

Launch Batch Scripts as Administrator (with GUI UAC prompt)

posted May 28, 2011, 1:37 AM by Evan Greene   [ updated Dec 12, 2011, 3:58 PM ]

UPDATE 12/12/2011 { Updated with some better code, thanks to Aaron Thoma. }
UPDATE 11/16/2011: I received some feedback from an international user who had issues using this script when special characters were included in the file name.  I've implemented some changes to fix these issues.

Finally got a batch script to prompt for administrator privileges in a GUI.

This will automatically elevate a .CMD or .BAT batch file using the standard UAC prompt.


Just put this at the top of your batch script.

BatchGotAdmin International-Fix Code:
@echo off

:: BatchGotAdmin
:-------------------------------------
REM  --> Check for permissions
>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"

REM --> If error flag set, we do not have admin.
if '%errorlevel%' NEQ '0' (
    echo Requesting administrative privileges...
    goto UACPrompt
) else ( goto gotAdmin )

:UACPrompt
    echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
    echo UAC.ShellExecute "%~s0", "", "", "runas", 1 >> "%temp%\getadmin.vbs"

    "%temp%\getadmin.vbs"
    exit /B

:gotAdmin
    if exist "%temp%\getadmin.vbs" ( del "%temp%\getadmin.vbs" )
    pushd "%CD%"
    CD /D "%~dp0"
:--------------------------------------

<YOUR BATCH SCRIPT HERE>

This follows the original idea, except it attempts to use the cacls command instead of creating a folder in the system directory.  This is a little cleaner.  Also used proper code so it should work on non-English versions of Windows.

BatchGotAdmin Original Code:
@echo off

:: Get ADMIN Privs
:-------------------------------------
mkdir "%windir%\BatchGotAdmin"
if '%errorlevel%' == '0' (
  rmdir "%windir%\BatchGotAdmin" & goto gotAdmin 
) else ( goto UACPrompt )

:UACPrompt
    echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
    echo UAC.ShellExecute %0, "", "", "runas", 1 >> "%temp%\getadmin.vbs"

    "%temp%\getadmin.vbs"
    exit /B

:gotAdmin
    if exist "%temp%\getadmin.vbs" ( del "%temp%\getadmin.vbs" )
    pushd "%CD%"      
    CD /D "%~dp0"
:-------------------------------------
:: End Get ADMIN Privs

<YOUR BATCH SCRIPT HERE>

Basically this just creates a VBS Script on the fly and invokes the batch script using it.  It checks to see if the current window is running as administrator by attempting to create a folder that requires administrative access.  If the directory cannot be created, then it invokes the UAC dialog, then closes the non-admin window.  The script can also be executed from an already open administrative CLI.
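
A variant of the elevation stub above, added here as an example and not part of the original BatchGotAdmin code: it checks the token's integrity level with whoami instead of probing with cacls, writes the helper script under a per-run name, and stops rather than prompting again if the relaunched copy is still not elevated.  It assumes Windows Vista or later; the "__elevated__" marker argument is a name invented for this sketch.

```batch
@echo off
:: Added example, not the original BatchGotAdmin code.
:: Assumes Windows Vista or later (UAC and whoami.exe are present).
:: "__elevated__" is a marker argument invented for this sketch.

:: An elevated token carries the High (S-1-16-12288) or System
:: (S-1-16-16384) mandatory integrity level.
whoami /groups | findstr /C:"S-1-16-12288" /C:"S-1-16-16384" >nul
if not errorlevel 1 goto gotAdmin

:: Loop guard: a relaunched copy that is still not elevated stops here
:: instead of raising another prompt.
if "%~1"=="__elevated__" (
    echo Elevation was denied or did not take effect. 1>&2
    exit /B 1
)

echo Requesting administrative privileges...

:: Per-run helper name instead of the fixed %temp%\getadmin.vbs.
set "vbs=%temp%\getadmin_%random%%random%.vbs"
> "%vbs%" echo Set UAC = CreateObject^("Shell.Application"^)
>>"%vbs%" echo UAC.ShellExecute "%~s0", "__elevated__", "", "runas", 1

:: cscript.exe is a console program, so the batch file waits for it and
:: can delete the helper itself before exiting.
cscript //nologo "%vbs%"
del "%vbs%"
exit /B

:gotAdmin
    cd /d "%~dp0"
    :: Drop the marker so the rest of the script sees its own arguments.
    if "%~1"=="__elevated__" shift /1

:: Your batch script goes here.
```

As with the stub above, arguments given to the first invocation are not forwarded to the elevated copy.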

Automatic Updating Fresh Install Kit

posted May 20, 2011, 7:45 PM by Evan Greene   [ updated Jun 18, 2011, 9:51 PM ]

UPDATE: It seems the new Google Chrome Alternative installer will not even work if the installer is launched with administrative privileges.  I'm going to modify my scripts to launch Google Chrome installer before getting admin privileges to work around that.

After a long day of testing, I've found what seems to be a reliable method for creating an automatic updating fresh install kit for deploying to new machines.  Normally, I used a simple batch script that called all of my installers using silent install switches.  This worked, but it required that I had to manually update my installers occasionally.  Today, using a program called Ketarin, I found a way to streamline updating my installation packages so that I no longer have outdated software installers.  The whole configuration was not easy to figure out, though the solution I came to is very simple and straightforward.


1. Download Ketarin 1.6 BETA 6
In order for this to work, I had to use a current beta of Ketarin 1.6.  The 1.5 final could not read UNC paths correctly, causing a crash.  As this article ages, the BETA may become final and newer versions may be released.  Just remember you need at least version 1.6 for this to work, assuming no bugs reappear.



2. Extract Ketarin to your local drive and launch Ketarin.exe

3. Configure Ketarin with your application installers. 
You should be able to find most of your software from the online database.  Here's my pick of apps.

NOTE: The "Sun" Java installer is actually "Oracle" Java.  Name just hasn't changed for this particular installer.  I also added iTunes to my list once I found a way to silent install it.



4.  Fix Google Chrome
After searching through the database, I noticed that all of the Google Chrome installers used standalone versions of Chrome that would not auto-update if it was launched from an elevated prompt.  I finally came across Google's "alternative" installer that seemed to work if it was run with admin privileges or normal user.  I used the DownThemAll Firefox addon to capture the download URL for the alternative installer, and I created my own Google Chrome package.
To make things easier for everyone else, I created the "Google Chrome Standalone - supports updating [works with an elevated prompt]" package and it should now show up in the Ketarin database.



5.  Embed silent install switches to all installers.
In order to get Ketarin to install software, I had to add silent install switches to its launch configuration.  You will have to search Google to find the correct silent install switches for your installers.  Double-click each app that you need to edit.

This example shows Adobe Flash and its silent installer.

Select the "Save to file" option and give it a name so that the installer saves to the current folder.
Go to the "Setup" tab, click the "Add Instruction" button, and go to "Start Process."

Set the launcher to the "{file}" variable, including the double quotes.  Also include your silent install switches in the arguments.  The Adobe Flash installer's silent install switch is -install.

6.  Export your settings to an XML file named apps.xml.  Save it to the Ketarin folder.



7.  Create batch scripts.

Be sure to edit these scripts for your environment.  The prepare script adds my network drives to the registry so that a security prompt will not be shown for each application Ketarin tries to install.  Any network source that you plan to install from must be added to the prepare script so the installers will not prompt you to confirm the process.  If you do not use a network drive for deployment, these registry entries will not be needed.  They are only required if Windows does not completely trust the installation source.  Even when launching with Admin privileges, the security prompt will show without these registry mods.

You will not have to modify any settings in Ketarin if you use my apps xml file - I called everything using variables.  However, if you want to include your own software in Ketarin, you will have to configure that software separately with silent install switches (see step 5).

Download Scripts - There are a total of 3 batch scripts, 3 xml files, and 7zdn.exe.
  • (local) Fresh Install.CMD - This script updates and installs software packages from a non-network/local source.  It automatically detects 64-bit or 32-bit source.
  • (network) Fresh Install.CMD - This script updates and installs software packages from a network source.  It automatically detects 64-bit or 32-bit source.
  • Prepare.bat - This script creates a trust relationship between your network drive and your computer so that a security prompt will not appear when installing applications.
  • apps32.xml - My pre-configured list of 32 bit applications that Ketarin parses for downloading, updating, and installing 32-bit software.
  • apps64.xml - My pre-configured list of 64 bit applications that Ketarin parses for downloading, updating, and installing 64-bit software.
  • Ketarin_settings.xml - My exported configuration settings for Ketarin.
  • 7zdn.exe - This can be used to extract installers that cannot be installed using silent install switches by default.  In this case, I used it for deploying iTunes silently.

8.  Copy the "Prepare.bat", "apps*.xml", 7zdn.exe, and "Ketarin_settings.xml" to the Ketarin folder.
Feel free to move the other batch scripts (.cmd/.bat) wherever you want - they will work as long as you have provided the correct location to the files they call.


9.  Test scripts


10.  Tweak

Notes:

Work machine = the machine that you use to create the install kit/business computer.
Receiving machine = the machine that you are deploying software on to/client's computer.

When launching Ketarin into the standard GUI (e.g., with no switches), it creates a database in %appdata%\Ketarin or %temp%\Ketarin (depending on the OS).  However, when Ketarin is called with the /database switch, it will read or create the database that you specify.  The code in my batch scripts specifically calls the database from the fresh installation kit source and no database is created on the receiving machine - it is kept only on the work machine.  This way there is no remanence left on the receiving machine.  My script creates a database in %temp% for the installation procedure, but removes it afterwards so no remanence will exist on the machine.  I had to change my original method, because if a machine only has read access to a network drive, creating a database would not work.  I opted for creating one on a source that the receiving machine will always have write access to (itself).

When creating your install kits from your work machine, be sure to delete %appdata%\Ketarin or %temp%\Ketarin.  The standard GUI only reads the database from these locations, and it may be confusing why your edited files aren't taking effect.

A-DATA Nobility Hard Drive Review

posted Mar 16, 2011, 7:05 PM by Evan Greene   [ updated Mar 16, 2011, 7:06 PM ]

I just benchmarked an A-DATA Nobility 2.5" 500GB Portable Hard Drive.  Click here to see the results.

Introducing: FolderSpan

posted Nov 4, 2010, 12:57 AM by Evan Greene   [ updated Nov 7, 2010, 11:42 PM ]

After running out of room on one of my hard drives, I had to start storing the same media files on different drives.  This made browsing all of my media annoying, because I had to manually go to two different folders.  I decided to make a little tool that would link all drives to one location so I would not have to put up with this annoyance.  FolderSpan is the tool and it suffices the job for the time being.

It's not full of features, and it may have a bug here and there, but when you use it correctly, it will work fine.  I plan to make a few advancements to it in the future to add some features that I know other users will need.  If you want to combine a few folders together, then go ahead and check out FolderSpan.


Windows Vista SP2 Updated Image Using vLite and WPI

posted Oct 15, 2010, 2:45 AM by Evan Greene   [ updated Oct 15, 2010, 4:41 AM ]

How to make a Vista SP2 Installation Disc that includes all OS updates, as well as DotNet updates.  It also gives you the ability to auto-install applications post install without any user intervention.

It runs sysprep at the end to prepare the computer for user setup.



http://www.ryanvm.net/forum/viewtopic.php?t=8634 - My Post here.

How to Make CCleaner Clean All Accounts on the Fly

posted Aug 23, 2010, 1:37 AM by Evan Greene   [ updated Aug 23, 2010, 10:53 AM ]

I've seen a lot of questions on various forums asking how to make CCleaner run its routine to clean out all user accounts, and not just the one that's currently logged in.  The best answer so far that I've seen consisted of writing a script that executed when the user logged on that ran CCleaner from the command line.  However, I did not see a way to clean all accounts on the fly.  If you have other user accounts on your machine just for running applications under different credentials, that never log in, the logon script would not be a viable solution.  For this reason, I decided I'd make use of the PsExec tool again to see if I could accomplish what I needed to do.

These are the steps I took to utilize CCleaner on all user accounts so that I could clean them on-the-fly.  It consists of launching CCleaner under different user accounts so that it will clean each of them.

Applications/Tools required: PsExec and CCleaner

1) Open Windows Explorer and browse to: "C:\Documents and Settings\My User Account\Start Menu\Programs\"
2) Create a new folder called "CrapClean"
3) Browse to the "CrapClean" folder
4) Right-Click -> New -> Text Document
5) Name this file: "CClean All.bat" (be sure that file extensions are visible)


Notice I put mine in the All Users folder, but you may wish to put it in your User Account folder, because this example means everyone will have access to the passwords.

6) Right click "CClean All.bat" -> Edit
7) Now just paste this text into the notepad window:

:: Clean Current User Account
"C:\Documents and Settings\All Users\Tools\CCleaner\CCleaner.exe" /auto

:: Clean the account named "Limited" that has the password "MyPassword"
"C:\Documents and Settings\All Users\Tools\PsExec\PsExec.exe" -u Limited -p MyPassword "C:\Documents and Settings\All Users\Tools\CCleaner\CCleaner.exe" /auto

Just change the above code to point to the account names you want to clean.  There's no limit to the accounts you can clean.

8) Make sure your CCleaner is located at "C:\Documents and Settings\All Users\Tools\CCleaner\" and PsExec is at "C:\Documents and Settings\All Users\Tools\PsExec\"

9) Now to run the script, just go to Start->Programs->CrapClean->"CClean All.bat" and the batch script will silently run CCleaner on all user accounts you specified in the script.

NOTE: This does require you to store the password in plaintext.  Be sure to encrypt your drive and not allow any other users access to your account to protect this information.

Firefox Addon to Protect You From Bad Websites

posted Aug 23, 2010, 1:04 AM by Evan Greene

Another Firefox addon I've discovered that may help keep you away from damaging sites is the Web Of Trust (WOT) addon.  After setting up, it will point out sites that may cause damage to your computer.  It doesn't lock down the browser completely like NoScript does, but it can help you avoid potentially bad sites.  It also has no user interaction, unless you attempt to connect to a bad site, so running it will not affect your browsing experience any more than it has to.  Check it out.

Securing Your Browser on Windows XP

posted Aug 22, 2010, 11:24 PM by Evan Greene   [ updated Aug 23, 2010, 2:13 AM ]

In case some disadvantages are holding you back from running your web browser in a virtual container using VMWare ThinApp, there's another method you can use to similarly secure your web browser.  This method involves running your web browser with limited permissions utilizing a program written by Michael Howard called DropMyRights, while also running the web browser under a different user name using PsExec.

1) First, we need to create a limited user account:
    - Start->Run
    - Enter "cmd" in the run box and hit enter
    - A black command-line interface (CLI) window will pop up
    - In the CLI type: "net user Limited MyPassword /add" and hit enter (obviously, you can change the password to whatever you want, but make sure you change it throughout each step)
    - You should see the output: "The command completed successfully"


2) Now we need to obtain a couple applications (direct links):
    - DropMyRights - Download the MSI and install it to "C:\Documents and Settings\All Users\Tools\MSDN\DropMyRights\"
    - PsExec - Download this ZIP file and extract it to "C:\Documents and Settings\All Users\Tools\PsExec\"

3) Now we just need to set up our shortcuts to the web browser to utilize these tools:
    - Right-Click on the "Firefox" shortcut on the desktop and click on 'Properties'
    - In the Properties dialog, go to the "Shortcut" tab
    - In the "Target" textbox, enter:
       "C:\Documents and Settings\All Users\Tools\PsExec\PsExec.exe" -u Limited -d -p MyPassword "C:\Documents and Settings\All Users\Tools\MSDN\DropMyRights\DropMyRights.exe" "C:\Program Files\Mozilla Firefox\firefox.exe"
      

    - Click "OK"

4) Now open Firefox.
   - It should open Firefox as the user named "Limited" with minimum privileges.


5) All that is left is to set up your registry so that the default web browser will be executed in the limited environment:
    - Start->Run
    - Enter: "regedit"
    - In the registry editor, browse to "HKEY_CLASSES_ROOT\http\shell\open\command"
    - Edit the (Default) entry to:
       "C:\Documents and Settings\All Users\Tools\PsExec\PsExec.exe" -u Limited -d -p MyPassword "C:\Documents and Settings\All Users\Tools\MSDN\DropMyRights\DropMyRights.exe" "C:\Program Files\Mozilla Firefox\firefox.exe"


6) Also make sure you've edited any other shortcuts you may have, such as on the Quick Launch or in Program Files.

Congratulations, you now have a secure web browser that is very similar to a ThinApp.

Note, since the web browser is launched with limited privileges, you cannot download to your normal Download directory.  You will have to download to a directory under the "Limited" user profile or "All Users" profile.  You also cannot launch files from the Firefox download complete window if they are installer applications, because the installer will launch with too little privilege to install.

Here's another trick I did to handle downloading files. 
- Go to your current user's profile (e.g., the account you're logged in to now that has Administrative privileges) in Windows Explorer.
- Go to "My Documents". 
- Right-Click->New->Shortcut
- Enter the location to the Limited Profile's download folder: "C:\Documents and Settings\Limited\My Documents\Downloads" and click "Next"
- Enter "Downloads"
- Click "OK"

Now to access your Downloads, just browse to your My Documents and click on "Downloads".

This is almost identical to the behavior of a ThinApp, so the only real reason to use this method is probably because all of the tools used here are 100% free.  This method, however, is not as secure as the ThinApp method, because the browser is still operating on the host system.  If a browser exploit has a way of elevating permissions, then it will have full access to the system.  In the ThinApp, the elevation would only grant it permission to the virtual operating system that the ThinApp runs internally and the malicious code would not harm the host machine.  However, this is a decent alternative way of protecting your web browser.  The best way to protect yourself is to not browse to harmful sites to begin with, but, of course, this is not always easy to do.  See the next post for a good Firefox addon that can help you stay away from bad sites.

This method is rather redundant, because you launch the web browser under an account that has no privileges, and then you run the DropMyRights application to do it again, which may or may not provide any extra benefit.

DELL Unveils "Secure Browser"

posted Aug 20, 2010, 1:07 AM by Evan Greene   [ updated Aug 20, 2010, 1:41 AM ]

http://www.kace.com/products/freetools/secure-browser/

Dell has begun developing a "Secure Browser" that "uses virtualization" and "disables plug-ins" until granted permission to run.  The browser contains suspicious files that are downloaded by the browser without the user's knowledge.  This should help protect against sites that exploit vulnerabilities to silently install hostile software on their visitors' machines.  If an infected file does happen to get downloaded, it can be removed by a simple Undo button.  The Secure Browser aims to provide a safer web browsing experience to all Internet users.

The browser appears to be just a re-branded, more secure, version of Firefox 3.6.  It may be a good alternative to using ThinApp to package a custom Firefox configuration.  It provides pretty much the exact same benefits as a Firefox ThinApp.  However, I would still prefer to use the proven, trusty VMWare package over this new, likely buggy, startup project.

VMWare ThinApp - Building, Installing, and Using the Perfect Firefox ThinApp

posted Aug 15, 2010, 12:16 AM by Evan Greene   [ updated Aug 15, 2010, 5:06 PM ]

I just posted a video on Youtube that goes through the steps of creating a VMWare ThinApp.  Click here to watch it.

VMWare ThinApp enables you to run applications in a virtual sandbox which can help prevent malware from reaching your computer.  It does this by packaging applications into a Virtual Operating System (VOS) which intercepts calls to system functions such as read, write, and modify.  This enables all transceiving data to be contained into a controlled environment.  If exploit code is run on the ThinApp, the result of the code, be it malware file generation, command-line with admin privileges, etc, will not result in the computer running it being compromised, since the VOS prevents the exploit code from executing on the host machine.

In addition to preventing malware, ThinApps are also portable, fast to install, and save your custom settings.  If you need to carry around some software with you on a USB drive that is not normally portable, ThinApp may help you convert it into a portable application.  ThinApps are also fast to install once they have been built.  A simple double-click and it's on your machine.  No need to go through any installation wizard clicking through a series of dialogs to get the application setup on your system.  Furthermore, you don't have to worry about setting up the application ever again.  Once you build a portable ThinApp with custom settings, those settings are there for good.  Even if you format your hard drive, as long as you keep a copy of the ThinApp you built, your settings will remain intact.

ThinApps may also keep your computer slightly more responsive and speedy, because software will not have to write its entries into the Windows Registry.  All of the registry entries are stored in the virtual container.  The only entries that are written to the registry are file associations and uninstall information.  If you primarily use software packed into a ThinApp, your computer will stay cleaner and will run as smoothly as the day the OS was first installed.

However, accompanied with the advantages are a few disadvantages.  Obviously, ThinApps cannot package drivers.  ThinApps may also fail to package software that utilizes drivers to function, such as Antivirus software (not that you would want to virtualize an AV, anyway) or image mounting tools like Daemon Tools.  They also require you to use predefined locations for saving and accessing files.  If you attempt to save files to a folder that was not set up with the correct isolation method when you built the ThinApp, then the file will be saved into the virtual container, rather than on the host system.  This could be irritating if, for example, you were writing an essay paper and saved it to C:\Essays and when you go looking for your files in C:\Essays, you notice they do not exist.  The ThinApp will "contain" these writes to %c_drive%\Essays in the virtual folder that it creates if this folder was not set up with Merged isolation.  Clearly, this sounds a little complicated, but it's rather simple to grasp after you have made a few of these and experiment with how they work.

VMWare ThinApp is not free.  However, VMWare does offer a 60-day trial here.  Go ahead and try it out.
