How to Set the "Run As Administrator" Flag on a Shortcut in Batch Script
Many system utilities and administrative scripts require elevated privileges to function correctly. When deploying tools to users or setting up a workstation, creating a shortcut that automatically prompts for User Account Control (UAC) elevation is highly desirable. In this guide, we will explore how to programmatically set the "Run as administrator" flag on a Windows .lnk (shortcut) file using Batch Script.
This is a critical technique for developers and system administrators who want to ensure their tools execute with the necessary permissions without requiring users to manually right-click and select "Run as administrator."
Why the "Run as Administrator" Flag is Special
Unlike shortcut properties such as TargetPath, Arguments, or IconLocation, the "Run as administrator" flag is not exposed through the standard WScript.Shell COM object in VBScript or PowerShell. You cannot simply do sc.RunAsAdmin = True.
Instead, this flag is stored in the byte data (specifically, the header) of the .lnk file itself. To set it, we must physically modify the binary structure of the compiled shortcut file.
Inside the .lnk File Format
According to the Microsoft Shell Link (.LNK) Binary File Format specification, the flag that controls "Run as administrator" is located in the LinkFlags section. Specifically, the byte at offset 0x15 (decimal 21) in the file header contains this information. Setting bit 5 of this byte (value 0x20) tells Windows to trigger UAC when the shortcut is launched.
Method 1: Using PowerShell to Modify Bytes (Recommended)
Since manipulating binary data directly in Batch is complex and error-prone, the most robust modern approach is to have the Batch script call PowerShell to read, modify, and rewrite the specific byte in the .lnk file.
Step 1: Create the Standard Shortcut
First, we create a normal shortcut using the standard VBScript method.
@echo off
setlocal
set "shortcut=%USERPROFILE%\Desktop\Admin CMD.lnk"
set "target=C:\Windows\System32\cmd.exe"
:: Create the basic shortcut
(
echo Set ws = CreateObject("WScript.Shell")
echo Set sc = ws.CreateShortcut("%shortcut%")
echo sc.TargetPath = "%target%"
echo sc.Save
) > "%temp%\mksc.vbs"
cscript /nologo "%temp%\mksc.vbs"
del "%temp%\mksc.vbs"
echo [OK] Base shortcut created.
Step 2: Set the Admin Flag
Now, we use PowerShell to modify the 0x15 byte of the generated .lnk file.
:: Modify byte at offset 21 (0x15) to set the RunAsAdmin flag
powershell -command ^
"$bytes = [System.IO.File]::ReadAllBytes('%shortcut%');" ^
"$bytes[0x15] = $bytes[0x15] -bor 0x20;" ^
"[System.IO.File]::WriteAllBytes('%shortcut%', $bytes)"
echo [OK] "Run as administrator" flag set successfully.
pause
Analyzing the PowerShell Logic
ReadAllBytes: Reads the entire shortcut into a byte array.$bytes[0x15]: Accesses the specific byte controlling LinkFlags (hex offset 0x15).-bor 0x20: Applies a Bitwise OR operation with hex20(binary00100000). This ensures the "RunAsUser" flag is set without altering other existing flags in that byte.WriteAllBytes: Saves the modified byte array back to the file.
This byte modification method is highly reliable and is the standard workaround used by enterprise deployment engineers when native COM objects fall short.
Method 2: The NirCmd Tool Alternative
If you operate in an environment where PowerShell is restricted, relying on a third-party command-line utility is the next best option. NirCmd is a popular, lightweight system utility that can create advanced shortcuts.
If nircmd.exe is available in your PATH:
@echo off
set "shortcut=%USERPROFILE%\Desktop\Elevated Config.lnk"
set "target=C:\Tools\ConfigTool.exe"
:: create shortcut with 'runas' verb
nircmd.exe shortcut "%target%" "~$folder.desktop$" "Elevated Config" "" "" "" "runas"
echo [OK] Administrator shortcut created using NirCmd.
pause
The "runas" parameter natively sets the required elevation flag. While requiring an external tool is a drawback, NirCmd simplifies the process considerably if you already use it in your deployments.
Common Mistakes
The Wrong Way: Using runas in the Batch Script Directly
:: WRONG - this creates a generic shortcut that prompts for credentials in CMD
echo sc.TargetPath = "runas.exe"
echo sc.Arguments = "/user:Administrator C:\Tools\tool.exe"
Output Concern:
This creates a shortcut to the runas command-line utility, which opens a console window and asks the user to type the Administrator password. It does not trigger the standard Windows UAC prompt icon or behavior, leading to a confusing user experience.
The Correct Way: Modifying the Link Header
Use the PowerShell byte-modification technique shown in Method 1. This ensures the shortcut bears the UAC shield overlay icon and behaves exactly as if the user right-clicked and selected "Properties > Advanced > Run as administrator."
Complete Admin Shortcut Generator Script
The following script combines the creation and byte-level modification into a single, interactive tool.
@echo off
title Admin Shortcut Generator
setlocal enabledelayedexpansion
:menu
cls
color 0F
echo =============================================
echo ADMIN SHORTCUT GENERATOR
echo =============================================
echo.
set /p "sc_name=Shortcut Name (e.g. My Tool): "
set /p "sc_target=Target Executable Path: "
if not exist "!sc_target!" (
echo [WARNING] Target file does not exist. Shortcut will be dead.
)
set "sc_path=%USERPROFILE%\Desktop\!sc_name!.lnk"
:: Step 1: Create standard shortcut via VBScript
(
echo Set ws = CreateObject("WScript.Shell")
echo Set sc = ws.CreateShortcut("!sc_path!")
echo sc.TargetPath = "!sc_target!"
echo sc.Save
) > "%temp%\mksc_admin.vbs"
cscript /nologo "%temp%\mksc_admin.vbs" >nul 2>&1
del "%temp%\mksc_admin.vbs"
if not exist "!sc_path!" (
color 0C
echo [ERROR] Failed to create basic shortcut. Check permissions.
pause
goto menu
)
:: Step 2: Inject Admin Flag via PowerShell
powershell -noprofile -command ^
"$bytes = [System.IO.File]::ReadAllBytes('!sc_path!');" ^
"$bytes[21] = $bytes[21] -bor 0x20;" ^
"[System.IO.File]::WriteAllBytes('!sc_path!', $bytes)"
if !errorlevel!==0 (
color 0A
echo.
echo [SUCCESS] Shortcut created on Desktop with Admin flag set.
echo Make sure to respond to the UAC prompt when launching.
) else (
color 0C
echo.
echo [ERROR] PowerShell failed to modify the shortcut binary.
)
echo.
pause
color 0F
goto menu
Creating Complex Admin Shortcuts
You can easily adapt this logic to handle arguments or working directories. Simply add those properties during the VBScript creation phase, and apply the PowerShell byte patch afterward.
:: Create shortcut with arguments AND Admin flag
(
echo Set ws = CreateObject("WScript.Shell")
echo Set sc = ws.CreateShortcut("%sc_path%")
echo sc.TargetPath = "%sc_target%"
echo sc.Arguments = "--force-update"
echo sc.WorkingDirectory = "C:\Application"
echo sc.Save
) > "%temp%\mk_args.vbs"
cscript /nologo "%temp%\mk_args.vbs"
del "%temp%\mk_args.vbs"
:: Apply byte patch
powershell -command "$b = [IO.File]::ReadAllBytes('%sc_path%'); $b[0x15] = $b[0x15] -bor 0x20; [IO.File]::WriteAllBytes('%sc_path%', $b)"
Best Practices
- Always create the base shortcut first: You must guarantee the
.lnkfile exists on disk before attempting to read/write its bytes. - Use Bitwise OR (
-bor 0x20): Never hardcode the byte to0x20. A shortcut might have other flags set in that byte (likeHasArgumentsorHasIconLocation). Bitwise OR safely merges the Admin flag with existing flags. - Expect the UAC Shield: When done correctly, Windows automatically adds the yellow/blue UAC shield overlay icon to the shortcut. This provides immediate visual confirmation to the user.
- Target path validation: While not strictly necessary, verifying the target
.exeexists prevents deploying broken shortcuts to user desktops.
Conclusion
Setting the "Run as administrator" flag on a shortcut via Batch Script requires venturing beyond standard COM objects and directly manipulating the .lnk file's binary header. By leveraging PowerShell's byte array capabilities within a Batch wrapper, we can achieve this reliably. This technique is indispensable for packaging administrative scripts and legacy applications that mandate elevated permissions from the moment they are launched.