ProfileUnity includes a signed elevation helper, LwL.ProfileUnity.Client.CmdRunner.exe, that allows specific applications or commands to run with elevated privileges â without granting users local administrator access. This is the recommended approach for elevating a shortcut, a PowerShell script, or a CMD command on a per-need basis.
LwL.ProfileUnity.Client.CmdRunner.exe is digitally signed by Liquidware. It can be added to your antivirus exclusion list. See the AV Exclusion List for ProfileUnity for full guidance.
đ Contents
How It Works
CmdRunner acts as an elevation broker. Rather than elevating an entire PowerShell session or granting a user full admin rights, you define a list of pre-approved commands in its companion config file. Each command is assigned a numeric ID. At runtime, a ProfileUnity Shortcut calls CmdRunner with the ID of the command to elevate â CmdRunner then launches that specific process with elevated privileges as a child process.
| File | Location |
|---|---|
| LwL.ProfileUnity.Client.CmdRunner.exe | C:\Program Files\ProfileUnity\Client Net\ |
| LwL.ProfileUnity.Client.CmdRunner.exe.config | C:\Program Files\ProfileUnity\Client Net\ |
Step 1 â Configure the Config File
Open LwL.ProfileUnity.Client.CmdRunner.exe.config in a text editor and locate the ConfigCommands section. Add a <ConfigCommand> entry for each process you want to allow elevation for. Each entry requires a unique id starting at 1.
You must edit the config file in two places to prevent your changes from being overwritten when
LwL.ProfileUnity.Client.Startup.exe runs (on recompose or reboot for persistent machines):
C:\Program Files\ProfileUnity\Client Net\LwL.ProfileUnity.Client.CmdRunner.exe.config-
client.net.zipâ the copy inside the ProfileUnity deployment share
" for quotingInside the XML
command attribute, double-quote characters must be encoded as ". Every executable path that contains spaces must be wrapped this way.
The basic structure of the ConfigCommands section:
  <ConfigCommand id="1" command=""C:\Windows\System32\notepad.exe"" />
  <ConfigCommand id="2" command=""C:\Windows\System32\cmd.exe" /c C:\Scripts\MyScript.bat" />
  <ConfigCommand id="3" command=""C:\Windows\System32\cmd.exe"" silent="false" />
</ConfigCommands>
Config Examples
The following examples cover the three supported invocation methods: direct EXE, PowerShell, and CMD. All examples use notepad.exe as the target for consistency.
Method 1 â Direct EXE
The simplest approach. Provide the full path to the executable, quoted with ".
Method 2 â Via PowerShell
Use PowerShell's Start-Process to launch the target. Note the mix of single quotes (for the inner path) and " (for XML escaping of the outer executable).
The single quotes around the target path are PowerShell string syntax â do not use " for the inner path when using this method.
Method 3 â Via CMD
Use cmd.exe /c to run a command or launch an executable. Useful when the target is a batch file or a command string rather than a standalone EXE.
Method 4 â Interactive Window (silent="false")
When you want to present an interactive cmd.exe or powershell.exe window to the user â rather than running silently in the background â add the silent="false" attribute. Without this, the window will be hidden.
<ConfigCommand id="2" command=""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" silent="false" />
The default behavior when silent is omitted or set to true is to run the process without showing a window. Always use silent="false" when elevating an interactive shell that a user needs to interact with.
Step 2 â Call from a ProfileUnity Shortcut
Once the config file is set up, create a Shortcut in the ProfileUnity Management Console. Set the shortcut target to lwl_userapp_trigger64.exe and pass CmdRunner as the first argument followed by the //RunCommand switch and the /elevate flag.
| Shortcut Field | Value |
|---|---|
| Target / Path | C:\Program Files\ProfileUnity\FlexApp\lwl_userapp_trigger64.exe |
| Arguments | "C:\Program Files\ProfileUnity\Client.NET\LwL.ProfileUnity.Client.CmdRunner.exe" //RunCommand <index> /elevate |
Full example â run the command at config ID 1:
RunCommand Index Reference
The //RunCommand argument takes a zero-based index that maps to the id values in the config file, which start at 1. The offset of zero means RunCommand 0 maps to config id="1", RunCommand 1 maps to id="2", and so on.
| //RunCommand Argument | Runs Config id= | Behavior |
|---|---|---|
| //RunCommand | All | Runs every ConfigCommand in the file, one after another in ID order. |
| //RunCommand 0 | id="1" | Runs the first defined command only. |
| //RunCommand 1 | id="2" | Runs the second defined command only. |
| //RunCommand 2 | id="3" | Runs the third defined command only. |
| //RunCommand N | id="N+1" | Pattern continues â RunCommand index is always one less than the config id. |
Example â three commands defined, each called from a separate shortcut:
// Shortcut 1 â elevate command at id="1"
"C:\Program Files\ProfileUnity\FlexApp\lwl_userapp_trigger64.exe" "C:\Program Files\ProfileUnity\Client.NET\LwL.ProfileUnity.Client.CmdRunner.exe" //RunCommand 0 /elevate
// Shortcut 2 â elevate command at id="2"
"C:\Program Files\ProfileUnity\FlexApp\lwl_userapp_trigger64.exe" "C:\Program Files\ProfileUnity\Client.NET\LwL.ProfileUnity.Client.CmdRunner.exe" //RunCommand 1 /elevate
// Shortcut 3 â elevate command at id="3"
"C:\Program Files\ProfileUnity\FlexApp\lwl_userapp_trigger64.exe" "C:\Program Files\ProfileUnity\Client.NET\LwL.ProfileUnity.Client.CmdRunner.exe" //RunCommand 2 /elevate
// Run ALL defined commands from a single shortcut
"C:\Program Files\ProfileUnity\FlexApp\lwl_userapp_trigger64.exe" "C:\Program Files\ProfileUnity\Client.NET\LwL.ProfileUnity.Client.CmdRunner.exe" //RunCommand /elevate
Each shortcut in this example calls a different elevated command independently. Users see only the shortcut â they never interact with CmdRunner directly.
| Product | ProfileUnity with FlexApp |
| Product Version | 6.8.7 and above |
| Updated | May 27, 2026 |