How to Schedule a Task to Run with Highest Privileges in a Batch Script
When an administrator runs a script that performs a system-level action (like modifying the registry in HKLM or changing a service), they are often met with a UAC (User Account Control) prompt asking for confirmation. A scheduled task running under that same administrator account will fail when it attempts such an action, because there is no user present to click "Yes" on the prompt.
To solve this, the Windows Task Scheduler has a crucial option: "Run with highest privileges." This tells Windows to run the task with the user's full, elevated administrator token, effectively bypassing the UAC prompt. This guide will teach you how to set this vital option from a batch script using the schtasks.exe command.
CRITICAL NOTE: Creating and modifying scheduled tasks, especially those that require high privileges, is an administrative operation. You must run your script with full administrator privileges.
The Core Problem: UAC and Non-Interactive Scripts
User Account Control (UAC) is a security feature that runs applications with standard user rights by default, even if you are logged in as an administrator. To perform an administrative action, the process must be "elevated." Interactively, this is the prompt you see asking for permission.
A scheduled task running as an administrator does not automatically elevate. If it encounters a command that requires elevation, it will fail with an "Access is denied" error. The "Run with highest privileges" option is the solution.
The Core Command: schtasks /CREATE with /RL HIGHEST
The schtasks.exe utility allows you to set the run level of a task directly from the command line using the /RL switch.
Syntax: schtasks /CREATE ... /RU "UserName" /RL HIGHEST
- /RL <Level>: The Run Level for the task.
- HIGHEST: This is the specific level that grants the task the full administrator token, equivalent to a user right-clicking an application and selecting "Run as administrator."
Basic Example: Creating an Elevated Task
This script creates a task that runs a registry cleanup script. Since modifying HKEY_LOCAL_MACHINE requires elevation, the /RL HIGHEST flag is essential.
@ECHO OFF
REM This script MUST be run as an Administrator.
SET "TaskName=\System\RegistryCleanup"
SET "TaskCommand=C:\Scripts\CleanReg.bat"
SET "RunAsUser=MY-PC\AdminUser"
ECHO --- Creating an Elevated Scheduled Task ---
ECHO.
REM "UserPassword" is a placeholder. A password written here sits in clear text
REM in the script; use /RP * to have schtasks prompt for it instead.
schtasks /CREATE /TN "%TaskName%" /TR "%TaskCommand%" /SC WEEKLY /D MON /ST 01:00 ^
    /RU "%RunAsUser%" /RP "UserPassword" /RL HIGHEST /F
IF %ERRORLEVEL% EQU 0 (
    ECHO [SUCCESS] Task created successfully with highest privileges.
) ELSE (
    ECHO [FAILURE] An error occurred. Check permissions and if the user is an admin.
)
- /RU "AdminUser": Specifies that the task should run as this user.
- /RL HIGHEST: Ensures that when the task runs, it does so with AdminUser's full elevated rights.
Key schtasks Parameters Explained
- /CREATE: The action to create a new task.
- /TN <TaskName>: The full path and name for the new task.
- /TR <TaskRun>: The command or script to execute.
- /RU <UserName>: Run as User. The user account the task will run under.
- /RP <Password>: Run as Password. The password for the user specified in /RU.
- /RL <Level>: (Required for this task) The Run Level. The options are LIMITED (default) and HIGHEST.
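The check below is an added example, not part of the original guide. It reads back the task from the basic example, confirms the stored run level, and inspects the ACL of the script the task launches, because an elevated task inherits the trust of whoever can edit that file. It assumes the sample task name \System\RegistryCleanup and English group names in icacls output.

```batch
@ECHO OFF
SETLOCAL
REM Added example, not from the original guide. TaskName is the sample task
REM from the basic example; point it at your own task.
SET "TaskName=\System\RegistryCleanup"
SET "Xml=%TEMP%\taskcheck_%RANDOM%.xml"
SET "Target="

REM Export the stored task definition as XML.
schtasks /QUERY /TN "%TaskName%" /XML > "%Xml%" 2>NUL
IF ERRORLEVEL 1 (
    ECHO [FAILURE] Cannot read task "%TaskName%".
    DEL "%Xml%" 2>NUL
    EXIT /B 1
)

REM 1. /RL HIGHEST is stored as RunLevel HighestAvailable in the task XML.
REM    A task created with /RU SYSTEM may not show it and does not need it.
findstr /C:"<RunLevel>HighestAvailable</RunLevel>" "%Xml%" >NUL
IF ERRORLEVEL 1 (
    ECHO [WARN] Run level is not HIGHEST.
) ELSE (
    ECHO [OK] Run level is HIGHEST.
)

REM 2. Take the program the task launches from the first Command element.
REM    Assumes the indented layout schtasks emits: "  <Command>path</Command>".
FOR /F "tokens=3 delims=<>" %%C IN ('findstr /C:"<Command>" "%Xml%"') DO (
    IF NOT DEFINED Target SET "Target=%%C"
)
DEL "%Xml%" 2>NUL
IF NOT DEFINED Target ECHO [WARN] No Command element found. & EXIT /B 1
IF NOT EXIST "%Target%" ECHO [WARN] Target file is missing: %Target% & EXIT /B 1
ECHO [INFO] Task runs: %Target%

REM 3. An elevated task is only as safe as the file it runs. Flag ACL entries
REM    that give Users, Authenticated Users or Everyone Full, Modify or Write.
REM    Assumes English group names; detailed rights such as (WD) are not matched.
icacls "%Target%" | findstr /I /R /C:"Users:.*[(,][FMW][,)]" /C:"Everyone:.*[(,][FMW][,)]" >NUL
IF ERRORLEVEL 1 (
    ECHO [OK] No Full/Modify/Write entry for non-admin groups on the target.
    EXIT /B 0
)
ECHO [WARN] A non-admin group can modify the target. Tighten its ACL.
EXIT /B 2
```

Run it after creating the task; exit code 2 means the target's ACL should be restricted to administrators before the task is left in place.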
Common Pitfalls and How to Solve Them
The User Account Must Be an Administrator
This is the most critical point of confusion. The /RL HIGHEST switch does not grant administrator rights to a standard user. It only works if the user account specified in /RU is already a member of the local Administrators group. If you try to use it with a standard user, the task will be created, but it will fail to run with an error.
Solution: Always ensure the user account you are assigning the task to is a local or domain administrator.
Redundancy with the SYSTEM Account
If you create a task to run as the built-in SYSTEM account (/RU SYSTEM), the /RL HIGHEST switch is unnecessary. The SYSTEM account is the most powerful local account and already operates with the highest possible privileges.
REM /RL HIGHEST is not needed here because /RU SYSTEM is already the highest privilege.
schtasks /CREATE /TN "\System\MyTask" /TR "C:\Scripts\MyScript.bat" /SC DAILY /RU SYSTEM
Practical Example: A Self-Elevating "Wrapper" Script
This is an advanced but powerful pattern. It allows a user to run a script that needs admin rights without having to right-click and "Run as administrator". The script checks its own permissions, and if it's not elevated, it creates and immediately runs a high-privilege scheduled task that calls itself.
@ECHO OFF
CLS
SET "TaskName=ElevateMyScript"
REM --- Check for Administrator Privileges ---
net session >nul 2>nul
IF %ERRORLEVEL% EQU 0 GOTO :AdminCode
REM --- Guard: the relaunched copy must not create another task ---
IF "%~1"=="am_admin" (
    ECHO [FAILURE] Relaunched copy is still not elevated. Stopping.
    EXIT /B 1
)
REM --- If not admin, create and run a temporary scheduled task ---
ECHO [INFO] Not running as Admin. Creating a temporary elevated task...
schtasks /CREATE /TN "%TaskName%" /TR "'%~f0' am_admin" /SC ONCE /ST 00:00 /RU "%USERNAME%" /RL HIGHEST /F > NUL
REM --- Stop here if the task could not be created ---
IF ERRORLEVEL 1 (
    ECHO [FAILURE] Could not create the elevated task.
    EXIT /B 1
)
schtasks /RUN /TN "%TaskName%" > NUL
schtasks /DELETE /TN "%TaskName%" /F > NUL
EXIT /B
:AdminCode
REM This part of the script only runs when it's elevated.
IF "%1"=="am_admin" SHIFT
ECHO [SUCCESS] Now running with full administrator privileges!
ECHO.
REM --- Your Admin Commands Go Here ---
ECHO Performing an administrative action...
REG QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v SystemRoot
ECHO.
PAUSE
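This script cleverly uses the Task Scheduler as a UAC bypass mechanism for itself. The user will see a UAC prompt only the first time the task is run. Creating the task is itself an administrative operation, as noted at the start of this guide, so check the result of schtasks /CREATE rather than assuming the elevated copy has started.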
Conclusion
The /RL HIGHEST switch is an essential parameter for any scheduled task that needs to perform true administrative actions in a non-interactive session.
- The core command is schtasks /CREATE ... /RL HIGHEST.
- This is the correct way to ensure your task can bypass UAC prompts.
- The user account specified with /RU must be a member of the Administrators group for this to work.
- The script that creates the task in the first place must also be run as an Administrator.