When writing PowerShell scripts, whether you're automating a common task or just sending a colleague a script, it is easy to forget whether your script requires Admin mode. The person at the other end will figure it out pretty quickly; however, people new to PowerShell might not. Here's a way to save yourself that trouble at the outset when sending a .ps1 script over to somebody to run.

At the very top of your script, simply use the #Requires -RunAsAdministrator directive:

#Requires -RunAsAdministrator
 
# rest of script here

Now when your friend runs your helpful script in their default PS window they'll get a helpful and immediate message that they need an elevated PS session, instead of the run-of-the-mill "access is denied" red output. 🙂

But you may be wondering, "hey Julian, can't I just have the script self-elevate into a new Admin PS session window, and prompt me?"

And I would tell you, "yes!"*

* Interactive self-elevating scripts are not really a best practice in most environments; they're really for intermediate and crazy scripters using their own sandbox environment, not prod! What I am about to show you can sometimes trigger an IPS or XDR suite running on your PC, such as Palo Alto Cortex or CrowdStrike. If you don't have a clear line of comms to your CISO or SOC team, maybe don't play around running this code on your work PC. 😉

So assuming you're not running some IPS/XDR stuff on your PC, or you're running it on a sandbox to play around, or you've gotten clearance from your local neighborhood SOC or CISO -- here's a quick & dirty script that self-elevates:

# Check if running as Administrator
if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
    # Not running as Administrator
    Write-Host "This script needs to be run as Administrator. Restarting with elevated privileges..." -ForegroundColor Yellow

    # Get the current script's file path
    $scriptPath = $MyInvocation.MyCommand.Path

    # Create a new process to start PowerShell with Administrator privileges
    Start-Process -FilePath "powershell.exe" -ArgumentList "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`"" -Verb RunAs

    # Exit the current script
    exit
}

# Place the rest of your script here
Write-Host "Running with Administrator privileges." -ForegroundColor Green

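This script uses the .NET WindowsPrincipal class (System.Security.Principal) to check whether it is running as admin, and relaunches itself in an elevated PS session if needed. Note that the relaunch passes -ExecutionPolicy Bypass and does not forward any arguments the original script was given.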

The thing about this snippet I threw together is: it's common, and far better examples exist on every other PowerShell GitHub repo. And, again, if you operate in an environment with good security hygiene on your endpoints, you'll need SOC or CISO (and probably Change Mgmt) buy-in to ever be running scripts that interactively self-elevate. Always ask: "Am I putting training wheels on a script...when I should just be automating something?" With things like the new Terminal for Windows allowing for quick elevation to a new PS admin session, there's less and less need for this little maneuver these days. So I would just stick with #Requires -RunAsAdministrator.
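
If you want to check which of the two styles a script uses before you send it (or before you run one somebody sent you), the PowerShell parser can tell you without executing anything. This is an added example, not code from the original post: the function name Test-ScriptElevationStyle and the two sample scripts are made up for illustration.

```powershell
# Added example: parse a script (never execute it) and report how it handles elevation.
# Test-ScriptElevationStyle is a hypothetical helper name, not a built-in cmdlet.
function Test-ScriptElevationStyle {
    param([Parameter(Mandatory)][string]$ScriptText)

    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput($ScriptText, [ref]$tokens, [ref]$errors)

    # Start-Process calls (full name or the built-in aliases) that pass -Verb RunAs.
    # Abbreviated parameter names and splatting are not resolved here.
    $relaunches = @($ast.FindAll({
        param($node)
        if ($node -isnot [System.Management.Automation.Language.CommandAst]) { return $false }
        if ($node.GetCommandName() -notin 'Start-Process', 'start', 'saps') { return $false }
        $els = $node.CommandElements
        for ($i = 0; $i -lt $els.Count; $i++) {
            $p = $els[$i]
            if ($p -isnot [System.Management.Automation.Language.CommandParameterAst]) { continue }
            if ($p.ParameterName -ne 'Verb') { continue }
            # -Verb:RunAs keeps the value on the parameter; -Verb RunAs puts it in the next element
            $value = if ($p.Argument) { $p.Argument } elseif ($i + 1 -lt $els.Count) { $els[$i + 1] }
            if ($value -and $value.Extent.Text.Trim('"', "'") -eq 'RunAs') { return $true }
        }
        return $false
    }, $true))

    [pscustomobject]@{
        # The parser surfaces "#Requires -RunAsAdministrator" as a script requirement
        RequiresDirective = [bool]($ast.ScriptRequirements -and $ast.ScriptRequirements.IsElevationRequired)
        SelfElevates      = $relaunches.Count -gt 0
        BypassesPolicy    = [bool]($relaunches | Where-Object { $_.Extent.Text -match '-ExecutionPolicy\s+Bypass' })
        ParseErrors       = $errors.Count
    }
}

# Constructed sample inputs mirroring the two approaches in this post
$directiveStyle = @'
#Requires -RunAsAdministrator
Write-Host "Running with Administrator privileges."
'@
$selfElevatingStyle = @'
Start-Process -FilePath "powershell.exe" -ArgumentList "-NoProfile -ExecutionPolicy Bypass -File x.ps1" -Verb RunAs
exit
'@

Test-ScriptElevationStyle -ScriptText $directiveStyle
Test-ScriptElevationStyle -ScriptText $selfElevatingStyle
```

To check a file on disk, pass its contents with Get-Content -Raw.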

And don't annoy your SOC and/or CISO:


Happy scripting...