|
| 1 | +--- |
| 2 | +title: Sudo for Windows |
| 3 | +description: Learn how to use sudo in your command line to run elevated commands (as an administrator) directly from an unelevated console session on Windows. |
| 4 | +author: mattwojo |
| 5 | +ms.author: mattwoj |
| 6 | +manager: jken |
| 7 | +ms.reviewer: jordiadoumie |
| 8 | +ms.topic: article |
| 9 | +ms.date: 02/02/2024 |
| 10 | +--- |
| 11 | + |
| 12 | +# Sudo for Windows |
| 13 | + |
| 14 | +**Sudo for Windows** is a new way for users to run elevated commands (as an administrator) directly from an unelevated console session on Windows. |
| 15 | + |
| 16 | +## Prerequisites |
| 17 | + |
| 18 | +You must be running Windows 11 Insider Preview Build 26052 or higher to use the Sudo for Windows command. ([Check for Windows updates](ms-settings:windowsupdate)). [Join Windows Insider Program](https://www.microsoft.com/windowsinsider/). |
| 19 | + |
| 20 | +> [!NOTE] |
| 21 | +> Sudo for Windows is not yet available for Windows 10, but may be in the future. |
| 22 | +
|
| 23 | +## How to enable Sudo for Windows |
| 24 | + |
| 25 | +To enable Sudo for Windows, open `Settings > For Developers` and set **Enable sudo** to **On**. |
| 26 | + |
| 27 | + |
| 28 | + |
| 29 | +>[!WARNING] |
| 30 | +> Sudo for Windows can be used as a potential escalation of privilege vector when enabled in certain configurations. You should make sure to be aware of the [security considerations](#security-considerations) when enabling the sudo command on your machine. |
| 31 | +
|
| 32 | +## How to configure Sudo for Windows |
| 33 | + |
| 34 | +Sudo for Windows currently supports three different configuration options. The configuration can be set from the `Settings > For Developers` menu or programmatically, using the command line. The configuration options include: |
| 35 | + |
| 36 | +- **In a new window** (`forceNewWindow`): The `forceNewWindow` configuration option is the default configuration option for Sudo for Windows. Use `sudo` in this configuration to run the command in a new window. This is similar to the behavior of the `runas /user:admin` command. |
| 37 | + |
| 38 | +- **Input closed** (`disableInput`): The `disableInput` configuration option will run the elevated process in the current window, but with the input handle closed. This means that the elevated process will not be able to receive input from the current console window. This is useful for scenarios where you want to run a command as an administrator, but do not want to allow the command to receive input from the current console window. This configuration option provides some of the convenience of the `inline` configuration option while mitigating some of the associated [security risks](#security-considerations). |
| 39 | + |
| 40 | +- **Inline** (`normal`): The `normal` configuration option is most similar to how sudo behaves on other operating systems. This configuration will run the elevated process in the current window and the process will be able to receive input from the current console session. This is useful for scenarios where you want to run a command as an administrator and want to allow the command to receive input from the current console window. This configuration option provides the most convenience, but you should only choose this option if you are familiar with the associated [security risks](#security-considerations). |
| 41 | + |
| 42 | +You can select among these configurations from the `Settings > For Developers` menu or change the configuration programmatically, in an elevated command line (admin console), using: |
| 43 | + |
| 44 | +- `sudo config --enable <configuration_option>` |
| 45 | + |
| 46 | +Update `<configuration_option>` to either `forceNewWindow`, `disableInput`, or `normal`. |
| 47 | + |
| 48 | +## How to use Sudo for Windows |
| 49 | + |
| 50 | +To use Sudo for Windows, simply prepend `sudo` to the command you want to run as an administrator. For example, to run `netstat -ab` as an administrator, you would run `sudo netstat -ab` in your console window. |
| 51 | + |
| 52 | +Because `sudo` elevates the targeted process to run with administrator-level permission, a prompt will open asking you to verify that you want to continue. |
| 53 | + |
| 54 | +## Security Considerations |
| 55 | + |
| 56 | +There are risks associated with running sudo in the **Input closed** (`inputClosed`) or **Inline** (`normal`) configurations. It is possible for malicious processes to attempt to drive the elevated process using the connection established by the unelevated sudo.exe and the elevated sudo.exe process. |
| 57 | + |
| 58 | +The `inputClosed` configuration option mitigates risk by closing the input handle. Disconnecting the input handle from the current console window means that unelevated processes cannot send input to the elevated process. |
| 59 | + |
| 60 | +The `inline` configuration option runs the elevated process in the current window and the process is able to receive input from the current console session. An unelevated process can send input to the elevated process within the same console windows or get information from the output in the current windows in this configuration. |
| 61 | + |
| 62 | +## FAQ |
| 63 | + |
| 64 | +### How is Sudo for Windows different from the existing `runas` command? |
| 65 | + |
| 66 | + The `sudo` command offers a way to quickly elevate a command as administrator from your current unelevated command line context and is familiar to some users coming from other operating systems. The `runas` command offers a way to run programs as any user, including administrator if you so choose. At this point in time, the `sudo` command on Windows does not support running programs as other users. Other key differences between `sudo` and `runas` include: |
| 67 | + |
| 68 | +- `runas` allows you to run programs as other users, including but not limited to as administrator. This funtionality is on the roadmap for the sudo command, but does not yet exist. |
| 69 | + |
| 70 | +- `sudo` allows you to quickly elevate a process (as administrator): |
| 71 | + - You can choose to do so in a new window, which resembles the `runas` administrator flow. |
| 72 | + - You can choose to connect the elevated process to the current console window with the `disableInput` and `normal` configuration options. This is not supported with `runas`. |
| 73 | + |
| 74 | +- `runas` can prompt users for a password in the command-line. |
| 75 | + |
| 76 | +- `sudo` can only be elevated via the User Account Control (UAC) security feature designed to protect the operating system from unauthorized changes using verification prompt. |
| 77 | + |
| 78 | +You should consider your particular use-case and plan to use the command that best meets your needs. You should also consider the security implications of running sudo in the `inputClosed` and `normal` modes. The default `forceNewWindow` configuration option is recommended unless you are familiar and comfortable with the risks associated with the other `sudo` configurations. |
| 79 | + |
| 80 | +## Sudo for Windows open source repository |
| 81 | + |
| 82 | +Sudo for Windows is open source and welcomes your contributions and feedback. You can find the source code for Sudo for Windows on [GitHub](https://github.com/microsoft/sudo). |
| 83 | + |
| 84 | +## Additional functionality |
| 85 | + |
| 86 | +If you’re looking for additional functionality that Sudo for Windows does not provide, check out [Gerardo Grignoli’s gsudo](https://github.com/gerardog/gsudo) which has a number of additional features and configuration options or check out other solutions from the community. |
0 commit comments