Dan

Reputation: 2509

How to run script with elevated privileges on Shutdown using gpedit.msc on Windows 11?

I can't run a bat file on Shutdown on Windows 11.

runAs.bat:

PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Windows\System32\GroupPolicy\Machine\Scripts\Shutdown\changeComputerName.ps1""' -Verb RunAs}"

changeComputerName.ps1:

$computerName = -join ((97..122) | Get-Random -Count 15 | ForEach-Object {[char]$_})
Rename-Computer $computerName

They are both located in:

C:\Windows\System32\GroupPolicy\Machine\Scripts\Shutdown\

The Shutdown properties are set to run the runAs.bat file, which in turn runs a PowerShell process with elevated privileges to change the computer name.

When running the bat file from the terminal, it asks for elevated privileges and then it runs successfully.

Where should I be looking for error/debug info?

Thanks

Upvotes: 1

Views: 397

Answers (2)

mklement0

Reputation: 439892

  • You don't need a wrapper batch file in order to execute a PowerShell script on shutdown via the relevant GPO (Group Policy Object) at Computer Configuration\Windows Settings\Scripts (Startup/Shutdown), item Shutdown in the Group Policy Editor (invoke it with gpedit.msc):

    • In the Properties dialog, there is a PowerShell Scripts tab, where you can directly specify a .ps1 file, which is implicitly invoked as:

      • powershell.exe -ExecutionPolicy ByPass -File C:\path\to\your\script.ps1

      • Note: While it makes sense to place such script files in C:\Windows\System32\GroupPolicy\Machine\Scripts\Shutdown, doing so is not strictly required: you're free to reference script files in other locations.

    • The invocation happens in the context of the built-in, highly privileged NT AUTHORITY\SYSTEM account, which, in effect, implicitly amounts to execution with elevation.

  • Therefore, all you need to do is to directly pick your C:\Windows\System32\GroupPolicy\Machine\Scripts\Shutdown\changeComputerName.ps1 script as to be executed on shutdown, as described above.


As for what you tried:

Most likely, the only problem with your own approach was neglecting to use Start-Process's -Wait switch to ensure synchronous execution.

  • While requesting elevation with -Verb RunAs quietly succeeds if the calling process itself is already elevated (i.e., no UAC dialog is triggered in that case), it still runs the process (in a new window and) asynchronously by default - except if -Wait is also specified.

  • Thus, the asynchronously launched process may not have gotten a chance to execute before the shutdown was initiated.

That said, it is much simpler to specify the target .ps1 directly - without the need for an explicit call to powershell.exe, the Windows PowerShell CLI, and a nested Start-Process call - as shown in the top section.

Upvotes: 1
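As an added example (not from the question and not from mklement0's answer), here is a version of changeComputerName.ps1 written to be registered directly on the PowerShell Scripts tab of the Shutdown GPO, as the answer recommends, so no batch wrapper and no nested Start-Process -Verb RunAs is involved. Because the question also asked where to look for error/debug output, the script writes a transcript and records the account it ran under; the log directory under %ProgramData%, the try/catch handling and the -ErrorAction Stop are assumptions of this example, while the random-name construction is the one from the question.

```powershell
# Added example: shutdown script for the "PowerShell Scripts" tab of the Shutdown GPO.
# Under that GPO it runs as NT AUTHORITY\SYSTEM, which already carries elevation.
# The log location below is an assumption for this example.
$logDir = Join-Path $env:ProgramData 'ShutdownScripts'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
Start-Transcript -Path (Join-Path $logDir 'changeComputerName.log') -Append

$failed = $false
try {
    # Record who we are running as: under the Shutdown GPO this should be SYSTEM.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    Write-Output "Running as $($identity.Name); elevated: $elevated"

    if (-not $elevated) {
        throw 'Not elevated; Rename-Computer would fail. Check how the script is registered.'
    }

    # Same random name construction as the question's script: 15 lower-case letters a..z.
    $computerName = -join ((97..122) | Get-Random -Count 15 | ForEach-Object { [char]$_ })
    Write-Output "Renaming $env:COMPUTERNAME to $computerName"

    # -ErrorAction Stop turns a non-terminating error into an exception caught below.
    Rename-Computer -NewName $computerName -Force -ErrorAction Stop
    Write-Output 'Rename-Computer succeeded; the new name takes effect after the restart.'
}
catch {
    Write-Output "ERROR: $($_.Exception.Message)"
    $failed = $true
}
finally {
    Stop-Transcript
}

if ($failed) { exit 1 }
```

After the next shutdown, the transcript in C:\ProgramData\ShutdownScripts\changeComputerName.log shows the account the script ran under and either the new name or the exception text, which is the first place to look when a shutdown script appears to do nothing. If you keep the batch wrapper from the question instead, the same logging applies, but the Start-Process call also needs -Wait so that shutdown does not proceed before the child process has run.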

Dan

Reputation: 2509

I was able to get past this UAC (https://learn.microsoft.com/en-us/windows/security/application-security/application-control/user-account-control/how-it-works) limitation by creating a Scheduled Task which runs the .bat file with "Run with highest privileges" checked in the General Tab. The script runs on every logon of every user to the machine.

I also disabled UAC at the beginning and re-enabled it at the end of my PowerShell script, by using this PowerShell line:

Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0

Upvotes: 0
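As an added example that is not part of Dan's answer, this is how the scheduled task he describes (triggered at every user's logon, with "Run with highest privileges" checked) can be registered from PowerShell instead of through the Task Scheduler GUI, pointing straight at the .ps1 rather than at the batch wrapper. The task name is an assumption; the script path is the one from the question. The UAC registry change from the answer is not part of this example.

```powershell
# Added example (not from the answer): register the logon-triggered task from PowerShell.
# Task name is assumed; the script path is the one given in the question.
$scriptPath = 'C:\Windows\System32\GroupPolicy\Machine\Scripts\Shutdown\changeComputerName.ps1'

# Run the .ps1 directly with powershell.exe instead of going through runAs.bat.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`""

# -AtLogOn with no -User parameter fires for any user who logs on.
$trigger = New-ScheduledTaskTrigger -AtLogOn

# -RunLevel Highest is the "Run with highest privileges" checkbox on the General tab;
# a group principal runs the task in the context of whichever member logs on.
$principal = New-ScheduledTaskPrincipal -GroupId 'BUILTIN\Users' -RunLevel Highest

Register-ScheduledTask -TaskName 'ChangeComputerName' -Action $action `
    -Trigger $trigger -Principal $principal -Force | Out-Null

# Inspect the registered task now, and its LastTaskResult after a logon (0 means success).
Get-ScheduledTask -TaskName 'ChangeComputerName' | Get-ScheduledTaskInfo
```

Note that "highest privileges" is relative to the logging-on account: for a member of the group who is also an administrator it yields the elevated token without a UAC prompt, while for a standard user it yields nothing more than that user's own rights, so Rename-Computer would still fail in that case and the task's LastTaskResult is where that shows up.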
