Elevation with Executables, Scripts, Commands
cmd.exe
Any program can be executed from the command line in a CMD.EXE console window. If the program being run is also a console program, it shares the same console window for its input and output. GUI programs run from a console window "detach" and run on the desktop in their own GUI window, as they are not tied to the console input/output streams.
External commands typically associated with CMD.EXE are nothing more than other console mode programs, such as XCOPY.EXE, ICACLS.EXE, etc. External commands can be selectively elevated via policy, but internal commands, such as DEL and COPY, are executed at whatever level of elevation that instance of CMD.EXE currently has.
Internal commands supported by CMD.EXE cannot be targeted by policies. A useful technique for restricting internal commands is to not elevate cmd.exe itself, but instead to elevate specific command lines or read-only .bat scripts.
You can block executables, but not the commands within an executable.
Refer to the following reference regarding internal versus external commands on Windows NT.
An A-Z Index of Windows CMD commands - SS64
PowerShell
PowerShell internal functions cannot easily be restricted. For selective control, instead of elevating PowerShell, elevate access to particular scripts using a command-line filter. The scripts should be placed in a read-only folder.
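Both the .bat and the PowerShell approach above depend on the elevated scripts living in a folder that standard users cannot write to; if a standard user can modify a script that a policy later runs elevated, the restriction is defeated. The following PowerShell script is an added example, not code from the original page or from any elevation product: it audits a script folder and every .bat, .cmd and .ps1 file under it and reports any "Allow" entry that gives a write-capable right to a low-privilege identity. The folder path C:\ElevatedScripts and the English-language identity names are assumptions; adjust them for your environment.

```powershell
# Added example (not from the original page): audit a folder that holds
# scripts an elevation policy will run with elevated rights, and report any
# ACL entry that lets a standard user modify them.
param(
    [string]$ScriptFolder = 'C:\ElevatedScripts'   # assumed path; substitute your own
)

# Identities that stand for ordinary, non-administrative users (English names assumed).
$lowPrivIdentities = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Any of these rights lets the holder change or replace a script.
$writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::Delete -bor
               [System.Security.AccessControl.FileSystemRights]::WriteData

function Test-WritableByStandardUsers {
    param([string]$Path)

    $acl = Get-Acl -Path $Path
    $findings = @()

    foreach ($ace in $acl.Access) {
        # Only Allow entries grant access; Deny entries never widen it.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }

        $raw = [int]$ace.FileSystemRights
        # Specific write bits, or the unmapped GENERIC_ALL (0x10000000) /
        # GENERIC_WRITE (0x40000000) bits that inherited entries sometimes carry.
        $isWritable = (($raw -band [int]$writeRights) -ne 0) -or
                      (($raw -band 0x10000000) -ne 0) -or
                      (($raw -band 0x40000000) -ne 0)

        if ($isWritable) {
            $findings += [pscustomobject]@{
                Path     = $Path
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
    return $findings
}

# Check the folder itself (a writable folder allows scripts to be replaced)
# and every script file beneath it.
$items = @(Get-Item -Path $ScriptFolder) +
         @(Get-ChildItem -Path $ScriptFolder -Recurse -File -Include *.bat, *.cmd, *.ps1)

$allFindings = foreach ($item in $items) {
    Test-WritableByStandardUsers -Path $item.FullName
}

if ($allFindings) {
    Write-Warning "Standard users can modify scripts that may run elevated:"
    $allFindings | Format-Table -AutoSize
} else {
    Write-Output "OK: $ScriptFolder and its scripts are not writable by standard users."
}
```

Run it as an administrator so that Get-Acl can read every entry, and run it again after any change to the folder's inheritance; a single inherited Modify grant to BUILTIN\Users on the parent is enough to make every script underneath it editable.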