Aaron Margosis' "Non-Admin" and App-Compat WebLog

I've been doing this since I saw Keith's article and it generally works well for me.

The only trouble I had was when running a code from VS.NET with VS.NET running as admin. A debug run works ok, but running without debugging started the process but doesn't show the window (and you can't kill it either because it's running as admin).

I suppose the program was sent to the wrong desktop.

Frank - was this ASP.NET? And the window you're looking for IE?

Aaron Margosis pointed out to me today his weblog which contains some good references and information about running as a limited user on Windows. He had an interesting comment on my different credentials post I did almost a year ago in which he uses a shortcut directly to a cmd window with runas instead of using the explorer view. His suggestion is to do: C:\WINDOWS\system32\runas.exe /u:Administrator "%windir%\System32\cmd.exe /k cd c:\ && color fc && title ***** Admin console *****" Makes total sense if you want to use an admin shell. Personally I prefer having the UI available through the explorer view... which has its own limits. This way I don't have to try to remember where the CPL paths are, or what they are called. I just click 'My Computer' and then 'Control Panel' and have at 'er. To each his own. Aaron has some good pointers on his blog about different ways of approaching this. Consider checking it out....

I have tried to follow Aaron's advice about running in Standard User mode, but continually hit the snag that folders don't exist (they do).
e.g. Run As cmd.exe produces error C:\WINDOWS\system32\cmd.exe The directory name is invalid.
This happens with others (windows update). I am running WXP SP1 on a domain.

What step have I missed?

Richard Cass - can you provide more details about how you're getting to that error message? I've never seen that in this context.
Thanks.

My XP Pro SP1 machine is on a domain. Normally I have my user account as part of the Domain Admins as well as a Local Administrator of my PC. No problems there.
I wanted to test whether my users could run as a Standard User (currently they are also in the Local Admins group - most of them are software engineers and compiling & installing seems to require admin rights).
So I removed myself from these admin groups (ie Users group), logged off/on and tried to test for restrictions. As an example I tried to use Run As on the Command Prompt icon, logged in as the domain admin and then had the error message given in my first feedback.
I also tried Windows Update (as a Standard User) and the web page titled Administrators only came up, indicating to use the Run as option. Doing that then gave me the error: C:\WINDOWS\system32\wupdmgr.exe. The directory name is invalid.
I was also getting the usual restriction messages (cannot change some of the network settings etc), but I expected that.

well I want non-admins run certain applications as admins (otherwise they don't work) - but it keeps forgetting that I set them to run as admin. Once I set the run as admin and then reboot, the setting is lost and normal users can't use it.

ch - RunAs-admin is not a permanent setting. You *can* specify on a shortcut that it should run with different credentials, but the user will be prompted for the admin credentials each time the shortcut is invoked.

Richard Cass - I've asked around and everyone seems stumped by the symptoms you've described. One colleague suggested the possibility that the DA account does not have the "bypass traverse checking" privilege. Could you check that? Also, make sure that Domain Admins is a member of the local Administrators group.

I like using a shortcut configured to offer the option of using alternate credentials.
I noticed that the local administrator account was offered as the default username in the "the following user" section. I added my domain account (the one that is a memeber of Domain Admins) to the local machine's Administrators group ("Domain Admins" was already in this group) and now I can pick my domain admin account from the drop-down list in the "the following user" section. I hoped that it would remember it even if I then removed my DA account from the local machine's administrator's group, but no good. Do you know a way to make the "the following user" drop-down list remember just domain\username entries, and not the password, without adding the accounts to the local machine's admins or users group?

How to get Windows Explorer to work with RunAs (and why you might want to).

Jeff Sontag - Sorry, no, it's not configurable and it doesn't remember previously used names. It lists only usernames explicitly listed in the BUILTIN\Administrators group, as well as Client Authentication certificates in the current user's Personal cert store, including smart cards. (You can run certmgr.msc to see your certs).

A possible explanation for the "The directory name is invalid" error: Many shortcuts in the Start Menu have "Start in" set to "%HOMEDRIVE%%HOMEPATH%". If this maps to a network drive on your domain, then if you attempt to Run As a user that cannot see the drive, you will receive the error.

Aaron: Sorry I haven't been back before (RSS is great for the initial Post but not for Comments), but setting the DA permission to have the "bypass traverse checking" privilege did not do anything.

However,
Chad: That was it! Removing the default "Start in" sorted the problem.

Many thanks guys.

A toolbar for Explorer and Internet Explorer that shows you broadly at what privilege level that particular instance is running

What does it mean to

IE Security

Aaron Margosis is a Microsoft employee who is writing a weblog on running Windows with least privilege on the desktop. If you are having trouble running applications under an account with less privileges than administrator, there are many useful suggestions...

The idea that the principle of least privilege requires that a user or process be given no more privilege than necessary to perform a job makes a lot of sense in this hostile digital divide we live in. Least privilege has become a passion of mine, and its reflected in everything that I design now adays. Which is why Carina works so well in the face of hostile and malicious code. In today’s show I talk about the security principle of least privilege, how we use it to protect our customer’s information... and how you can use it to protect your desktops. For more information about least privilege please check out some of these links: nonadmin.editme.com - This is a community web site (wiki) for Windows users who want to learn how to run without Administrator privileges, and why they should do this. "RunAs" basic (and intermediate) topics - Aaron Margosis' introduction on how to use the runas command in Windows Secure Coding Practices: Running with Least Privileges in Windows - An older article I wrote for CodeProject on how to develop using least privilege on Windows Developing Software in Visual Studio .NET with Non-Administrative Privileges - Lars Bergstrom's great article that explains how to productively develop software while logged on with non-administrative privileges. Using a Least-Privileged User Account - A small article on TechNet discussing LUA, and how it will affect LongHorn. After listening to customer feedback, we are going to try a new format with this podcast. We will keep these single topic recordings short (somewhere around 5 minutes) so that people with busy schedules can still get a chance to listen to it. We will leave longer shows for more in depth interviews etc. Please let me know if you like the new format. Think strategically. Protect your information. Enjoy! MP3: Scorpion Vault: Understanding Least Privilege (4:59s / ~4.7mb)...

Complete list of Aaron Margosis' non-admin / least privilege posts, for easy lookup.

This is really related to runas and privileges, but is a question about cmd.exe and shells, in case someone knows.

Can I find out if my console app. was started from an open cmd.exe console window, or from Start->Run?

I have a Perl script which prints output that the user wants to read.

If started from Start->Run, the window will close immediately. If I put a "press key" prompt in my app, it's annoying in the other case, when the cmd window is staying open anyway and pressing a key would not be needed.

Can I somehow differentiate how the app was called, and prompt for a keypress only if needed?

Sorry, I meant "This is really UN-related..." in the previous post.

Get your friends and family, all those folks that come to you for computer help once their machines have...

I am attempting to follow the shining LUA path, but the following is frustrating me:
====================================
RUNAS ERROR: Unable to run - cmd.exe
5: Access is denied.
====================================
Could this be because the account I am attempting to runAs has a null pwd? Any other thoughts? Where would I find out what access is being denied to whom?

Interesting, when I (as local admin) runAs a nonpriv account I get

RunAs ERROR: 1327: account policy restriction: nonblank password, ...

This is something we developers (unfortunately) try to do all the time: develop as local admin, runAs another less priv'ed account, and see what breaks.

Aha! I made the following discoveries:
-- when I removed my former Admin Account from Administrators, it had all kind of other rights (act as part of the OS, run as a Service, etc.). Just removing from Admins and adding to Users didn't remove these policy-granted rights.
-- Having removed these "extra" privs, I still cannot runAs. Now, I get the same message as when I attempt to run as a nonpriv from a priv account:

"RUNAS ERROR: Unable to run - cmd.exe
1327: Logon failure: user account restriction. Possible reasons are blank passw
ords not allowed, logon hour restrictions, or a policy restriction has been enfo
rced."

-- Gave the local admin a password, guess what happened? It worked, of course.

So where do I go to adjust this ppolicy restriction? and, what process or app caused this policy restriction to be made? (Not ruling out Yours Truly, I have the attention span of a Gnat!).

http://tinyurl.com/6u739 has info on the use of blank passwords as a Local Sec Policy enforcement. But why should this clobber RunAS?

Aaron:
I have discovered that if the user that is "becoming" admin doesn't have read-only rights to the USER.DAT in the Admin's documents and settings folder, the RUNAS will fail. I have also discovered that MAKEMEADMIN will fail for the same reason.

Also, I have seen the MAKEMEADMIN batch file fail in "mid-stream" so that the user was made member of Administrators and then not "demoted" after running the program. Any one else reported this?

Alex

Hi
HELP HELP HELP
When I launch Explorer as Admin (RunAs)
Explorer won't refresh things automatically. For example, if I create a new file, it might not show up in my admin Explorer window. I know pressing [F5] would solve this problem.
Isn't there a possibility to let (admin)-Explorer refresh automatically???

Thank you for your help

Just curious, but do you know of any method to change the default user name when you Run As another user?

I found the answer on another web site. Make a shortcut that runs the command line version of the run as program and use the switches to change the default login.

An example would be:
C:\WINNT\system32\runas.exe /profile /user:somedomain\jmayer sol.exe

Hello,

In your tips and tricks you mentioned the following, "Windows Installer Packages (.msi files) don’t offer a RunAs context menu option. You might be able to get away with hacking the registry to add that option, or you can just run the .msi file directly on the command line of your admin shell."
Where I work, our developers started using .msi files which doesn't allow desktop support to use Runas option for installs.
What steps are needed to set a group policy for our entire environment permitting Runas on .msi?

Instead of having ie.cmd or any other .cmd file for starting a registered application, simply type "start iexplore" from the command prompt. If you can use the Start/Run menu item to run the app, this will work from the command-line.

Hi everybody!

I hope someone can help me with this, because I'm getting really angry.

I'm trying to execute the following command:

"runas /user:user_name cmd.exe"

When I hit return, it asks me for my password, and here is where the
problem begin. I get this error:

"Error 1326. Logon failure: unknown user name or bad password."

I've tried with different combination of user_name and password with
the same result. I'm sure about the user_name and password. I also have
tried this:

"runas /user:mymachine\user_name cmd.exe"

But the problem remains.

I've been looking for a solution in the google, but without any
success. Please, if anybody knows how to fix this, let me know!

Thank you very much for your help!

When I use Runas with the following full command line
%windir%\system32\runas.exe /profile /user:OFFICE\TestUser/savecred "C:\Program Files\Internet Explorer\iexplore.exe"
it comes up with what looks like a command prompt, asking for a password, but the keyboard does not work. I am unable to type in the password, so the command line window closes without anything happening.
Any ideas?

Good article. I pretty much always use runas and have finally gotten the hang of the workarounds. However, the few times it does not work is frustrating. Currently, start menu shortcuts give a "directory name is invalid" error for cmd.exe. Navigating to the file or running from the run menu works fine. Mysterious ..... but not surprising.

Perro - if this is a local account that should work but I've seen times where it just won't. Use the GUI. Navigate to the file and right click. If it's a valid username and the password has not expired, you should be ok.


JB

To provide access to local items requiring Administrator priveleges in our network environment, we created a Service Account with the appropriate authority. Then, we wrote a Visual Basic application where Windows EXE programs are launched via the "RUN AS" using the Service Account within the VB program. The problem we have is with command line (CMD) programs. We have yet to determine a programmatic method to launch the CMD including the credentials required to RUN AS as either VB lines or external BAT files. We need this to allow users access to items like "IPConfig /release"

RJT,

Below is a vb script I wrote years ago to flush dns using ipconfig.  You could easily modify it to ipconfig /release ipconfig /renew.  Look out for line wraps in this post.

On Error Resume Next

strComputer = "ITLWWS02"

Const ForReading = 1
Const ForWriting = 2
Const ForAppending = 8

vBatPath = "C:\temp\"
vBatFile = "flushdns.bat"
vLocBatFile = vBatPath & vBatFile
vRemBatFile = "\\" & strComputer & "\c$\temp\"
set fs = CreateObject("Scripting.FileSystemObject")

if fs.FileExists(vLocBatFile) Then
fs.DeleteFile(vLocBatFile)
End If

if fs.FileExists(vRemBatFile) Then
fs.DeleteFile(vRemBatFile)
End If

set vOutPutFile = fs.CreateTextFile(vLocBatFile, True)
vOutputFile.writeLine "ipconfig /flushdns"
vOutputFile.writeLine "echo flushdns Completed"
vOutputFile.writeLine "echo flushdns Completed > c:\temp\flushdns.log"

fs.CopyFile vLocBatFile, vRemBatFile

CmdLine = vLocBatFile
Path = "c:\test"

set objwbemLocator = CreateObject("WbemScripting.SWbemLocator")
set objwbemServices = objwbemLocator.ConnectServer(strComputer, "", "", "", "", "", 0, null)

set Process = objwbemServices.Get ("Win32_Process", 0, null)
Process.Create CmdLine, Path, , ProcessID

wscript.echo "Complete"

Seems to me that 1) there is no good way to make a shortcut programatically with runas selected and 2) there is no way to set a runas shortcut to user the calling user's environment, such as the /env command from the command line.  Am I missing something?

I am using Vbscript/VBA to create a new shortcut for a database.  It appears IShellLinkDataList is not accessible this way -- it is not in the shell createshortcut action nor is it exposed by the WMI interface.  Using runas.exe forces me to hardcode the alternate user, which is too kludgy.  Currently I advise the users to manually set it in the advanced tab of the shortcut I create using the Shell object. Thanks.

Hi to all, I just used the RunAs command using these parameters: %windir%\system32\runas.exe /profile /netonly /user:regiea\administrator "C:\CPS\SmallExe\CPS.exe" (it's a system that we used in the office and I am logged as a standard user) to run a program as administrator. I was able to do the usual things that we used to do without the RunAs but when I check for the network printer, it is not listed in the printer setup of the program. Running the program as a limited user doesn't give me the right to access some modules so I tested to run it as administrator with the RunAs command. Any idea why?

In today’s Webcast we first started off with a continuation from last week.  Last week we explored...

How to provide password for Runas remote shutdowm command in the text file.
This remote shutdowm will be triggered from an application with user account having appropriate remote shutdown privilege. But when I ran that in the command line, it is asking for password. I want to provide the password in the runas command itself.
Any help please?

Is there a away to supply password automatically? I want to make a batch file using "runas" that runs without asking for a password. I tried :


echo mypassword >pass.txt
runas /noprofile /env user:domain\administraor cmd <pass.txt

I get an access  denied error.

Any ideas?

thanks in advance,
Rajesh

A systematic approach for working around LUA bugs that avoids unnecessary exposure - &quot;the rest of the story&quot;

PingBack from http://foo.aylott.co.uk/?p=10

I used a slipstreamed version of windows 2000 and changed the "Administrator" user to "admin" (if I do this post install, the folder becomes "Administrator" instead of the shorter version, which is why I didn't opt to do that). Anyway, the RunAs GUI keeps defaulting to "Administrator" which is extremely annoying. Is there anyway to change this behavior (besides renaming the "admin" user to "Administrator" of course)?

sometimes we need to let our limited user accounts run as admin accounts only for SPECIFIC applications. of course, mark detailed well the procedure on how to do this. It seems you have to give your limited user the admin name and pw for him/her to enter into the run as dialog. but what if you dont want to give your limited user the the admin password? the limited user could then just log on to the admin acct.

how can i specify that information securely in a desktop shortcut in a way that the user cannot dig out? Does anyone here have a teenage child?-you know what i mean.

i found this little utility called 'encrypted runas' from wingnut software. Mark, what do yo think of it?

How would I trouble shoot windows crashing when trying to use the runas command.

There's another tidbit with windows.

Microsoft ended remote concurrent logons with SP2. I have a fix for that so I can have users logged on remotely without kicking me (the admin) off of my login. Also I have had problems with fast user switching. For some reason my admin can have any password length. But my other users have to default to 13 chars.

Try this, Setup a limited account. Make a password over 13 chars. Login to the user. It lets you good. Now switch user, to admin without logging off your new account. Set your screen saver time to 1 min. Make sure it goes to welcome screen on return of user. Now try to logon. For some reason it only lets me type 13 chars into the password box now. Or it just won't logon.

PingBack from http://red.caek.org/?p=10

Hi Folks....

I may have missed it in the context but... Iwant to be able to allow end users who do not have the Admin privilages required to be able to get WIndows Updates using the wupdmgr.exe, but I cannot seem to get it right where I can setup the shortcut to start when I double-click on it...??

I have changed the START IN box to reflect %WINDIR% -- Nod Good

I have pressed SHIFT and then selected RUN AS option and selected "teh Following user" with user name admin and entered the admin's password and clicked OK -- No Good

What amI doing wrong..???

How can I get this to work.????

Regards

Julius

Aoron,

Thanks a lot for this insightful post and I keep referring back to it every now and then :). Just for the records I've been running my Win XP under a non-admin a/c for past one year and "till date" there wasn't any issue that I couldn't deal with using RunAs.
Now the problem is that ncpa.cpl (it's the control applet for network connections) doesn't want to run at all with RunAs, all it does is open the explorer (and that is being run under the current logged-on user priveleges). There were two ways I tried it out:
1) Opened a admin cmd shell using RunAs first, then typed in ncpa.cpl at the prompt: it opens a explorer window running under logged-on user a/c.
2) Specified ncpa.cpl as the parameter to the RunAs, something like:
C:\WINDOWS\system32>runas /user:xxx "RunDLL32 shell32.dll,Control_RunDLL ncpa.cpl "
Produces the same results as in 1.

The funny thing is running ncpa.cpl from a normal command shell (i.e. cmd shell running under logged-on user) opens the network connections applet just fine (obviously the stuff like Repairing Wireless Network etc. commands are disabled).
I also tried the above two steps for another control applet: timedate.cpl and it worked as expected.

Is there something I am missing, I really need to get ncpa.cpl working due to my flaky wireless connexn :(.

Thanks!

Never mind, just read your next post on the same thing and got it to work under explorer by checking the "Run in separate process" flag.

Hey,

I'm running a Java program (wrapped in an EXE) that can be launched through two shortcuts on my desktop.  The first has target:
C:\vbmax\maxpw.exe

The second has a target:
%windir%\system32\runas.exe /user:services /savecred C:\vbmax\maxpw.exe

The EXE being launched runs a batch file that is launched using the command:
C:\WINDOWS\system32\runas.exe /user:services /savecred C:\vbmax\regquery.bat

This batch file needs to be launched on startup of my program to get a registry key value, otherwise my program throws an error and terminates. The first shortcut works everytime for launching the batch file, but I need to launch my program as services. The second shortcut does not always work (i.e. launch the batch file and get the result), only if I've previously logged into the services account.

Any ideas?  It appears to me that unless I've previously logged in as services, my batch file when launched will not be able to run as services for some reason.

Any help would be MUCH appreciated.

Mike

PingBack from http://red.caek.org/?p=11

I've a case where a program generates an access violation when run with the user as 'administrator' but not when run as 'kathy'( for example). Even if 'kathy' and 'administrator' both have administrator privilages.

Where should I look?

Great information. We are looking to lock down our users here but at the same time minimize their pain. Setting up the Admin CMD windows will  help out a lot.

Hello,

I´m trying to execute the command interpreter as a domain user.

My machine isn´t joined on a doimain.

I always receive a same message when the following command is executed:

runas /user:MYDOMAIN\MYUSER_ON_THIS_DOMAIN cmd
Attempting to start cmd as user "MYDOMAIN\MYUSER_ON_THIS_DOMAIN" ...
RUNAS ERROR: Unable to run - cmd
1326: Logon failure: unknown user name or bad password.

I was pretty shure that I typed the rigth password.

What am I doing wrong?

[ ]s

What do you think about sudo for windows...?

Hi Aaron

Is there a specific security reason that the enviroment variable %APPDATA% is not defined under a RunAs shell ?

Just experienced some programs ( well UltraEdit to be precise) using that enviroment variable to locate its 'Application Data' Folder and that obviously can give some problems when you start up a RunAs shell.

Henrik

I want to know by editing which registry key, I will be able to reset my admin password to blank.

Thanks & waiting for the reply

-- kunal

Hi Aaron,

My partner and I have been running as normal users in XP for over three years with very few issues. We make extensive use of the command-line Runas command and built .cmd files to create shortcuts to our most common administrative tools. We also rely on the /savecred switch which makes life so much easier when running as a standard user. We are also beta testing Vista as we have several books and white papers to write on it (you'll be seeing the first chapter of our Definitive Guide to Vista Migration coming out very soon from Realtime Publishers).

We have a few bones to pick with UAC and Runas in Vista. The first is that none of our .cmd Runas commands work in Vista anymore. They all come up with error 740: "the process requires elevation". So basically, there is no longer any way to create command files to easily launch administrative processes. It works in the UI, of course, but we find that that is also a problem. As you know the first job of any hacker is to find out the name of a high privileged account. Well, it will be a no-brainer in Vista because all anyone has to do is select Run as Administrator to view a complete list of all activated administrative accounts on the system. Then all they need is to figure out the password. Not sure this is very good for corporate organizations. At lesat in XP, the Run As GUI is hidden and users need to hold down the Shift key as they right-click a shortcut.

We think Vista needs a new switch for the Runas command so that you can create .cmd files to launch your most common administrative tools. UAC is great, but when you need to manage systems, it won't take long for system administrators to just turn it off if they have to use the GUI and type in their passwords each time they want elevated privileges.

Just our opinion,

Nelson Ruest

I love this article -- I've been dealing with all of these issues for over a year.  My solution was to refine an in-house admin console to include a "launch pad."  I run the admin console as an admin and then anything it launches inherits the privileges.

The launch pad has "favorite" folders [network unc and local] which are opened via Internet Explorer.  They can also be opened with CMD.EXE (it automatically maps Z: and runs CMD there).  

It also has "favorite" applications, including Internet Explorer, Word, etc, to get around the problem of doing a "RunAs" on a shortcut per se.

It also has "favorite" connections, URI controlled FTP, telnet, etc, connections, which honestly don't need to be run under a different context, but it's just flippin' easy to have everything I need in one place.

This is all customizable.

It's an in-house app, of course, and is powerful beyond compare.  It has replaced EMCO Network Management, DameWare utilities, and SMS, all of which we've tried and disliked.

What do you guys think it's worth? :)

To run an .msi as admin do a 'Runas' on the 'Command Prompt' under Accessories, and run the .msi from the command prompt.

Hi Aaron

In Xp, I have made a registry entry on the file type '*' to give a "Run as Admin..." right click menu item in Explorer on all files. This calls the runas console as usual with the account you specify.

Doing this, instead of using the GUI "Run as..." spares me some mouse clicks and selecting the right account in the "User name" Drop down edit box ( very annoying, as someone else also has commented on earlier, because, in my case the default Administrator is listed first). Further more I get the bonus that all registered and unregistered file extension gets a faster Run As path. (The GUI RunAs only seems to work on certain extensions)

The .reg file looks like this and does only change the '*' right click menu for the current user.

-----------------------------------------------

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\*\shell\Run as Admin...\command]

@="%SystemRoot%\\system32\\runas.exe /user:%COMPUTERNAME%\\YourAdminAccount \"%L\""

-----------------------------------------------

Now I just wondered if you can see any security implications with this approach ?

Henrik

Clarification

'YourAdminAccount' in the above registry file example must be replaced with the name of your Admin account e.g.:

@="%SystemRoot%\\system32\\runas.exe /user:%COMPUTERNAME%\\SuperMe \"%L\""

Henrik

Oh boy

%SystemRoot% does not expand so one has to hard code

@="C:\\Windows\\system32\\runas.exe /user:%COMPUTERNAME%\\SuperMe \"%L\""

and I just discovered that it only works on files registered as executable (of course stupid).

I might better find some other way to spare me from all those mouse clicks when I want to run as admin.

Sorry for the clutter

Henrik

Yeh the REG_EXPAND_SZ type had slipped my mind that was oc the problem. :)

Anyway - I thought that I wouldn't post it because the raw REG_EXPAND_SZ in a .reg file looks ugly but here it is: ( also changed the '*' to 'exefile' to only show for exe and lnk files)

---------------------------------------------------

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\Run as Admin...\command]

@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\

 00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,00,75,00,\

 6e,00,61,00,73,00,2e,00,65,00,78,00,65,00,20,00,2f,00,75,00,73,00,65,00,72,\

 00,3a,00,25,00,43,00,4f,00,4d,00,50,00,55,00,54,00,45,00,52,00,4e,00,41,00,\

 4d,00,45,00,25,00,5c,00,53,00,75,00,70,00,65,00,72,00,4d,00,65,00,20,00,22,\

 00,25,00,4c,00,22,00,00,00

---------------------------------------------------

Do you know if it's possible to use a human readable notation for REG_EXPAND_SZ in .reg files ? - e.g:

@=ascii(2):%SystemRoot%\\system32\\runas.exe /user:%COMPUTERNAME%\\SuperMe "%L"

Henrik

And now you cannot change 'SuperMe' to the your Admin Account name but has to manually go to the reg path

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\Run as Admin...\command]

and do the changes, ( unless you've got a "Absolute hex-pitch" http://en.wikipedia.org/wiki/Absolute_pitch ;) )

Henrik

Why the heck would you even bother with LUA if you try to run with blank admin passwords?!

With Vista, is it possible to perform a runas.exe /user:<specific user domain\account> through the GUI like can be done with the CLI?

I only have "run as administrator" in my menu option and i cannot specific different accounts, it just always opens up the programs without asking me who i want to run it as.

Is this feature gone or am I missing something?

Thanks,

Ewic

I have the same question as Ewic. A bit frustrating when I can't run admin tools as a specific user.

Same question as above.  I used the runas command to run selected apps and consoles as my domain admin account.  When trying to open up command prompt with privileges to run some vbscripts.  It returns back,

"Cscript error: Loading your settings failed. (Access is denied.)"

I guess the workaround is to change the local GPO to prompt for credentials instead of prompt for consent.  Found it over at Josh's windowsconnected site, http://windowsconnected.com/blogs/joshs_blog/archive/2006/12/01/windows-vista-tip-run-as-administrator.aspx.

After installing a required application for some client's, when they try to Right Click and select "RunAs" on an advertised shortcut, for example in the AdminToolPak, the GUI dialogbox that allows alternative credentials to be entered does not appear. If the application causing the issue is removed, "RunAs" functions properly again.

Is there a registry key that controls the GUI interface for RunAs?

Hello All,

Is it possible to start runas and type password for user automaticaly on Windows Vista?

I'm use command line:

runas.exe /user:i_am some_program.exe

<ENTER>

Than password input has required.

How to input password automatically via parameters or type it by another program?

Thank you

IE is definitely the most insecure gateway to a PC. So I was thinking: why not run it in a guest account...

im confused about something simple

the only reason to use RunAs or MakeMeAdmin, is for convenience over the Fast User Switching?

Interesting reading.  Is there a way to programmitically display the RUNAS GUI to install a setup.exe. I could simulate the front end but that seems excessive.

I need to run the timedate.cpl passing parameters in the line command. It's possible?

Sorry...My english is not very well.. Do you know how parameters are accepted by timedeate.cpl? Is possible running with runas? TKS...

Whats the point of having a commad that cannot be used programaticaly, in fact why does windows even bother with tere commad shell at all, it like the guys at MS said those UNIX guys always seem to messing around at with "some kind of text window???" lets have one too it will make it look like we know what we're doin!

         ____

            / ___|______/

       _n__/ =|]  |_____|

     ~{8-B )------|)____

        u  \  ____|_____|

            \____|      \

Im not accessing it from a script im a accessing it from java's runtime.exec with other exe i can run them and read from their stdOut and write to their stdIn, only RunAS doesn't use stdIn like most command line apps, so i cannot pass in the password to it. The password is not stored in plain text anywhere so there is no chance of it being read. Besides I'M THE ADMINISTRATOR so if i want to write the password i ten foot high letters on the outside of the building then thats my look-out surley.

Its ok i fixed the problem apparently i needed to install Solaris, not windows. As windows isn't very good at this type of interaction with none ms products.

Where does the password come from, then?  Is it embedded in your Java source?

- Over secure connection.

I have groups of users that need to be given admin access to their workstation just to be able to update software on their PC as needed.

In the 'good old' unix days - I could just set the sticky bit on the program - and the privilege would follow the application.

Is there a Windows equivalent to 'trusted' applicaiton.

I'm not a scripting guy, I'm a sysadmin. I would love to use this script for making administative changes on users'. By default Domain Admins are members of local Administrators group, but I never sure what is local administrator's password is. I tried making changes to the script to prompt me for username and password of an account with admin rights, which is a domain admin account and it works, however for some reason it does it twice. I used SET /P for that, just for the reference, I would like to know how to populate _Admin_ variable with something I want.

Thank you in advance.

I just installed Vista on my computer.

I went to winzip to download the latest version.

I downloaded it to a ( Updates ) folder that I created within the new windows explorer.  On the top left section I Clicked on the Organize drop down and created the new folder.

I can download winzip110.exe without issue.

Every time I trywinzip110 in order to install winzip I get the following error:

Directory name is invalid.

Thanks

"Its ok i fixed the problem apparently i needed to install Solaris, not windows. As windows isn't very good at this type of interaction with none ms products."

Windows isn't too hot at interaction WITH ms products either!

I have the problem whyby I am using runas from the command prompt in Vista and it goes away to call the app/program, I am then prompted with a password box (as expected) I type this in, then....................NOTHING, yep nothing actually happens.

I also got round the run as administrator option to be able to run explorer as my own admin account, all appears to function correctly with explorer opening, it's only after trying to access something I realise it hasn't actually raised my credentials at all! HELP  

How to automatically set the color and title of *all* CMD shells based on admin/elevation status with a one-time, one-line configuration change to your system.

Problems in vista with runas and similar tools like cpau, runasprofessional, emco runas...

The tools can pipe a password to run applications with anohter useraccount. Now the tools have got problems to run applications with an activated uac on vista. I only know the tool runasspc from robotronic who can work together with uac on vista.

The only way i found to use the other tools is to deaktviate uac or use the built-in administrator account.

Any other solution?

you can not pipe a password in runas like cpau.

On vista cpau is not working.

Now i use the tool runasspc.

Thanks

I am having a problem when I use Run As to start an application, with opens the app, but does not include any local/network printers.  Is there a solution to this problem?

It happens in both 2000 and XP, this used to work about one month ago.

Hi all, I have read through most of this to apologies if this is a repeat.

I was having problems using the RUNAS command from a XP/SP1 worksation, logged on as a normal users account. I was trying to run a command box as a admin user from another domain, based on windows 2000.

First I Mapped a network drive to the \\windows2000server\c$ as (Z:\) in the other domain & selected the connect using a different user name, input my admin name and password so <otherdomain\admin><password> in the relevant box’s. Then brought up a command box, switched to z:\ then typed <runas /user:otherdomain\admin "cmd"> but got 1326: Logon failure. So tried <runas /netonly /user:otherdomain\admin "cmd"> but got 3: The system cannot find the path specified. So it was authenticating at some level? So it got me thinking where is it checking for the user credentials…

RESOLUTION: On my local workstation I added in the <otherdomain\admin> account into the local administrators group (rebooted). Then typed runas /netonly /user:otherdomain\admin "cmd">. SUCCESS! A new cmd box appeared with cmd(running as otherdmain\admin) in the top box. I then loaded my excel spreadsheet with all my lovely macros in it from via the command prompt, and all functioned as it it was being run by an administrator in the other domain, except on this domain on a standard users workstation.

So I think what that equates to is that runas wont work unless the user name your “running as” has the relevant permissions on the local machine your running it from

So yes no need to map network drives or what have you just sort the permissions out and run a cmd box and type runas /netonly /user:otherdomain\admin "cmd"

How can I execute applications with RUNAS in MS ACCESS 2003 VBA?

-------------------

I want to execute applications via a database. The user must login, and when logged-in, the user can execute applications.

For the moment I use de SHELL command in VBA.

Works very nice but when I need to us RUNAS it is not working.

SHELL ("RUNAS x") does not work because it is closing each time the CMD window. When I place the string RUNAS x after starting CMD manually, it works fine.

Regards, André

Password sending and runas.  The short answer is that with out a real bodge you can not use runas.  A defferent exe that I found runas102.exe http://www.anbsoftware.co.uk/netadmin/runas/

Will let you pass the password

copy it to your %windir$%

open us a cmd prompt and type runas102.exe /?

Works a treat

Hi Aaron:

Yes in plain txt it is risky.

This is the runas102.exe that will let people pass a password.  

From there once you have the context of using runas102.exe you can move it in to a VBS (encoded) script.  As a strong suggestion, do not use domain admin credentials.

Is a vbs encoded script decyptable, Yes found the tool on good old google.

They wanted to use runas with a password from the comand line, with runas102.exe you can.  

Obviously in each case security would need to be looked at.

On a funnier note you can only use the application in the context of the user you are running as.  If you runas a local power or admin user, from the application you will not be able to directly save to the network.

"bodge"= Australian for some times work sometimes does not.

http://en.wikipedia.org/wiki/Bodge

Cheers

Paul

You can activate UAC UI through VB-Script and then start your batch file with elevated rights: http://newyear2006.wordpress.com/2007/02/04/datum-unter-vista-per-vbscript-setzen-mit-uac-unterstutzung/

I am currently building applications on Longhorn and need to run as a different service account.  At the command prompt, I've entered '>runas /user:domain\serviceaccount cmd'.

I enter in the password when prompted. and then get this error:

RUNAS ERROR: Unable to run - cmd

1327: Logon failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced.

The password is correct so I'm at a loss as to what to do next.

Rose

How do you get the runas to authenticate on the domain along with the local computer?  I am trying to run an install which requires access to network shares.  Without domain authentication, I cannot make this happen!

What becomes of all my earlier non-admin tips, tricks and recommendations vis-à-vis RunAs, MakeMeAdmin, PrivBar and their interactions with IE and Explorer? The short answer is that Vista changes just about everything with respect to running with least

PingBack from http://www.rachner.us/blog/?p=6

Great post!

I've read through much of this and haven't seen anything that addresses my issue.

I'm trying to connect to another network via VPN and use resources there (https: and sharepoint websites in particular). My local PC is not known to the domains I reach through the VPN, so I can't log onto my local PC with a remote Windows account. I start the VPN client, enter my remote credentials and I get in. But once there, I can not get remote websites to honor my remote credentials. I've tried starting IE via runas with the remote credentials, but it doesn't make any difference. IE just hangs, showing "opening page ..." on the bottom left. Any ideas? Thanks

There is a tool "admintoolslauncher" which centralizes most of the adminstrative tasks under one application. One single log-in with administrative rights and you can launch all tools from one pool. It is limited to all windwos os before Vista. It can be found in this blog: http://www.stackenbloggen.de/PermaLink,guid,3406fa39-d95e-4ee3-bd64-7f55870b26ff.aspx

I needed to cause a domain replication to happen from a script:

Here is how I did it....

Set WshShell = CreateObject("WScript.Shell")

WshShell.run "runas /user:domain\username /noprofile ""repadmin /syncall ldap.domain.com"""

Wscript.sleep 2000

WshShell.SendKeys "password{ENTER}"

Yes Aaron, all those things are true, but after encrypting the file to a .vbe, The password is no longer exposed. As far as losing focus shorten the time, and be aware it could happen.

I use Runas allot, with various usernames, and domains.

There is a limit on the number of domain\usernames that can be stored in the list.

How do i flush the domain\username cache?

On an XP SP2 box, logged in as LUA, when I try to launch the Windows Defender ui using runas administrator, I get  the error:

"Application failed to initialize. 0x80070005. Access is denied."

Any thoughts for a work-around?

Thanks!

Frank

All this effort to try an impersonate a tool that linux has always had and just works.  Why don´t you all start making the switch to linux.  Eventually you will all be much happier people.

Hi friends,

I have one problem, my system is on network and I can access internet if I run firefox or IE as different user. I do that with “runas”,

It runs fine for couple of minutes but after that it starts running as login user… please help

Thanks

Lahens

I improved Hendrik's work on a RunAs Shell Explorer extension by adding an option for MSI files and making the dialog pause if you enter the password incorrectly.

Note: You need to change the user to match your user.

Thanks for this page Aaron!

Windows Registry Editor Version 5.00

; %SystemRoot%\system32\cmd.exe /C "%SystemRoot%\system32\runas.exe /user:PCPOOL\adm_oezbek "%L" | pause"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shell\Run as Admin...\command]

@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\

 00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,00,6d,00,\

 64,00,2e,00,65,00,78,00,65,00,20,00,2f,00,43,00,20,00,22,00,25,00,53,00,79,\

 00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,\

 73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,00,75,00,6e,00,61,00,73,00,2e,\

 00,65,00,78,00,65,00,20,00,2f,00,75,00,73,00,65,00,72,00,3a,00,50,00,43,00,\

 50,00,4f,00,4f,00,4c,00,5c,00,61,00,64,00,6d,00,5f,00,6f,00,65,00,7a,00,62,\

 00,65,00,6b,00,20,00,22,00,25,00,4c,00,22,00,20,00,7c,00,7c,00,20,00,70,00,\

 61,00,75,00,73,00,65,00,22,00,00,00

 ; %SystemRoot%\system32\cmd.exe /C "%SystemRoot%\system32\runas.exe /user:PCPOOL\adm_oezbek "%L" | pause"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\Run as Admin...\command]

@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\

 00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,00,6d,00,\

 64,00,2e,00,65,00,78,00,65,00,20,00,2f,00,43,00,20,00,22,00,25,00,53,00,79,\

 00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,\

 73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,00,75,00,6e,00,61,00,73,00,2e,\

 00,65,00,78,00,65,00,20,00,2f,00,75,00,73,00,65,00,72,00,3a,00,50,00,43,00,\

 50,00,4f,00,4f,00,4c,00,5c,00,61,00,64,00,6d,00,5f,00,6f,00,65,00,7a,00,62,\

 00,65,00,6b,00,20,00,22,00,25,00,4c,00,22,00,20,00,7c,00,7c,00,20,00,70,00,\

 61,00,75,00,73,00,65,00,22,00,00,00

; %SystemRoot%\system32\cmd.exe /C "%SystemRoot%\system32\runas.exe /user:PCPOOL\adm_oezbek "%SystemRoot%\system32\msiexec.exe /i \"%L\"" | pause"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Msi.Package\shell\Run as Admin...\command]

@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\

 00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,00,6d,00,\

 64,00,2e,00,65,00,78,00,65,00,20,00,2f,00,43,00,20,00,22,00,25,00,53,00,79,\

 00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,\

 73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,00,75,00,6e,00,61,00,73,00,2e,\

 00,65,00,78,00,65,00,20,00,2f,00,75,00,73,00,65,00,72,00,3a,00,50,00,43,00,\

 50,00,4f,00,4f,00,4c,00,5c,00,61,00,64,00,6d,00,5f,00,6f,00,65,00,7a,00,62,\

 00,65,00,6b,00,20,00,22,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,\

 6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\

 00,5c,00,6d,00,73,00,69,00,65,00,78,00,65,00,63,00,2e,00,65,00,78,00,65,00,\

 20,00,2f,00,69,00,20,00,5c,00,22,00,25,00,4c,00,5c,00,22,00,22,00,20,00,7c,\

 00,20,00,70,00,61,00,75,00,73,00,65,00,22,00,00,00

For all who search a runas solution on vista.

runasspc on robotronic.de/runasspcEn.html

can use it on vista like runas on xp.

Is there a way to bring up the GUI runas prompt from the command line?  I know this sound strange but hear me out... We have a program that has an inventory of our servers and I can make a right-click item for each server to run a command.  However there are multiple domain/workgroup for different servers.  Instead of having to create a separate item for each possible login we could use (based on what server we select), is there anyway to just make the command (exe or dll) bring up the runas gui for any given executable?  The command line version of runas will prompt for a password, but not for user name and password.

Hi,

I'm trying to start a bat file from the network. I'm getting an error saying:

Enter the password for ATUUSER4\Administrator:

Attempting to start C:\Batch\MAKEME~1.CMD " as user "ATUUSER4\Administrator" ...

RUNAS ERROR: Unable to run - C:\Batch\MAKEME~1.CMD "

5: Access is denied.

Any ideas what could be wrong?

XP Pro Sp2

How to run Control Panel as Administrator in Windows XP:

runas.exe /u:Administrator "explorer /separate,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{21EC2020-3AEA-1069-A2DD-08002B30309D}"

Hello!

There is a really nice app called Advanced Run (http://www.ilyns.com/advanced-run.asp). This is a great alternative for a standard Windows Run dialog box. You are able to specify user credentials to run whatever command you need. You are able to open documents with ‘Advanced Run…’ context menu item. You are able to specify Shell Verbs to perform advanced actions over the document you work with. Command templates and shortcuts are really great features that allow user to increase his performance by automating frequently actions. Furthermore, there is a possibility to share settings over a local network. Personally I believe people need such a great program because it’s not convenient and not flexible to use RUNAS command and other alternates such as Sudo for Windows are not such user friendly and powerful. Check it out!

use the utility in the above link to run explorer with different user account in ur machine

use the utility in the below link to run explorer with different user account in ur machine

http://simplytoknow.blogspot.com/2008/11/run-windows-explorer-as-another-user.html

Very useful information. Thanks a lot

*******************************

******** Temp Solution ********

*******************************

Thank you for above discussion and brief summariztion to run id/pwd in cmd:

1. cmd "runas" CANNOT do this

2. need VB or C

3. need install 3-party software

Luckily found PsTools v2.44 By Mark Russinovich (thanks!!) and tested whole day - pretty good and easy to use!!

1. Accept ID/Pwd in script. No more keyboard.

2. No need install in other client PC(s)

3. Suitable to W2K, XP, 2003

4. Slient to users. Run at backend.

http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx

Happy Sharing and enjoy. :)

Karl

Please, post the ie.cmd lines here on blog also. Old link is not working.

Okay.  I am not sure if this would be considered basic OR intermediate for that matter but here is my problem and I hope someone can help.

First things first I !cannot! run any third party programs NOR can I do any reg hacks as the guidelines of my position strictly prohibit them.

I am working with Windows Vista and have the dissappearing Control Panel issue which requires the Software Licensing and SL UI Notification Service to be restarted.  I wanted to make this easy objectivly that has not happened.

All computers are Local only there is no domain.

All computers have had a user added that is an Admin, as part of the trial process, whether or not this is needed I do not know.

The problem I am running into is when I am trying to elevate inside of CMD.EXE the account is still not granted the right to run the required NET STOP/START to disable and reenable the services.

I was looking at the /trustlevel switch but the only level I can find is 0x20000 which is the basic user.  I need to run CMD.EXE at the administrative level to enable the ability to run the NET STOP/START that is required.

I cannot Turn off UAC either by the way, lucky me right?

As with post #631638 above, I am also having trouble running the ncpa.cpl network applet as Administrator.

I have the "Launch folder windows in a separate process" flag set for both the target Administrator account as well as my Limited User account, but it still won't work.

The ncpa.cpl is the only applet that won't run as Admin... everything else works fine.

Any ideas?