a Domain/SMB can be installed by anyone.  Those printers exist only for the user who installs it.

    Hope this helps…

  69. LyndonB says:

    Why couldn’t this be used to make an attack on Windows from a Limited User Account especialy for users with blank admin passwords

  70. LyndonB, this tool does not enable elevation-of-privilege attacks.  Several points:

    1.  You need to have the admin password in order to use MakeMeAdmin;

    2.  This tool will not help you guess or crack the admin password if you do not have it;

    3.  If you have the admin password and you’re not authorized to have it, you can just log in as the admin – you don’t need to use this tool;

    3.  If the local admin account has a blank password, you can’t use RunAs with that account – blank-pwd accounts can be used only for interactive logon, not for network logon or runas.  And again – if the admin account has a blank password AND you have access to the console, you can log on as the admin at the logon screen.


  71. A systematic approach for working around LUA bugs that avoids unnecessary exposure – &quot;the rest of the story&quot;

  72. Yinon Ehrlich, sorry for the delay in responding.  Two things:

    1.  The version of MMA that is currently posted supports usernames containing spaces; but

    2.  This is what I’ve been told about console apps and right-to-left languages like Hebrew:

    "Console apps don’t support complex script languages, and this is by design. For all console apps on such languages we fall back to English. Now since the administrator user name and password are both in Hebrew the option to use Runas is not valid."

  73. Dear Aaron,

    I find many big enterprises admins apply this technique during some software installation, but there is down side of it.

    It makes non admin user temporarily admin, which make security hole, now user can do anything like creating new local admin on that machine and letter use it as he want 🙂

    But any on personal machine this is very useful and secure technique.




  74. dhananjay singh – There are two sides to the "non-admin" issue:  users who are trusted to know when/how to elevate and do so judiciously, and users who are not trusted to make those decisions.  MakeMeAdmin definitely falls into the first group.  On my Table of Contents page I have separated out my posts based on that distinction:

  75. cibgiu says:

    Tool to pass crypt admin password:


  76. Sidney says:

    I can not get this to work. I get the bright dos window saying Admin but when I go to install it says Im not a admin.

    Please help

  77. Sidney – what are you trying to install?  Note that not everything started from an elevated process will remain elevated:  Look for the section called "When RunAs won’t work" in this post:

  78. I try to be a good citizen, I really try. I tried to take the plunge today to create a non-admin user…

  79. Coby says:

    Please e-mail me back at, I’m a limited account and I don’t have access to the admin’s account, is there any way, maybe through cmd, to become an admin, or at least to make another admin account from a limited account. If not is there any way to find out an admin’s password?

  80. MSBee requires administrative rights to be installed and same thing is true for .Net Framework 1.1 SDK…

  81. I’d heard about this forthcoming edition of Visual Studio 2005 Team System (Team Edition for Database…

  82. Gabor says:

    A new project has been just launched recently called sudoWn. It is based on the original MakeMeAdmin way but it is developed further for desktop PC users. You can find the project page @

  83. Denno says:

    I had to change the system on my computer but did not have access to an admin account thanks to your help i could change the setting (that only could be accessed by an admin) and the computer doesn’t stuff up anymore

    thanks denno

  84. ahmad azry says:

    how do i make my limited account to a admin account without a admin password…

    You can’t.  If that were possible there would be no reason to have limited accounts.

    — Aaron

  85. Rage says:

    Is there a way to gain the orginal password? after the admin password change.


    — Aaron

  86. Les Weston says:

    Hmmm. I mistakenly tested MakeMeAdmin while already logged into my Admin account. Now my Admin account has mysteriously lost its Administrator privileges (it is now showing up as a Limited Account). Is there any way to recover from this situation?

    I tried a System Restore from the “Last known good configuration”, but I had already rebooted before I noticed the problem, so the last “Good” configuration was no better. And my ‘Get Out Of Jail Free’ card (using System Restore to select a restore point that predates the problem) can’t be used because System Restore needs to run from an account with Administrator privileges. Catch 22?

    This is on a system running XP Pro SP1. I’m half way through installing SP2 in a separate partition, so it’s not a huge problem if this installation is beyond repair. But it does make me wary of trying MakeMeAdmin again.


    That problem has been noted before.  Some (at least partial) solutions are discussed in the comments to the follow-up post, particularly here and here.

    One can only do so much with a .cmd script.  Maybe one of these days I’ll make a PowerShell version of the script.

    — Aaron

  87. MakeMeAdmin And Console MatchMaker

  88. Diane Kepo'o says:

    I was wondering if you can humbly post the command line that will automatically input the administrator’s password. We’re trying to eliminate any user interaction when it comes to logging in as the local administrator.

    Thanks so much for the help!


    Windows does not provide such a tool.  Runas.exe accepts passwords and smartcard PINs only through keyboard input. I’m not on the Windows team and never have been so I don’t know for sure, but I suspect the reason for this is to discourage people from putting plaintext passwords in plaintext script files.  For alternatives, see option #5 in Fixing LUA Bugs Part II, but please take note of the risks involved.

    — Aaron

  89. arjen says:

    How can I use it to uninstall programs or application?
    Can someone help me with this…. tnx!

    From a MakeMeAdmin command prompt, you can get to the Add/Remove Programs applet by running “appwiz.cpl”.

    — Aaron

  90. I&amp;#39;d heard about this forthcoming edition of Visual Studio 2005 Team System (Team Edition for Database

  91. bob says:

    I am an admin and I need to find out a limited user’s password without changing it or them knowing. How?

    Sorry, there is no interface to support that.  Why do you need to do that?

    — Aaron

  92. Raghavendra says:

    same as secondary login……
    end task user’s explorer.exe…and then use
    ****runas /user:administrator explorer.exe****
    and there you will login as administrator…
    do the admin tasks and logoff from administrator …….
    now end task and start explorer.exe for user again…and you see that opened applications also wont get affected

    I’ve posted a better solution here that doesn’t require killing your existing explorer.exe instances.  And, BTW, the idea you proposed doesn’t address the scenarios that MakeMeAdmin (the subject of this post) was designed for.

    — Aaron

  93. Problematiken r&#246;rande lokala administrat&#246;rer, man st&#246;ter allt f&#246;r ofta p&#229; administrat&#246;erer som l&#246;ser…

  94. Marco Pires says:

    Hi , this is a useful tool.

    I work in a large construccion company, and we use (in the headquarters) VNC for acessing computers located outside in numerous construccion sites. On these sites , the Pc’s are in workgroups with acess to the domain network. What happens sometimes : people go from site to site , and have to change workgroup. Sometimes when you do this , you stop having access to VNC because the windows xp firewall blocks it . Is there a way to run MakeMeAdmin with the “netsh firewall set AllowedProgram” over ip or computer name?

    If not i’ll just have to go there…


    If the remote system is blocking remote administration, then you’re not going to be able to change the firewall settings remotely.

    — Aaron

  95. Scott says:

    Make one where you dont need ther administrators password because i stuffed up my computer by changing the admins password too fast =(

    You’re asking for a hacker tool.  MakeMeAdmin is not a hacker tool, and I don’t make hacker tools. 🙂

    — Aaron

  96. Earl Savino says:

    Look for transparent solution within a VB6 app to create special shared folder privledges for domain users ONLY when using the VB6 app.

  97. Earl Savino says:

    Look for transparent solution within a VB6 app to create special shared folder privledges for domain users ONLY when using the VB6 app.

  98. dgley says:

    Can you send it a batch file to run in the final window.  I have a bat file containing the net use to map a network drive.  I would like this to run this in the final cmd window so that a drive is mapped in the admin session.

    Is this possible?

    Sure — just add the batch file you want to the _Prog_ variable.  The “/k” option means “run the following command when cmd.exe starts, and then continue running.”  (The similar /c option runs the command you specify and then exits the shell.)  The && strings multiple commands together.


    — Aaron

  99. steve says:

    hi i am having problems with my lap top witch i got from a computer fair the make of the laptop is "stone computers". when i turned it on and tryed to change my user name it wouldnt let me go into the user accounts area as it said i didnt have correct rights to do so. i also tried booting my windows xp disk but it says access denied. i also tried accessing my bios settings but they have also password protected that aswell. iv tried the hiren`s boot cd but i cannot boot from cd. anyone have any ideas on how to gain access to my laptop?

  100. David Gley says:

    We must logon now with a CAC card now.  Since then, I have been unable to use the MakeMeAdmin.  I can logon on the first part as Administrator and it successfully adds me to the administrator group.  It then asks for my limited account password and this is where it fails.  I get the following error in the DOS window:


    Starting program in new logon session…

    Enter the password for MYDOMAINmyuserid:

    Attempting to start cmd.exe /k Title *** MYDOMAINmyuserid as Admin *** as user “MYDOMAINmyuserid” …

    RUNAS ERROR: Unable to run – cmd.exe /k Title *** MYDOMAINmyuserid as Admin ***

    1327: Logon failure: user account restriction.  Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced.

    Press any key to continue . . .


    Is there anyway to fix this.

    David, does it work if you use MakeMeAdminSC, which comes in the same .zip download?  It uses “runas /smartcard” to do the “re-login” using smartcard credentials instead of a password.  From the MakeMeAdmin followup post:

    MakeMeAdminSC works just like MakeMeAdmin but uses smart card authentication for the current user instead of password authentication, via the runas.exe /smartcard option.  Insert your smart card before running MakeMeAdminSC; it will prompt you for the admin password, then for your smart card PIN.  (In order to work, the smart card needs to be associated with the account you’re currently logged in under.)

    — Aaron

  101. David Gley says:

    It adds me to the Admin group but it also fails in the second logon.  Here is the results:


    Adding user MYDOMAINmyuserid to group Administrators…

    The command completed successfully.

    Starting program in new logon session…

    Reading smart cards…..

    The following errors occurred reading the smart cards on the system:

    No card on reader 2

    Using the card in reader 1.  Enter the PIN:

    RUNAS ERROR: Unable to acquire user password

    Press any key to continue . . .


    David, I suspect that since CAC cards are not standard, off-the-shelf smartcards, they may not be compatible with the expectations of Windows’ built-in credential handling.  Feel free to contact me via the email link above to dig into this further.

    — Aaron

  102. steve b says:

    can this tool be used to make a logoff script reboot or shutdown a windows xp machine?

    it just seems to be impossible


    Sorry, I just don’t understand what you’re asking here.  gpedit.msc will let you specify logon/logoff scripts.


    — Aaron

  103. jake says:

    hey, i have just one problem.  i cant seem to download some of my games without an administrator priviledge?

    Jake —

    Can you describe the problem more precisely?

    — Aaron

  104. Jason says:

    What is the temp admin password? How do you change it?

  105. [deXter] says:

    For users who’d like to automate typing in the admin password, a better alternative to RunAs would be using Mark Russinovich’s PsExec.exe tool (part of the PsTools suite). PsExec allows you to specify the username and password in the commandline.

  106. Les Weston says:

    > For users who’d like to automate typing in the admin password, […] PsExec allows you to specify the username and password in the commandline.

    Isn’t that compromising the security of your PC? Anyone who gets sight of your command line can see the username and password of your Administrator account in plaintext.


  107. dexter_m says:

    If its an issue, then you could make a program to launch psexec. That way you wouldn’t be storing it in plaintext. To make it somewhat more secure, you could perhaps encrypt the password and obfuscate the exe.

  108. Iggs says:

    I’m not a scripting guy, I’m a sysadmin. I would love to use this script for making administative changes on users’. By default Domain Admins are members of local Administrators group, but I never sure what is local administrator’s password is. I tried making changes to the script to prompt me for username and password of an account with admin rights, which is a domain admin account and it works, however for some reason it does it twice. I used SET /P for that, just for the reference, I would like to know how to populate _Admin_ variable with something I want.

    Thank you in advance.

    Iggs:  the only change you should need is to change the set _Admin_ line to
            set _Admin_=MYDOMAINMyAdminAccount
    where MYDOMAIN and MyAdminAccount are replaced with your domain and your domain admin account.  Is that not working?  When you say, “it does it twice”, what do you mean — it does what twice?  Note that with MakeMeAdmin, you get prompted for two passwords:  first the admin account password, then the password of the user you’re temporarily elevating.


    — Aaron

  109. How to automatically set the color and title of *all* CMD shells based on admin/elevation status with a one-time, one-line configuration change to your system.

  110. Vincent says:

    I’ve been using MakeMeAdmin for quite a while, but on a recent install of XP on a laptop, when running Windows Explorer with elevated privileges, the view does not refresh after, for example, deleting or moving files. This happens with other dynamic views, such as Network Connections (if I turn off my wireless network card, it still shows it in the view unless I hit F5). This only happens when I use MakeMeAdmin to elevate privileges, under normal privileges (the user account is only in the Users group) the views refresh, and similarly if I log into the Administrator account, the views behave accordingly.

    I promise I’ve tried hitting Google up as many different ways as I could think of, but I’m at a loss, and out of five computers I run MakeMeAdmin on, this only happens on one. Any help would be most appreciated, thanks.

  111. Iggs says:

    I’m having the same problem. The window with elevated privileges does not refresh, I have to hit F5. Not sure why.

    BTW, this also happens when I use WinSUDO (another great tool).

    Iggs/Vincent/and others:

    Hmm, I thought I had posted about this at some point, but I guess I haven’t.  The problem is that the way Explorer does refreshes is that there is one central location, in one Explorer process, that performs the actual change monitoring. (*)  When a change event occurs, that process notifies the Explorer windows that registered interest.  The problem is that the transferring of the information requires cross-process access, which gets blocked when the desktop Explorer tries to open the admin Explorer process.

    (*) Obvious question is “why was it done this way?”  The answer is (like many other answers) that Windows Explorer was architected for an OS that needed to be able to run on systems with 4MB of RAM.  Since Explorer was never designed to support multiple security contexts (and still isn’t even on Windows Vista), there has not been a need to change this implementation.

    — Aaron

  112. iggs says:

    Aaron, I would like to continue this thread.

    You wrote.


    Iggs:  the only change you should need is to change the set _Admin_ line to

           set _Admin_=MYDOMAINMyAdminAccount

    where MYDOMAIN and MyAdminAccount are replaced with your domain and your domain admin account.  Is that not working?  When you say, “it does it twice”, what do you mean — it does what twice?  Note that with MakeMeAdmin, you get prompted for two passwords:  first the admin account password, then the password of the user you’re temporarily elevating.


    — Aaron


    Sorry for my explanation, when I said it does it twice I meant it asks for the DOMAIN ADMIN account and the password twice and then it asks for the current user password. This is something I’m missing in the script. Not a big deal tho…


    Did you make any changes to the script other than the value of the _Admin_ variable?  Did you leave the SET /P in by accident?

    — Aaron

  113. christian says:

    i got your makeadmin from last year.. it does work once.. but when i try to use it now w windows xp.. it wont work anymore. When i double click the MakeMeAdmin.exe it prompt w this..mydomain/administratore enter new password:_!! but when i press any key n the key board it doesnt show in dos prompt.. so i press enter then ERROR:msg error in line… wrong password!! some one help!! so i can install freelly! thanks..

    Christian —

    When RUNAS prompts you for a password, it does not echo any characters back to the console.  Make sure you type the entire password before you press Enter.

    Hope this helps.

    — Aaron

  114. Chris Smith says:


    I’m very very bad at using PCs. I need to get admin so I can use it to download some things but I’m not quite sure how to use MakeMeAdmin.

    Do I need to know the admin password (Which i dont know)?

    Maybe you can give a newbie step by step for a not very PC tunned person.

    Thanks in advance.

    Yes, you need to have the password for an admin account to use MakeMeAdmin.

    — Aaron

  115. Chris Smith says:

    Is there a way of doing it without? If I knew the password I wouldn’t be looking at MakeMeAdmin to make me admin :/

    If there were, that would constitute a huge hole in the Windows security model — the whole model would be pointless, wouldn’t it? MakeMeAdmin doesn’t support *unauthorized* elevation of privilege.

    — Aaron

  116. Chris Smith says:

    Thats rubbish then. Is there anyway of getting temporary admin rites to download/install something? I really need to get something installed and can’t.

    Thanks for the replies dude.

    Rubbish?  How?  Whose computer are you using, anyway?  If you need something installed, get a legitimate admin of the system to help you out.

    — Aaron

  117. Chris Smith says:

    Its my family PC. Lets just say my dad is the kind of person who thinks that doing the simplist of things will slow down the PC and make it rubbish. My dad is the admin so I dont think there is much of getting what I want done.

    Add me on msn if you can:

    Its not rubbish by the way. Just not as good as I hoped 🙂

  118. deXter says:

    If you don’t have enough knowledge/skill to hack/crack/bypass the admin account of a PC you have physical access to, then your Dad was right in restricting you. Why dont you spend your time learning computers? Maybe your dad will trust you more then.

    Odd logic there, deXter…

    — Aaron

  119. MENDRES says:

    i prompt with this problem while running “MakeMeAdmin”..(my OS:XP prof with SP2)

    Enter the password for MyCompNameAdministrator:_

    Attempting to start D:MakeMeAdminMAKEME.CMD MyCompNamemyuseraccount

    1327: Logon failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced.

    Press any key to continue…

    MENDRES:  If the local admin account has a blank password, you can’t use RunAs with that account – blank-pwd accounts can be used only for interactive logon, not for network logon or runas.  So in order to use MakeMeAdmin, neither the Admin nor the User account can be blank-password accounts.


    — Aaron

  120. Matt says:

    I’ve been running into some problems with this program. Well, I did download it, and know a little about cmd myself, but every time I run the program, it asks me for a password, which of course I don’t know… Is there something I overlooked to surpass this problem? Please help.

  121. Matt says:

    Sorry for the double post, but here is what it leaves me with

    Attempting to start C:Docume~ …

    RunAs Error: – Unable to run C:Docume~…

    1326: logon failure: unknown user name or bad password


    Matt:  Sorry, but there’s insufficient information here.  Can you provide more detail?

    — Aaron

  122. Baqir says:

    If i don’t have the admin pass? It seems to does not work right?

    Any comment?

  123. Baqir says:

    If i don’t have the admin pass and using a limited account? It seems to does not work right?

    Any comment?

  124. deXter says:


    Why don’t you put a big red heading on the top of this page saying “This is NOT a hacking program- you NEED to know your Admin password for this program to work!”

    Would save you the trouble of having to reply to every newbie 🙂

    deXter:  Great idea.  Or I could just ignore them… 🙂

    — Aaron

  125. Baqir says:

    lol…tehre was no need to say all these things, you could say two things.first, this is not hacking program, second (more logic, i don’t know how…

    any way tnx for ur comments

  126. Patrick Rynhart says:

    Hi Aaron,

    The scenario is that I’m logged in as a Standard User (i.e. non-administrator) on Windows Vista, and I want to access the “me as admin” context.

    If I use MakeMeAdmin then I get an administrative token, but it is filtered (i.e. any application that I launch from that command prompt will trigger a UAC prompt).

    If (in the filtered command prompt) I type

    explorer /separate

    and then right click on a Command Prompt and select “Run as administrator”, then I get an unfiltered command prompt.

    My question is how can I get a command prompt with unfiltered admin rights without having to perform two steps (as above).



    Patrick:  I started playing around a while ago with a version of MakeMeAdmin for Vista, but never finished it.  Frankly, it’s not as important on Vista anyway, since Vista gives you that functionality out of the box (if you’re a member of the Administrators group), with significant improvements over how we needed to do it in XP.

    — Aaron

  127. Ken Green says:

    HP have suggested I contact you.  I am inexperienced in computers.  When I start up a message box appears showing two keys in the left corner and asking which account I want to use to run this program.  I have no idea what program it refers to and have tried OK, cancel, run and X, but it still appears. Please how do I get rid of it? I am using XP and HP computer.

    The message also says "Current user (owner) protect my computer & data from unauthorized program activity. This option can prevent computer viruses etc. but selecting it might cause the program to function improperly.

    All I want to do is to cancel out this box.

    Many thanks

  128. Scott says:


    I apologize in advance if I’m asking this question in the wrong thread. I work for the U.S. government and we use two-factor authentication (Gemplus smartcards) in an Active Directory domain.

    My question (2 parts) is this; is it possible to use a runas command which authenticates through the smartcard? The main reason for this is to load user specific applications (so we have to be in their user environment).

    If not runas, would “net use” be capable?

    Thanks for any advice you can give me.


    First:  try RunAs.exe /smartcard

    Next:  Take a look at the MakeMeAdminSC version of MakeMeAdmin, referenced in the follow-up post to this one:


    — Aaron

  129. Scott says:


    Thank you for your help, and I apologize for not spending more time researching before taking up your time.



  130. najevi says:

    MakeMeAdmin & PrivBar are great tools. Thank you Aaron.

    [i]See also [url=]Les Weston’s

    post.[/url] Les describes the same situation as mine but the posted replies address patches to the code within MakeMeAdmin.cmd and not any immediate remedy to the situation such a user finds themselves in.

    …Using a system restore point is overkill so here is a more ‘surgical’ approach:-[/i]

    I accidentally ran MakeMeAdmin from an account that already belonged to the Administrators group. (I do recall a message indicating something to the effect that user was already a member of some group and I glossed past it.) On later inspection of the MakeMeAdmin.cmd file I found it did not have the [url=]extra few lines of code[/url] designed to exit the command script when this error is detected.

    Some time after closing the marron coloured command prompt window opened by MakeMeAdmin I pressed "Win+L" to switch users only to find two unusual things:


    [*] ‘Administrator’ account appeared in my Welcome Logon screen (previously it had been absent)

    [*] ‘Surgeon’ account did not appear but was accessible using Ctl-Alt-Del. [i](‘Surgeon’ is that user account with Admin privileges that was created during WinXP installation because XP setup requires you to specify at least one user name.)[/i] Surprise of surprises: ‘Surgeon’ had been removed from the Administrators group and since it did not belong to any other group it was not visible from within the ‘User Accounts’ applet accessed via Control Panel.


    So there’s the problem and these are the fixes that worked for me:

    [u]]Fix for (a).[/u]


    [*] Start -> Run… -> regedit -> [Enter]

    [*] navigate to registry key

    HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonSpecialAccountsUserList

    [*] add a DWORD value named Administrator

    [*] Assign it a value of 0 (i.e leave as the default)

    [*] logout


    [u]Fix for (b).[/u]


    [*] Start -> Run… -> compmgmt.msc -> [Enter]

    [*] System Tools/Local Usres and Groups/Groups

    [*] Right click Administrators -> Add to group … -> Add…

    [*] in the "Enter the object names to select" box type the account name eg. Surgeon



    p.s. I very much appreciated your [url=

    ]explanation[/url] of why one needs to frequently hit F5 (Refresh) while exploring folders in a different security context than the desktop.

  131. Vivian says:


    Please help me out: I just want to have the passwords as arguments in makemeadmin.cmd.



    Vivian:  MakeMeAdmin is built on RunAs.exe, which specifically requires that passwords (or smartcard PINs) be typed at the console, to help avoid the security problems of passwords being stored in plain-text script files.

    — Aaron

  132. Chomno Chan says:

    its doesn’t work for me it didn’t give the second command shell

  133. What becomes of all my earlier non-admin tips, tricks and recommendations vis-à-vis RunAs, MakeMeAdmin, PrivBar and their interactions with IE and Explorer? The short answer is that Vista changes just about everything with respect to running with least

  134. Mischa Kroon says:

    Viruses and Spyware are annoying to deal with that’s why the following is a bit of a guide to make sure

  135. Carlos Vasquez says:


    Is there a way to actually input the admin password, I will be using this on over 2000 laptops and each person assigned to one of these laptops I don’t want to give them the admin password. So I want to see if the makemeadmin batch can be modified.


    [Aaron Margosis] MakeMeAdmin is built on RunAs.exe, which specifically requires that passwords (or smartcard PINs) be typed at the console, to help avoid the security problems of passwords being stored in plain-text script files.

    That’s a lot of systems to manage — are they joined to a domain?  What kinds of tasks are you doing that require MakeMeAdmin?  There is likely a more scalable approach.

  136. Rik says:

    Thanks for this handy script, Aaron.  I had to make a small edit to get it to work for me: my Administrator doesn’t have access to my limited user folders so it doesn’t work to have the script call itself.  Instead, I told the script to put a copy of itself in the Shared Documents folder and run from there.  Here’s the edit:

    – runas /u:%_Admin_% “%~s0 %_User_%”

    + if not exist “%AllUsersProfile%Documents%~nx0” copy “%~0” “%AllUsersProfile%Documents”

    + runas /u:%_Admin_% “”%AllUsersProfile%Documents%~nx0″ %_User_%”



    [Aaron Margosis] MakeMeAdmin.cmd needs to be installed in a folder in which all users have at least Read permissions.

  137. djONE says:

    I am having the wirst luck! I need to have a script that reboots both Windows 2000 and Windows XP machines. I put the shutdown.exe file in a remote directory everyone has access to and point a bat file I made to run it from there, however, it days they do not have the correct privileges to run it. I even tried replacing the shutdown.exe method with a vbs script and it gives me the same privileges error! I’m stuck! Don’t know what to do!


    [Aaron Margosis]  See this post.

  138. djONE says:


    Thanks so much for the reply, but isn’t that just a workaround for the current PC I am working on?

    I have a network with both 2000 and XP Pro SP2 computers and we plan to send them all a bat file e-mail that contains a command to re-map their printers to a different server (Since we recently went virtual), and then the second command, would be to execute the shutdown.exe -f -r -t 0 command.

    The shutdown.exe is on a remote server that every computer has access too since I know only XP computers have it, I put it out there remotely so not to run into issues with the 2000 boxes.

    Anyway, the printers switch servers fine, then when the bat file goes to execute the shutdown command, I get the error "A required privelege is not held by the client" and continue to get it; even though I followed the instructions in that link to a tee; though I have a feeling that is only for the one computer that you run those steps on. Correct me if I am wrong though. Also if this is the case, is there a way to do an entire network policy change rather than just localc for that one computer? Or what can I do? I’m so lost and frustrated! I appreciate all your help!

    Thanks again and have a great afternoon!


  139. djONE says:

    Actually, I figured it out somewhat.

    I just downloaded PsTools and put that on the remote server where shutdown.exe was.

    Now I changed the command line to psshutdown.exe instead of shutdown.exe and it works fine without any errors except for them having to accept (Press the “agree” button) the EULA agreement each time for each computer (I was hoping after accepting the terms once, it would save that preference on the remote location, but it didn’t), so oh well.

    Good enough for now, unless you have any other ideas?

    And like I said above, I appreciate all your help! You have been great through all of this!

    Thanks again and take care!


    [Aaron Margosis] PsShutdown might do it.  If you go with shutdown.exe and it is executed in the context of an interactively logged-on non-admin, then the fix needs to be applied on the systems where they are executing the command.

    For the PsShutdown EULA, just run it one time on each system in the non-admin’s context ahead of time…

  140. Jaleel says:


    If I dont have admin privilege in the machine , what can I do…?Example, in our company we dont have admin privilege for a normal user.

    Also, If I have admin privilege, and want to use it very sparingly ( i mean only for the actions which demands admin power) and all other times be a normal user , what should I do? If a user in the domain is elevated to admin, then how can that user run  or develop applications as a non-admin .This is very important requirement to ensure the running of our developing applications will run with a local user of any machine..

  141. this is fake says:

    this is stupid it doesn’t work

    [Aaron Margosis]  ???

  142. peter chasen says:

    I have a new Vista laptop I’ve been struggling with.After reading the above and wasting half a day, I’m returning it!  Then I will buy a Mac

    that is largely free of such aggrivations yet

    still runs Win, and that shall be XP, thank god!

    I think Vista’s a loser and so is Microsoft as

    Google goes into overdrive.

    [Aaron Margosis] This seems like a pretty wildly misplaced complaint.  This is a post about MakeMeAdmin, which was designed specifically for XP/2003.  There is little reason to run it on Vista, since it makes same-desktop-elevation of your current account incredibly easy.  So I don’t understand why you’re upset.

  143. Is there a way to actually input the admin password, I will be using this on over 2000 laptops and each person assigned to one of these laptops I don’t want to give them the admin password. So I want to see if the makemeadmin batch can be modified

    [Aaron Margosis] MakeMeAdmin is built on RunAs.exe, which specifically requires that passwords (or smartcard PINs) be typed at the console, to help avoid the security problems of passwords being stored in plain-text script files.

    That said, RunAs has a /savecred option (discussed in a different context in this post).  It doesn’t expose the password directly, but it is possible for the password to be exposed.  Using /savecred also allows the user to run other things with the same account without having to enter a password.  And finally, once you allow something to run as admin, it is impossible to ensure that the admin rights will be used only for the tasks you think you’re authorizing.

  144. Dan says:

    I am trying to run this on a Windows XP Home machine.  I changed the registry for “nondefaultadminowner” to 0 as described and have set an “administrator” password on the computer.  However, when I run MakeMeAdmin from my limited user account, I am unable to type in the command screen.  It does register when I hit return and I get the following error:

    Enter the password for DANAdministrator:

    Attempting to start C:DOCUME~1DANREC~1DesktopMAKEME~1MAKEME~1.CMD DANDan R

    eckner as user “DANAdministrator” …


    DANDan Reckner

    1327: Logon failure: user account restriction.  Possible reasons are blank passw

    ords not allowed, logon hour restrictions, or a policy restriction has been enfo


    Press any key to continue . . .

    Please help me to figure out why I can’t type during the prompt.


    [Aaron Margosis]  Make sure that both accounts have passwords, and that the script is in a location that is readable by both accounts (e.g., not on the admin’s desktop).

  145. Dan says:


    I did not have a password on the limited account and have since set one up.  The script is in a folder on the desktop of the limited account.  However, I am still getting the same error.  Is there any thing else I can try??  Any help would be greatly appreciated.



    [Aaron Margosis] Try putting it in a shared location rather than in a folder belonging to one user.  E.g., copy it to the All Users Documents folder (Shared Documents).

  146. hendri says:

    same as latest question, after i put makemeadmin in shared document(My computer => shared document), after that what must i do???still not know how to work.sorry if my english language worst.thanks before

  147. Ed says:

    Hello Aaron.  Will MakeMeAdmin function for me?  I have CAC-user logon credentials and username/password elevated credentials for my admin work. We are in an Active Directory 2003 domain.  I need to open elevated privelege consoles on remote clients and access (restricted) local and network shares using the elevated privilege account.  The ‘runas’ with IE6 used to be great but our domain has recently deployed IE7 to all clients.  As we all know, IE7 developers killed the simple runas functionality and now I’m stuck.  Fast User Switching is also disabled by GPO.

    I need to load software, add a printer, view security logs, etc, etc, on remote clients with users remaining logged in, a.k.a., get in, do it, and get out quickly.  

    Is MakeMeAdmin doable?

    [Aaron Margosis]  There’s something about CAC cards that is somehow different from “ordinary” smart cards… apparently RunAs doesn’t work with CAC cards.  I looked into it a little while ago but didn’t have a really good opportunity to dig into actual cause.

  148. Exana says:


    can you please tell me how to  got the admin password of my computer to which i have a physical access and using the limited account.


    [Aaron Margosis]  No, I can’t.

  149. Mike says:

    Is there a set way I can change owner/permissions that makes sense?

    I’ve been using PrivBar.dll and LaunchAdmin.exe with great success.  I launch admin programs (Spybot S&D and Adaware) with a modified MakeMeAdmin.cmd.   Also added the "Owner" column to windows explorer.  This works well for a newly installed system.

    When I implement this on an existing system, I demote Userx from "Computer Administrator" to "Limited".  Is there a set way I can change owner/permissions that makes sense?

    For example:

    secpol.msc->Local Policies:Security Options:System objects:Default Owner->Administrators group.



    Replace Owner


    "C:" Administrators –Replace owner on subcontainers and objects


    Permissions (including all child objects)


    "C:"                                         : Administrators(Full Control)

    "C:Windows"                                 : Users(Read & Execute, List Folder Content, Read)

    "C:Program Files"                           : Users(Read & Execute, List Folder Content, Read)

    "C:Documents and SettingsUserxMy Documents": Userx(Full Control)

  150. Faisal says:

    Very interesting script.

    Users in my workplace do not have admin rights on their machines. So to install something we have to login with our credentials.

    I was writing a script that maps the network drive with my credentials and then open iexplorer window  again with my credentials. The problem is that in that I.E window I can see C: drive but can’t see the mapped Network drive. Is there a way this script can help me ?

    My script is:

    @echo off

    Echo Please enter your username.

    set /p User=

    NET USE I: %logonserver%software /USER:mydomain%User% *

    runas /user:mydomain%User% "c:Program FilesInternet Exploreriexplore.exe"

  151. Sam says:

    Hi, At school I have 2 accounts, one Admin/PU for working on the server and past and current student databases etc and one which I use for normal classes.

    I am really struggling to understand what I am supposed to do to set this all up.

    Could you please possibly give me a step by step instruction set up for all of this

    It is appreciated heaps


  152. Ak Shah says:


    Can someone help?

    I had a Administrator Account & Limited Account on my Laptop but i accidentally deleted the Administrator Account. Now the only Account that i have is the Limited Account. There is no Administrator account under user Accounts. How can i get around this? I am not able to access any files.


  153. Les Weston says:

    I think there is another "Administrator" account on XP machines, not protected with a password by default, but removed from the login menu as soon as you create your own Admin account. Take a look at or do a web search for "hidden administrator account" (without the quotes), you might find the answer you are looking for.

    Good luck!


  154. Hey!

    I am using this script! I saw in one comment!

    You must try!


    @echo off

    Echo Please enter your username.

    set /p User=

    NET USE I: %logonserver%software /USER:mydomain%User% *

    runas /user:mydomain%User% "c:Program FilesInternet Exploreriexplore.exe"


    Thanks for every information.

    These are very useful!

    Thank you so much…

    King Regards!

  155. 1uI’ll thingk about it.0w I compleatly agree with last post.  hvr

    <a href="">паркет</a&gt; 2k

  156. JJT says:

    I’m on a pc with both an Administrator and Limited User account.

    However the Limited User a/c has a blank password therefore as I understand it, this solution does not work.

    What alternative solution is there for me that functions like MakeMeAdmin but accepts a Limited User a/c with no password?

    I do have the Admin password.

    I just don’t want the hassle of logging in and out and in and out…

    [Aaron Margosis]  It will probably work if you remove the restriction on blank-password local accounts.  Caveat is that you do increase your security risk by doing this.  Local Security Policy (secpol.msc):  Security Settings Local Policies Security Options; “Accounts: Limit local account use of blank passwords to console logon only”.  Change from Enabled to Disabled.  Probably requires reboot.  Caveat again is that you do increase your security risk by doing this.

  157. sam says:

    hi my 12 year old changed my admin password and now the only way we can use the computer is thro her restricted account ….is there a way to make her account admin with out the admin password….so i can get my account back.. thanx 4 all the help

  158. Soubhik says:

    How to del the temperary profile and log in to the normal administrator account.???

    [Aaron Margosis]  Sorry – no idea what you’re asking here…

  159. awp_map says:

    need help :

    i was so confused for long time..

    how to remove password while i plugged in a flashdisc on limited user? anybody know this ..

    help me please..

  160. Shawn Pete says:

    I use the code below (all on one line in case the line breaks) in a shortcut.  I get the privleges that I need for access to the folder I want, but both PrivBar and TweakUI show my non-admin information.

    C:WINDOWSsystem32runas.exe /netonly /user:armtecproe “%SystemRoot%explorer.exe \armtec-engineerDGMF”

    [Aaron Margosis]  /netonly “indicates that the user information specified is for remote access only”.  In other words, you’re still the same non-admin locally (which is what privbar is reporting), you’re just using the alternate credentials when you access remote computers like “armtec-engineer”.

  161. andrea says:

    I would like to use the jkdefrag screensaver with administrative privileges (to defrag the system disk).

    Is it possible trough MakeMeAdmin? How?

    Thank you.

  162. andrea says:

    I would like to use the jkdefrag screensaver with administrative privileges (to defrag the system disk).

    Is it possible trough MakeMeAdmin? How?

    Thank you.

  163. andrea says:

    I would like to use the jkdefrag screensaver with administrative privileges (to defrag the system disk).

    Obviously I can’t write the password every time the screensaver start

    Is it possible trough MakeMeAdmin? How?

    Thank you.

  164. andrea says:

    Sorry, I posted my question three times by mistake, plese remove the first two, thank you

  165. Waldo120 says:

    When I enter the admin password correctly, then the user password incorrectly, it leaves the user setup as an admin. Is there a fix for this?

    I’d hate to accidentily leave a user as an admin because they mistyped their password.

  166. Waldo120 says:

    Correction, this only happens if after mistyping the password instead of “pressing any key to continue” you instead close the dos window. Can we modify this to remove before “press any key” when the password is wrong?

    [Aaron Margosis]  Go ahead — it’s a .cmd file, so you can edit it with Notepad.  Might be easier just to add an ECHO statement saying “Press any key, DO NOT JUST CLOSE THE WINDOW.”

  167. Waldo120 says:

    I was about to but I think I misunderstand something in the logic about it. Took a second look and realized my misunderstanding. Below is what you can replace the line after runas with. It causes you to have to “press any key to continue” twice when the password is bad, but at least now I can leave the window behind for them to logon and know the user wont be left an admin.

    if ERRORLEVEL 1 echo. && echo Removing user %* from group %_Group_%… && net localgroup %_Group_% “%*” /DELETE && ECHO && pause

    Thought, do goto commands work in cmd files?

  168. Dan says:


    I am trying to run this on a limited user account on XP Home.  I have used this on other computers and it has worked fine.  Both the limited user account and the administrator account have passwords.  Anyways, when I type in the admin password I get:

    RUNAS ERROR: Unable to run C:Docu~…

    1327: Logon failure: …

    Any suggestions??

    [Aaron Margosis]  Put the file in a shared location rather than in one user’s profile.  If that’s not the problem then put it in a location that doesn’t have long file names or where any of the path components have spaces in them.  (The script should handle that, but if 8.3 file names are disabled that could be a problem – or it might be a permissions issue where one account can’t get to the file…)

  169. Dan says:


    Thanks for the quick update.  I have moved the filed to C:MakeMeAdmin – I believe this is a shared location.  I have also tried C:Program FilesMakeMeAdmin.  I still get the same error.  Can you tell me what to check about 8.3 file names (not sure what that means) and what I should check for permissions??


    [Aaron Margosis]  Just re-read your first… The rest of the error text for that error message is:  “Logon failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced.”  Are you sure both the admin and non-admin accounts have non-blank passwords?  Do you have logon hour restrictions applied, or is the admin account you’re using disabled?  If your admin account is not called “Administrator”, you need to change the script to use a different account name that has admin rights.

  170. Dobbelina says:

    If you do like this it allows user accounts without password & it makes default owner group Administrators.

    When install is finished, it reverts default owner back to object creator:

    @echo off

    REM ********************************************************************

    REM  This batch file starts a command shell under the current user account,

    REM  after temporarily adding that user to the local Administrators group.

    REM  Any program launched from that command shell will also run with

    REM  administrative privileges.


    REM  You will be prompted for two passwords in two separate command shells:

    REM  first, for the password of the local administrator account, and

    REM  second for the password of the account under which you are logged on.

    REM  (The reason for this is that you are creating a new logon session in

    REM  which the user will be a member of the Administrators group.)



    REM  The following values may be changed in order to customize this script:


    REM  * _Prog_  : the program to run


    REM  * _Admin_ : the name of the administrative account that can make changes

    REM              to local groups (usu. "Administrator" unless you renamed the

    REM              local administrator account).  The first password prompt

    REM              will be for this account.


    REM  * _Group_ : the local group to temporarily add the user to (e.g.,

    REM              "Administrators").


    REM  * _User_  : the account under which to run the new program.  The second

    REM              password prompt will be for this account.  Leave it as

    REM              %USERDOMAIN%%USERNAME% in order to elevate the current user.

    REM ********************************************************************


    set _Admin_=%COMPUTERNAME%Administrator

    set _Group_=Administrators

    set _Prog_="C:mYAPP.EXE"


    if "%1"=="" (

    runas /u:%_Admin_% "%~s0 %_User_%"

    if ERRORLEVEL 1 echo. && pause

    ) else (

    echo Adding user %* to group %_Group_%…

    net localgroup %_Group_% "%*" /ADD

    if ERRORLEVEL 1 echo. && pause


    echo Allowing for blank passwords…

    reg ADD HKLMSYSTEMCurrentControlSetControlLsa /v limitblankpassworduse /t REG_DWORD /d 0 /f

    if ERRORLEVEL 1 echo. && pause


    echo Starting program in new logon session…

    runas /u:"%*" %_Prog_%

    if ERRORLEVEL 1 echo. && pause


    echo Limiting blank passwords…

    reg ADD HKLMSYSTEMCurrentControlSetControlLsa /v limitblankpassworduse /t REG_DWORD /d 1 /f

    if ERRORLEVEL 1 echo. && pause


    echo Removing user %* from group %_Group_%…

    net localgroup %_Group_% "%*" /DELETE

    if ERRORLEVEL 1 echo. && pause

    reg ADD HKLMSYSTEMCurrentControlSetControlLsa /v nodefaultadminowner /t REG_DWORD /d 0 /f

    color CA







    reg ADD HKLMSYSTEMCurrentControlSetControlLsa /v nodefaultadminowner /t REG_DWORD /d 1 /f



  171. John says:


    I dont have admin password and my id not belongs to admin group, i need to put my id in adminstrator group, any idea?

    i tried make me admin but asking admin passwrd,

    Any idea?

    Really thanks

  172. Stan says:

    I forgot my password to my Admin. account, so im stuck with using limited. Does anyone know the easiest way to recover it back? Please msg me on myspace, if you have useful information.

  173. harry says:

    it still asks for an admin password

  174. Dave Hugo says:

    This is a boon.  I needed to change power settings on a machine for a user without a local account who logs in via a domain, and this did the job.  Thank you, thank you.

  175. Annoymous says:

    That is a hack…

    I'm not allowed…

    If anyone gets a virus it's your fault Aaron Margosis!

    Not allowed hacks at moment..

    Admin eh ah eh!

  176. Kevin says:

    Can this website make me a admin in graal online era

  177. Poul Hansen says:

    Made an auto-it (script language you can download)  exe-file, where you put in the Administrator password (SUP) the username og the given user and his password. It ends in a cmd-prompt where the user is ADMIN. And can run programs with ADMIN rights from there . F.i. explorer.exe or iexplore.exe or  your installation program. It can even be used on a terminal server. The ADMIN rights disappear when you exit the CMD-prompt. You ned to compile this  with the auto-it program.

    If your 'Administrators' group er localized you have to change it in the file. The rest should be OK?

    Hope you can use it. No password are hidden in this way. 😉



    ; —————————————————————————-

    ; <AUT2EXE INCLUDE-START: C:Program FilesAutoIt3Examplesmmadmin.au3>

    ; —————————————————————————-


    ;change group  from 'Administrators' to something in your local language f.i. 'Administratorer' in Danish


    $ProgPath=@ProgramFilesDir & "Internet Explorer"


    ; punch in Admin password – so not hidden in this file

    $V_SUP = InputBox("SUP?", "SUP?", "", "*")

    ;username for elevation

    $V_user = InputBox("Username?", "Punch in you username", "", "*")

    ;just truncating strings for use in next runas

    $tmpvar=$group & " " & $V_user & " /add"

    ;MsgBox(8192,"Progpath  ", $progpath)

    ; kør som administrator: elevate user

    RunAs($Admin,@LogonDomain, $V_SUP,0,@comspec & " /c " &  @SystemDir & "net.exe localgroup " & $tmpvar )

    ;input password for elevated user

    $passwd = InputBox("Password?", "Punch in password.", "", "*")

    ;MsgBox(8192, $prog, '"' & $ProgPath & '"' ,30)

    ;******* The user runs this as local ADMIN  ****************

    RunAswait ($V_user,@LogonDomain, $passwd,1,@comspec  , "c:program filesinternet explorer" )

    ;Sletter brugeren fra localadministratorgruppen IGEN – først opsæt  så command


    ;just truncating strings for use in next runas

    $tmpvar=$group & " " & $V_user & " /delete"

    RunAs($Admin, @LogonDomain, $V_SUP,0,@ComSpec & " /c " &  @SystemDir & "net.exe localgroup " & $tmpvar)

    ; —————————————————————————-

    ; <AUT2EXE INCLUDE-END: C:Program FilesAutoIt3Examplesmmadmin.au3>

    ; —————————————————————————-

  178. Poul Hansen says:

    It's a bit messy – I can see that.  Sorry

    Have not cleaned up very well – but it works 😉

  179. James says:

    is it possible to include the administrator password into the program?

    [Aaron Margosis]  No.  By design, RunAs.exe does not provide an interface for submitting a password.  It is designed to be used interactively rather than fully scripted.

Comments are closed.

Skip to main content