
Elevate / Sudo on PowerShell

I have found a few PowerShell elevate / sudo functions, but none of them seem to work well (in an "as intuitively and seamlessly as on every Unix and Linux distribution" way). They are mostly redundant as they don't work well. If someone has a seamlessly working elevate / sudo on PowerShell they'll know it.

The problems with the functions that I've seen are:

• They only work with external scripts by calling another instance of powershell.exe. i.e. If you want to do something as simple as sudo gci or sudo Get-ChildItem that will generate an error as the methods don't seem to like calling aliases or Cmdlet (for some reason!).

• You cannot seamlessly elevate the existing console session up to Administrator, and this seems to require that an elevate / sudo function opens a completely new console (seems cumbersome to have to open a new console for nothing!)?

Does anyone have a reliable elevate / sudo that they use? I don't expect it to be perfect, if there are good technical reasons why things like the above do not work (maybe to do with limitations of the PowerShell host itself not being capable enough) then that's fine, but it would be good to know how far we can get with a functional elevate / sudo within PowerShell. It's often a shame that, although PowerShell is massively more advanced than bash (and its object manipulation capabilities blow away Python and Perl imo also), sometimes it seems like some of the most simple capabilities in Unix-land, like sudo, blow away what is possible in PowerShell - I'd love to see those gaps filled so that PowerShell can be shown to be every bit as capable as Unix (and more so!!) for a change.

YorSubs asked Oct 19 '25 04:10


2 Answers

Nothing native in the box of course, so, an apples/oranges comparison when talking sudo stuff with Windows.

Security boundaries/functionalities are just different, as we all know, and the sudo equivalent in Windows (and thus PowerShell) is RunAs and that will pop Windows UAC, no getting around that, without turning UAC off (don't do this) or setting up an AppCompat shim.

So, when you say functions, are you saying you have already tried these:

Find-Module -Name '*sudo*' | 
Select Name, Version, Type, Description

# Results
<#
Name   Version Type   Description                                                                            
----   ------- ----   -----------                                                                            
Sudo   2.1.0   Module Use functionality similar to sudo in PowerShell. GitHub: https://github.com/pldmgg/Sudo
PSSudo 1.4.0   Module Function for executing programs with adminstrative privileges 
#>

This type of question comes up a lot here and has been answered several times. So, are you saying, you tried the below?

How to sudo on powershell on Windows

Start-Process -Verb RunAs powershell.exe -Args "-executionpolicy bypass -command Set-Location \`"$PWD\`"; .\install.ps1"

Sudo !! equivalent in PowerShell

runas /user:domain\administrator $^

Is there any 'sudo' command for Windows?

doskey sudo= runas /user:Administrator "cmd /k cd \"%cd%\" & $*"

runas /noprofile /user:Administrator cmd 

See also:

Support sudo #3232

5 Windows Alternatives to the Linux sudo Command

postanote answered Oct 22 '25 03:10
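
An added example, not part of the answer above: a wrapper around the `Start-Process -Verb RunAs` call it shows, addressing the question's complaint that aliases and cmdlets fail. `Test-IsElevated`, `Invoke-Elevated` and `C:\ProtectedFolder` are hypothetical names; the script block is sent as text via `-EncodedCommand` and results return through a temporary CLIXML file.

```powershell
# Added example: function names and the sample path are hypothetical.
function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-Elevated {
    param([Parameter(Mandatory)][scriptblock]$ScriptBlock)

    # Already elevated: run in-process, keep live objects, no UAC prompt.
    if (Test-IsElevated) { return & $ScriptBlock }

    # The elevated process shares no memory with this one, so results come
    # back through a CLIXML file as deserialized (property-only) objects.
    $out = [IO.Path]::GetTempFileName()
    $q   = { param($s) "'" + $s.Replace("'", "''") + "'" }  # single-quoted literal
    $script = @"
`$ErrorActionPreference = 'Stop'
Set-Location -LiteralPath $(& $q $PWD.ProviderPath)
try { & {
$ScriptBlock
} | Export-Clixml -LiteralPath $(& $q $out); exit 0 }
catch { exit 1 }
"@
    # -EncodedCommand takes Base64 of UTF-16LE text, which avoids the nested
    # quote escaping -Command needs. No script file is run, so no
    # -ExecutionPolicy override is required.
    $b64 = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($script))
    try {
        $p = Start-Process powershell.exe -Verb RunAs -Wait -PassThru `
             -WindowStyle Hidden -ErrorAction Stop `
             -ArgumentList '-NoProfile', '-EncodedCommand', $b64
        if ($p.ExitCode -ne 0) { throw "Elevated command failed (exit $($p.ExitCode))." }
        if ((Get-Item -LiteralPath $out).Length -gt 0) { Import-Clixml -LiteralPath $out }
    }
    finally { Remove-Item -LiteralPath $out -ErrorAction SilentlyContinue }
}

# Aliases work because the text is parsed by the elevated shell itself.
# Variables from the calling session are NOT visible inside the block.
Invoke-Elevated { gci 'C:\ProtectedFolder' | Select-Object Name, Length }
```

UAC still prompts once per call, and declining the prompt surfaces as a terminating error from `Start-Process`.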


gsudo is a sudo for Windows that behaves like Unix sudo (elevates a command or your cmd/ps shell in your current console window). It works in PowerShell, but with limitations: The elevated memory space can't share objects with the non-elevated one, so variables can't be shared, and some kind of marshalling of objects must be done. Currently gsudo does the most naive, but at least honest, marshalling: just strings can be passed to and from. You can pass a string literal with the command that needs to be elevated to gsudo. Then gsudo returns a string that can be captured, not PowerShell objects.

# Commands without () or quotes  
PS C:\> gsudo Remove-Item ProtectedFile.txt
# or
PS C:\> gsudo 'Remove-Item ProtectedFile.txt'

# On strings enclosed in single quotation marks ('), escape " with \"
$hash = gsudo '(Get-FileHash \"C:\My Secret.txt\").Hash'
# For variable substitutions, use double-quoted strings with single-quotation marks inside
$hash = gsudo "(Get-FileHash '$file' -Algorithm $algorithm).Hash"
# or escape " with \""
$hash = gsudo "(Get-FileHash \""$file\"" -Algorithm $algorithm).Hash"

# Test gsudo success (optional):
if ($LastExitCode -eq 999 ) {
    'gsudo failed to elevate!'
} elseif ($LastExitCode) {
    'Command failed!'
} else { 'Success!' }

Or, you can just call gsudo to elevate your current shell, in PowerShell:

PS C:\> gsudo
(Accept UAC popup)
PS (ADMIN) C:\> Remove-Item ProtectedFile.txt
PS (ADMIN) C:\> exit
PS C:\>
Gerardo Grignoli answered Oct 22 '25 04:10
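
An added example, not part of the answer above and not gsudo's own code: because only strings cross the elevation boundary, the elevated side can emit JSON and the caller can rebuild objects from it, using the exit-code check the answer describes. `Invoke-GsudoJson` and `ConvertTo-PSLiteral` are hypothetical helper names; the example assumes `gsudo` is on the PATH and that the command text contains no double quotes.

```powershell
# Added example: helper names are hypothetical.

# Turn any value into a single-quoted PowerShell literal. Interpolating a raw
# value such as '$file' breaks, or runs unintended elevated code, as soon as
# the value contains a single quote; doubling the quote prevents that.
function ConvertTo-PSLiteral {
    param([Parameter(Mandatory)][string]$Value)
    "'" + $Value.Replace("'", "''") + "'"
}

function Invoke-GsudoJson {
    param(
        [Parameter(Mandatory)][string]$Command,  # PowerShell text to run elevated
        [int]$Depth = 4                          # how deep ConvertTo-Json serializes
    )
    # Serialize inside the elevated shell; only this JSON string comes back.
    $lines = gsudo "$Command | ConvertTo-Json -Compress -Depth $Depth"

    # Exit codes as described in the answer: 999 means elevation failed.
    if ($LastExitCode -eq 999) { throw 'gsudo failed to elevate.' }
    if ($LastExitCode)         { throw "Elevated command failed (exit $LastExitCode)." }

    $json = ($lines -join "`n").Trim()
    if (-not $json) { return }                   # command produced no output
    $json | ConvertFrom-Json                     # property bags, not live objects
}

# Usage with the sample path from the answer; a path containing a quote,
# e.g. C:\Bob's file.txt, is handled the same way.
$file = 'C:\My Secret.txt'
$lit  = ConvertTo-PSLiteral $file
$info = Invoke-GsudoJson "Get-FileHash -LiteralPath $lit -Algorithm SHA256 | Select-Object Algorithm, Hash, Path"
$info.Hash
```

The returned objects carry properties only; methods and live handles from the elevated process do not survive the round trip.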


