Edit Hosts File at Login


I am trying to edit the hosts file at login to add a single line to the file. My problem is that I require elevated privileges to edit the file as local administrators are the only users with permission to change / edit this file. I have tried having a small program executed as part of the logon process that calls another program using RunWithLogon but cannot get past error 1932 which talks about the Elevated Privilege requirement. I have also tried ShellExecute as mentioned in the error message but am not sure I understand the concept or how to make it work as an elevated task.

Any help would be appreciated.


Too many unknowns.  You need to indicate which method of starting a script at login you are using since there are several and they can cause your script to run in different security contexts and indicate whether or not the user has the ability to interact with a script's UI.  You also need to indicate which versions of Windows and WinBatch you are using. 

It would also be wise to get a better grasp of scripting in a UAC environment.   The Tech Database and the Consolidated WIL Help file have a good deal of information on the subject.

Thank you for the response. Let me see if I can answer your questions. The systems are running Windows 10 1803. WinBatch is 2018B. The script is called from a program that runs as the logon script defined in Active Directory in the user's profile. That program reads a text file that can be used to "instruct" the logon program to run other programs. I was originally trying to call a third program and use the RunWithLogon function to edit the hosts file. That fails with an indication that the program requires elevated privilege which it must not have.

That is a bit convoluted. You certainly can't use RunWithLogon to elevate or escalate privileges. You can escalate a process by using a combination of RunWithLogon and ShellExecute. Basically, RunWithLogon switches the process to a restricted Admin and ShellExecute then elevates the Admin process. The problem is that it would require user consent or even an admin password depending on how UAC is configured on the system. There are examples of using RunWithLogon and ShellExecute together in the Tech Database, as well as other information about UAC:

Generally, MSFT recommends using group policy preferences to create a scheduled task that runs at login and is configured with the desired credentials so you may wish to consider that approach.     

Are you referring to the hosts file in "C:\Windows\System32\drivers\etc"?  If so, WinBatch is more than capable of editing that hosts file directly.  The system account has edit privileges to that file by default so you could possibly just use the system account to edit the file via a scheduled task. 
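
The scheduled-task approach suggested in the reply above, as an added PowerShell example that is not part of the original thread and is not WinBatch code. The address, host name, task name and the `Add-HostsEntry` helper are constructed placeholders, and it assumes the machine's execution policy allows the script to run.

```powershell
# Added example, not from the thread. Address, host name and task name are constructed placeholders.
param(
    [string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts",
    [string]$Address   = '192.0.2.10',            # constructed (documentation range)
    [string]$HostName  = 'intranet.example.test', # constructed
    [switch]$Register                             # register the logon task instead of editing
)

function Add-HostsEntry {                         # hypothetical helper name
    param([string]$Path, [string]$Address, [string]$HostName)
    # An active (uncommented) line that already maps this host name, in any column.
    $pattern = '^\s*[^#\s]+\s+([^#]*\s)?' + [regex]::Escape($HostName) + '(\s|#|$)'
    $lines = @(Get-Content -LiteralPath $Path -ErrorAction Stop)
    if (@($lines -match $pattern).Count -gt 0) { return $false }   # nothing to do
    # Add-Content appends in place; start a new line if the file lacks a final newline.
    $raw = [System.IO.File]::ReadAllText($Path)
    $prefix = if ($raw.Length -gt 0 -and -not $raw.EndsWith("`n")) { "`r`n" } else { '' }
    Add-Content -LiteralPath $Path -Value ($prefix + "$Address`t$HostName") -Encoding ASCII
    return $true
}

if ($Register) {
    # Run once from an elevated session. Keep this script in a directory that only
    # administrators can write to: anything the task launches runs as SYSTEM.
    $arguments = '-NoProfile -File "{0}" -Address {1} -HostName {2}' -f $PSCommandPath, $Address, $HostName
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $arguments
    $trigger   = New-ScheduledTaskTrigger -AtLogOn
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'AddHostsEntryExample' -Action $action -Trigger $trigger -Principal $principal
} else {
    if (Add-HostsEntry -Path $HostsPath -Address $Address -HostName $HostName) {
        Write-Output "Added $HostName"
    } else {
        Write-Output "$HostName already present"
    }
}
```

Registering the task is the only step that needs an administrator; after that the edit runs as SYSTEM at each logon with no UAC prompt, and repeated logons do not duplicate the entry.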

I'm beginning to get it. Yes - I will be editing the hosts file at the location you mention. I don't have a problem if users are presented with the UAC confirmation prompt. I just don't want them to have to enter administrator credentials that they would not know. I know you mention using the Schdtask route but I'm not sure how that is different. Wouldn't that also require elevated privileges to create the scheduled task? I'll spend some time looking at the articles for running with UAC and the scheduled task. Thank you for your help so far.

