Showing posts with label Scripting.

Thursday, May 29, 2014

Adding 'Run as administrator' right-click menu items for VBScript and PowerShell files

One of my post-TechEd 2014 resolutions is to finally cast off my Batch script crutches and start running with PowerShell and/or VBScript. To that end I assigned myself the task of converting a few of my Batch scripts over to these new languages last week. Right away I found myself annoyed. See, the great thing about Batch is you have this nifty "Run as administrator" context menu item that appears when you right-click on any .BAT or .CMD file. If I run a Batch script once with a simple double-click and it fails, then I have the right-click option to provide me with a quick and easy way to run the script with elevated credentials. This allows me to quickly determine if some aspect of my code requires administrative permissions. I found out real quick that this menu item appears to be missing for .PS1 and .VBS files.

Now I get why Microsoft did this. It’s probably a security measure to prevent you from accidentally hosing your system by running a bunch of scripts in the Administrator context. It’s certainly not a feature I’d want “Joe User” to have access to. Still, us more “advanced” users might want to have this menu item present purely to speed up our script testing process. So to solve this little dilemma for myself I put together two Batch scripts (HA, Ha, yes I’m using Batch to ultimately eliminate Batch) to add the right-click options back in for .PS1 and .VBS files. The scripts I wrote are posted below. Note that with the .VBS script you have two options! One uses CSCRIPT.EXE and the other uses WSCRIPT.EXE. If you don’t know the difference then don’t use the scripts. They also come with no warranties! Use at your own risk!


Add Right-click “Run as administrator” for .PS1 files (PowerShell):


    @ECHO OFF & CLS
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    TITLE Enable right-click 'Run as Admin' for PowerShell for Windows 7 or Later
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    :: Purpose: Add Windows context menu item.
    :: Version: 2.1
    :: Author: ZeusABJ
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

    :: Display status message:
    ECHO.
    ECHO Enabling right-click 'Run as Admin' for PowerShell for Windows 7 or Later...
    ECHO.

    :: Add value for UAC shield icon:
    REG ADD "HKCR\Microsoft.PowerShellScript.1\Shell\runas" /v HasLUAShield /t REG_SZ /d "" /f

    :: Add value to create context menu item:
    REG ADD "HKCR\Microsoft.PowerShellScript.1\Shell\runas\command" /ve /t REG_EXPAND_SZ /d "\"%%SYSTEMROOT%%\System32\WindowsPowerShell\v1.0\powershell.exe\" -executionpolicy bypass -nologo -file \"%%1\"" /f

    :: Display completion notice:
    ECHO.
    ECHO Done!

    :: Delay for processing:
    PING 127.0.0.1 -n 3 > NUL

    :: Pause to view results:
    :: ECHO.
    :: PAUSE

    EXIT

Remove Right-click “Run as administrator” for .PS1 files (PowerShell):


    @ECHO OFF & CLS
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    TITLE Disable right-click 'Run as Admin' for PowerShell for Windows 7 or Later
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    :: Purpose: Remove Windows context menu item.
    :: Version: 2.1
    :: Author: ZeusABJ
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

    :: Display status message:
    ECHO.
    ECHO Disabling right-click 'Run as Admin' for PowerShell for Windows 7 or Later...
    ECHO.

    :: Remove custom 'runas' registry entry:
    REG DELETE "HKCR\Microsoft.PowerShellScript.1\Shell\runas" /f

    :: Display completion notice:
    ECHO.
    ECHO Done!

    :: Delay for processing:
    PING 127.0.0.1 -n 3 > NUL

    :: Pause to view results:
    :: ECHO.
    :: PAUSE

    EXIT

Add Right-click “Run as administrator” for .VBS files (VBScript - WSCRIPT.EXE):


    @ECHO OFF & CLS
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    TITLE Enable right-click 'Run as Admin' for VBS for Windows 7 or Later (WSCRIPT)
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    :: Purpose: Add Windows context menu item.
    :: Version: 2.0
    :: Author: ZeusABJ
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

    :: Display status message:
    ECHO Enabling right-click 'Run as Admin' for VBS for Windows 7 or Later (WSCRIPT)...
    ECHO.

    :: Add value for UAC shield icon:
    REG ADD "HKCR\VBSFile\Shell\runas" /v HasLUAShield /t REG_SZ /d "" /f

    :: Add value to create context menu item:
    REG ADD "HKCR\VBSFile\Shell\runas\Command" /ve /t REG_EXPAND_SZ /d "\"%%SYSTEMROOT%%\System32\wscript.exe\" \"%%1\" %%*" /f

    :: Display completion notice:
    ECHO.
    ECHO Done!

    :: Delay for processing:
    PING 127.0.0.1 -n 3 > NUL

    :: Pause to view results:
    :: ECHO.
    :: PAUSE

    EXIT

Add Right-click “Run as administrator” for .VBS files (VBScript - CSCRIPT.EXE):


    @ECHO OFF & CLS
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    TITLE Enable right-click 'Run as Admin' for VBS for Windows 7 or Later (CSCRIPT)
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    :: Purpose: Add Windows context menu item.
    :: Version: 2.1
    :: Author: ZeusABJ
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

    :: Display status message:
    ECHO.
    ECHO Enabling right-click 'Run as Admin' for VBS for Windows 7 or Later (CSCRIPT)...
    ECHO.

    :: Add value for UAC shield icon:
    REG ADD "HKCR\VBSFile\Shell\runas" /v HasLUAShield /t REG_SZ /d "" /f

    :: Add value to create context menu item:
    REG ADD "HKCR\VBSFile\Shell\runas\Command" /ve /t REG_EXPAND_SZ /d "\"%%SYSTEMROOT%%\System32\cscript.exe\" \"%%1\" %%*" /f

    :: Display completion notice:
    ECHO.
    ECHO Done!

    :: Delay for processing:
    PING 127.0.0.1 -n 3 > NUL

    :: Pause to view results:
    :: ECHO.
    :: PAUSE

    EXIT

Remove Right-click “Run as administrator” for .VBS files (VBScript):


    @ECHO OFF & CLS
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    TITLE Disable right-click 'Run as Admin' for VBS for Windows 7 or Later
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    :: Purpose: Remove Windows context menu item.
    :: Version: 2.1
    :: Author: ZeusABJ
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

    :: Display status message:
    ECHO.
    ECHO Disabling right-click 'Run as Administrator' for VBS for Windows 7 or Later...
    ECHO.

    :: Remove custom 'runas' registry entry:
    REG DELETE "HKCR\VBSFile\Shell\runas" /f

    :: Display completion notice:
    ECHO.
    ECHO Done!

    :: Delay for processing:
    PING 127.0.0.1 -n 3 > NUL

    :: Pause to view results:
    :: ECHO.
    :: PAUSE

    EXIT
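
To check what these scripts leave behind on a machine, the following added example (not part of the original post) lists the 'runas' verb for the two ProgIDs the scripts write to and flags a command line that passes -executionpolicy bypass. Reading HKLM and HKCU separately is a choice made for this example, because HKCR is a merged view of both; the variable and property names are its own.

```powershell
# Added example: report the 'runas' verb registered for .PS1 and .VBS files.
# The ProgIDs below are the ones the batch scripts on this page write to.
$progIds = 'Microsoft.PowerShellScript.1', 'VBSFile'

# HKCR is a merged view, so each backing hive is read on its own.
$hives = @(
    @{ Name = 'HKLM'; Root = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes' },
    @{ Name = 'HKCU'; Root = 'Registry::HKEY_CURRENT_USER\Software\Classes' }
)

$report = foreach ($hive in $hives) {
    foreach ($progId in $progIds) {
        $verbPath = "$($hive.Root)\$progId\Shell\runas"
        if (-not (Test-Path -LiteralPath $verbPath)) { continue }

        $verbKey = Get-Item -LiteralPath $verbPath
        $cmdKey  = Get-Item -LiteralPath "$verbPath\command" -ErrorAction SilentlyContinue

        # Read the default value without expanding %SYSTEMROOT%, so the
        # output matches the REG_EXPAND_SZ string that REG ADD stored.
        $command = $null
        if ($cmdKey) {
            $noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
            $command  = $cmdKey.GetValue('', $null, $noExpand)
        }

        [pscustomobject]@{
            Hive                    = $hive.Name
            ProgId                  = $progId
            HasLUAShield            = ($verbKey.GetValueNames() -contains 'HasLUAShield')
            Command                 = $command
            BypassesExecutionPolicy = [bool]($command -match '(?i)-executionpolicy\s+bypass')
        }
    }
}

if ($report) {
    $report | Format-List
}
else {
    'No runas verb is registered for .PS1 or .VBS files.'
}
```

An empty result after running the two "Remove" scripts confirms the verb is gone from both hives.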

Thursday, January 30, 2014

SCCM: Viewing install commands for deployed applications on a client machine

Recently I was really wrestling with getting a set of install commands working for an application I was deploying through SCCM. Because I was using some variables in my command string I needed to "see" what SCCM was ultimately telling the client to run once the application downloaded and the install kicked off. I was able to determine this by logging onto one of my test clients and navigating to this log:

C:\Windows\CCM\Logs\AppEnforce.log

Sure enough, the final command string that was getting executed was not what I expected. I made some adjustments to my install string based on what I saw in the log and got it working. Hope someone else finds this useful.

Tuesday, July 16, 2013

Using PowerShell to build a GPO-based WMI filter for the SCCM Client install

We recently upgraded our SCCM 2012 server to SP1. I am now in the process of upgrading all the SCCM clients to the latest version (5.00.7804.1000). I use Group Policy to push the client and I wanted to add a WMI filter to the policy to filter out any systems that already have the correct client version. To do that I needed to know where to look for the client version in WMI on a local machine. PowerShell came to my rescue with this command:

Get-WmiObject -namespace root\ccm -class sms_client

Here's a screenshot of the output I got from an up-to-date computer (note the version number):



Using that I was able to construct the following query for my WMI filter:

select * from SMS_Client where ClientVersion < "5.00.7804.1000"

I applied the filter to our SCCM client install policy and now it only runs on machines running client versions older than the one specified. Nice!
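
The query can be dry-run on a client before it goes into the GPO. The following is an added example, not code from the original post, for Windows PowerShell: it runs the same query locally and shows how a string comparison of ClientVersion (a string property, so the "<" in the query compares text) can differ from a numeric version comparison. The function names and the sample versions are constructed for this example, and treating a failed query as "no match" is an assumption it makes.

```powershell
# Added example: dry-run the WMI filter query from this post on one client.
$target = '5.00.7804.1000'    # client version named in the post
$query  = "select * from SMS_Client where ClientVersion < `"$target`""

function Test-ClientFilter {
    # Hypothetical helper: $true when the query returns at least one instance,
    # which is the condition under which a GPO WMI filter lets the policy apply.
    param(
        [Parameter(Mandatory = $true)] [string] $Query,
        [string] $Namespace = 'root\ccm'
    )
    try {
        $rows = @(Get-WmiObject -Namespace $Namespace -Query $Query -ErrorAction Stop)
        return ($rows.Count -gt 0)
    }
    catch {
        # Assumption of this example: a query that fails (for instance when
        # the root\ccm namespace is absent) is reported as "no match".
        Write-Warning "Query failed: $($_.Exception.Message)"
        return $false
    }
}

function Compare-ClientVersion {
    # Hypothetical helper: compares a version both as text and as [version].
    param([string] $Installed, [string] $Target)
    [pscustomobject]@{
        Installed   = $Installed
        StringLess  = ([string]::CompareOrdinal($Installed, $Target) -lt 0)
        NumericLess = ([version]$Installed -lt [version]$Target)
    }
}

# Constructed sample versions; the last one has a five-digit build number,
# which sorts below the target as text but above it numerically.
'5.00.7711.0000', '5.00.7804.1000', '5.00.10000.1000' |
    ForEach-Object { Compare-ClientVersion -Installed $_ -Target $target } |
    Format-Table -AutoSize

"Filter matches this machine: $(Test-ClientFilter -Query $query)"
```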

BONUS TIP:
There are several ways to do the GPO-based install; I chose to go with running ccmsetup.exe as a startup script in Group Policy Management at the following location:

"Computer Configuration -> Policies -> Windows Settings -> Scripts (Startup/Shutdown)"

I set it up to run the following install string:

ccmsetup.exe /MP:<MySCCMServerName> SMSSITECODE=AUTO

Thursday, May 30, 2013

Scripting: Administering the Windows Firewall with Batch

We needed a way to configure the Windows Firewall during a series of OS Deployments. After doing a bit of research I decided that a batch script using the NETSH command was probably the easiest solution. Here are the scripts I came up with (comment/uncomment desired settings):

Windows 7-2008 or later:

    @ECHO OFF
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    TITLE Set Windows Firewall Features for Windows 7-2008 or later
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    :: Purpose: Auto-set Windows Firewall Features for Windows 7-2008 or later.
    :: Version: 2.0
    :: Author: ZeusABJ
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

    :: Clear screen to hide "UNC paths not supported" error message:
    CLS

    :: Display a message to the user:
    ECHO Setting Windows Firewall Features for Windows 7-2008 or later...
    ECHO.

    :: Run NETSH commands to disable/enable (off/on) individual firewall profiles:
    netsh advfirewall set domainprofile state off
    :: netsh advfirewall set privateprofile state off
    :: netsh advfirewall set publicprofile state off

    :: Run NETSH commands to disable/enable (off/on) all firewall profiles:
    :: netsh advfirewall set allprofiles state off

    :: Run NETSH command to enable Remote Desktop exception:
    netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

    :: Display completion notice:
    ECHO Done!

    :: Uncomment to view script results:
    :: ECHO.
    :: PAUSE

    EXIT

Windows XP-2003:

    @ECHO OFF
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    TITLE Set Windows Firewall Features for Windows XP-2003
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    :: Purpose: Auto-set Windows Firewall Features for Windows XP-2003.
    :: Version: 2.0
    :: Author: ZeusABJ
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

    :: Clear screen to hide "UNC paths not supported" error message:
    CLS

    :: Display a message to the user:
    ECHO Setting Windows Firewall Features for Windows XP-2003...
    ECHO.

    :: Run NETSH commands to disable/enable firewall:
    netsh firewall set opmode disable

    :: Run NETSH command to enable Remote Desktop exception:
    netsh firewall set service remotedesktop enable

    :: Display completion notice:
    ECHO Done!

    :: Uncomment to view script results:
    :: ECHO.
    :: PAUSE

    EXIT

BONUS - This script will reset the firewall if you make a mistake with your desired settings:

    @ECHO OFF
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    TITLE Reset Windows Firewall Features for Windows 7-2008 or later
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    :: Purpose: Auto-reset Windows Firewall Features for Windows 7-2008 or later.
    :: Version: 2.0
    :: Author: ZeusABJ
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

    :: Clear screen to hide "UNC paths not supported" error message:
    CLS

    :: Display a message to the user:
    ECHO Resetting Windows Firewall for Windows 7-2008 or later...
    ECHO.

    :: Run NETSH commands to reset firewall (restores default settings):
    netsh advfirewall reset

    :: Display completion notice:
    ECHO Done!

    :: Uncomment to view script results:
    :: ECHO.
    PAUSE

    EXIT

Thursday, May 23, 2013

Scripting: My take on Batch-based OS detection

I've seen a lot of OS-detection methods out there. I know PowerShell and VBScript scripts are a lot more robust than batch scripts, but sometimes it's easier to just fall back to good old CMD.EXE. To that end here's my take on an OS-detection script. In the past I've run into some issues where an application might create a folder structure that exists on a post-Vista OS on a pre-Vista one. So rather than check for paths or folders, I've found it's better to see if environment variables have been defined, like so:

    @ECHO OFF
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    TITLE Detect OS Version - Pre-Post Vista
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    :: Purpose: Check for PUBLIC folder to determine OS type and execute actions.
    :: Version: 1.3
    :: Author: ZeusABJ
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

    :: Clear screen to hide "UNC paths not supported" error message:
    CLS

    :: Define Variables:
    SET _OSType=Unknown
    SET _OSArch=Unknown

    :: Verify PUBLIC environment variable is defined:
    IF DEFINED PUBLIC (
        SET _OSType=Vista-2008 or later
    ) ELSE (
        SET _OSType=XP-2003 or earlier
    )

    :: Verify PROGRAMFILES(X86) environment variable is defined:
    IF DEFINED PROGRAMFILES(X86) (
        SET _OSArch=x64
    ) ELSE (
        SET _OSArch=x86
    )

    :: Display result:
    ECHO You appear to be running an %_OSArch% version of Windows %_OSType%.

    :: Uncomment to view script results:
    ECHO.
    PAUSE

    EXIT

Just for grins here's an even more granular method using WMIC:

    @ECHO OFF
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    TITLE Detect OS Version - WMIC Method
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    :: Purpose: Determine OS version using the WMI database.
    :: Version: 2.0
    :: Author: ZeusABJ
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

    :: Clear screen to hide "UNC paths not supported" error message:
    CLS

    :: Define Variables:
    SET _OSVersion=Unknown

    :: Query WMI to get the OS Caption to detect OS version:
    WMIC OS GET Caption | FINDSTR /c:"2000" > NUL
    IF %ERRORLEVEL% EQU 0 SET _OSVersion=2000

    WMIC OS GET Caption | FINDSTR /c:"Windows XP" > NUL
    IF %ERRORLEVEL% EQU 0 SET _OSVersion=XP

    WMIC OS GET Caption | FINDSTR /c:"Server 2003" > NUL
    IF %ERRORLEVEL% EQU 0 SET _OSVersion=2003

    WMIC OS GET Caption | FINDSTR /c:"Vista" > NUL
    IF %ERRORLEVEL% EQU 0 SET _OSVersion=Vista

    :: Note: The additional "r" after "Server" is not a typo:
    WMIC OS GET Caption | FINDSTR /c:"Serverr 2008" > NUL
    IF %ERRORLEVEL% EQU 0 SET _OSVersion=2008

    WMIC OS GET Caption | FINDSTR /c:"Windows 7" > NUL
    IF %ERRORLEVEL% EQU 0 SET _OSVersion=7

    WMIC OS GET Caption | FINDSTR /c:"Server 2008 R2" > NUL
    IF %ERRORLEVEL% EQU 0 SET _OSVersion=2008R2

    WMIC OS GET Caption | FINDSTR /c:"Windows 8" > NUL
    IF %ERRORLEVEL% EQU 0 SET _OSVersion=8

    WMIC OS GET Caption | FINDSTR /c:"Server 2012" > NUL
    IF %ERRORLEVEL% EQU 0 SET _OSVersion=2012

    :: Display result:
    IF %_OSVersion%==Unknown (
        ECHO Unable to determine Windows version.
    ) ELSE (
        ECHO You appear to be using Windows %_OSVersion%
    )

    :: Uncomment to view script results:
    ECHO.
    PAUSE

    EXIT

Hope somebody finds this useful!

Tuesday, January 31, 2012

Scripting: Enable 'Run as Administrator' on VBScripts in Context Menu for Windows 7

It's easy to run a batch script under the local Administrator account in Windows 7/Vista as there is an entry for that in the context menu. The option appears when you right-click any batch file. VBScripts however are a different matter. After relying on CMD.exe with admin privileges as a workaround one time too many I decided to see if there was a better way! I found a nice registry import on another site that would add a context menu item for launching VBScripts as local admin. I tried it and it worked beautifully; I was able to right-click any .VBS file on my computer and a "Run as Administrator" option appeared and worked every time. Just for grins though I thought I'd try to create my own implementation using REG ADD with Batch. Here is the result:

    @ECHO OFF
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    TITLE Enable 'Run as Administrator' on VBScripts in Context Menu for Windows 7
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

    ECHO Enable 'Run as Administrator' on VBScripts in Context Menu for Windows 7:
    ECHO.

    :: Add value for UAC shield icon:
    REG ADD "HKCR\VBSFile\Shell\runas" /v HasLUAShield /t REG_SZ /d "" /f

    :: Add value to create context menu item:
    REG ADD "HKCR\VBSFile\Shell\runas\Command" /ve /t REG_EXPAND_SZ /d "\"%%SystemRoot%%\System32\WScript.exe\" \"%%1\" %%*" /f

    :: Uncomment "PAUSE" to view script results:
    ECHO.
    PAUSE

Hope someone finds it useful.

Thursday, November 17, 2011

Scripting: Disable Admin-Related Auto-Starts on Windows Servers...

One thing I find really annoying about Windows Servers is the popups you get every time you log in for the first time ('Manage Your Server' for Windows Server 2003 and 'Server Manager' for Windows Server 2008). Of course you can check a box after the initial login to tell it not to pop up the next time you log in, but that doesn't suppress it for anyone else who logs in. Also what if you are using MDT to create an image of a Server OS and would like to banish these popups for every login on *all* future deployments? There's probably a host of ways to do this, but I cracked it with the following batch scripts:

Disable Auto-Start Initial Configuration Tasks for Windows Server 2008:

    @ECHO OFF
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    TITLE Disable Auto-Start Initial Configuration Tasks for Windows Server 2008
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

    ECHO Disabling Auto-Start Initial Configuration Tasks for Windows Server 2008...
    ECHO.

    :: Change "DoNotOpenInitialConfigurationTasksAtLogon" value to "1" to disable the Initial Configuration Tasks Auto-Start:
    REG ADD "HKLM\SOFTWARE\Microsoft\ServerManager\Oobe" /v DoNotOpenInitialConfigurationTasksAtLogon /t REG_DWORD /d 1 /f

    :: Uncomment "PAUSE" to view script results:
    :: ECHO.
    :: PAUSE

Disable Auto-Start Manage Your Server for Windows Server 2003:

    @ECHO OFF
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    TITLE Disable Auto-Start Manage Your Server for Windows Server 2003
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

    ECHO Disabling Auto-Start Manage Your Server for Windows Server 2003...
    ECHO.

    :: Disable "Manage Your Server" Auto-Start for the current user:
    REG DELETE "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Setup\Welcome" /v srvwiz /f
    REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\srvWiz" /v CYSMustRun /t REG_SZ /d 0 /f

    :: Create policy to set "DisableShowAtLogon" value to "0" to disable "Manage Your Server" Auto-Start for subsequent logins:
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\MYS" /v DisableShowAtLogon /t REG_DWORD /d 0 /f

    :: Uncomment "PAUSE" to view script results:
    :: ECHO.
    :: PAUSE

You can run them manually or add them to an MDT task sequence.

Wednesday, November 16, 2011

Scripting: Disable Network Location Wizard for Windows Vista-7-2008

Just set up custom CSS styling for <code> tags which should make it easier for me to post some of my favorite code snippets and scripts. Figured I'd start with a basic batch script I wrote to disable that annoying Network Location Wizard in Windows Vista-7-2008. Just copy and paste the following in your favorite text editor, save it with a .CMD or .BAT extension and run it:

    @ECHO OFF
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    TITLE Disable Network Location Wizard for Windows Vista-7-2008
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

    ECHO Disable Network Location Wizard for Windows Vista-7-2008...
    ECHO.

    :: Create blank key "NewNetworkWindowOff" to disable Network Location Wizard for all users:
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Network\NewNetworkWindowOff"

    :: Uncomment "PAUSE" to view script results:
    :: ECHO.
    :: PAUSE

This script can also be added to an MDT task sequence to automate the application of this setting during a deployment.