Is there any way we can add a certificate using cmd/shell/bat silently, without administrator rights, in Windows 10?
I have a command which silently adds a cert in "Trusted Publisher":
    certutil -addstore "TrustedPublisher" my_certificate.cer
But this command needs an administrator command prompt to run.
According to the comments below the question, this batch should answer your needs:
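    @echo off
    setlocal EnableExtensions EnableDelayedExpansion
    REM Check admin mode, auto-elevate if required.
    REM openfiles returns a non-zero exit code when the process is not elevated.
    openfiles > NUL 2>&1 || (
        REM Not elevated. Write a one-line VBS that relaunches this batch with the runas verb.
        echo createObject^("Shell.Application"^).shellExecute "%~dpnx0", "%*", "", "runas">"%TEMP%\%~n0.vbs"
        cscript /nologo "%TEMP%\%~n0.vbs"
        goto :eof
    )
    REM Elevated from here on: remove the temporary VBS helper (no /s, only this one file).
    del /q "%TEMP%\%~n0.vbs" > NUL 2>&1
    REM Can't be here without elevation.
    REM An elevated process starts in the System32 folder, so switch back to the folder
    REM of this batch (assumes my_certificate.cer sits next to it).
    cd /d "%~dp0"
    certutil -addstore "TrustedPublisher" my_certificate.cer
    goto :eof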
The batch will ask for elevation automatically and then execute your command, in an elevated cmd, and terminate.
openfiles is a standard program shipped with Windows 10 (for Windows 7, for example, I used to do that with fsutil instead).
This program has a particularity: it requires elevation, does nothing harmful with no parameter, and returns a suitable error code without elevation.
So, when you launch it without elevation, it prints an error message and returns 1.
With elevation, it prints things and returns 0.
Because we don't care about what it displays, both its stdout and stderr are sent to NUL.
So, when we're NOT elevated, the || operator will execute the code within parentheses. Otherwise, it skips it and goes to the del line just after - this line is designed to clean the temporary file used for elevation, I'll explain it below.
So, we're not elevated. The purpose is to create a very tiny VBS script, within the %TEMP% folder. In order to not mess with multiple batches launched simultaneously, we name this temporary file following the current batch filename (that's the "%TEMP%\%~n0.vbs" part).
The VBS contains a single command: it will call "ShellExecute" on the batch file itself (NOT the VBS), with all seen parameters (they're expanded when creating the VBS file, they're not passed to VBS then to BAT again) using the runas keyword - and here is the magic.
This keyword does this (see Microsoft documentation):
    runas: Launches an application as Administrator. User Account Control (UAC) will prompt the user for consent to run the application elevated or enter the credentials of an administrator account used to run the application.
Unfortunately, we can't call this function directly from a batch (at least not without some ugly tricks), but it's very easy and understandable to do so from a VBS. And VBS is standard on Windows, too.
So, we now launch the VBS, and we terminate the non-elevated batch with goto :eof. The VBS starts, and relaunches the batch, but with elevation (and a UAC prompt). The batch starts again, has all its previous command line parameters, and will detect that it's already elevated.
We just need now to clean the temporary VBS file with the del command, and we can continue our batch being sure that we are in an elevated process.
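
An added example, not part of the answer above and not its author's code: a PowerShell variant of the same elevate-then-install flow that leaves the store untouched unless the certificate matches a fingerprint obtained out of band. The file location next to the script and the $ExpectedSha256 placeholder are assumptions.

```powershell
# Added example, not the answer's code. Assumptions: my_certificate.cer sits next to
# this script, and $ExpectedSha256 was obtained from the publisher out of band.
$ErrorActionPreference = 'Stop'
$ExpectedSha256 = '<EXPECTED-SHA256-FINGERPRINT>'   # placeholder, fill in before use
$CertPath = Join-Path $PSScriptRoot 'my_certificate.cer'

function Test-Elevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-Sha256Fingerprint($Certificate) {
    # Hash the DER bytes of the parsed certificate, so a PEM or DER file gives the same value.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try     { ($sha.ComputeHash($Certificate.RawData) | ForEach-Object { $_.ToString('X2') }) -join '' }
    finally { $sha.Dispose() }
}

if (-not (Test-Elevated)) {
    # Same idea as the VBS helper: relaunch this script with the "runas" verb (UAC prompt).
    Start-Process -FilePath 'powershell.exe' -Verb RunAs `
        -ArgumentList "-NoProfile -File `"$PSCommandPath`""
    exit
}

# Parse the file once; the object that is checked is the object that is added.
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
$actual = Get-Sha256Fingerprint $cert
if ($actual -ne ($ExpectedSha256 -replace '[:\s]', '')) {
    throw "Fingerprint mismatch for $CertPath (got $actual). Store not modified."
}

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPublisher', 'LocalMachine')
$store.Open('ReadWrite')
try {
    $store.Add($cert)
    # Read back from the store to confirm the entry is present.
    $found = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false)
    if ($found.Count -eq 0) { throw "Certificate $($cert.Thumbprint) not found after Add." }
} finally { $store.Close() }
Write-Output "Added $($cert.Subject) [$($cert.Thumbprint)] to LocalMachine\TrustedPublisher"
```

Because the elevated step trusts whatever file it finds under that name, pinning the fingerprint keeps a swapped .cer in a user-writable folder from being added to the machine store.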