When writing PowerShell scripts, whether automating a common task or just sending a colleague a script, it is easy to forget whether your script requires Admin mode or not. The person at the other end will figure it out pretty quickly; however, people new to PowerShell might not. Here's a way to save yourself that trouble at the outset, when sending a .ps1 script over to somebody to run.
At the very top of your script, simply use the #Requires -RunAsAdministrator directive:

```powershell
#Requires -RunAsAdministrator
```
Now when your friend runs your helpful script in their default PS window they'll get a helpful and immediate message that they need an elevated PS session, instead of the run-of-the-mill "access is denied" red output. 🙂
But you may be wondering, "hey Julian, can't I just have the script self-elevate into a new Admin PS session window, and prompt me?"
And I would tell you, "yes!"*
* Interactive self-elevating scripts are not really a best practice in most environments, and are really for intermediate and crazy scripters using their own sandbox environment, not in prod! What I am about to show you can sometimes trigger any IPS or XDR suite running on your PC, such as Palo Alto Cortex or CrowdStrike. If you don't have a clear line-of-comms to your CISO or SOC team, maybe don't play around running this code on your work PC. 😉
So assuming you're not running some IPS/XDR stuff on your PC, or you're running it on a sandbox to play around, or if you've gotten clearance from your local neighborhood SOC or CISO -- here's a quick & dirty script that self-elevates:
This script uses the .NET Windows Security Principal class to check whether it is running as admin, and launches an elevated PS session if needed.
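The check-and-relaunch pattern described above, as an added example (not the author's original script): it tests the current token with `System.Security.Principal.WindowsPrincipal` and, if the session is not elevated, relaunches the same .ps1 through a normal UAC prompt. The helper name `Test-IsAdministrator` is hypothetical, and the code assumes Windows, PowerShell 5 or later, and that it has been saved as a .ps1 file.

```powershell
# Added example, not the author's code. Windows only.

function Test-IsAdministrator {
    # Hypothetical helper name. Returns $true when the current token is
    # elevated and a member of the built-in Administrators group.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]::new($identity)
    return $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-IsAdministrator)) {
    if (-not $PSCommandPath) {
        throw 'Save this code as a .ps1 file first; there is no script path to relaunch.'
    }

    # Relaunch with the host that is running now (powershell.exe or pwsh.exe).
    $hostExe = (Get-Process -Id $PID).Path

    # Quote the script path and forward any original arguments, also quoted.
    $argList  = @('-NoProfile', '-File', "`"$PSCommandPath`"")
    $argList += @($args | ForEach-Object { "`"$_`"" })

    try {
        # -Verb RunAs asks Windows for elevation, so the user sees the usual
        # UAC consent prompt. A PowerShell process starting an elevated
        # PowerShell child is the behaviour endpoint tooling may flag.
        Start-Process -FilePath $hostExe -ArgumentList $argList -Verb RunAs -ErrorAction Stop
    }
    catch {
        # Raised when the user declines the prompt or policy blocks elevation.
        Write-Warning "Elevation was not granted: $($_.Exception.Message)"
        exit 1
    }

    exit 0   # The non-elevated instance stops here; the elevated one continues.
}

Write-Host 'Running in an elevated session.'
# Admin-only work goes below this line.
```

The relaunch deliberately leaves the execution policy alone, so the elevated session is subject to the same script policy as the original one.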
The thing about this snippet I threw together is: it's common and far better examples exist on every other PowerShell GitHub Repo. And, again, if you operate in an environment with good security hygiene on your endpoints, you'll need SOC or CISO (and probably Change Mgmt) buy-in to ever be running scripts that interactively self-elevate. Always ask: "Am I putting training wheels on a script...when I should just be automating something?" With things like the new Terminal for Windows allowing for quick-elevation to a new PS admin session, there's less and less need for this little maneuver these days. So I would just stick with #Requires -RunAsAdministrator.
And don't annoy your SOC and/or CISO:
![Alt text](https://julianwest.me/Blog/posts/images/gonna-cost-us.jpg)
Happy scripting...