Welcome to MSDN Blogs Sign in | Join | Help

"RunAs" basic (and intermediate) topics

In this posting: 

  • What is RunAs? 
  • How to use RunAs from the GUI (even if you can’t see it)
  • Using RunAs from the command line
  • When RunAs won’t work
  • Useful RunAs shortcuts and related tips for the non-admin

 

Did you know that millions of people run as non-administrator every day?  It’s true!  What do they do when they come to a point where something requires administrator privileges?  Simple:  they call their helpdesk.  And if they ask really nice, a sysadmin makes a note to stop by sometime within the next month.  When he arrives, he logs in as administrator and performs some magical administrative tweak that renders the user’s computer unbootable.  “Oops!”  Of course, that’s not really true.  The sysadmin can now log in remotely to render the user’s computer unbootable, without even leaving his desk!  (I’m sure there’s research going on somewhere about how remote administration is contributing to increased sysadmin obesity.)

 

If you are your own helpdesk (i.e., you administer your own machine), how do you run something with admin privileges?  Fast User Switching is the best option (see previous blog entry), but it isn’t available in Windows XP if your computer is joined to a domain.  You can log out, shutting down all your apps, and log back in as administrator.  Sometimes that will be necessary (I needed to do that when installing the beta of Microsoft Office 2003), but most of the time logoff is more disruption than necessary.  At these times, the Secondary Logon service is your friend, typically exposed through RunAs.

 

The Secondary Logon service was first introduced in Windows 2000, and is in Windows XP and Server 2003.  When you start a new process through RunAs, you provide credentials for the account you want the process to run under – for example, the local Administrator account.  Assuming the credentials are valid, the Secondary Logon service then causes several things to happen:

  • creates a new logon session for the specified account, with a new token;
  • ensures that the new process’ token is granted appropriate access to the current window station and desktop (the specifics change somewhat for XP SP2, but aren’t important here);
  • creates a new job in which the new process and any child processes it starts will run, to ensure that the processes are terminated when the shell’s logon session ends (correcting a problem with the NT4 Resource Kit’s SU utility).

Is this description too nerdy?  The net is that it lets you run programs as a different user on the same desktop with your other running programs.  The new process and (generally) any programs it starts will run under this new account.

 

The “How to develop code as a non-admin” item in Keith Brown’s upcoming book, A .NET Developer's Guide to Windows Security, covers some of the same ground I’m covering here.  We cover the details differently and offer different tips, though, so you should read us both!

 

RunAs GUI, in Windows XP and Server 2003:

 

In Windows Explorer or the Start menu, right-click on any Application (.exe) or Microsoft Common Console Document (.msc) file or shortcut, and choose “Run As…” from the context menu.  In the “Run As” dialog, choose the 2nd radio button (“the following user”) enter the user name and password for the account, and click OK.  (I’ll discuss the first radio button and the “protect my computer and data…” option in a future post.)

 

I said “any”, but that’s not quite true.  If the shortcut is a “special Microsoft Windows Installer link”, you’ll need to hold down the Shift key while right-clicking to get Run As on the menu.  (Don’t ask me why.  It’s better than in Windows 2000, where you never saw Run As on the right-click menu unless you pressed Shift.)  On my Start menu, these “special” shortcuts include Adobe Reader 6.0, MSN and Windows Messenger, and MapPoint 2004. 

 

The “hold down Shift” trick is also needed to get Run As on the context menu for most Control Panel shortcuts – specifically those that link to a .cpl file.  RunAs doesn’t work for all Control Panel items, though.  Some of them, such as Folder Options, Fonts, Network Connections, and Scheduled Tasks, actually run within Windows Explorer, which by default doesn’t play well with Run As.  More on that in a future post.

 

There’s also a little problem with the Power Options applet.  According to Keith Brown’s analysis (no longer online? I can’t find it), when you click OK or Apply, it writes both per-machine and per-user settings.  If you are a normal User, it quietly fails when writing the per-machine settings and never writes the per-user settings.  (As of XP SP2 RC1, this is “fixed” in that it at least tells you that it failed to save the settings.)  If you use RunAs to run it as the local administrator, the per-user settings it writes are those of the administrator account, not your user account.  Sadly, to change your own power settings, you need to be an admin.  (This is addressed by my MakeMeAdmin script, which I’ll describe in an upcoming post.  Stay tuned!)

 

You can avoid the right-click context menu and make “Run as…” the default action for a particular .exe or .msc shortcut by opening its Properties dialog, clicking Advanced, and checking “Run with different credentials”.  When you invoke the shortcut, you’ll get the RunAs dialog, and the shortcut’s target will run under the account you specify.

 

RunAs from the command line:

 

RUNAS.EXE is a console (a.k.a., “text mode”) application that prompts for alternate account credentials and starts a new process under that account.  Console applications are often started from a cmd.exe command prompt, but they can also be started from the Start/Run dialog or from an Explorer shortcut.

 

RUNAS.EXE offers more flexibility than the GUI, including the ability to authenticate with a smart card, to use the account only for network authentication but continue to use your current account locally, and to control which profile and environment to use.  Type “RUNAS” without parameters at a command prompt to see its command line options.  Look up “runas” in Windows XP Help and Support for more info and examples.

 

When RunAs won’t work:

 

A common source of frustration and confusion is to start an application with RunAs, only to find that it is continuing to run in your original logon session.  (First, how do you tell?  My favorite tool here is Process Explorer from SysInternals.  Add “User name” to the displayed columns.  Starting with v8.30, ProcExp no longer requires admin privs – thanks, Mark!  Also look for my PrivBar utility in another upcoming post.)

 

The problem is that when started, many applications – such as MS Word and Windows Explorer – look on the current desktop for an already running instance of itself.  If found, the new process will send a message to the previous instance to handle the request and then exit.  That previous instance will often be running under the account you originally logged on with, not that of your alternate credentials.  A similar effect occurs when a new app is not started directly by the parent app, but is instead started through the shell, via ShellExecute[Ex] or through DDE.  The new process then inherits the security context of the shell, and not of your alternate account.  The cmd.exe start command will do this in certain circumstances.

 

I promise to discuss how to get Windows Explorer to play nicer with RunAs in a future post.  In the meantime, Keith Brown’s “How to develop code as a non-admin” describes how you can use Internet Explorer to achieve some of the same results (search the item for “But I hate the command prompt!”).

 

Some tips and tricks:

 

I really like Keith’s recommendation to change the background bitmap for your admin IE, but there’s an easier way to do it:  the TweakUI Power Toy.  Run it as admin and navigate to Internet Explorer \ Toolbar Background.  And here’s a bitmap I like to use.

 

Many people like to keep a cmd.exe shell running as local admin.  To reduce the possibility of mistakes, I strongly advise making it obviously different from your normal command shells.  The easiest, one-time setup is to click on the admin shell’s system menu, choose “Defaults” and change the colors.  This is a per-user setting, so all future console windows running as local admin will appear in the colors you choose.

 

Another way is to specify distinguishing characteristics in the cmd.exe command line.  For example:

cmd.exe /k cd c:\ && color fc && title ***** Admin console *****

The /k option says to run the commands that follow, and not exit after running them.  (FYI, /c runs the commands and then exits.)  The commands that are executed change the current directory to the root of C: (somewhat safer than being in the system32 folder), the color command changes the console’s color to light red on bright white (run “color /?” to see other choices), and the title command changes the window title to something distinctive.  I keep a shortcut in my Quick Launch bar that invokes runas with that command line.

 

Yet another way, suggested by MS employee John Lambert (NT), is to associate a custom icon with the shortcut.  The icon will appear in the Alt-Tab window, the taskbar, and of course the upper-left corner of the cmd window itself.  Note that this works only with a cmd.exe target, and you need to use the GUI RunAs option, not the runas.exe console app.  Here is an icon you can use.

 

The admin command shell is a popular way to start apps with elevated privileges.  You don’t have to be a total nerd to enjoy its power, though.  Examples:

 

Windows Installer Packages (.msi files) don’t offer a RunAs context menu option.  You might be able to get away with hacking the registry to add that option, or you can just run the .msi file directly on the command line of your admin shell. 

 

In general, the command shell recognizes file associations, so you can invoke a data file on the command line and it will start the associated application.

 

You can start Control Panel applets from the command line just by typing the name of the .cpl file.  Some examples:

Start “Date and Time Properties”:

C:\>timedate.cpl

Start “Add or Remove Programs”:

C:\>appwiz.cpl

Start “System Properties”:

C:\>sysdm.cpl

 

To start Internet Explorer from the command shell, you can type the full path ("C:\Program Files\Internet Explorer\iexplore.exe" – rather a PITA even with command completion).  I just keep an ie.cmd file in a folder in my path (posted here as a .txt – just rename it to .cmd).  It starts IE, and takes an optional URL parameter.  E.g.,

C:\>ie blogs.msdn.com

 

That will have to do for now.  Please continue to post comments, and I’ll try to get everything addressed.

Published Wednesday, June 23, 2004 1:46 AM by Aaron Margosis

Comment Notification

If you would like to receive an email when updates are made to this post, please register here

Subscribe to this post's comments using RSS

Comments

# re: “RunAs” basic (and intermediate) topics

Wednesday, June 23, 2004 5:06 AM by Frank de Groot
I've been doing this since I saw Keith's article and it generally works well for me.

The only trouble I had was when running a code from VS.NET with VS.NET running as admin. A debug run works ok, but running without debugging started the process but doesn't show the window (and you can't kill it either because it's running as admin).

I suppose the program was sent to the wrong desktop.

# re: “RunAs” basic (and intermediate) topics

Wednesday, June 23, 2004 9:26 AM by Aaron Margosis
Frank - was this ASP.NET? And the window you're looking for IE?

# Running with Least Privilege on Windows

Wednesday, June 23, 2004 12:22 PM by Dana Epp's ramblings at the Sanctuary
Aaron Margosis pointed out to me today his weblog which contains some good references and information about running as a limited user on Windows. He had an interesting comment on my different credentials post I did almost a year ago in which he uses a shortcut directly to a cmd window with runas instead of using the explorer view. His suggestion is to do: C:\WINDOWS\system32\runas.exe /u:Administrator "%windir%\System32\cmd.exe /k cd c:\ && color fc && title ***** Admin console *****" Makes total sense if you want to use an admin shell. Personally I prefer having the UI available through the explorer view... which has its own limits. This way I don't have to try to remember where the CPL paths are, or what they are called. I just click 'My Computer' and then 'Control Panel' and have at 'er. To each his own. Aaron has some good pointers on his blog about different ways of approaching this. Consider checking it out....

# re: “RunAs” basic (and intermediate) topics

Monday, July 05, 2004 10:38 AM by Richard Cass
I have tried to follow Aaron's advice about running in Standard User mode, but continually hit the snag that folders don't exist (they do).
e.g. Run As cmd.exe produces error C:\WINDOWS\system32\cmd.exe The directory name is invalid.
This happens with others (windows update). I am running WXP SP1 on a domain.

What step have I missed?

# re: “RunAs” basic (and intermediate) topics

Tuesday, July 06, 2004 1:21 AM by Aaron Margosis
Richard Cass - can you provide more details about how you're getting to that error message? I've never seen that in this context.
Thanks.

# re: “RunAs” basic (and intermediate) topics

Tuesday, July 06, 2004 5:05 AM by Richard Cass
My XP Pro SP1 machine is on a domain. Normally I have my user account as part of the Domain Admins as well as a Local Administrator of my PC. No problems there.
I wanted to test whether my users could run as a Standard User (currently they are also in the Local Admins group - most of them are software engineers and compiling & installing seems to require admin rights).
So I removed myself from these admin groups (ie Users group), logged off/on and tried to test for restrictions. As an example I tried to use Run As on the Command Prompt icon, logged in as the domain admin and then had the error message given in my first feedback.
I also tried Windows Update (as a Standard User) and the web page titled Administrators only came up, indicating to use the Run as option. Doing that then gave me the error: C:\WINDOWS\system32\wupdmgr.exe. The directory name is invalid.
I was also getting the usual restriction messages (cannot change some of the network settings etc), but I expected that.

# doesn't work

Tuesday, July 06, 2004 11:27 AM by ch.
well I want non-admins run certain applications as admins (otherwise they don't work) - but it keeps forgetting that I set them to run as admin. Once I set the run as admin and then reboot, the setting is lost and normal users can't use it.

# RunAs with Explorer

Wednesday, July 07, 2004 1:34 PM by Aaron Margosis's WebLog

# re: “RunAs” basic (and intermediate) topics

Wednesday, July 07, 2004 1:44 PM by Aaron Margosis
ch - RunAs-admin is not a permanent setting. You *can* specify on a shortcut that it should run with different credentials, but the user will be prompted for the admin credentials each time the shortcut is invoked.

# re: "RunAs" basic (and intermediate) topics

Thursday, July 08, 2004 12:22 PM by Aaron Margosis
Richard Cass - I've asked around and everyone seems stumped by the symptoms you've described. One colleague suggested the possibility that the DA account does not have the "bypass traverse checking" privilege. Could you check that? Also, make sure that Domain Admins is a member of the local Administrators group.

# re: "RunAs" basic (and intermediate) topics

Friday, July 09, 2004 8:54 PM by Jeff Sontag
I like using a shortcut configured to offer the option of using alternate credentials.
I noticed that the local administrator account was offered as the default username in the "the following user" section. I added my domain account (the one that is a memeber of Domain Admins) to the local machine's Administrators group ("Domain Admins" was already in this group) and now I can pick my domain admin account from the drop-down list in the "the following user" section. I hoped that it would remember it even if I then removed my DA account from the local machine's administrator's group, but no good. Do you know a way to make the "the following user" drop-down list remember just domain\username entries, and not the password, without adding the accounts to the local machine's admins or users group?

# RunAs with Explorer

Saturday, July 10, 2004 12:54 AM by Aaron Margosis's WebLog
How to get Windows Explorer to work with RunAs (and why you might want to).

# re: "RunAs" basic (and intermediate) topics

Saturday, July 10, 2004 11:36 PM by Aaron Margosis
Jeff Sontag - Sorry, no, it's not configurable and it doesn't remember previously used names. It lists only usernames explicitly listed in the BUILTIN\Administrators group, as well as Client Authentication certificates in the current user's Personal cert store, including smart cards. (You can run certmgr.msc to see your certs).

# The directory name is invalid

Wednesday, July 14, 2004 3:16 PM by Chad Pankratz
A possible explanation for the "The directory name is invalid" error: Many shortcuts in the Start Menu have "Start in" set to "%HOMEDRIVE%%HOMEPATH%". If this maps to a network drive on your domain, then if you attempt to Run As a user that cannot see the drive, you will receive the error.

# re: "RunAs" basic (and intermediate) topics

Thursday, July 15, 2004 11:37 AM by Richard Cass
Aaron: Sorry I haven't been back before (RSS is great for the initial Post but not for Comments), but setting the DA permission to have the "bypass traverse checking" privilege did not do anything.

However,
Chad: That was it! Removing the default "Start in" sorted the problem.

Many thanks guys.

# PrivBar -- An IE/Explorer toolbar to show current privilege level

Saturday, July 24, 2004 11:40 PM by Aaron Margosis' WebLog
A toolbar for Explorer and Internet Explorer that shows you broadly at what privilege level that particular instance is running

# Running restricted -- What does the

Friday, September 10, 2004 12:10 AM by Aaron Margosis' WebLog
What does it mean to

# IE Security

Saturday, October 23, 2004 7:11 AM by Digging .NET
IE Security

# PrivBar - An IE/Explorer toolbar to show current privilege level

Monday, October 25, 2004 2:53 PM by Lockergnome's IT Professionals
Aaron Margosis is a Microsoft employee who is writing a weblog on running Windows with least privilege on the desktop. If you are having trouble running applications under an account with less privileges than administrator, there are many useful suggestions...

# RunAs with Explorer

Friday, October 29, 2004 4:54 PM by The stuff I see and read about

# Understanding Least Privilege

Tuesday, February 15, 2005 10:54 AM by Scorpion Software Corporate Weblog
The idea that the principle of least privilege requires that a user or process be given no more privilege than necessary to perform a job makes a lot of sense in this hostile digital divide we live in. Least privilege has become a passion of mine, and its reflected in everything that I design now adays. Which is why Carina works so well in the face of hostile and malicious code. In today’s show I talk about the security principle of least privilege, how we use it to protect our customer’s information... and how you can use it to protect your desktops. For more information about least privilege please check out some of these links: nonadmin.editme.com - This is a community web site (wiki) for Windows users who want to learn how to run without Administrator privileges, and why they should do this. "RunAs" basic (and intermediate) topics - Aaron Margosis' introduction on how to use the runas command in Windows Secure Coding Practices: Running with Least Privileges in Windows - An older article I wrote for CodeProject on how to develop using least privilege on Windows Developing Software in Visual Studio .NET with Non-Administrative Privileges - Lars Bergstrom's great article that explains how to productively develop software while logged on with non-administrative privileges. Using a Least-Privileged User Account - A small article on TechNet discussing LUA, and how it will affect LongHorn. After listening to customer feedback, we are going to try a new format with this podcast. We will keep these single topic recordings short (somewhere around 5 minutes) so that people with busy schedules can still get a chance to listen to it. We will leave longer shows for more in depth interviews etc. Please let me know if you like the new format. Think strategically. Protect your information. Enjoy! MP3: Scorpion Vault: Understanding Least Privilege (4:59s / ~4.7mb)...

# Table of contents, Aaron Margosis' non-admin blog

Monday, April 18, 2005 8:22 PM by Aaron Margosis' WebLog
Complete list of Aaron Margosis' non-admin / least privilege posts, for easy lookup.

# How was cmd.exe started

Sunday, May 15, 2005 5:51 AM by rduke15 at gmail.com
This is really related to runas and privileges, but is a question about cmd.exe and shells, in case someone knows.

Can I find out if my console app. was started from an open cmd.exe console window, or from Start->Run?

I have a Perl script which prints output that the user wants to read.

If started from Start->Run, the window will close immediately. If I put a "press key" prompt in my app, it's annoying in the other case, when the cmd window is staying open anyway and pressing a key would not be needed.

Can I somehow differentiate how the app was called, and prompt for a keypress only if needed?

# re: How was cmd.exe started

Sunday, May 15, 2005 5:47 AM by rduke15 at gmail.com
Sorry, I meant "This is really UN-related..." in the previous post.

# Spread the LUA joy

Friday, June 10, 2005 12:12 PM by tonyso
Get your friends and family, all those folks that come to you for computer help once their machines have...

# re: "RunAs" basic (and intermediate) topics

Sunday, June 19, 2005 12:01 PM by Alex Mondale
I am attempting to follow the shining LUA path, but the following is frustrating me:
====================================
RUNAS ERROR: Unable to run - cmd.exe
5: Access is denied.
====================================
Could this be because the account I am attempting to runAs has a null pwd? Any other thoughts? Where would I find out what access is being denied to whom?

# re: "RunAs" basic (and intermediate) topics

Sunday, June 19, 2005 12:22 PM by Alex Mondale
Interesting, when I (as local admin) runAs a nonpriv account I get

RunAs ERROR: 1327: account policy restriction: nonblank password, ...

This is something we developers (unfortunately) try to do all the time: develop as local admin, runAs another less priv'ed account, and see what breaks.

# re: "RunAs" basic (and intermediate) topics

Sunday, June 19, 2005 12:37 PM by Alex Mondale
Aha! I made the following discoveries:
-- when I removed my former Admin Account from Administrators, it had all kind of other rights (act as part of the OS, run as a Service, etc.). Just removing from Admins and adding to Users didn't remove these policy-granted rights.
-- Having removed these "extra" privs, I still cannot runAs. Now, I get the same message as when I attempt to run as a nonpriv from a priv account:

"RUNAS ERROR: Unable to run - cmd.exe
1327: Logon failure: user account restriction. Possible reasons are blank passw
ords not allowed, logon hour restrictions, or a policy restriction has been enfo
rced."

-- Gave the local admin a password, guess what happened? It worked, of course.

So where do I go to adjust this ppolicy restriction? and, what process or app caused this policy restriction to be made? (Not ruling out Yours Truly, I have the attention span of a Gnat!).

# re: "RunAs" basic (and intermediate) topics

Sunday, June 19, 2005 12:46 PM by Alex Mondale
http://tinyurl.com/6u739 has info on the use of blank passwords as a Local Sec Policy enforcement. But why should this clobber RunAS?

# re: "RunAs" basic (and intermediate) topics

Sunday, June 19, 2005 11:16 PM by Aaron Margosis
Alex --
As you found in that URL
http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prdp_log_tyry.asp
local accounts with blank passwords can be used to log on only at the console logon screen, not through any other manner. If you have a computer in a secure location (e.g., a home computer) where you can trust everyone who has physical access, this is very convenient. RUNAS was specifically and deliberately disallowed with blank passwords. The reason is because if it were allowed and a LUA user accidentally downloaded some malware, RUNAS would offer an easy elevation of privilege for the malware to run code as an admin. There is a security option that will allow blank password for all other logon types, but I would strongly advise against changing it.

# re: "RunAs" basic (and intermediate) topics

Sunday, July 10, 2005 4:42 PM by Alex Mondale
Aaron:
I have discovered that if the user that is "becoming" admin doesn't have read-only rights to the USER.DAT in the Admin's documents and settings folder, the RUNAS will fail. I have also discovered that MAKEMEADMIN will fail for the same reason.

Also, I have seen the MAKEMEADMIN batch file fail in "mid-stream" so that the user was made member of Administrators and then not "demoted" after running the program. Any one else reported this?

Alex

# re: "RunAs" basic (and intermediate) topics

Monday, August 08, 2005 5:33 AM by jodah
Hi
HELP HELP HELP
When I launch Explorer as Admin (RunAs)
Explorer won't refresh things automatically. For example, if I create a new file, it might not show up in my admin Explorer window. I know pressing [F5] would solve this problem.
Isn't there a possibility to let (admin)-Explorer refresh automatically???

Thank you for your help

# re: "RunAs" basic (and intermediate) topics

Monday, August 08, 2005 10:59 PM by Aaron Margosis
Alex Mondale - 1. Under what (normal) circumstances would the admin not have full control over its own NTUSER.DAT file? 2. The error handling in MAKEMEADMIN should always remove the user from the admins group, unless you close the console window prematurely.

Jodah - I know of no fix for that particular annoyance. Just F5 after every operation.

# re: "RunAs" basic (and intermediate) topics

Monday, August 29, 2005 3:23 PM by Jason Mayer
Just curious, but do you know of any method to change the default user name when you Run As another user?

# re: "RunAs" basic (and intermediate) topics

Tuesday, August 30, 2005 1:40 PM by Jason Mayer
I found the answer on another web site. Make a shortcut that runs the command line version of the run as program and use the switches to change the default login.

An example would be:
C:\WINNT\system32\runas.exe /profile /user:somedomain\jmayer sol.exe

# re: "RunAs" basic (and intermediate) topics

Thursday, September 29, 2005 2:32 PM by Derrell Rivers
Hello,

In your tips and tricks you mentioned the following, "Windows Installer Packages (.msi files) don’t offer a RunAs context menu option. You might be able to get away with hacking the registry to add that option, or you can just run the .msi file directly on the command line of your admin shell."
Where I work, our developers started using .msi files which doesn't allow desktop support to use Runas option for installs.
What steps are needed to set a group policy for our entire environment permitting Runas on .msi?

# Starting IE from cmd.exe

Friday, October 14, 2005 8:17 AM by HairyMonster
Instead of having ie.cmd or any other .cmd file for starting a registered application, simply type "start iexplore" from the command prompt. If you can use the Start/Run menu item to run the app, this will work from the command-line.

# re: "RunAs" basic (and intermediate) topics

Tuesday, December 13, 2005 5:07 AM by Perro_Flaco
Hi everybody!

I hope someone can help me with this, because I'm getting really angry.

I'm trying to execute the following command:

"runas /user:user_name cmd.exe"

When I hit return, it asks me for my password, and here is where the
problem begin. I get this error:

"Error 1326. Logon failure: unknown user name or bad password."

I've tried with different combination of user_name and password with
the same result. I'm sure about the user_name and password. I also have
tried this:

"runas /user:mymachine\user_name cmd.exe"

But the problem remains.

I've been looking for a solution in the google, but without any
success. Please, if anybody knows how to fix this, let me know!

Thank you very much for your help!

# re: "RunAs" basic (and intermediate) topics

Tuesday, December 13, 2005 9:55 AM by Daveib
When I use Runas with the following full command line
%windir%\system32\runas.exe /profile /user:OFFICE\TestUser/savecred "C:\Program Files\Internet Explorer\iexplore.exe"
it comes up with what looks like a command prompt, asking for a password, but the keyboard does not work. I am unable to type in the password, so the command line window closes without anything happening.
Any ideas?

# re: "RunAs" basic (and intermediate) topics

Tuesday, December 13, 2005 10:26 PM by Aaron Margosis
Daveib - several things:
1. It might just be a typo, but you need a space between TestUser and /savecred.
2. The console doesn't echo any characters when you type a password at the RunAs prompt.
3. Are you invoking runas.exe from the Run dialog or from a command shell (cmd.exe)? If the former, runas.exe is probably telling you what the error is, but the console window is closing before you can see it. Try running it within a command shell instead of from the Run dialog.
HTH

# re: "RunAs" basic (and intermediate) topics

Monday, January 23, 2006 11:08 AM by kcnpeppa
Good article. I pretty much always use runas and have finally gotten the hang of the workarounds. However, the few times it does not work is frustrating. Currently, start menu shortcuts give a "directory name is invalid" error for cmd.exe. Navigating to the file or running from the run menu works fine. Mysterious ..... but not surprising.

Perro - if this is a local account that should work but I've seen times where it just won't. Use the GUI. Navigate to the file and right click. If it's a valid username and the password has not expired, you should be ok.


JB

# re: "RunAs" basic (and intermediate) topics

Tuesday, January 24, 2006 12:35 AM by Aaron Margosis
JB/kcnpeppa --
The issue you raised was covered in an earlier comment: http://blogs.msdn.com/aaron_margosis/archive/2004/06/23/163229.aspx#183263

HTH

# re: "RunAs" basic (and intermediate) topics

Tuesday, January 31, 2006 10:28 AM by RJT
To provide access to local items requiring Administrator priveleges in our network environment, we created a Service Account with the appropriate authority. Then, we wrote a Visual Basic application where Windows EXE programs are launched via the "RUN AS" using the Service Account within the VB program. The problem we have is with command line (CMD) programs. We have yet to determine a programmatic method to launch the CMD including the credentials required to RUN AS as either VB lines or external BAT files. We need this to allow users access to items like "IPConfig /release"

# re: "RunAs" basic (and intermediate) topics

Tuesday, January 31, 2006 11:43 AM by Aaron Margosis
RJT - the best way to grant users the ability to do things like "ipconfig /release" is simply to add them to the "Network Configuration Operators" local group. Members of this group can manage a small set of network configuration features, such as the "ipconfig" operations. Note that it does not grant the ability to configure the firewall.

# re: "RunAs" basic (and intermediate) topics

Tuesday, February 07, 2006 1:41 PM by jimmer
RJT,

Below is a vb script I wrote years ago to flush dns using ipconfig.  You could easily modify it to ipconfig /release ipconfig /renew.  Look out for line wraps in this post.

On Error Resume Next

strComputer = "ITLWWS02"

Const ForReading = 1
Const ForWriting = 2
Const ForAppending = 8

vBatPath = "C:\temp\"
vBatFile = "flushdns.bat"
vLocBatFile = vBatPath & vBatFile
vRemBatFile = "\\" & strComputer & "\c$\temp\"
set fs = CreateObject("Scripting.FileSystemObject")

if fs.FileExists(vLocBatFile) Then
fs.DeleteFile(vLocBatFile)
End If

if fs.FileExists(vRemBatFile) Then
fs.DeleteFile(vRemBatFile)
End If

set vOutPutFile = fs.CreateTextFile(vLocBatFile, True)
vOutputFile.writeLine "ipconfig /flushdns"
vOutputFile.writeLine "echo flushdns Completed"
vOutputFile.writeLine "echo flushdns Completed > c:\temp\flushdns.log"

fs.CopyFile vLocBatFile, vRemBatFile

CmdLine = vLocBatFile
Path = "c:\test"

set objwbemLocator = CreateObject("WbemScripting.SWbemLocator")
set objwbemServices = objwbemLocator.ConnectServer(strComputer, "", "", "", "", "", 0, null)

set Process = objwbemServices.Get ("Win32_Process", 0, null)
Process.Create CmdLine, Path, , ProcessID

wscript.echo "Complete"

# re: "RunAs" basic (and intermediate) topics

Wednesday, February 15, 2006 4:06 PM by Kaplaa
Seems to me that 1) there is no good way to make a shortcut programatically with runas selected and 2) there is no way to set a runas shortcut to user the calling user's environment, such as the /env command from the command line.  Am I missing something?

# re: "RunAs" basic (and intermediate) topics

Wednesday, February 15, 2006 9:31 PM by Aaron Margosis
Kaplaa:
1) Search MSDN for SLDF_RUNAS_USER
2) The RunAs dialog doesn't offer as many options as the RunAs.exe console app.  How about something like a shortcut to:
runas.exe /env /u:targetuser targetprogram.exe
?

# re: "RunAs" basic (and intermediate) topics

Thursday, February 16, 2006 9:41 AM by Kaplaa
I am using Vbscript/VBA to create a new shortcut for a database.  It appears IShellLinkDataList is not accessible this way -- it is not in the shell createshortcut action nor is it exposed by the WMI interface.  Using runas.exe forces me to hardcode the alternate user, which is too kludgy.  Currently I advise the users to manually set it in the advanced tab of the shortcut I create using the Shell object. Thanks.

# re: "RunAs" basic (and intermediate) topics

Thursday, February 16, 2006 4:34 PM by Aaron Margosis
Kaplaa - as far as I can tell, that setting is not exposed to any of the scripting interfaces.  C++/COM appears to be required.

# re: "RunAs" basic (and intermediate) topics

Thursday, February 23, 2006 1:39 AM by Regina
Hi to all, I just used the RunAs command using these parameters: %windir%\system32\runas.exe /profile /netonly /user:regiea\administrator "C:\CPS\SmallExe\CPS.exe" (it's a system that we used in the office and I am logged as a standard user) to run a program as administrator. I was able to do the usual things that we used to do without the RunAs but when I check for the network printer, it is not listed in the printer setup of the program. Running the program as a limited user doesn't give me the right to access some modules so I tested to run it as administrator with the RunAs command. Any idea why?

# re: "RunAs" basic (and intermediate) topics

Thursday, February 23, 2006 1:47 AM by Aaron Margosis
Regina - try using MakeMeAdmin instead (see http://blogs.msdn.com/aaron_margosis/archive/2004/07/24/193721.aspx).  If your standard user account is a domain account, the local admin account you're using with runas will not have any authenticated access to network resources, nor to printers configured under your standard user account.  Also, if you use "/netonly" in the runas command, you're not running with admin privileges locally - you are merely authenticating as the built-in local admin when making remote requests - which won't be of value since your local accounts are not recognized on remote systems.

# WebCast's Notes: Least Privilege and New System.Security Features

Wednesday, March 08, 2006 7:32 PM by Dan Sellers's WebLog

In today’s Webcast we first started off with a continuation from last week.  Last week we explored...

# re: "RunAs" basic (and intermediate) topics

Tuesday, March 21, 2006 10:43 AM by Ganesh
How to provide password for Runas remote shutdowm command in the text file.
This remote shutdowm will be triggered from an application with user account having appropriate remote shutdown privilege. But when I ran that in the command line, it is asking for password. I want to provide the password in the runas command itself.
Any help please?

# re: "RunAs" basic (and intermediate) topics

Tuesday, March 21, 2006 10:48 AM by Aaron Margosis
Ganesh:  RunAs accepts passwords only from the keyboard.  It was designed this way to help people avoid the unsafe practice of putting passwords in script files.

# re: "RunAs" basic (and intermediate) topics

Monday, March 27, 2006 4:25 AM by Rajesh
Is there a away to supply password automatically? I want to make a batch file using "runas" that runs without asking for a password. I tried :


echo mypassword >pass.txt
runas /noprofile /env user:domain\administraor cmd <pass.txt

I get an access  denied error.

Any ideas?

thanks in advance,
Rajesh

# re: "RunAs" basic (and intermediate) topics

Monday, March 27, 2006 9:29 AM by Aaron Margosis
Rajesh - RunAs accepts passwords only from the keyboard.  It was designed this way to help people avoid the unsafe practice of putting passwords in script files.
(I need to put this in the post itself...)

# Fixing &amp;quot;LUA Bugs&amp;quot;, Part II

Monday, March 27, 2006 12:34 PM by Aaron Margosis' WebLog
A systematic approach for working around LUA bugs that avoids unnecessary exposure - &quot;the rest of the story&quot;

# All about Foo &raquo; Permissions

Monday, April 03, 2006 9:06 AM by All about Foo » Permissions
PingBack from http://foo.aylott.co.uk/?p=10

# re: "RunAs" basic (and intermediate) topics

Sunday, April 16, 2006 10:29 PM by asdf
I used a slipstreamed version of windows 2000 and changed the "Administrator" user to "admin" (if I do this post install, the folder becomes "Administrator" instead of the shorter version, which is why I didn't opt to do that). Anyway, the RunAs GUI keeps defaulting to "Administrator" which is extremely annoying. Is there anyway to change this behavior (besides renaming the "admin" user to "Administrator" of course)?

# re: "RunAs" basic (and intermediate) topics

Sunday, April 16, 2006 10:35 PM by Aaron Margosis
asdf - As far as I know, "Administrator" (or localized equivalent) is hardcoded in Windows 2000.  In Windows XP it defaults to the actual name of the builtin admin account (the account with the SID ending with -500).

# runas vs. encrypted runas

Sunday, May 14, 2006 5:58 AM by Stefan
sometimes we need to let our limited user accounts run as admin accounts only for SPECIFIC applications. of course, mark detailed well the procedure on how to do this. It seems you have to give your limited user the admin name and pw for him/her to enter into the run as dialog. but what if you dont want to give your limited user the the admin password? the limited user could then just log on to the admin acct.

how can i specify that information securely in a desktop shortcut in a way that the user cannot dig out? Does anyone here have a teenage child?-you know what i mean.

i found this little utility called 'encrypted runas' from wingnut software. Mark, what do yo think of it?

# re: "RunAs" basic (and intermediate) topics

Sunday, May 14, 2006 12:09 PM by Aaron Margosis
Stefan -
Already answered.  See Fixing LUA Bugs, Parts I & II:
http://blogs.msdn.com/aaron_margosis/archive/2006/02/16/533077.aspx
http://blogs.msdn.com/aaron_margosis/archive/2006/03/27/562091.aspx

Utilities such as the one you mentioned are dealt with after item #5.  Not highly recommended.

# re: "RunAs" basic (and intermediate) topics

Wednesday, May 24, 2006 4:50 PM by mookie
How would I trouble shoot windows crashing when trying to use the runas command.

# re: "RunAs" basic (and intermediate) topics

Wednesday, May 24, 2006 5:06 PM by Aaron Margosis
mookie -- I don't know.  What do you mean by "windows crashing"?  Blue screen?  Explorer has an access violation?  Monitor falls off the back of the desk?  The windows in your house falling out of their frames and smashing on the floor?

# re: "RunAs" basic (and intermediate) topics

Saturday, May 27, 2006 12:08 PM by Adam Curtis
There's another tidbit with windows.

Microsoft ended remote concurrent logons with SP2. I have a fix for that so I can have users logged on remotely without kicking me (the admin) off of my login. Also I have had problems with fast user switching. For some reason my admin can have any password length. But my other users have to default to 13 chars.

Try this, Setup a limited account. Make a password over 13 chars. Login to the user. It lets you good. Now switch user, to admin without logging off your new account. Set your screen saver time to 1 min. Make sure it goes to welcome screen on return of user. Now try to logon. For some reason it only lets me type 13 chars into the password box now. Or it just won't logon.

# re: "RunAs" basic (and intermediate) topics

Saturday, May 27, 2006 10:21 PM by Aaron Margosis
Adam Curtis - Sorry, but I get absolutely no repro.  First of all, XP never supported concurrent remote desktops - you could have one logon per user, and only one would ever run "connected" at a time, either at the console or via Remote Desktop.  If another user connected via RD, other sessions were disconnected.  If you connected via RD with an account that was already logged on, you connected to the session already running - you never got two separate interactive logon sessions for the same user.

I tried the password scenario you described, and that didn't repro at all.  The text box in which you enter the password might look the same if you type characters after the available space has been filled, but you still need to type the full >13 character password in order to log on.

# Windows Security &raquo; Running as a Limited User, Part 2

Sunday, June 04, 2006 2:58 AM by Windows Security » Running as a Limited User, Part 2
PingBack from http://red.caek.org/?p=10

# The Directory Name is invalid.

Tuesday, June 06, 2006 2:45 AM by Jolly181
Hi Folks....

I may have missed it in the context but... Iwant to be able to allow end users who do not have the Admin privilages required to be able to get WIndows Updates using the wupdmgr.exe, but I cannot seem to get it right where I can setup the shortcut to start when I double-click on it...??

I have changed the START IN box to reflect %WINDIR% -- Nod Good

I have pressed SHIFT and then selected RUN AS option and selected "teh Following user" with user name admin and entered the admin's password and clicked OK -- No Good

What amI doing wrong..???

How can I get this to work.????

Regards

Julius

# re: "RunAs" basic (and intermediate) topics

Wednesday, June 14, 2006 8:26 PM by Sachin
Aoron,

Thanks a lot for this insightful post and I keep referring back to it every now and then :). Just for the records I've been running my Win XP under a non-admin a/c for past one year and "till date" there wasn't any issue that I couldn't deal with using RunAs.
Now the problem is that ncpa.cpl (it's the control applet for network connections) doesn't want to run at all with RunAs, all it does is open the explorer (and that is being run under the current logged-on user priveleges). There were two ways I tried it out:
1) Opened a admin cmd shell using RunAs first, then typed in ncpa.cpl at the prompt: it opens a explorer window running under logged-on user a/c.
2) Specified ncpa.cpl as the parameter to the RunAs, something like:
C:\WINDOWS\system32>runas /user:xxx "RunDLL32 shell32.dll,Control_RunDLL ncpa.cpl "
Produces the same results as in 1.

The funny thing is running ncpa.cpl from a normal command shell (i.e. cmd shell running under logged-on user) opens the network connections applet just fine (obviously the stuff like Repairing Wireless Network etc. commands are disabled).
I also tried the above two steps for another control applet: timedate.cpl and it worked as expected.

Is there something I am missing, I really need to get ncpa.cpl working due to my flaky wireless connexn :(.

Thanks!

# re: "RunAs" basic (and intermediate) topics

Wednesday, June 14, 2006 8:50 PM by Aaron Margosis
Sachin, the answers to your questions are in this follow-up post about RunAs and Explorer:  http://blogs.msdn.com/aaron_margosis/archive/2004/07/07/175488.aspx

The full Table Of Contents for all my non-admin blog posts is here:  http://blogs.msdn.com/aaron_margosis/archive/2005/04/18/TableOfContents.aspx

# re: "RunAs" basic (and intermediate) topics

Wednesday, June 14, 2006 8:51 PM by Sachin
Never mind, just read your next post on the same thing and got it to work under explorer by checking the "Run in separate process" flag.

# re: "RunAs" basic (and intermediate) topics

Monday, June 19, 2006 2:47 PM by Mike Freake
Hey,

I'm running a Java program (wrapped in an EXE) that can be launched through two shortcuts on my desktop.  The first has target:
C:\vbmax\maxpw.exe

The second has a target:
%windir%\system32\runas.exe /user:services /savecred C:\vbmax\maxpw.exe

The EXE being launched runs a batch file that is launched using the command:
C:\WINDOWS\system32\runas.exe /user:services /savecred C:\vbmax\regquery.bat

This batch file needs to be launched on startup of my program to get a registry key value, otherwise my program throws an error and terminates. The first shortcut works everytime for launching the batch file, but I need to launch my program as services. The second shortcut does not always work (i.e. launch the batch file and get the result), only if I've previously logged into the services account.

Any ideas?  It appears to me that unless I've previously logged in as services, my batch file when launched will not be able to run as services for some reason.

Any help would be MUCH appreciated.

Mike

# Windows Security &raquo; Running as a Limited User, Part 2

Wednesday, August 02, 2006 3:35 AM by Windows Security » Running as a Limited User, Part 2
PingBack from http://red.caek.org/?p=11

# re: &quot;RunAs&quot; basic (and intermediate) topics

Tuesday, August 22, 2006 9:34 AM by Jbee

I've a case where a program generates an access violation when run with the user as 'administrator' but not when run as 'kathy'( for example). Even if 'kathy' and 'administrator' both have administrator privilages.

Where should I look?

Sounds like a profile issue -- I'm guessing that "Administrator" installed the program, and that the app was designed/implemented with the implicit assumption that the account that installed the app would be the account that uses the app.  Contact the vendor.

-- Aaron

# re: "RunAs" basic (and intermediate) topics

Thursday, August 31, 2006 5:18 PM by Joe Smokie
Great information. We are looking to lock down our users here but at the same time minimize their pain. Setting up the Admin CMD windows will  help out a lot.

# re: &quot;RunAs&quot; basic (and intermediate) topics

Friday, September 01, 2006 7:39 PM by Leandro Oliveira

Hello,

I´m trying to execute the command interpreter as a domain user.

My machine isn´t joined on a doimain.

I always receive a same message when the following command is executed:

runas /user:MYDOMAIN\MYUSER_ON_THIS_DOMAIN cmd
Attempting to start cmd as user "MYDOMAIN\MYUSER_ON_THIS_DOMAIN" ...
RUNAS ERROR: Unable to run - cmd
1326: Logon failure: unknown user name or bad password.

I was pretty shure that I typed the rigth password.

What am I doing wrong?

[ ]s

The reason you're running into this problem is because your non-domain computer doesn't know anything about the domain you're trying to authenticate against.  I.e., it doesn't know how to authenticate anything against the MYDOMAIN domain.  Because it's not in the domain or in any trusting domain, it can't know with any degree of assurance what server can authenticate that user.

HTH

-- Aaron

# re: &quot;RunAs&quot; basic (and intermediate) topics

Wednesday, September 13, 2006 5:24 PM by Eric

What do you think about sudo for windows...?

Without referencing the security implications of any specific implementation of SUDO-like functionality for Windows, I wrote a bit about the issues around automatic elevation implementations in Option #5 in Fixing LUA Bugs, Part II.  On the whole, I would consider it something to be avoided if possible.

-- Aaron

# re: "RunAs" basic (and intermediate) topics

Saturday, September 23, 2006 3:19 AM by Henrik Jensen
Hi Aaron

Is there a specific security reason that the enviroment variable %APPDATA% is not defined under a RunAs shell ?

Just experienced some programs ( well UltraEdit to be precise) using that enviroment variable to locate its 'Application Data' Folder and that obviously can give some problems when you start up a RunAs shell.

Henrik

# reseting the admin password using registry keys

Wednesday, October 04, 2006 9:24 AM by Kunal Sharma

I want to know by editing which registry key, I will be able to reset my admin password to blank.

Thanks & waiting for the reply

-- kunal

# re: "RunAs" on Windows Vista

Monday, October 09, 2006 5:31 PM by Nelson Ruest

Hi Aaron,

My partner and I have been running as normal users in XP for over three years with very few issues. We make extensive use of the command-line Runas command and built .cmd files to create shortcuts to our most common administrative tools. We also rely on the /savecred switch which makes life so much easier when running as a standard user. We are also beta testing Vista as we have several books and white papers to write on it (you'll be seeing the first chapter of our Definitive Guide to Vista Migration coming out very soon from Realtime Publishers).

We have a few bones to pick with UAC and Runas in Vista. The first is that none of our .cmd Runas commands work in Vista anymore. They all come up with error 740: "the process requires elevation". So basically, there is no longer any way to create command files to easily launch administrative processes. It works in the UI, of course, but we find that that is also a problem. As you know the first job of any hacker is to find out the name of a high privileged account. Well, it will be a no-brainer in Vista because all anyone has to do is select Run as Administrator to view a complete list of all activated administrative accounts on the system. Then all they need is to figure out the password. Not sure this is very good for corporate organizations. At lesat in XP, the Run As GUI is hidden and users need to hold down the Shift key as they right-click a shortcut.

We think Vista needs a new switch for the Runas command so that you can create .cmd files to launch your most common administrative tools. UAC is great, but when you need to manage systems, it won't take long for system administrators to just turn it off if they have to use the GUI and type in their passwords each time they want elevated privileges.

Just our opinion,

Nelson Ruest

Nelson, thanks for posting.

Re /savecred -- see my post Fixing LUA Bugs, Part II (item #5, last resort) for my opinion re the use of /savecred.

RunAs.exe on Vista is no longer the same animal it was on XP.  Now, nothing runs elevated unless the user specifically goes through a confirmation step that is a lot hardier than what we had on XP.

The names of accounts with admin privileges has never been secret, and protection of those names has never offered significant defense.  (E.g., from a non-admin command prompt, run "NET LOCALGROUP ADMINISTRATORS" on an English-language system.)  On systems with password-based logons (rather than smartcards, for example), strong passwords are absolutely required.  "All they need is to figure out the password" should be somewhere in the range from very difficult to infeasible.  (Search for Steve Riley and Jesper Johansson articles on password security.)

One way to avoid going through the UAC prompt without giving up the security that UAC provides is to launch a command shell as admin (one UAC prompt) and then run admin apps from that command shell.

Hope this helps - and sorry for the delayed response.

-- Aaron

# re: "RunAs" basic (and intermediate) topics

Tuesday, October 17, 2006 12:02 PM by Andrew Jones

I love this article -- I've been dealing with all of these issues for over a year.  My solution was to refine an in-house admin console to include a "launch pad."  I run the admin console as an admin and then anything it launches inherits the privileges.

The launch pad has "favorite" folders [network unc and local] which are opened via Internet Explorer.  They can also be opened with CMD.EXE (it automatically maps Z: and runs CMD there).  

It also has "favorite" applications, including Internet Explorer, Word, etc, to get around the problem of doing a "RunAs" on a shortcut per se.

It also has "favorite" connections, URI controlled FTP, telnet, etc, connections, which honestly don't need to be run under a different context, but it's just flippin' easy to have everything I need in one place.

This is all customizable.

It's an in-house app, of course, and is powerful beyond compare.  It has replaced EMCO Network Management, DameWare utilities, and SMS, all of which we've tried and disliked.

What do you guys think it's worth? :)

# re: "RunAs" basic (and intermediate) topics

Sunday, October 22, 2006 10:12 PM by Krangath

To run an .msi as admin do a 'Runas' on the 'Command Prompt' under Accessories, and run the .msi from the command prompt.

# re: "RunAs" basic (and intermediate) topics

Wednesday, October 25, 2006 6:43 AM by Henrik

Hi Aaron

In Xp, I have made a registry entry on the file type '*' to give a "Run as Admin..." right click menu item in Explorer on all files. This calls the runas console as usual with the account you specify.

Doing this, instead of using the GUI "Run as..." spares me some mouse clicks and selecting the right account in the "User name" Drop down edit box ( very annoying, as someone else also has commented on earlier, because, in my case the default Administrator is listed first). Further more I get the bonus that all registered and unregistered file extension gets a faster Run As path. (The GUI RunAs only seems to work on certain extensions)

The .reg file looks like this and does only change the '*' right click menu for the current user.

-----------------------------------------------

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\*\shell\Run as Admin...\command]

@="%SystemRoot%\\system32\\runas.exe /user:%COMPUTERNAME%\\YourAdminAccount \"%L\""

-----------------------------------------------

Now I just wondered if you can see any security implications with this approach ?

Henrik

# re: "RunAs" basic (and intermediate) topics

Wednesday, October 25, 2006 9:40 AM by Henrik

Clarification

'YourAdminAccount' in the above registry file example must be replaced with the name of your Admin account e.g.:

@="%SystemRoot%\\system32\\runas.exe /user:%COMPUTERNAME%\\SuperMe \"%L\""

Henrik

# re: "RunAs" basic (and intermediate) topics

Wednesd