The su command is used to create a new process as a different user. The default user is Administrator. A fully qualified user name containing an appropriate domain may be given.
Other arguments may be given after the user name; they are passed as arguments to the shell.
Under 2012/8.1/2012R2/10/2016/2019, you are prompted on the terminal to enter the required password. A new shell process is created in the same console window, but it is run with a process token for the specified user. The SHELL environment variable specifies which shell is used to run this process.
The environment of the new shell is that of the calling process,
The su command remains around waiting for the child shell process to return, and unloads that user's registry hive when it returns (assuming that it did the load, and it was not already loaded).
2012/8.1/2012R2/10/2016/2019 security does not permit the changing of a user lightly! Three different privileges are required to run this command:
Increase quotas (SeIncreaseQuotaPrivilege)
Replace a process level token (SeAssignPrimaryTokenPrivilege)
Act as part of the operating system (SeTcbPrivilege)
su tries to enable these privileges if they are not enabled. Thus, if you are in an Administrator group, you won't have to explicitly enable these privileges. However, if you are not in a group such as the Administrator group that allows you to enable these privileges, you must have a user in such a group enable these privileges for you. These privileges can be enabled using standard Windows methods or by using the priv utility.
As part of its operation, su tries to set up the user's registry hive (that is, HKEY_CURRENT_USER). If this operation fails, su continues after warning the user about the failure.
To avoid seeing the same warning messages over and over, you can take the following actions:
If warned about the SeRestorePrivilege privilege, you need to have this privilege enabled. This privilege is automatically enabled by su if you are in a group that allows it to be enabled.
If warned about not being able to locate the user profile, you must log on as the target user, so that the system can create a user profile for the target user.
On Windows 2012/8.1/2012R2/10/2016/2019, when you run su with User Access Control (UAC) enabled, you are prompted to permit the program to run using your unrestricted token so that it may gain the privileges and permissions needed to impersonate another user.
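The privilege requirements above can be checked before su is run. The following is an added example, not part of the MKS Toolkit documentation: it parses the output of the standard Windows command whoami /priv and reports, for each privilege named on this page, whether it is enabled, disabled (held, so su can enable it) or missing from the token (su cannot enable it). The function names are hypothetical, English-language whoami output is assumed, and the sample text is constructed.

```shell
#!/bin/sh
# Added example: report whether the current token holds the privileges su needs.
# Input is the text printed by `whoami /priv` (English locale assumed).
# Function names are hypothetical, chosen for this example.

SU_PRIVS="SeIncreaseQuotaPrivilege SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeRestorePrivilege"

# Constructed sample of `whoami /priv` output for a token without SeTcbPrivilege.
sample_whoami_priv() {
cat <<'EOF'

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeRestorePrivilege            Restore files and directories             Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
EOF
}

# Read `whoami /priv` text on stdin and print "<privilege> <state>" for each
# privilege su needs. whoami lists only privileges present in the token, so a
# name that never appears is reported as "missing".
su_priv_report() {
    awk -v want="$SU_PRIVS" '
        BEGIN { n = split(want, w, " ") }
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        $1 ~ /^Se[A-Za-z]+Privilege$/ { state[$1] = tolower($NF) }
        END {
            for (i = 1; i <= n; i++)
                print w[i], ((w[i] in state) ? state[w[i]] : "missing")
        }'
}

# Succeed only if none of the needed privileges is missing from the token.
su_privs_ok() {
    ! su_priv_report | grep -q ' missing$'
}

# On a live system: whoami /priv | su_priv_report
sample_whoami_priv | su_priv_report
```

A "missing" result is what a token without these privileges shows; a "disabled" result needs no action, because su enables held privileges itself.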
runs the shell as a login shell. In this case, the -L option is passed to the shell, and the environment is built from the registry as if the user were newly logged onto the system. 2012/8.1/2012R2/10/2016/2019 also has a per-user registry hive which is loaded for the newly logged on user; per-user environment information is also loaded from this part of the registry.
-l
does not load the per-user registry hive.
allows you to specify the new user's password on the command line. However, be careful with this feature as specifying passwords in scripts can pose a security risk.
The following runs the id command as the test user, and displays the names of all groups in which the test user is a member.
su test -c "id -Gn"
Possible exit status values are:
Windows Server 2012. Windows 8.1. Windows Server 2012 R2. Windows 10. Windows Server 2016. Windows Server 2019. A command of the same name and similar functionality exists on many UNIX systems.
PTC MKS Toolkit for System Administrators
PTC MKS Toolkit for Developers
PTC MKS Toolkit for Interoperability
PTC MKS Toolkit for Professional Developers
PTC MKS Toolkit for Professional Developers 64-Bit Edition
PTC MKS Toolkit for Enterprise Developers
PTC MKS Toolkit for Enterprise Developers 64-Bit Edition
PTC MKS Toolkit 10.3 Documentation Build 39.