Introducing Sudo for Windows!
Sudo for Windows is a new way for users to run elevated commands (as an administrator) directly from an unelevated console session on Windows.
Prerequisites
You must be running Windows 11 Insider Preview Build 26052 or higher to use the Sudo for Windows command. (Check for Windows updates). Join Windows Insider Program.
Sudo for Windows is not yet available for Windows 10, but may be in the future.You can also check out the Microsoft Learn docs for more information here.
How to enable Sudo for Windows
To enable Sudo for Windows, navigate to the Settings > For Developers page in Windows Settings and toggle on the “Enable Sudo” option:
You can alternatively enable Sudo for Windows by running the following command in an elevated console session:
sudo config --enable <configuration_option>
According to Microsoft, there is a great warning against using sudo as follows:
How to configure Sudo for Windows
Sudo for Windows currently supports three different configuration options. The configuration can be set from the Settings > For Developers
menu or programmatically, using the command line. The configuration options include:
In a new window (
forceNewWindow
): TheforceNewWindow
configuration option is the default configuration option for Sudo for Windows. Usesudo
in this configuration to run the command in a new window. This is similar to the behavior of therunas /user:admin
command.Input closed (
disableInput
): ThedisableInput
configuration option will run the elevated process in the current window, but with the input handle closed. This means that the elevated process will not be able to receive input from the current console window. This is useful for scenarios where you want to run a command as an administrator, but do not want to allow the command to receive input from the current console window. This configuration option provides some of the convenience of theinline
configuration option while mitigating some of the associated security risks.Inline (
normal
): Thenormal
configuration option is most similar to how sudo behaves on other operating systems. This configuration will run the elevated process in the current window and the process will be able to receive input from the current console session. This is useful for scenarios where you want to run a command as an administrator and want to allow the command to receive input from the current console window. This configuration option provides the most convenience, but you should only choose this option if you are familiar with the associated security risks.
You can select among these configurations from the Settings > For Developers
menu or change the configuration programmatically, in an elevated command line (admin console), using:
sudo config --enable <configuration_option>
Update <configuration_option>
to either forceNewWindow
, disableInput
, or normal
.
How to use Sudo for Windows
To use Sudo for Windows, simply prepend sudo
to the command you want to run as an administrator. For example, to run netstat -ab
as an administrator, you would run sudo netstat -ab
in your console window.
Because sudo
elevates the targeted process to run with administrator-level permission, a prompt will open asking you to verify that you want to continue.
Security Considerations
There are risks associated with running sudo in the Input closed (inputClosed
) or Inline (normal
) configurations. It is possible for malicious processes to attempt to drive the elevated process using the connection established by the unelevated sudo.exe and the elevated sudo.exe process.
The inputClosed
configuration option mitigates risk by closing the input handle. Disconnecting the input handle from the current console window means that unelevated processes cannot send input to the elevated process.
The inline
configuration option runs the elevated process in the current window and the process is able to receive input from the current console session. An unelevated process can send input to the elevated process within the same console windows or get information from the output in the current windows in this configuration.
How is Sudo for Windows different from the existing runas
command?
The sudo
command offers a way to quickly elevate a command as administrator from your current unelevated command line context and is familiar to some users coming from other operating systems. The runas
command offers a way to run programs as any user, including administrator if you so choose. At this point in time, the sudo
command on Windows does not support running programs as other users. Other key differences between sudo
and runas
include:
runas
allows you to run programs as other users, including but not limited to as administrator. This funtionality is on the roadmap for the sudo command, but does not yet exist.sudo
allows you to quickly elevate a process (as administrator):You can choose to do so in a new window, which resembles the
runas
administrator flow.You can choose to connect the elevated process to the current console window with the
disableInput
andnormal
configuration options. This is not supported withrunas
.
runas
can prompt users for a password in the command-line.sudo
can only be elevated via the User Account Control (UAC) security feature designed to protect the operating system from unauthorized changes using verification prompt.
You should consider your particular use-case and plan to use the command that best meets your needs. You should also consider the security implications of running sudo in the inputClosed
and normal
modes. The default forceNewWindow
configuration option is recommended unless you are familiar and comfortable with the risks associated with the other sudo
configurations.
If you’re looking for additional functionality that Sudo for Windows does not provide, check out Gerardo Grignoli’s gsudo which has several additional features and configuration options.
Subscribe to my newsletter
Read articles from EriTech directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by
EriTech
EriTech
I am not good at selling myself but I am a developer and currently working in security research.