Windows is getting its own version of the popular Linux sudo tool. Sudo for Windows is a new way for users to run elevated commands - as an administrator - directly from an unelevated console session on Windows, Microsoft said.
Sudo (‘su do’ or ‘superuser do’ depending on your point of view) is a tool that allows a system administrator to give users the ability to run commands as root or as another user, on a per-command basis. It’s a well-known and handy feature for Linux users but hasn’t been a part of Windows until now.
“Windows now has a built-in Sudo command. So you can run elevated tools directly from Terminal, without having to right-click and select ‘run as admin’ and start a new session. With this you can do file operations like deleting a protected file, invoking elevated commands, or opening up a new command shell,” Microsoft partner development manager Cory Hendrixson explained.
The new feature – for Windows at least – is coming with the Windows 11 Insider Preview Build 26052. Sudo for Windows isn’t available for Windows 10, but may be in the future, Microsoft said.
“It is an ergonomic and familiar solution for users who want to elevate a command without having to first open a new elevated console,” said Windows Developer Platform product manager Jordi Adoumie.
Adoumie also said Microsoft is going to open source the project on GitHub, and suggested anyone looking for extra functionality beyond that offered by sudo for Windows should look to Gerardo Grignoli’s gsudo, which has a number of additional features and configuration options and describes itself as ‘the missing piece in Windows’.
Getting started with Sudo for Windows
Microsoft said to enable Sudo for Windows, you have to navigate to the Settings > For Developers page in Windows Settings and toggle on the “Enable Sudo” option.
Sudo for Windows currently supports three different configuration options.
The configuration can be set from the Settings > For Developers menu or programmatically, using the command line.
The configuration options are:
In a new window (forceNewWindow)
The forceNewWindow configuration option is the default configuration option for Sudo for Windows.
You can use sudo in this configuration to run the command in a new window. This is similar to the behavior of the runas /user:admin command.
Input closed (disableInput)
The disableInput configuration option will run the elevated process in the current window, but with the input handle closed. Microsoft said this means that the elevated process will not be able to receive input from the current console window.
That is useful when you want to run a command as an administrator, but do not want to allow the command to receive input from the current console window.
Microsoft said this option provides some of the convenience of the inline configuration option while mitigating some of the associated security risks.
Inline (normal)
The normal configuration option is most similar to how sudo behaves on other operating systems, and will run the elevated process in the current window and the process will be able to receive input from the current console session.
“This configuration option provides the most convenience, but you should only choose this option if you are familiar with the associated security risks,” Microsoft said.
How to use Sudo for Windows
To use Sudo for Windows, add sudo to the front of the command you want to run as an administrator. For example, to run netstat -ab as an administrator, you would run sudo netstat -ab in your console window.
Because sudo elevates the targeted process to run with administrator-level permission, a prompt will open asking you to verify that you want to continue.
What about the security risks?
Microsoft noted that there are some risks associated with running sudo in the Input closed (inputClosed) or Inline (normal) configurations. The inline configuration option runs the elevated process in the current window and the process is able to receive input from the current console session.
An unelevated process can send input to the elevated process within the same console windows or get information from the output in the current windows in this configuration.
The inputClosed configuration option mitigates risk by closing the input handle.
Discover how Windows 11 Pro devices can help drive your business forward
It's also worth noting that Windows does have an existing runas command. While sudo allows you to quickly elevate a command as administrator from your current unelevated command line context, the runas command offers a way to run programs as any user, including administrator. Right now, the sudo command on Windows does not support running programs as other users.
“You should consider your particular use-case and plan to use the command that best meets your needs. You should also consider the security implications of running sudo in the inputClosed and normal modes,” Microsoft said.
“The default forceNewWindow configuration option is recommended unless you are familiar and comfortable with the risks associated with the other sudo configurations.”
