https://devblogs.microsoft.com/commandline/introducing-sudo-for-windows/

Windows Command Line

Introducing Sudo for Windows!

Jordi Adoumie
February 7th, 2024

Introducing Sudo for Windows

We're excited to announce the release of Sudo for Windows in Windows 11 Insider Preview Build 26052! Sudo for Windows is a new way for users to run elevated commands directly from an unelevated console session. It is an ergonomic and familiar solution for users who want to elevate a command without having to first open a new elevated console.

We are also excited to announce that we are open-sourcing this project here on GitHub! We're working hard to add more information about the project in the GitHub repo and will be sharing more details about our plans in the coming months!
If you're looking for additional functionality that Sudo for Windows does not provide, check out Gerardo Grignoli's gsudo, which has a number of additional features and configuration options. You can also check out the Microsoft Learn docs for more information here.

How to enable Sudo for Windows

To enable Sudo for Windows, navigate to the Settings > For Developers page in Windows Settings and toggle on the "Enable Sudo" option:

[Image: For Developer Settings]

You can alternatively enable Sudo for Windows by running the following command in an elevated console session:

    sudo config --enable <configuration_option>

[Image: sudo configuration]

How to configure Sudo for Windows

Sudo for Windows currently supports three different configuration options:

1. In a new window (forceNewWindow)
2. Input closed (disableInput)
3. Inline (normal)

To change the configuration option, use the drop-down menu in the Settings > For Developers page in Windows Settings:

[Image: For Developers - Sudo Configurations]

You can alternatively change the configuration option by running the following command in an elevated console session, where <configuration_option> is one of the names shown in parentheses above:

    sudo config --enable <configuration_option>

Configuration Option 1: In a New Window

In this configuration, Sudo for Windows will open a new elevated console window and run the command in that window. This is the default configuration option when sudo is enabled. For example, if you run:

    sudo netstat -ab

A new window will open and the command will be run in that window:

[Image: sudo netstat -ab]

Configuration Option 2: Input Closed

In this configuration, Sudo for Windows will run the elevated process in the current window, but the new process will be spawned with its stdin closed. This means that the new process will not accept any user input, so this configuration will not work for processes that require further user input after elevation.

Configuration Option 3: Inline

This configuration is most similar to the behavior of sudo on other operating systems.
In this configuration, Sudo for Windows will run the elevated process with its stdin, stdout, and stderr all connected to the current window. This means the new elevated process can take in input and route output to the current window.

How does it work?

When elevating a process from the command-line with sudo, a UAC dialog will appear asking the user to confirm the elevation:

[Image: UAC Dialog]

Once the user confirms the elevation, the process will be elevated based on the configuration option selected by the user. You can check out the optional parameters for the sudo command by running sudo -h in your console.

In a New Window

In this configuration, sudo.exe will launch a new elevated console window and run the command in that window. The new window will be launched with the same working directory as the current window. The new window will also be launched with the same environment variables as the current window. This configuration has a similar flow to the runas command.

Input Closed and Inline

In these configurations, sudo.exe will launch a new elevated process, an elevated sudo.exe process, and the original unelevated sudo.exe will establish an RPC connection with the new elevated process. In other words, information is passed from the unelevated sudo instance to the elevated one. Specifically, the console handles from the unelevated process are passed to the elevated process, which allows the elevated process to read input from the unelevated process and write output to the unelevated process. However, when sudo is configured in the "Input Closed" configuration, the elevated process will essentially not be passed the console's input handle, so it will not be able to read input from the user.

Here is a diagram of how the process hierarchy looks:

[Image: sudo diagram]

It is important when running sudo in the "Inline" or "Input Closed" configurations to be aware of the security implications. It is possible that a medium integrity process can drive the elevated process.
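
An added example, not code from the post or from the sudo project: a Python model of the stdin wiring that separates the Inline (normal) and Input Closed (disableInput) configurations described above. It performs no elevation and does not use sudo's RPC; the child program, CALLER_INPUT and both function names are assumptions made for the illustration, and os.devnull stands in for the closed input handle.

```python
import subprocess
import sys

# Stand-in for an elevated interactive tool: it acts on the first line it reads
# from stdin. Constructed for this example; no real elevation takes place.
CHILD_SOURCE = """
import sys
line = sys.stdin.readline()
print("acted on: " + line.strip() if line else "no input available")
"""

# Constructed text that the unelevated caller feeds into the shared input handle.
CALLER_INPUT = "line-typed-by-caller\n"


def run_child(mode: str) -> str:
    """Start the child with stdin wired as the named mode describes; return its output."""
    if mode == "normal":
        # Inline: the child reads from an input handle the caller also controls.
        stdin_args = {"input": CALLER_INPUT}
    elif mode == "disableInput":
        # Input closed: the child is given no readable input (os.devnull here).
        stdin_args = {"stdin": subprocess.DEVNULL}
    else:
        raise ValueError(f"mode not modelled: {mode}")
    result = subprocess.run(
        [sys.executable, "-c", CHILD_SOURCE],
        capture_output=True, text=True, timeout=30, check=True, **stdin_args,
    )
    return result.stdout.strip()


def caller_can_drive(mode: str) -> bool:
    """True if text supplied by the caller reached the child in this mode."""
    return CALLER_INPUT.strip() in run_child(mode)


if __name__ == "__main__":
    for mode in ("normal", "disableInput"):
        print(f"{mode:13} -> {run_child(mode)!r} "
              f"(caller can drive: {caller_can_drive(mode)})")
```

In both modes the child's output still returns to the caller; only the input path differs, which is the property the "Input Closed" configuration relies on.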
This risk is mitigated in the "Input Closed" configuration because the elevated process will not be able to read input from the user. Over the coming months we will be working on expanding documentation for Sudo for Windows and will be sharing more details about the security implications of running sudo in the "Inline" configuration.

What's next?

Our team is working on open-sourcing Sudo for Windows and we're excited to share more details about our plans in the coming months. In the meantime, we'd love to hear your feedback! Please share your feedback directly in the GitHub repository.

Jordi Adoumie
Product Manager, Windows Developer Platform

18 comments

* Dylan Taylor, February 8, 2024 10:44 am
  I love it but new window over inline by default feels like a really bad choice. It's unfamiliar to users on other platforms, which this is copying. I suggest changing that.

  + Lachlan Picking, February 9, 2024 1:56 am
    New window is preferable (especially over inline) as a default for security reasons.
    If a user understands the implications of using inline or input closed then giving them the option to do so is reasonable I suppose, but making them the default is just unnecessary and asking for trouble.

* Paulo Pinto, February 8, 2024 11:16 am
  I would have expected an explanation why the engineering effort to create sudo for Windows, when we already have runas for years.

  + Jordi Adoumie (Microsoft employee), February 8, 2024 12:06 pm
    Thanks for the feedback. Check out https://learn.microsoft.com/en-us/windows/sudo/#how-is-sudo-for-windows-different-from-the-existing-runas-command in the docs!

    o Ioan N, February 9, 2024 4:08 am
      Instructions unclear, accidentally deleted /etc/sudoers from Windows.

  + Edwin Martinez II, February 9, 2024 5:32 am
    +1!!!

* Kevin Lausen, February 8, 2024 5:37 pm
  Does this have logging capabilities yet? Will this eventually have scriptable rules... Ie... This command -> Do it this way for safety... Other command (only this group of users) -> allowed to do this way for convenience... Will there ever be a workaround to use a password, instead of the annoying UAC? Will this eventually have sudo insults? I may jest a touch on the last one, but Windows Tested by a Company, on a powerful machine; can be a great Linux User experience. I never thought I would feel this way, but I just found out how to enable systemd recently, and windows is finally good if you pay enough. Thanks for all the hard work Dev teams!

* Ralf Ronneburger, February 8, 2024 11:27 pm
  You wrote that "When elevating a process from the command-line with sudo, a UAC dialog will appear asking the user to confirm the elevation" and in the window it shows that the run program is a Microsoft Program. How does this protect from things like "sudo cmd /c myrootkit.exe" (which could be the elevation asked for inside an evil installer)?

  + Lachlan Picking, February 9, 2024 2:20 am
    Realistically, I don't think it does at this point. If you click Show more details on the consent dialogue, you'll see the full command line, but I'm very skeptical that users will consistently do that, especially when the prompt is saying things like "Verified Publisher: Microsoft Corporation". I don't think the consent dialogue is really doing its job here and needs a bit more work before this leaves preview.

    [DEL:Actually, for the default New Window configuration, I'm a little curious why they're not just using ShellExecute and letting the normal elevation process do its thing which would presumably solve the misleading consent dialogue (at least in that case). I imagine it's because they want to pass on the working directory and environment variables... I'm not sure how I feel about that. The convenience aspect is obvious, I guess, but my understanding is that the AppInfo service specifically avoids doing that for good reasons. Hmm.:DEL]

    EDIT: Nevermind, I started watching the video and it seems like they do actually ShellExecute (or something similar) for the New Window configuration. Apparently they still change the environment variables though? That is curious.

* Edwin Martinez II, February 9, 2024 5:20 am
  Linux much???
  What was wrong with just the basic UAC interaction demanding that a user approve elevated privileges with a local admin password? I fear that you have taken a step in the direction towards unnecessarily complicating such a simple concept as command line "sudo" with the perception that you have somehow made the life of admins and developers "easier" while still being secure. At least, take the sensible route and eliminate the UAC interaction in favor of something like mandatory membership in a designated security group before allowing a user to just invoke "sudo" as a CLI command without ALL of the silly back and forth between different windows and the like. If you want to be like Linux, then be like Linux.

  + Edwin Martinez II, February 9, 2024 5:22 am
    And make sure you enable detailed logging of the full command line and arguments when a user invokes your version of "sudo".

  + Michael Taylor, February 9, 2024 7:17 am
    > At least, take the sensible route and eliminate the UAC interaction in favor of something like mandatory membership in a designated security group before allowing a user to just invoke "sudo" as a CLI command without ALL of the silly back and forth between different windows and the like.

    We have that, it's called the Administrators group. Auto-allowing someone to do something because they are a member of some group is a security hole and easily hacked. That's the whole point of UAC. If you allow unrestrained access by users in certain groups then you have not yet been a victim of an inside hack. You are fortunate.

    Honestly I think this entire tool is a useless security risk. If you cannot run an elevated terminal, or know how to do it using runas, then maybe you shouldn't have that kind of access. Making it easier to run as admin makes it easier to hack your system.
    I would never install this tool and I would go so far as to say we would have a company block on any team member installing it.

* Matrix Tools, LLC, February 9, 2024 6:44 am
  Can you share your console setup?! I love the colors and the basketball "prompt" !!! how did you pull that off!?

  + Jordi Adoumie (Microsoft employee), February 9, 2024 8:51 am
    Absolutely! I actually have covered the setup in various depths and forms so I'll start there, but feel free to reach out if you have any issues or any more questions.

    Make Windows Terminal Look AWESOME in Just 5 Minutes: https://www.youtube.com/watch?v=yxzYixOmPHg&t=140s
    Video where I actually code up the NBA segment for Oh my Posh from scratch: https://www.youtube.com/watch?v=NR7i0SKFbtI&t=589s
    Blog post about how to set up: https://joadoumie.github.io/jordi-rants/2023/10/24/oh-my-posh-nba-segment.html
    GitHub Gist of my profile (.json file that describes the structure of the oh my posh segments): https://gist.github.com/joadoumie/5353b15418e98c7c678e0e6cbde1d6f7

* Dustin Briles, February 9, 2024 6:45 am
  Copying my comment on the YouTube video: The Windows and *nix sudo commands are different enough that they should have different names. Copying the name didn't work out so well when "curl" was made an alias for "Invoke-WebRequest". I also don't see many people complaining about e.g. ifconfig vs ipconfig. If sudo on Windows supports the exact same syntax, flags, options, etc as sudo on *nix, I could see the case for keeping the names the same since the user-facing functionality would be very similar. But even then, just the UAC prompt alone makes it different enough that I'd call it something else.
  My natural inclination is that two tools with the same name should do the same thing, and this is not true of sudo on Windows. All that being said, I LOVE this idea of making something better than "runas". Good job!

  + Jordi Adoumie (Microsoft employee), February 9, 2024 8:47 am
    I hear you! We thought about some of the options you're calling out here. A lot of customers voiced having the muscle memory of doing similar flows on various operating systems was more important to them and that's where we landed. I totally understand your perspective and I do really appreciate the feedback. I'm always trying to learn from people like you so I can help to build things that will make your life better.

    o Pavel Lyalyakin, February 9, 2024 10:28 am
      Muscle memory? Please rename cmd.exe into bash in one of the next Windows updates then. And I think that renaming notepad.exe into nano is also a good idea following your excellent logic. And in the end just rename Windows into WinBSD.

* Pavel Lyalyakin, February 9, 2024 10:21 am
  It's a bad idea to name the new command "sudo". Does it share code with the original sudo utility? If not then call it something else.