substitute user 



su [-] [-l] [-p passwd] [[domain\]user [argument ...]]


The su command is used to create a new process as a different user. The default user is Administrator. A fully qualified user name containing an appropriate domain may be given.

Other arguments may be given after the user name; they are passed as arguments to the shell.

Under 7/2008R2/8/2012/10/2016, you are prompted on the terminal to enter the required password. A new shell process is created in the same console window, but it is run with a process token for the specified user. The SHELL environment variable specifies which shell is used to run this process.

The environment of the new shell is that of the calling process, unless the - option is given.

The su command remains around waiting for the child shell process to return, and unloads that user's registry hive when it returns (assuming that it did the load, and it was not already loaded).

7/2008R2/8/2012/10/2016 security does not permit the changing of a user lightly! Three different privileges are required to run this command:

Increase quotas   (SeIncreaseQuotaPrivilege)
Replace a process level token   (SeAssignPrimaryTokenPrivilege)
Act as part of the operating system   (SeTcbPrivilege)

su tries to enable these privileges if they are not enabled. Thus, if you are in an Administrator group, you won't have to explicitly enable these privileges. However, if you are not in a group such as the Administrator group that allows you to enable these privileges, you must have a user in such a group enable these privileges for you. These privileges can be enabled using standard Windows methods or by using the priv utility.

As part of its operation, su tries to set up the user's registry hive (that is, HKEY_CURRENT_USER). If this operation fails, su continues after warning the user about the failure.

To avoid seeing the same warning messages over and over, you can take the following actions:


On Windows 7/2008R2/8/2012/10/2016, when you run su with User Account Control (UAC) enabled, you are prompted to permit the program to run using your unrestricted token so that it may gain the privileges and permissions needed to impersonate another user.



-

runs the shell as a login shell. In this case, the -L option is passed to the shell, and the environment is built from the registry as if the user were newly logged onto the system. 7/2008R2/8/2012/10/2016 also has a per-user registry hive which is loaded for the newly logged on user; per-user environment information is also loaded from this part of the registry.


-l

does not load the per-user registry hive.

-p passwd 

allows you to specify the new user's password on the command line. However, be careful with this feature as specifying passwords in scripts can pose a security risk.
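
The risk noted for -p can be checked mechanically. The following is an added example, not part of the MKS Toolkit documentation: a POSIX shell audit that flags script lines where su is given a password on the command line, and that does not confuse it with a -p belonging to the command passed to the new shell. It assumes the option grammar shown in the synopsis and that su is the first word of the line; the function names and sample lines are constructed for illustration.

```shell
# Added example: flag script lines that pass a password via "su -p".
# Grammar assumed from the synopsis:
#   su [-] [-l] [-p passwd] [[domain\]user [argument ...]]

# check_su_line LINE: prints "literal", "variable" or "none".
check_su_line() {
    set -f                  # no globbing while word-splitting the line
    set -- $1
    set +f
    [ "${1:-}" = "su" ] || { echo none; return; }
    shift
    while [ $# -gt 0 ]; do
        case $1 in
            -p)
                # The word after -p is the password operand.
                case ${2:-} in
                    '')    echo none ;;
                    *'$'*) echo variable ;;  # expanded at run time, not stored in the script
                    *)     echo literal ;;   # password text sits in the script itself
                esac
                return ;;
            -|-l) shift ;;  # the other su options from the synopsis
            *)    break ;;  # first non-option word is the user; the rest goes to the shell
        esac
    done
    echo none
}

# scan_script: reads script text on stdin, prints "lineno:kind" per finding.
scan_script() {
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        kind=$(check_su_line "$line")
        [ "$kind" = none ] || echo "$n:$kind"
    done
}

# Constructed sample input (not taken from the MKS documentation).
sample_script() {
    cat <<'EOF'
su test -c "id -Gn"
su -p Passw0rd! test -c "id -Gn"
su - -l -p "$SVC_PW" corp\svc -c "id -Gn"
su test -c "mkdir -p /tmp/x"
EOF
}

sample_script | scan_script
```

A "variable" finding keeps the password out of the script file, but the expanded value is still passed as a command-line argument to su.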


The following runs the id command as the test user, and displays the names of all groups in which the test user is a member.

su test -c "id -Gn"


Possible exit status values are:


Successful completion.


An error occurred.


Windows 7. Windows Server 2008 R2. Windows 8. Windows Server 2012. Windows 10. Windows Server 2016. A command of the same name and similar functionality exists on many UNIX systems.


PTC MKS Toolkit for System Administrators
PTC MKS Toolkit for Developers
PTC MKS Toolkit for Interoperability
PTC MKS Toolkit for Professional Developers
PTC MKS Toolkit for Professional Developers 64-Bit Edition
PTC MKS Toolkit for Enterprise Developers
PTC MKS Toolkit for Enterprise Developers 64-Bit Edition


id, priv, registry, sh

PTC MKS Toolkit 10.1 Documentation Build 15.