by zadjii 863 days ago
Yea, that's a limitation of UAC at this point, and probably not one we can avoid. The "Show details" dropdown on the dialog does however show the commandline you requested, so at least that's one way of making sure it's the thing you ran.

A tool like sudo should probably be sufficiently integrated with UAC to be able to customize that dialogue box...
You say that like Microsoft isn't an incredibly deeply dysfunctional company with absurd turf wars and conflicting interests between all the teams. You'd think it should be sufficiently integrated, but it's likely office politics made that impossible. How about be glad we got this at all as a first step, then maybe it will build momentum towards a better integrated solution?
You forgot that because of backcompat this solution will now become the unchangeable standard for years and anything more integrated will be in addition, not a replacement.
And that's OP's fault how? We often have to work with the environment and framework we have, not the one we wish we had where we could just immediately implement the best possible solution.
lol, parent: "Microsoft is too dysfunctional to make a good product, be glad anyway"

me: "Why should we be glad that Microsoft is not functional enough to make a decent product...?"

HN: flag!

The best way would be if it could say something like:

Allow $PARENT_PROCESS_NAME to run $COMMAND with administrator rights.

So if you would enter the following in cmd.exe:

  sudo notepad.exe ...

It would say:

Allow Command Processor Shell to run notepad.exe ... with administrator rights.

Maybe for Windows 2025 we can work with the UAC folks to get something like that. I'm still shocked to this day that we managed to ship this at all. One step at a time :)
I wish my fellow posters could get out of their own way long enough to congratulate you! This is a great feature. I'm glad you got it into the build and I can tell you're excited about it. I can't remember the last time I was excited about a feature that I shipped. Maybe I'm just burned out but it's really refreshing to see it's shining through your replies. Companies like Microsoft and Google need more engineers like you that actually care about shipping cool shit.
> I'm still shocked to this day that we managed to ship this at all

Why?

Sorry, have you never read anything about Microsoft before? I'm not sure why people are being so critical of OP.
Look, I'm genuinely curious and we happen to have a MS dev here who could provide interesting first hand insight.

I'm not critical. I don't have enough knowledge on the situation to share criticism on the topic yet.

I could have added "Could you expand on this?" to clarify my intent.

To answer the original question: I've been at MSFT like, 8 years now? And this is probably the third serious attempt my team has made at Sudo for Windows. (I think I heard of a couple other attempts in my tenure as well). After the last attempt, my mantra had always been "this is impossible to actually ship".

It's a tricky feature to ship, cause it is ultimately something that can be used as an escalation of privilege vector. Like, that's the entire idea. And there are a lot of people who (very rightly) get the ick when you say "we want to add this thing which can be used as an EoP to the OS image".

So, it's kinda hard to believe that after four years of thinking it was impossible, we actually managed to get it out the door.

From the diagram on the article I see that sudo is elevated first, then the target program is launched.

Can't you call the target program directly? There must be a way, because explorer.exe is not elevated, and when you right click a program and choose "Run as administrator" you get a pop-up for the target .exe, not for Explorer.

Maybe until UAC is improved you can ship with a launcher process that is signed by publisher "Unknown"?