Windows - Sudo
This article is on Windows sudo.
See the post Privileged Scheduled Task for a scheduled task-based JEA mechanism to emulate Unix-style sudo on Windows.
Note that absolutely none of this is authoritative or directly based on relevant documentation. It’s mostly what I found and figured out and guessed and (in some cases) made up. Some of it may be wrong or dangerous or lead to disaster or confusion. I am not taking responsibility here for anything. Read and act on it at your own peril!
In a previous post Unprivileged Accounts I attempted to describe the concept of non-privileged accounts in Windows, a concept very foreign to modern enterprise computing on servers.
Go and read it as a primer, especially the part about User Account Control, I will wait here.
Are you back? Good.
With Windows 11 (or rather some time after Windows 11 first appeared; it ships with the 24H2 release) Microsoft introduced a Windows version of the famous Unix sudo command.
Let me first explain, very quickly and imprecisely, how Unix sudo works.
- In Unix there is one user called the superuser who normally has the user name root.
- In Unix one of the permission bits on a file is the so-called setuid bit. If this bit is set on an executable, the resulting process runs with the identity (the effective user ID) of the file's owner rather than that of the user who executes it.
- One of those programs marked with the setuid bit is a program called sudo. It is owned by the superuser. If started, it will run with the identity of root.
- The program sudo is configured in a file /etc/sudoers.
- That file spells out which user or group may start which program, on which host, as which user.
This is it, essentially.
Imagine a Unix-compatible system, here the Windows Subsystem for Linux, with a sudo configuration allowing the start of the program whoami as root. There is no particular purpose in running this program. But it will show the effect of using sudo best and without doing any damage.
benoit@paris:~$ ls -l `which sudo`
-rwsr-xr-x 1 root root 277936 Jun 25 2025 /usr/bin/sudo
benoit@paris:~$ which whoami
/usr/bin/whoami
benoit@paris:~$ ls -l `which whoami`
-rwxr-xr-x 1 root root 35336 Jun 22 2025 /usr/bin/whoami
benoit@paris:~$
The first command checks that the sudo program is indeed marked setuid root: the s in the owner's rwx triplet indicates it. (It would be a plain x for execute otherwise; a capital S would mean setuid set on a file the owner cannot even execute.)
The second command locates the program we are going to allow via sudo.
And the third command shows its permissions, to demonstrate that it is not marked setuid at all: the owner's triplet reads rwx, with a plain x.
There is a program visudo that opens /etc/sudoers in an editor (whichever one is configured as the default, on Ubuntu nano rather than vi), locks the file against concurrent edits and checks the syntax before saving, because a syntax error in sudoers would lock everyone out of sudo. The file itself is owned by root and not writable by anyone else.
benoit ALL=(root) NOPASSWD:/usr/bin/whoami
Read field by field: user benoit, on any host (ALL), may run as root (root), without entering a password (NOPASSWD:), exactly the program /usr/bin/whoami. After adding this line, user benoit should be able to run whoami both as benoit (directly) and as root (via sudo):
benoit@paris:~$ whoami
benoit
benoit@paris:~$ sudo whoami
root
benoit@paris:~$
And this is it. Permission checking is bypassed in the hope that the allowed program does not do anything it is not expected to do. (Which is the catch: a rule for any program that can spawn a shell, open arbitrary files or write arbitrary paths is in effect a grant of full root.) This is as irresponsible as JEA but more flexible in its simplicity (it can start GUI programs, for example).
Windows sudo is not like that at all. Windows does not have a setuid mechanism.
Do note that “sudo” actually stands for “superuser do” and Windows sudo is very loyal to the concept of the name. While on Unix there is indeed a specific superuser (and sudo can run a command as it, or as any other account named in sudoers), on Windows superuser status is not tied to one account at all. It comes from membership in a group.
Very unfortunately in Windows there is an Administrators group and anyone added to it becomes a superuser. This is in effect one of the biggest problems for Windows security: it is easier to give an account all rights and privileges than it is to give an account just the rights and privileges it needs, a daily violation of the principle of least privilege.
A lot of “enterprise” software sees security from the perspective of someone who can ignore permissions because the account can just be added to the Administrators group.
Many home and office users also find themselves with superuser rights because of the ease of assigning a user to the Administrators group and the assumption by software that, of course, the user has superuser status.
This led to issues when users did stupid things. With superuser rights. To themselves. A lot.
So Microsoft invented “User Account Control” to alert users every time they are doing something potentially stupid. Since Windows Vista a member of Administrators logs on with a filtered token (the Administrators group marked for deny only, most privileges stripped) and gets the full token only after confirming an elevation prompt. This was very inconvenient, and it was supposed to be.
To make the inconvenience less inconvenient Microsoft finally introduced a tool for users to allow them to do stupid user things better: sudo.
You can enable sudo as a superuser:
C:\>whoami
paris\administrator
C:\>sudo help config
Get current configuration information of sudo
Usage: sudo config [OPTIONS]
Options:
--enable <enable> [possible values: disable, enable, forceNewWindow, disableInput, normal, default]
C:\>sudo config --enable default
Sudo is currently in Inline mode on this machine
C:\>
“Inline mode” means that sudo will run the program in the same terminal/console as the calling program (usually cmd or PowerShell). It is the mode the option list above calls normal or default, as the output for default shows.
“forceNewWindow” does the same as the traditional Start-Process -Verb RunAs someprogram.exe does and opens a new console window for the program.
And “disableInput” runs sudo-started programs in the same terminal window as the calling program but does not let them take input from it. The option exists for a reason: in inline mode the elevated process reads from and writes to the console of the unelevated one, so anything able to feed input to that unelevated console can also feed it to the elevated process. disableInput closes that path; forceNewWindow avoids it altogether.
Windows sudo does not run programs as another user. It does not run them as the superuser, like in Unix. It runs programs as the calling user, but with superuser rights: the process gets the user's full token instead of the UAC-filtered one, exactly as if the user had clicked through an elevation prompt. Two things follow from that. There is no sudoers equivalent: any member of Administrators may run anything, and there is nothing to configure per user or per program. And if the calling user is not in Administrators at all, UAC asks for an administrator's credentials and the program then runs as that administrator, which is the Unix situation after all. Let me demonstrate in the most intelligent way I can:
PS C:\> whoami
paris\benoit
PS C:\> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
PS C:\> sudo whoami
paris\benoit
PS C:\> sudo whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== ========
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeSecurityPrivilege Manage auditing and security log Disabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled
SeLoadDriverPrivilege Load and unload device drivers Disabled
SeSystemProfilePrivilege Profile system performance Disabled
SeSystemtimePrivilege Change the system time Disabled
SeProfileSingleProcessPrivilege Profile single process Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Disabled
SeCreatePagefilePrivilege Create a pagefile Disabled
SeBackupPrivilege Back up files and directories Disabled
SeRestorePrivilege Restore files and directories Disabled
SeShutdownPrivilege Shut down the system Disabled
SeDebugPrivilege Debug programs Disabled
SeSystemEnvironmentPrivilege Modify firmware environment values Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Disabled
SeUndockPrivilege Remove computer from docking station Disabled
SeManageVolumePrivilege Perform volume maintenance tasks Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
SeCreateSymbolicLinkPrivilege Create symbolic links Disabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Disabled
PS C:\>
If you try this out you will notice, assuming User Account Control is configured properly, that every time sudo is used, Windows will ask the user to confirm that they want to do something superuser-like. That is still the idea of User Account Control.
If you need superuser rights for several commands, you can just start a shell using sudo, like so:
PS C:\> sudo powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:\> whoami
paris\benoit
PS C:\> exit
PS C:\>
And exit it when you are done being superuser-like.
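As an added example (my own script, not part of the original post and not anything that ships with Windows or with Microsoft's sudo), here is a PowerShell script that makes the “same user, different token” effect of the two whoami runs above visible directly: it reads the token elevation type of the current process via GetTokenInformation, checks whether the Administrators group is enabled in the token rather than present for deny only, and counts the privileges the way whoami /priv does. It also defines a prompt that marks an elevated shell, so a shell started with sudo powershell is not mistaken for a normal one and you remember to exit it. The names Sudo.Demo.Native, Get-TokenElevationInfo and Set-ElevationAwarePrompt are assumptions of mine; the script targets Windows PowerShell 5.1 and PowerShell 7 on Windows.

```powershell
# Added example, not from the original post. Inspects the access token of the
# current process so the difference between a normal and a sudo-started
# PowerShell can be seen in one object rather than read off two whoami dumps.
# Type and function names here are mine, not anything Windows provides.

function Get-TokenElevationInfo {
    # TOKEN_ELEVATION_TYPE is not exposed by .NET, so call
    # advapi32!GetTokenInformation with TokenElevationType (class 18).
    if (-not ('Sudo.Demo.Native' -as [type])) {
        Add-Type -Namespace Sudo.Demo -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(
    IntPtr tokenHandle, int tokenInformationClass,
    out int tokenInformation, int tokenInformationLength, out int returnLength);
'@
    }

    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]$identity

    $elevationType = 0
    $returned      = 0
    $ok = [Sudo.Demo.Native]::GetTokenInformation(
        $identity.Token, 18, [ref]$elevationType, 4, [ref]$returned)
    if (-not $ok) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "GetTokenInformation failed with Win32 error $err"
    }

    # 1 = Default: no split token (standard user, or UAC switched off)
    # 2 = Full:    the elevated half of a split token (what sudo hands you)
    # 3 = Limited: the filtered half, Administrators present for deny only
    $typeName = switch ($elevationType) {
        1       { 'Default (no split token)' }
        2       { 'Full (elevated)' }
        3       { 'Limited (filtered by UAC)' }
        default { "Unknown ($elevationType)" }
    }

    # whoami /priv can emit CSV, which is easier to work with than its table.
    $privileges = @(whoami /priv /fo csv | ConvertFrom-Csv)

    # IsInRole ignores deny-only groups, so this is false in the filtered
    # token and true in the elevated one, for the very same user.
    [pscustomobject]@{
        User                  = $identity.Name
        ElevationType         = $typeName
        AdministratorsEnabled = $principal.IsInRole(
            [System.Security.Principal.WindowsBuiltInRole]::Administrator)
        PrivilegeCount        = $privileges.Count
        EnabledPrivileges     = ($privileges |
            Where-Object { $_.State -eq 'Enabled' } |
            ForEach-Object { $_.'Privilege Name' }) -join ', '
    }
}

function Set-ElevationAwarePrompt {
    # Redefines the prompt so a shell started with "sudo powershell" looks
    # different from the unelevated shell it was started from.
    function global:prompt {
        $p = [System.Security.Principal.WindowsPrincipal][System.Security.Principal.WindowsIdentity]::GetCurrent()
        $tag = if ($p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) { '[ELEVATED] ' } else { '' }
        "${tag}PS $($executionContext.SessionState.Path.CurrentLocation)> "
    }
}

Get-TokenElevationInfo | Format-List
```

Save it as Show-Token.ps1 and run it twice from an unelevated PowerShell: once as `.\Show-Token.ps1` and once as `sudo powershell -NoProfile -File .\Show-Token.ps1`. The User field is the same in both runs; ElevationType flips from Limited to Full, AdministratorsEnabled from False to True, and PrivilegeCount grows from the handful shown above to the full list, which is all that Windows sudo changes. Dot-source the file and call Set-ElevationAwarePrompt (or put it in your profile) to get the [ELEVATED] marker in shells you opened with sudo.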
Do note that it is still not advisable to use a computer with an account with superuser rights all the time. The reason it is done on Windows is, of course, for compatibility reasons:
- First, which is quite reasonable, for running programs that predate any such permissions or multiuser environments.
- Second, which is less reasonable, for running programs made by software vendors, typically advertising themselves as “enterprise software” vendors, that assume that all users are superusers and that security issues created by such software are the customer’s problem.
Until Microsoft somehow fully virtualises the experience of the superuser, we will have to live with sudo.
Next: TBD