"RunAs" basic (and intermediate) topics

re: “RunAs” basic (and intermediate) topics

Frank de Groot — Wed, 23 Jun 2004 12:06:00 GMT

I've been doing this since I saw Keith's article and it generally works well for me.

The only trouble I had was when running a code from VS.NET with VS.NET running as admin. A debug run works ok, but running without debugging started the process but doesn't show the window (and you can't kill it either because it's running as admin).

I suppose the program was sent to the wrong desktop.

re: “RunAs” basic (and intermediate) topics

Aaron Margosis — Wed, 23 Jun 2004 16:26:00 GMT

Frank - was this ASP.NET? And the window you're looking for IE?

Running with Least Privilege on Windows

Dana Epp's ramblings at the Sanctuary — Wed, 23 Jun 2004 19:22:00 GMT

Aaron Margosis pointed out to me today his weblog which contains some good references and information about running as a limited user on Windows. He had an interesting comment on my different credentials post I did almost a year ago in which he uses a shortcut directly to a cmd window with runas instead of using the explorer view. His suggestion is to do: C:\WINDOWS\system32\runas.exe /u:Administrator "%windir%\System32\cmd.exe /k cd c:\ && color fc && title ***** Admin console *****" Makes total sense if you want to use an admin shell. Personally I prefer having the UI available through the explorer view... which has its own limits. This way I don't have to try to remember where the CPL paths are, or what they are called. I just click 'My Computer' and then 'Control Panel' and have at 'er. To each his own. Aaron has some good pointers on his blog about different ways of approaching this. Consider checking it out....

re: “RunAs” basic (and intermediate) topics

Richard Cass — Mon, 05 Jul 2004 17:38:00 GMT

I have tried to follow Aaron's advice about running in Standard User mode, but continually hit the snag that folders don't exist (they do).
e.g. Run As cmd.exe produces error C:\WINDOWS\system32\cmd.exe The directory name is invalid.
This happens with others (windows update). I am running WXP SP1 on a domain.

What step have I missed?

re: “RunAs” basic (and intermediate) topics

Aaron Margosis — Tue, 06 Jul 2004 08:21:00 GMT

Richard Cass - can you provide more details about how you're getting to that error message? I've never seen that in this context.
Thanks.

re: “RunAs” basic (and intermediate) topics

Richard Cass — Tue, 06 Jul 2004 12:05:00 GMT

My XP Pro SP1 machine is on a domain. Normally I have my user account as part of the Domain Admins as well as a Local Administrator of my PC. No problems there.
I wanted to test whether my users could run as a Standard User (currently they are also in the Local Admins group - most of them are software engineers and compiling & installing seems to require admin rights).
So I removed myself from these admin groups (ie Users group), logged off/on and tried to test for restrictions. As an example I tried to use Run As on the Command Prompt icon, logged in as the domain admin and then had the error message given in my first feedback.
I also tried Windows Update (as a Standard User) and the web page titled Administrators only came up, indicating to use the Run as option. Doing that then gave me the error: C:\WINDOWS\system32\wupdmgr.exe. The directory name is invalid.
I was also getting the usual restriction messages (cannot change some of the network settings etc), but I expected that.

doesn't work

ch. — Tue, 06 Jul 2004 18:27:00 GMT

well I want non-admins run certain applications as admins (otherwise they don't work) - but it keeps forgetting that I set them to run as admin. Once I set the run as admin and then reboot, the setting is lost and normal users can't use it.

RunAs with Explorer

Aaron Margosis's WebLog — Wed, 07 Jul 2004 20:34:00 GMT

re: “RunAs” basic (and intermediate) topics

Aaron Margosis — Wed, 07 Jul 2004 20:44:00 GMT

ch - RunAs-admin is not a permanent setting. You *can* specify on a shortcut that it should run with different credentials, but the user will be prompted for the admin credentials each time the shortcut is invoked.

re: "RunAs" basic (and intermediate) topics

Aaron Margosis — Thu, 08 Jul 2004 19:22:00 GMT

Richard Cass - I've asked around and everyone seems stumped by the symptoms you've described. One colleague suggested the possibility that the DA account does not have the "bypass traverse checking" privilege. Could you check that? Also, make sure that Domain Admins is a member of the local Administrators group.

re: "RunAs" basic (and intermediate) topics

Jeff Sontag — Sat, 10 Jul 2004 03:54:00 GMT

I like using a shortcut configured to offer the option of using alternate credentials.
I noticed that the local administrator account was offered as the default username in the "the following user" section. I added my domain account (the one that is a memeber of Domain Admins) to the local machine's Administrators group ("Domain Admins" was already in this group) and now I can pick my domain admin account from the drop-down list in the "the following user" section. I hoped that it would remember it even if I then removed my DA account from the local machine's administrator's group, but no good. Do you know a way to make the "the following user" drop-down list remember just domain\username entries, and not the password, without adding the accounts to the local machine's admins or users group?

RunAs with Explorer

Aaron Margosis's WebLog — Sat, 10 Jul 2004 07:54:00 GMT

How to get Windows Explorer to work with RunAs (and why you might want to).

re: "RunAs" basic (and intermediate) topics

Aaron Margosis — Sun, 11 Jul 2004 06:36:00 GMT

Jeff Sontag - Sorry, no, it's not configurable and it doesn't remember previously used names. It lists only usernames explicitly listed in the BUILTIN\Administrators group, as well as Client Authentication certificates in the current user's Personal cert store, including smart cards. (You can run certmgr.msc to see your certs).

The directory name is invalid

Chad Pankratz — Wed, 14 Jul 2004 22:16:00 GMT

A possible explanation for the "The directory name is invalid" error: Many shortcuts in the Start Menu have "Start in" set to "%HOMEDRIVE%%HOMEPATH%". If this maps to a network drive on your domain, then if you attempt to Run As a user that cannot see the drive, you will receive the error.

re: "RunAs" basic (and intermediate) topics

Richard Cass — Thu, 15 Jul 2004 18:37:00 GMT

Aaron: Sorry I haven't been back before (RSS is great for the initial Post but not for Comments), but setting the DA permission to have the "bypass traverse checking" privilege did not do anything.

However,
Chad: That was it! Removing the default "Start in" sorted the problem.

Many thanks guys.

PrivBar -- An IE/Explorer toolbar to show current privilege level

Aaron Margosis' WebLog — Sun, 25 Jul 2004 06:40:00 GMT

A toolbar for Explorer and Internet Explorer that shows you broadly at what privilege level that particular instance is running

Running restricted -- What does the

Aaron Margosis' WebLog — Fri, 10 Sep 2004 07:10:00 GMT

What does it mean to

IE Security

Digging .NET — Sat, 23 Oct 2004 14:11:00 GMT

IE Security

PrivBar - An IE/Explorer toolbar to show current privilege level

Lockergnome's IT Professionals — Mon, 25 Oct 2004 21:53:00 GMT

Aaron Margosis is a Microsoft employee who is writing a weblog on running Windows with least privilege on the desktop. If you are having trouble running applications under an account with less privileges than administrator, there are many useful suggestions...

RunAs with Explorer

The stuff I see and read about — Fri, 29 Oct 2004 23:54:00 GMT

Understanding Least Privilege

Scorpion Software Corporate Weblog — Tue, 15 Feb 2005 18:54:00 GMT

The idea that the principle of least privilege requires that a user or process be given no more privilege than necessary to perform a job makes a lot of sense in this hostile digital divide we live in. Least privilege has become a passion of mine, and its reflected in everything that I design now adays. Which is why Carina works so well in the face of hostile and malicious code. In today’s show I talk about the security principle of least privilege, how we use it to protect our customer’s information... and how you can use it to protect your desktops. For more information about least privilege please check out some of these links: nonadmin.editme.com - This is a community web site (wiki) for Windows users who want to learn how to run without Administrator privileges, and why they should do this. "RunAs" basic (and intermediate) topics - Aaron Margosis' introduction on how to use the runas command in Windows Secure Coding Practices: Running with Least Privileges in Windows - An older article I wrote for CodeProject on how to develop using least privilege on Windows Developing Software in Visual Studio .NET with Non-Administrative Privileges - Lars Bergstrom's great article that explains how to productively develop software while logged on with non-administrative privileges. Using a Least-Privileged User Account - A small article on TechNet discussing LUA, and how it will affect LongHorn. After listening to customer feedback, we are going to try a new format with this podcast. We will keep these single topic recordings short (somewhere around 5 minutes) so that people with busy schedules can still get a chance to listen to it. We will leave longer shows for more in depth interviews etc. Please let me know if you like the new format. Think strategically. Protect your information. Enjoy! MP3: Scorpion Vault: Understanding Least Privilege (4:59s / ~4.7mb)...

Table of contents, Aaron Margosis' non-admin blog

Aaron Margosis' WebLog — Tue, 19 Apr 2005 03:22:38 GMT

Complete list of Aaron Margosis' non-admin / least privilege posts, for easy lookup.

How was cmd.exe started

rduke15 at gmail.com — Sun, 15 May 2005 12:51:52 GMT

This is really related to runas and privileges, but is a question about cmd.exe and shells, in case someone knows.

Can I find out if my console app. was started from an open cmd.exe console window, or from Start->Run?

I have a Perl script which prints output that the user wants to read.

If started from Start->Run, the window will close immediately. If I put a "press key" prompt in my app, it's annoying in the other case, when the cmd window is staying open anyway and pressing a key would not be needed.

Can I somehow differentiate how the app was called, and prompt for a keypress only if needed?

re: How was cmd.exe started

rduke15 at gmail.com — Sun, 15 May 2005 12:47:46 GMT

Sorry, I meant "This is really UN-related..." in the previous post.

Spread the LUA joy

tonyso — Fri, 10 Jun 2005 19:12:41 GMT

Get your friends and family, all those folks that come to you for computer help once their machines have...

re: "RunAs" basic (and intermediate) topics

Alex Mondale — Sun, 19 Jun 2005 19:01:46 GMT

I am attempting to follow the shining LUA path, but the following is frustrating me:
====================================
RUNAS ERROR: Unable to run - cmd.exe
5: Access is denied.
====================================
Could this be because the account I am attempting to runAs has a null pwd? Any other thoughts? Where would I find out what access is being denied to whom?

re: "RunAs" basic (and intermediate) topics

Alex Mondale — Sun, 19 Jun 2005 19:22:43 GMT

Interesting, when I (as local admin) runAs a nonpriv account I get

RunAs ERROR: 1327: account policy restriction: nonblank password, ...

This is something we developers (unfortunately) try to do all the time: develop as local admin, runAs another less priv'ed account, and see what breaks.

re: "RunAs" basic (and intermediate) topics

Alex Mondale — Sun, 19 Jun 2005 19:37:57 GMT

Aha! I made the following discoveries:
-- when I removed my former Admin Account from Administrators, it had all kind of other rights (act as part of the OS, run as a Service, etc.). Just removing from Admins and adding to Users didn't remove these policy-granted rights.
-- Having removed these "extra" privs, I still cannot runAs. Now, I get the same message as when I attempt to run as a nonpriv from a priv account:

"RUNAS ERROR: Unable to run - cmd.exe
1327: Logon failure: user account restriction. Possible reasons are blank passw
ords not allowed, logon hour restrictions, or a policy restriction has been enfo
rced."

-- Gave the local admin a password, guess what happened? It worked, of course.

So where do I go to adjust this ppolicy restriction? and, what process or app caused this policy restriction to be made? (Not ruling out Yours Truly, I have the attention span of a Gnat!).

re: "RunAs" basic (and intermediate) topics

Alex Mondale — Sun, 19 Jun 2005 19:46:51 GMT

http://tinyurl.com/6u739 has info on the use of blank passwords as a Local Sec Policy enforcement. But why should this clobber RunAS?

re: "RunAs" basic (and intermediate) topics

Aaron Margosis — Mon, 20 Jun 2005 06:16:40 GMT

Alex --
As you found in that URL
http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prdp_log_tyry.asp
local accounts with blank passwords can be used to log on only at the console logon screen, not through any other manner. If you have a computer in a secure location (e.g., a home computer) where you can trust everyone who has physical access, this is very convenient. RUNAS was specifically and deliberately disallowed with blank passwords. The reason is because if it were allowed and a LUA user accidentally downloaded some malware, RUNAS would offer an easy elevation of privilege for the malware to run code as an admin. There is a security option that will allow blank password for all other logon types, but I would strongly advise against changing it.

re: "RunAs" basic (and intermediate) topics

Alex Mondale — Sun, 10 Jul 2005 23:42:19 GMT

Aaron:
I have discovered that if the user that is "becoming" admin doesn't have read-only rights to the USER.DAT in the Admin's documents and settings folder, the RUNAS will fail. I have also discovered that MAKEMEADMIN will fail for the same reason.

Also, I have seen the MAKEMEADMIN batch file fail in "mid-stream" so that the user was made member of Administrators and then not "demoted" after running the program. Any one else reported this?

Alex

re: "RunAs" basic (and intermediate) topics

jodah — Mon, 08 Aug 2005 12:33:42 GMT

Hi
HELP HELP HELP
When I launch Explorer as Admin (RunAs)
Explorer won't refresh things automatically. For example, if I create a new file, it might not show up in my admin Explorer window. I know pressing [F5] would solve this problem.
Isn't there a possibility to let (admin)-Explorer refresh automatically???

Thank you for your help

re: "RunAs" basic (and intermediate) topics

Aaron Margosis — Tue, 09 Aug 2005 05:59:07 GMT

Alex Mondale - 1. Under what (normal) circumstances would the admin not have full control over its own NTUSER.DAT file? 2. The error handling in MAKEMEADMIN should always remove the user from the admins group, unless you close the console window prematurely.

Jodah - I know of no fix for that particular annoyance. Just F5 after every operation.

re: "RunAs" basic (and intermediate) topics

Jason Mayer — Mon, 29 Aug 2005 22:23:57 GMT

Just curious, but do you know of any method to change the default user name when you Run As another user?

re: "RunAs" basic (and intermediate) topics

Jason Mayer — Tue, 30 Aug 2005 20:40:50 GMT

I found the answer on another web site. Make a shortcut that runs the command line version of the run as program and use the switches to change the default login.

An example would be:
C:\WINNT\system32\runas.exe /profile /user:somedomain\jmayer sol.exe

re: "RunAs" basic (and intermediate) topics

Derrell Rivers — Thu, 29 Sep 2005 21:32:07 GMT

Hello,

In your tips and tricks you mentioned the following, "Windows Installer Packages (.msi files) don’t offer a RunAs context menu option. You might be able to get away with hacking the registry to add that option, or you can just run the .msi file directly on the command line of your admin shell."
Where I work, our developers started using .msi files which doesn't allow desktop support to use Runas option for installs.
What steps are needed to set a group policy for our entire environment permitting Runas on .msi?

Starting IE from cmd.exe

HairyMonster — Fri, 14 Oct 2005 15:17:11 GMT

Instead of having ie.cmd or any other .cmd file for starting a registered application, simply type "start iexplore" from the command prompt. If you can use the Start/Run menu item to run the app, this will work from the command-line.

re: "RunAs" basic (and intermediate) topics

Perro_Flaco — Tue, 13 Dec 2005 13:07:04 GMT

Hi everybody!

I hope someone can help me with this, because I'm getting really angry.

I'm trying to execute the following command:

"runas /user:user_name cmd.exe"

When I hit return, it asks me for my password, and here is where the
problem begin. I get this error:

"Error 1326. Logon failure: unknown user name or bad password."

I've tried with different combination of user_name and password with
the same result. I'm sure about the user_name and password. I also have
tried this:

"runas /user:mymachine\user_name cmd.exe"

But the problem remains.

I've been looking for a solution in the google, but without any
success. Please, if anybody knows how to fix this, let me know!

Thank you very much for your help!

re: "RunAs" basic (and intermediate) topics

Daveib — Tue, 13 Dec 2005 17:55:37 GMT

When I use Runas with the following full command line
%windir%\system32\runas.exe /profile /user:OFFICE\TestUser/savecred "C:\Program Files\Internet Explorer\iexplore.exe"
it comes up with what looks like a command prompt, asking for a password, but the keyboard does not work. I am unable to type in the password, so the command line window closes without anything happening.
Any ideas?

re: "RunAs" basic (and intermediate) topics

Aaron Margosis — Wed, 14 Dec 2005 06:26:51 GMT

Daveib - several things:
1. It might just be a typo, but you need a space between TestUser and /savecred.
2. The console doesn't echo any characters when you type a password at the RunAs prompt.
3. Are you invoking runas.exe from the Run dialog or from a command shell (cmd.exe)? If the former, runas.exe is probably telling you what the error is, but the console window is closing before you can see it. Try running it within a command shell instead of from the Run dialog.
HTH

re: "RunAs" basic (and intermediate) topics

kcnpeppa — Mon, 23 Jan 2006 19:08:18 GMT

Good article. I pretty much always use runas and have finally gotten the hang of the workarounds. However, the few times it does not work is frustrating. Currently, start menu shortcuts give a "directory name is invalid" error for cmd.exe. Navigating to the file or running from the run menu works fine. Mysterious ..... but not surprising.

Perro - if this is a local account that should work but I've seen times where it just won't. Use the GUI. Navigate to the file and right click. If it's a valid username and the password has not expired, you should be ok.

JB

re: "RunAs" basic (and intermediate) topics

Aaron Margosis — Tue, 24 Jan 2006 08:35:17 GMT

JB/kcnpeppa --
The issue you raised was covered in an earlier comment: http://blogs.msdn.com/aaron_margosis/archive/2004/06/23/163229.aspx#183263

HTH

re: "RunAs" basic (and intermediate) topics

RJT — Tue, 31 Jan 2006 18:28:06 GMT

To provide access to local items requiring Administrator priveleges in our network environment, we created a Service Account with the appropriate authority. Then, we wrote a Visual Basic application where Windows EXE programs are launched via the "RUN AS" using the Service Account within the VB program. The problem we have is with command line (CMD) programs. We have yet to determine a programmatic method to launch the CMD including the credentials required to RUN AS as either VB lines or external BAT files. We need this to allow users access to items like "IPConfig /release"

re: "RunAs" basic (and intermediate) topics

Aaron Margosis — Tue, 31 Jan 2006 19:43:20 GMT

RJT - the best way to grant users the ability to do things like "ipconfig /release" is simply to add them to the "Network Configuration Operators" local group. Members of this group can manage a small set of network configuration features, such as the "ipconfig" operations. Note that it does not grant the ability to configure the firewall.

re: "RunAs" basic (and intermediate) topics

jimmer — Tue, 07 Feb 2006 21:41:14 GMT

RJT,

Below is a vb script I wrote years ago to flush dns using ipconfig. You could easily modify it to ipconfig /release ipconfig /renew. Look out for line wraps in this post.

On Error Resume Next

strComputer = "ITLWWS02"

Const ForReading = 1
Const ForWriting = 2
Const ForAppending = 8

vBatPath = "C:\temp\"
vBatFile = "flushdns.bat"
vLocBatFile = vBatPath & vBatFile
vRemBatFile = "\\" & strComputer & "\c$\temp\"
set fs = CreateObject("Scripting.FileSystemObject")

if fs.FileExists(vLocBatFile) Then
fs.DeleteFile(vLocBatFile)
End If

if fs.FileExists(vRemBatFile) Then
fs.DeleteFile(vRemBatFile)
End If

set vOutPutFile = fs.CreateTextFile(vLocBatFile, True)
vOutputFile.writeLine "ipconfig /flushdns"
vOutputFile.writeLine "echo flushdns Completed"
vOutputFile.writeLine "echo flushdns Completed > c:\temp\flushdns.log"

fs.CopyFile vLocBatFile, vRemBatFile

CmdLine = vLocBatFile
Path = "c:\test"

set objwbemLocator = CreateObject("WbemScripting.SWbemLocator")
set objwbemServices = objwbemLocator.ConnectServer(strComputer, "", "", "", "", "", 0, null)

set Process = objwbemServices.Get ("Win32_Process", 0, null)
Process.Create CmdLine, Path, , ProcessID

wscript.echo "Complete"

re: "RunAs" basic (and intermediate) topics

Kaplaa — Thu, 16 Feb 2006 00:06:59 GMT

Seems to me that 1) there is no good way to make a shortcut programatically with runas selected and 2) there is no way to set a runas shortcut to user the calling user's environment, such as the /env command from the command line. Am I missing something?

re: "RunAs" basic (and intermediate) topics

Aaron Margosis — Thu, 16 Feb 2006 05:31:03 GMT

Kaplaa:
1) Search MSDN for SLDF_RUNAS_USER
2) The RunAs dialog doesn't offer as many options as the RunAs.exe console app. How about something like a shortcut to:
runas.exe /env /u:targetuser targetprogram.exe
?

re: "RunAs" basic (and intermediate) topics

Kaplaa — Thu, 16 Feb 2006 17:41:44 GMT

I am using Vbscript/VBA to create a new shortcut for a database. It appears IShellLinkDataList is not accessible this way -- it is not in the shell createshortcut action nor is it exposed by the WMI interface. Using runas.exe forces me to hardcode the alternate user, which is too kludgy. Currently I advise the users to manually set it in the advanced tab of the shortcut I create using the Shell object. Thanks.

re: "RunAs" basic (and intermediate) topics

Aaron Margosis — Fri, 17 Feb 2006 00:34:06 GMT

Kaplaa - as far as I can tell, that setting is not exposed to any of the scripting interfaces. C++/COM appears to be required.

re: "RunAs" basic (and intermediate) topics

Regina — Thu, 23 Feb 2006 09:39:26 GMT

Hi to all, I just used the RunAs command using these parameters: %windir%\system32\runas.exe /profile /netonly /user:regiea\administrator "C:\CPS\SmallExe\CPS.exe" (it's a system that we used in the office and I am logged as a standard user) to run a program as administrator. I was able to do the usual things that we used to do without the RunAs but when I check for the network printer, it is not listed in the printer setup of the program. Running the program as a limited user doesn't give me the right to access some modules so I tested to run it as administrator with the RunAs command. Any idea why?

re: "RunAs" basic (and intermediate) topics

Aaron Margosis — Thu, 23 Feb 2006 09:47:58 GMT

Regina - try using MakeMeAdmin instead (see http://blogs.msdn.com/aaron_margosis/archive/2004/07/24/193721.aspx). If your standard user account is a domain account, the local admin account you're using with runas will not have any authenticated access to network resources, nor to printers configured under your standard user account. Also, if you use "/netonly" in the runas command, you're not running with admin privileges locally - you are merely authenticating as the built-in local admin when making remote requests - which won't be of value since your local accounts are not recognized on remote systems.

WebCast's Notes: Least Privilege and New System.Security Features

Dan Sellers's WebLog — Thu, 09 Mar 2006 03:32:12 GMT

In today’s Webcast we first started off with a continuation from last week. &nbsp;Last week we explored...

re: "RunAs" basic (and intermediate) topics

Ganesh — Tue, 21 Mar 2006 17:43:34 GMT

How to provide password for Runas remote shutdowm command in the text file.
This remote shutdowm will be triggered from an application with user account having appropriate remote shutdown privilege. But when I ran that in the command line, it is asking for password. I want to provide the password in the runas command itself.
Any help please?

re: "RunAs" basic (and intermediate) topics

Aaron Margosis — Tue, 21 Mar 2006 17:48:24 GMT

Ganesh: RunAs accepts passwords only from the keyboard. It was designed this way to help people avoid the unsafe practice of putting passwords in script files.

re: "RunAs" basic (and intermediate) topics

Rajesh — Mon, 27 Mar 2006 11:25:25 GMT

Is there a away to supply password automatically? I want to make a batch file using "runas" that runs without asking for a password. I tried :

echo mypassword >pass.txt
runas /noprofile /env user:domain\administraor cmd <pass.txt

I get an access denied error.

Any ideas?

thanks in advance,
Rajesh

re: "RunAs" basic (and intermediate) topics

Aaron Margosis — Mon, 27 Mar 2006 16:29:04 GMT

Rajesh - RunAs accepts passwords only from the keyboard. It was designed this way to help people avoid the unsafe practice of putting passwords in script files.
(I need to put this in the post itself...)

Fixing "LUA Bugs", Part II

Aaron Margosis' WebLog — Mon, 27 Mar 2006 19:34:30 GMT

A systematic approach for working around LUA bugs that avoids unnecessary exposure - "the rest of the story"

All about Foo » Permissions

All about Foo » Permissions — Mon, 03 Apr 2006 16:06:59 GMT

PingBack from http://foo.aylott.co.uk/?p=10

re: "RunAs" basic (and intermediate) topics

asdf — Mon, 17 Apr 2006 05:29:18 GMT

I used a slipstreamed version of windows 2000 and changed the "Administrator" user to "admin" (if I do this post install, the folder becomes "Administrator" instead of the shorter version, which is why I didn't opt to do that). Anyway, the RunAs GUI keeps defaulting to "Administrator" which is extremely annoying. Is there anyway to change this behavior (besides renaming the "admin" user to "Administrator" of course)?

re: "RunAs" basic (and intermediate) topics

Aaron Margosis — Mon, 17 Apr 2006 05:35:10 GMT

asdf - As far as I know, "Administrator" (or localized equivalent) is hardcoded in Windows 2000. In Windows XP it defaults to the actual name of the builtin admin account (the account with the SID ending with -500).

runas vs. encrypted runas

Stefan — Sun, 14 May 2006 12:58:55 GMT

sometimes we need to let our limited user accounts run as admin accounts only for SPECIFIC applications. of course, mark detailed well the procedure on how to do this. It seems you have to give your limited user the admin name and pw for him/her to enter into the run as dialog. but what if you dont want to give your limited user the the admin password? the limited user could then just log on to the admin acct.

how can i specify that information securely in a desktop shortcut in a way that the user cannot dig out? Does anyone here have a teenage child?-you know what i mean.

i found this little utility called 'encrypted runas' from wingnut software. Mark, what do yo think of it?

re: "RunAs" basic (and intermediate) topics

Aaron Margosis — Sun, 14 May 2006 19:09:00 GMT

Stefan -
Already answered. See Fixing LUA Bugs, Parts I & II:
http://blogs.msdn.com/aaron_margosis/archive/2006/02/16/533077.aspx
http://blogs.msdn.com/aaron_margosis/archive/2006/03/27/562091.aspx

Utilities such as the one you mentioned are dealt with after item #5. Not highly recommended.

re: "RunAs" basic (and intermediate) topics

mookie — Wed, 24 May 2006 23:50:10 GMT

How would I trouble shoot windows crashing when trying to use the runas command.

re: "RunAs" basic (and intermediate) topics

Aaron Margosis — Thu, 25 May 2006 00:06:44 GMT

mookie -- I don't know. What do you mean by "windows crashing"? Blue screen? Explorer has an access violation? Monitor falls off the back of the desk? The windows in your house falling out of their frames and smashing on the floor?

re: "RunAs" basic (and intermediate) topics

Adam Curtis — Sat, 27 May 2006 19:08:25 GMT

There's another tidbit with windows.

Microsoft ended remote concurrent logons with SP2. I have a fix for that so I can have users logged on remotely without kicking me (the admin) off of my login. Also I have had problems with fast user switching. For some reason my admin can have any password length. But my other users have to default to 13 chars.

Try this, Setup a limited account. Make a password over 13 chars. Login to the user. It lets you good. Now switch user, to admin without logging off your new account. Set your screen saver time to 1 min. Make sure it goes to welcome screen on return of user. Now try to logon. For some reason it only lets me type 13 chars into the password box now. Or it just won't logon.

re: "RunAs" basic (and intermediate) topics

Aaron Margosis — Sun, 28 May 2006 05:21:00 GMT

Adam Curtis - Sorry, but I get absolutely no repro. First of all, XP never supported concurrent remote desktops - you could have one logon per user, and only one would ever run "connected" at a time, either at the console or via Remote Desktop. If another user connected via RD, other sessions were disconnected. If you connected via RD with an account that was already logged on, you connected to the session already running - you never got two separate interactive logon sessions for the same user.

I tried the password scenario you described, and that didn't repro at all. The text box in which you enter the password might look the same if you type characters after the available space has been filled, but you still need to type the full >13 character password in order to log on.

Windows Security » Running as a Limited User, Part 2

Windows Security » Running as a Limited User, Part 2 — Sun, 04 Jun 2006 09:58:23 GMT

PingBack from http://red.caek.org/?p=10

The Directory Name is invalid.

Jolly181 — Tue, 06 Jun 2006 09:45:11 GMT

Hi Folks....

I may have missed it in the context but... Iwant to be able to allow end users who do not have the Admin privilages required to be able to get WIndows Updates using the wupdmgr.exe, but I cannot seem to get it right where I can setup the shortcut to start when I double-click on it...??

I have changed the START IN box to reflect %WINDIR% -- Nod Good

I have pressed SHIFT and then selected RUN AS option and selected "teh Following user" with user name admin and entered the admin's password and clicked OK -- No Good

What amI doing wrong..???

How can I get this to work.????

Regards

Julius

re: "RunAs" basic (and intermediate) topics

Sachin — Thu, 15 Jun 2006 03:26:55 GMT

Aoron,

Thanks a lot for this insightful post and I keep referring back to it every now and then :). Just for the records I've been running my Win XP under a non-admin a/c for past one year and "till date" there wasn't any issue that I couldn't deal with using RunAs.
Now the problem is that ncpa.cpl (it's the control applet for network connections) doesn't want to run at all with RunAs, all it does is open the explorer (and that is being run under the current logged-on user priveleges). There were two ways I tried it out:
1) Opened a admin cmd shell using RunAs first, then typed in ncpa.cpl at the prompt: it opens a explorer window running under logged-on user a/c.
2) Specified ncpa.cpl as the parameter to the RunAs, something like:
C:\WINDOWS\system32>runas /user:xxx "RunDLL32 shell32.dll,Control_RunDLL ncpa.cpl "
Produces the same results as in 1.

The funny thing is running ncpa.cpl from a normal command shell (i.e. cmd shell running under logged-on user) opens the network connections applet just fine (obviously the stuff like Repairing Wireless Network etc. commands are disabled).
I also tried the above two steps for another control applet: timedate.cpl and it worked as expected.

Is there something I am missing, I really need to get ncpa.cpl working due to my flaky wireless connexn :(.

Thanks!

re: "RunAs" basic (and intermediate) topics

Aaron Margosis — Thu, 15 Jun 2006 03:50:07 GMT

Sachin, the answers to your questions are in this follow-up post about RunAs and Explorer: http://blogs.msdn.com/aaron_margosis/archive/2004/07/07/175488.aspx

The full Table Of Contents for all my non-admin blog posts is here: http://blogs.msdn.com/aaron_margosis/archive/2005/04/18/TableOfContents.aspx

re: "RunAs" basic (and intermediate) topics

Sachin — Thu, 15 Jun 2006 03:51:05 GMT

Never mind, just read your next post on the same thing and got it to work under explorer by checking the "Run in separate process" flag.

re: "RunAs" basic (and intermediate) topics

Mike Freake — Mon, 19 Jun 2006 21:47:46 GMT

Hey,

I'm running a Java program (wrapped in an EXE) that can be launched through two shortcuts on my desktop. The first has target:
C:\vbmax\maxpw.exe

The second has a target:
%windir%\system32\runas.exe /user:services /savecred C:\vbmax\maxpw.exe

The EXE being launched runs a batch file that is launched using the command:
C:\WINDOWS\system32\runas.exe /user:services /savecred C:\vbmax\regquery.bat

This batch file needs to be launched on startup of my program to get a registry key value, otherwise my program throws an error and terminates. The first shortcut works everytime for launching the batch file, but I need to launch my program as services. The second shortcut does not always work (i.e. launch the batch file and get the result), only if I've previously logged into the services account.

Any ideas? It appears to me that unless I've previously logged in as services, my batch file when launched will not be able to run as services for some reason.

Any help would be MUCH appreciated.

Mike

Windows Security » Running as a Limited User, Part 2

Windows Security » Running as a Limited User, Part 2 — Wed, 02 Aug 2006 10:35:14 GMT

PingBack from http://red.caek.org/?p=11

re: "RunAs" basic (and intermediate) topics

Jbee — Tue, 22 Aug 2006 16:34:41 GMT

I've a case where a program generates an access violation when run with the user as 'administrator' but not when run as 'kathy'( for example). Even if 'kathy' and 'administrator' both have administrator privilages.

Where should I look?

Sounds like a profile issue -- I'm guessing that "Administrator" installed the program, and that the app was designed/implemented with the implicit assumption that the account that installed the app would be the account that uses the app. Contact the vendor.

-- Aaron

re: "RunAs" basic (and intermediate) topics

Joe Smokie — Fri, 01 Sep 2006 00:18:37 GMT

Great information. We are looking to lock down our users here but at the same time minimize their pain. Setting up the Admin CMD windows will help out a lot.

re: "RunAs" basic (and intermediate) topics

Leandro Oliveira — Sat, 02 Sep 2006 02:39:04 GMT

Hello,

I´m trying to execute the command interpreter as a domain user.

My machine isn´t joined on a doimain.

I always receive a same message when the following command is executed:

runas /user:MYDOMAIN\MYUSER_ON_THIS_DOMAIN cmd
Attempting to start cmd as user "MYDOMAIN\MYUSER_ON_THIS_DOMAIN" ...
RUNAS ERROR: Unable to run - cmd
1326: Logon failure: unknown user name or bad password.

I was pretty shure that I typed the rigth password.

What am I doing wrong?

[ ]s

The reason you're running into this problem is because your non-domain computer doesn't know anything about the domain you're trying to authenticate against. I.e., it doesn't know how to authenticate anything against the MYDOMAIN domain. Because it's not in the domain or in any trusting domain, it can't know with any degree of assurance what server can authenticate that user.

HTH

-- Aaron

re: "RunAs" basic (and intermediate) topics

Eric — Thu, 14 Sep 2006 00:24:00 GMT

What do you think about sudo for windows...?

Without referencing the security implications of any specific implementation of SUDO-like functionality for Windows, I wrote a bit about the issues around automatic elevation implementations in Option #5 in Fixing LUA Bugs, Part II. On the whole, I would consider it something to be avoided if possible.

-- Aaron

re: "RunAs" basic (and intermediate) topics

Henrik Jensen — Sat, 23 Sep 2006 10:19:13 GMT

Hi Aaron

Is there a specific security reason that the enviroment variable %APPDATA% is not defined under a RunAs shell ?

Just experienced some programs ( well UltraEdit to be precise) using that enviroment variable to locate its 'Application Data' Folder and that obviously can give some problems when you start up a RunAs shell.

Henrik

reseting the admin password using registry keys

Kunal Sharma — Wed, 04 Oct 2006 16:24:37 GMT

I want to know by editing which registry key, I will be able to reset my admin password to blank.

Thanks & waiting for the reply

-- kunal

re: "RunAs" on Windows Vista

Nelson Ruest — Tue, 10 Oct 2006 00:31:57 GMT

Hi Aaron,

My partner and I have been running as normal users in XP for over three years with very few issues. We make extensive use of the command-line Runas command and built .cmd files to create shortcuts to our most common administrative tools. We also rely on the /savecred switch which makes life so much easier when running as a standard user. We are also beta testing Vista as we have several books and white papers to write on it (you'll be seeing the first chapter of our Definitive Guide to Vista Migration coming out very soon from Realtime Publishers).

We have a few bones to pick with UAC and Runas in Vista. The first is that none of our .cmd Runas commands work in Vista anymore. They all come up with error 740: "the process requires elevation". So basically, there is no longer any way to create command files to easily launch administrative processes. It works in the UI, of course, but we find that that is also a problem. As you know the first job of any hacker is to find out the name of a high privileged account. Well, it will be a no-brainer in Vista because all anyone has to do is select Run as Administrator to view a complete list of all activated administrative accounts on the system. Then all they need is to figure out the password. Not sure this is very good for corporate organizations. At lesat in XP, the Run As GUI is hidden and users need to hold down the Shift key as they right-click a shortcut.

We think Vista needs a new switch for the Runas command so that you can create .cmd files to launch your most common administrative tools. UAC is great, but when you need to manage systems, it won't take long for system administrators to just turn it off if they have to use the GUI and type in their passwords each time they want elevated privileges.

Just our opinion,

Nelson Ruest

Nelson, thanks for posting.

Re /savecred -- see my post Fixing LUA Bugs, Part II (item #5, last resort) for my opinion re the use of /savecred.

RunAs.exe on Vista is no longer the same animal it was on XP. Now, nothing runs elevated unless the user specifically goes through a confirmation step that is a lot hardier than what we had on XP.

The names of accounts with admin privileges has never been secret, and protection of those names has never offered significant defense. (E.g., from a non-admin command prompt, run "NET LOCALGROUP ADMINISTRATORS" on an English-language system.) On systems with password-based logons (rather than smartcards, for example), strong passwords are absolutely required. "All they need is to figure out the password" should be somewhere in the range from very difficult to infeasible. (Search for Steve Riley and Jesper Johansson articles on password security.)

One way to avoid going through the UAC prompt without giving up the security that UAC provides is to launch a command shell as admin (one UAC prompt) and then run admin apps from that command shell.

Hope this helps - and sorry for the delayed response.

-- Aaron

re: "RunAs" basic (and intermediate) topics

Andrew Jones — Tue, 17 Oct 2006 19:02:10 GMT

I love this article -- I've been dealing with all of these issues for over a year. My solution was to refine an in-house admin console to include a "launch pad." I run the admin console as an admin and then anything it launches inherits the privileges.

The launch pad has "favorite" folders [network unc and local] which are opened via Internet Explorer. They can also be opened with CMD.EXE (it automatically maps Z: and runs CMD there).

It also has "favorite" applications, including Internet Explorer, Word, etc, to get around the problem of doing a "RunAs" on a shortcut per se.

It also has "favorite" connections, URI controlled FTP, telnet, etc, connections, which honestly don't need to be run under a different context, but it's just flippin' easy to have everything I need in one place.

This is all customizable.

It's an in-house app, of course, and is powerful beyond compare. It has replaced EMCO Network Management, DameWare utilities, and SMS, all of which we've tried and disliked.

What do you guys think it's worth? :)

re: "RunAs" basic (and intermediate) topics

Krangath — Mon, 23 Oct 2006 05:12:08 GMT

To run an .msi as admin do a 'Runas' on the 'Command Prompt' under Accessories, and run the .msi from the command prompt.

re: "RunAs" basic (and intermediate) topics

Henrik — Wed, 25 Oct 2006 13:43:51 GMT

Hi Aaron

In Xp, I have made a registry entry on the file type '*' to give a "Run as Admin..." right click menu item in Explorer on all files. This calls the runas console as usual with the account you specify.

Doing this, instead of using the GUI "Run as..." spares me some mouse clicks and selecting the right account in the "User name" Drop down edit box ( very annoying, as someone else also has commented on earlier, because, in my case the default Administrator is listed first). Further more I get the bonus that all registered and unregistered file extension gets a faster Run As path. (The GUI RunAs only seems to work on certain extensions)

The .reg file looks like this and does only change the '*' right click menu for the current user.

-----------------------------------------------

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\*\shell\Run as Admin...\command]

@="%SystemRoot%\\system32\\runas.exe /user:%COMPUTERNAME%\\YourAdminAccount \"%L\""

-----------------------------------------------

Now I just wondered if you can see any security implications with this approach ?

Henrik

re: "RunAs" basic (and intermediate) topics

Henrik — Wed, 25 Oct 2006 16:40:41 GMT

Clarification

'YourAdminAccount' in the above registry file example must be replaced with the name of your Admin account e.g.:

@="%SystemRoot%\\system32\\runas.exe /user:%COMPUTERNAME%\\SuperMe \"%L\""

Henrik

re: "RunAs" basic (and intermediate) topics

Henrik — Wed, 25 Oct 2006 22:05:45 GMT

Oh boy

%SystemRoot% does not expand so one has to hard code

@="C:\\Windows\\system32\\runas.exe /user:%COMPUTERNAME%\\SuperMe \"%L\""

and I just discovered that it only works on files registered as executable (of course stupid).

I might better find some other way to spare me from all those mouse clicks when I want to run as admin.

Sorry for the clutter

Henrik

Did you try creating an "Expandable String Value" (REG_EXPAND_SZ) instead of just a "String Value" (REG_SZ)?

-- Aaron

re: "RunAs" basic (and intermediate) topics

Henrik — Fri, 27 Oct 2006 05:33:02 GMT

Yeh the REG_EXPAND_SZ type had slipped my mind that was oc the problem. :)

Anyway - I thought that I wouldn't post it because the raw REG_EXPAND_SZ in a .reg file looks ugly but here it is: ( also changed the '*' to 'exefile' to only show for exe and lnk files)

---------------------------------------------------

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\Run as Admin...\command]

@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\

00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,00,75,00,\

6e,00,61,00,73,00,2e,00,65,00,78,00,65,00,20,00,2f,00,75,00,73,00,65,00,72,\

00,3a,00,25,00,43,00,4f,00,4d,00,50,00,55,00,54,00,45,00,52,00,4e,00,41,00,\

4d,00,45,00,25,00,5c,00,53,00,75,00,70,00,65,00,72,00,4d,00,65,00,20,00,22,\

00,25,00,4c,00,22,00,00,00

---------------------------------------------------

Do you know if it's possible to use a human readable notation for REG_EXPAND_SZ in .reg files ? - e.g:

@=ascii(2):%SystemRoot%\\system32\\runas.exe /user:%COMPUTERNAME%\\SuperMe "%L"

Henrik

re: "RunAs" basic (and intermediate) topics

Henrik — Fri, 27 Oct 2006 05:58:26 GMT

And now you cannot change 'SuperMe' to the your Admin Account name but has to manually go to the reg path

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\Run as Admin...\command]

and do the changes, ( unless you've got a "Absolute hex-pitch" http://en.wikipedia.org/wiki/Absolute_pitch ;) )

Henrik

re: "RunAs" basic (and intermediate) topics

LUA Works — Fri, 17 Nov 2006 20:32:41 GMT

Why the heck would you even bother with LUA if you try to run with blank admin passwords?!

Starting with Windows XP, a blank password is actually more secure for certain scenarios than a weak password. By default, an account with a blank password can be used only for logging on at the console. It cannot be used for network access, and it cannot be used with RunAs. The user experience of just clicking on your name to log on can’t be beat for simplicity. If you can trust everyone who has physical access to the computer not to log on as someone else or abuse the admin account, this is a great way to go. If not, you can always enable passwords.

-- Aaron

re: "RunAs" basic (and intermediate) topics

Ewic — Fri, 17 Nov 2006 23:26:32 GMT

With Vista, is it possible to perform a runas.exe /user:<specific user domain\account> through the GUI like can be done with the CLI?

I only have "run as administrator" in my menu option and i cannot specific different accounts, it just always opens up the programs without asking me who i want to run it as.

Is this feature gone or am I missing something?

Thanks,

Ewic

re: "RunAs" basic (and intermediate) topics

Brian — Tue, 12 Dec 2006 19:42:41 GMT

I have the same question as Ewic. A bit frustrating when I can't run admin tools as a specific user.

re: "RunAs" basic (and intermediate) topics

cannedsoda — Wed, 20 Dec 2006 23:13:36 GMT

Same question as above. I used the runas command to run selected apps and consoles as my domain admin account. When trying to open up command prompt with privileges to run some vbscripts. It returns back,

"Cscript error: Loading your settings failed. (Access is denied.)"

re: "RunAs" basic (and intermediate) topics

cannedsoda — Wed, 20 Dec 2006 23:31:45 GMT

I guess the workaround is to change the local GPO to prompt for credentials instead of prompt for consent. Found it over at Josh's windowsconnected site, http://windowsconnected.com/blogs/joshs_blog/archive/2006/12/01/windows-vista-tip-run-as-administrator.aspx.

re: "RunAs" basic (and intermediate) topics

William — Thu, 28 Dec 2006 00:34:53 GMT

After installing a required application for some client's, when they try to Right Click and select "RunAs" on an advertised shortcut, for example in the AdminToolPak, the GUI dialogbox that allows alternative credentials to be entered does not appear. If the application causing the issue is removed, "RunAs" functions properly again.

Is there a registry key that controls the GUI interface for RunAs?

William, it sounds to me like the required application is installing a shell extension of some kind that is modifying the shortcut menu and hijacking the effects of the RunAs verb, causing it to do nothing. Possible?

-- Aaron

More info: a colleague informs me that a common cause of the behavior you're seeing is a badly implemented context menu extension that implements ::InvokeCommand() without testing the verb that it was called with.

HTH

-- Aaron

re: "RunAs" basic (and intermediate) topics

Dmitry — Thu, 04 Jan 2007 17:52:27 GMT

Hello All,

Is it possible to start runas and type password for user automaticaly on Windows Vista?

I'm use command line:

runas.exe /user:i_am some_program.exe

<ENTER>

Than password input has required.

How to input password automatically via parameters or type it by another program?

Thank you

Dmitry, RunAs accepts passwords only from the keyboard. It was designed this way to help people avoid the unsafe practice of putting passwords in script files.

-- Aaron

IE Security

Gridding .NET — Fri, 05 Jan 2007 16:38:47 GMT

IE is definitely the most insecure gateway to a PC. So I was thinking: why not run it in a guest account...

re: "RunAs" basic (and intermediate) topics

mike — Thu, 11 Jan 2007 10:50:56 GMT

im confused about something simple

the only reason to use RunAs or MakeMeAdmin, is for convenience over the Fast User Switching?

mike -- Generally, Fast User Switching (FUS) is preferable. However, on Windows XP, FUS is not available when the computer is joined to a domain. (That limitation has been removed in Windows Vista.) MakeMeAdmin can still be useful if you need to temporarily elevate your regular account.

HTH

-- Aaron

re: "RunAs" basic (and intermediate) topics

Juls — Wed, 17 Jan 2007 04:27:23 GMT

Interesting reading. Is there a way to programmitically display the RUNAS GUI to install a setup.exe. I could simulate the front end but that seems excessive.

Juls, if you try to start any program called setup.exe or install.exe from Explorer or the Run dialog, it will automatically display a RunAs prompt.

Does this help?

-- Aaron

re: "RunAs" basic (and intermediate) topics

Domingos Zamberlan — Thu, 25 Jan 2007 00:20:09 GMT

I need to run the timedate.cpl passing parameters in the line command. It's possible?

re: "RunAs" basic (and intermediate) topics

Domingos Zamberlan — Thu, 25 Jan 2007 00:22:45 GMT

Sorry...My english is not very well.. Do you know how parameters are accepted by timedeate.cpl? Is possible running with runas? TKS...

Domingos: I don't know of a way. timedate.cpl actually becomes an argument to rundll32.exe (as do all .cpl files). What exactly are you trying to do with it?

-- Aaron

re: "RunAs" basic (and intermediate) topics

Coder — Wed, 31 Jan 2007 01:31:57 GMT

Whats the point of having a commad that cannot be used programaticaly, in fact why does windows even bother with tere commad shell at all, it like the guys at MS said those UNIX guys always seem to messing around at with "some kind of text window???" lets have one too it will make it look like we know what we're doin!

Coder: I assume your point is about runas.exe not taking a password as a parameter. Runas.exe is not a command -- it's a utility program. It is designed specifically for interactive use, with a goal of not encouraging the unsafe practice of embedding passwords in plain-text script files. The underlying APIs (e.g., CreateProcessWithLogonW) can be used programmatically. And wrt the command shell, nothing in the UNIX world (that I'm aware of) can match what Windows PowerShell does. Download it and try it out.

-- Aaron

____

/ ___|______/

_n__/ =|] |_____|

~{8-B )------|)____

u \ ____|_____|

\____| \

re: "RunAs" basic (and intermediate) topics

Coder — Wed, 31 Jan 2007 16:47:14 GMT

Im not accessing it from a script im a accessing it from java's runtime.exec with other exe i can run them and read from their stdOut and write to their stdIn, only RunAS doesn't use stdIn like most command line apps, so i cannot pass in the password to it. The password is not stored in plain text anywhere so there is no chance of it being read. Besides I'M THE ADMINISTRATOR so if i want to write the password i ten foot high letters on the outside of the building then thats my look-out surley.

Well, RunAs is not the right tool for you, then. That's not what it was designed for.

Where does the password come from, then? Is it embedded in your Java source?

-- Aaron

re: "RunAs" basic (and intermediate) topics

Coder — Wed, 31 Jan 2007 19:20:17 GMT

Its ok i fixed the problem apparently i needed to install Solaris, not windows. As windows isn't very good at this type of interaction with none ms products.

Where does the password come from, then? Is it embedded in your Java source?

- Over secure connection.

Ha. Very cute. So if you're writing custom code anyway, you want to use CreateProcessWithLogonW as I mentioned before, not RunAs.exe. If you really need a command line utility, you can use PsExec, as deXter recently mentioned here.

-- Aaron

re: "RunAs" basic (and intermediate) topics

dyanni@alltel.net — Wed, 31 Jan 2007 23:33:40 GMT

I have groups of users that need to be given admin access to their workstation just to be able to update software on their PC as needed.

In the 'good old' unix days - I could just set the sticky bit on the program - and the privilege would follow the application.

Is there a Windows equivalent to 'trusted' applicaiton.

re: "RunAs" basic (and intermediate) topics

Iggs — Sat, 03 Feb 2007 04:23:36 GMT

I'm not a scripting guy, I'm a sysadmin. I would love to use this script for making administative changes on users'. By default Domain Admins are members of local Administrators group, but I never sure what is local administrator's password is. I tried making changes to the script to prompt me for username and password of an account with admin rights, which is a domain admin account and it works, however for some reason it does it twice. I used SET /P for that, just for the reference, I would like to know how to populate _Admin_ variable with something I want.

Thank you in advance.

Iggs: the only change you should need is to change the set _Admin_ line to
set _Admin_=MYDOMAIN\MyAdminAccount
where MYDOMAIN and MyAdminAccount are replaced with your domain and your domain admin account. Is that not working? When you say, "it does it twice", what do you mean -- it does what twice? Note that with MakeMeAdmin, you get prompted for two passwords: first the admin account password, then the password of the user you're temporarily elevating.

HTH

-- Aaron

re: "RunAs" basic (and intermediate) topics

Roger Sarlouis — Thu, 08 Feb 2007 06:34:33 GMT

I just installed Vista on my computer.

I went to winzip to download the latest version.

I downloaded it to a ( Updates ) folder that I created within the new windows explorer. On the top left section I Clicked on the Organize drop down and created the new folder.

I can download winzip110.exe without issue.

Every time I trywinzip110 in order to install winzip I get the following error:

Directory name is invalid.

Thanks

re: "RunAs" basic (and intermediate) topics

Firefox — Thu, 15 Feb 2007 18:41:01 GMT

"Its ok i fixed the problem apparently i needed to install Solaris, not windows. As windows isn't very good at this type of interaction with none ms products."

Windows isn't too hot at interaction WITH ms products either!

I have the problem whyby I am using runas from the command prompt in Vista and it goes away to call the app/program, I am then prompted with a password box (as expected) I type this in, then....................NOTHING, yep nothing actually happens.

I also got round the run as administrator option to be able to run explorer as my own admin account, all appears to function correctly with explorer opening, it's only after trying to access something I realise it hasn't actually raised my credentials at all! HELP

Setting color for all CMD shells based on admin/elevation status

Aaron Margosis' WebLog — Fri, 23 Feb 2007 08:55:45 GMT

How to automatically set the color and title of *all* CMD shells based on admin/elevation status with a one-time, one-line configuration change to your system.

re: "RunAs" on Windows Vista

Marvin — Sat, 10 Mar 2007 13:27:33 GMT

Problems in vista with runas and similar tools like cpau, runasprofessional, emco runas...

The tools can pipe a password to run applications with anohter useraccount. Now the tools have got problems to run applications with an activated uac on vista. I only know the tool runasspc from robotronic who can work together with uac on vista.

The only way i found to use the other tools is to deaktviate uac or use the built-in administrator account.

Any other solution?

On Vista, RunAs.exe will let you run an app as another user, but not elevated -- you cannot get something running elevated without going through the UAC elevation UI. That is a good thing.

-- Aaron

RunAs" on Vista with password

Marvin — Sat, 24 Mar 2007 08:39:50 GMT

you can not pipe a password in runas like cpau.

On vista cpau is not working.

Now i use the tool runasspc.

Thanks

re: "RunAs" basic (and intermediate) topics

Aikidojoe — Tue, 27 Mar 2007 18:08:42 GMT

I am having a problem when I use Run As to start an application, with opens the app, but does not include any local/network printers. Is there a solution to this problem?

re: "RunAs" basic (and intermediate) topics

Aikidojoe — Tue, 27 Mar 2007 18:49:26 GMT

It happens in both 2000 and XP, this used to work about one month ago.

re: "RunAs" basic (and intermediate) topics

John Tonks — Mon, 02 Apr 2007 15:27:56 GMT

Hi all, I have read through most of this to apologies if this is a repeat.

I was having problems using the RUNAS command from a XP/SP1 worksation, logged on as a normal users account. I was trying to run a command box as a admin user from another domain, based on windows 2000.

First I Mapped a network drive to the \\windows2000server\c$ as (Z:\) in the other domain & selected the connect using a different user name, input my admin name and password so <otherdomain\admin><password> in the relevant box’s. Then brought up a command box, switched to z:\ then typed <runas /user:otherdomain\admin "cmd"> but got 1326: Logon failure. So tried <runas /netonly /user:otherdomain\admin "cmd"> but got 3: The system cannot find the path specified. So it was authenticating at some level? So it got me thinking where is it checking for the user credentials…

RESOLUTION: On my local workstation I added in the <otherdomain\admin> account into the local administrators group (rebooted). Then typed runas /netonly /user:otherdomain\admin "cmd">. SUCCESS! A new cmd box appeared with cmd(running as otherdmain\admin) in the top box. I then loaded my excel spreadsheet with all my lovely macros in it from via the command prompt, and all functioned as it it was being run by an administrator in the other domain, except on this domain on a standard users workstation.

So I think what that equates to is that runas wont work unless the user name your “running as” has the relevant permissions on the local machine your running it from

re: "RunAs" basic (and intermediate) topics

John Tonks — Mon, 02 Apr 2007 15:33:49 GMT

So yes no need to map network drives or what have you just sort the permissions out and run a cmd box and type runas /netonly /user:otherdomain\admin "cmd"

@John Tonks: For runas.exe (without /netonly) the account you specify after the /u option must be able to log on to the local machine. You mentioned that this was an account from another domain -- that could be a problem. When you specify /netonly, the program runs as the same account on the local system, but whenever it uses SSPI to authenticate to a remote system, it does so using the account credentials you specified. The account is not authenticated locally, only when you attempt remote access.

HTH

-- Aaron

re: "RunAs" via VBA in MS ACCESS 2003

André — Wed, 04 Apr 2007 14:02:18 GMT

How can I execute applications with RUNAS in MS ACCESS 2003 VBA?

-------------------

I want to execute applications via a database. The user must login, and when logged-in, the user can execute applications.

For the moment I use de SHELL command in VBA.

Works very nice but when I need to us RUNAS it is not working.

SHELL ("RUNAS x") does not work because it is closing each time the CMD window. When I place the string RUNAS x after starting CMD manually, it works fine.

Regards, André

re: "RunAs" basic (and intermediate) topics

Paul — Tue, 10 Apr 2007 05:41:22 GMT

Password sending and runas. The short answer is that with out a real bodge you can not use runas. A defferent exe that I found runas102.exe http://www.anbsoftware.co.uk/netadmin/runas/

Will let you pass the password

copy it to your %windir$%

open us a cmd prompt and type runas102.exe /?

Works a treat

Paul: Looks highly risky to me -- it doesn't even pretend to protect the password, so you're going to keep it in a plain text file? Bad idea.

BTW, what is a "bodge"?

-- Aaron

re: "RunAs" basic (and intermediate) topics

Paul — Tue, 10 Apr 2007 06:22:44 GMT

Hi Aaron:

Yes in plain txt it is risky.

This is the runas102.exe that will let people pass a password.

From there once you have the context of using runas102.exe you can move it in to a VBS (encoded) script. As a strong suggestion, do not use domain admin credentials.

Is a vbs encoded script decyptable, Yes found the tool on good old google.

They wanted to use runas with a password from the comand line, with runas102.exe you can.

Obviously in each case security would need to be looked at.

On a funnier note you can only use the application in the context of the user you are running as. If you runas a local power or admin user, from the application you will not be able to directly save to the network.

"bodge"= Australian for some times work sometimes does not.

http://en.wikipedia.org/wiki/Bodge

Cheers

Paul

Paul: Encoding is not the same as encryption. And even then: anything that can be automatically decrypted by authorized software running as the user can be decrypted by malware running as the user.

-- Aaron

re: "RunAs" basic (and intermediate) topics

MikeH — Mon, 14 May 2007 10:36:24 GMT

You can activate UAC UI through VB-Script and then start your batch file with elevated rights: http://newyear2006.wordpress.com/2007/02/04/datum-unter-vista-per-vbscript-setzen-mit-uac-unterstutzung/

RunAs on Longhorn

Rose — Wed, 16 May 2007 21:14:54 GMT

I am currently building applications on Longhorn and need to run as a different service account. At the command prompt, I've entered '>runas /user:domain\serviceaccount cmd'.

I enter in the password when prompted. and then get this error:

RUNAS ERROR: Unable to run - cmd

1327: Logon failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced.

The password is correct so I'm at a loss as to what to do next.

Rose

Rose: Is the service account granted the ability to log on interactively?

-- Aaron

re: "RunAs" basic (and intermediate) topics

Maria — Thu, 28 Jun 2007 22:12:57 GMT

How do you get the runas to authenticate on the domain along with the local computer? I am trying to run an install which requires access to network shares. Without domain authentication, I cannot make this happen!

@Maria:

MakeMeAdmin.

HTH

-- Aaron

And so this is Vista…

Aaron Margosis' "Non-Admin" WebLog — Thu, 28 Jun 2007 22:23:30 GMT

What becomes of all my earlier non-admin tips, tricks and recommendations vis-à-vis RunAs, MakeMeAdmin, PrivBar and their interactions with IE and Explorer? The short answer is that Vista changes just about everything with respect to running with least

Job: Security » Blog Archive » Introducing Alcatraz: Convenient Least-Privilege for Windows XP and Vista

Fri, 29 Jun 2007 12:34:51 GMT

PingBack from http://www.rachner.us/blog/?p=6

re: "RunAs" basic (and intermediate) topics - VPN issue

Hank — Sun, 01 Jul 2007 06:15:06 GMT

Great post!

I've read through much of this and haven't seen anything that addresses my issue.

I'm trying to connect to another network via VPN and use resources there (https: and sharepoint websites in particular). My local PC is not known to the domains I reach through the VPN, so I can't log onto my local PC with a remote Windows account. I start the VPN client, enter my remote credentials and I get in. But once there, I can not get remote websites to honor my remote credentials. I've tried starting IE via runas with the remote credentials, but it doesn't make any difference. IE just hangs, showing "opening page ..." on the bottom left. Any ideas? Thanks

re: "RunAs" basic (and intermediate) topics

David Shawn — Fri, 14 Sep 2007 00:14:44 GMT

There is a tool "admintoolslauncher" which centralizes most of the adminstrative tasks under one application. One single log-in with administrative rights and you can launch all tools from one pool. It is limited to all windwos os before Vista. It can be found in this blog: http://www.stackenbloggen.de/PermaLink,guid,3406fa39-d95e-4ee3-bd64-7f55870b26ff.aspx

re: "RunAs" basic (and intermediate) topics

Tom Newby — Fri, 21 Sep 2007 20:04:41 GMT

I needed to cause a domain replication to happen from a script:

Here is how I did it....

Set WshShell = CreateObject("WScript.Shell")

WshShell.run "runas /user:domain\username /noprofile ""repadmin /syncall ldap.domain.com"""

Wscript.sleep 2000

WshShell.SendKeys "password{ENTER}"

[Aaron Margosis] Risks:

Malicious person or software gets your script -- password exposed.
Try to run this on someone else's system (e.g., via startup/logon script) -- password easily exposed
Assumes that the "runas" window gets focus and keeps focus for at least two seconds. (See previous bullet -- if I switch to Notepad, the password will be entered into Notepad.)

If you're launching it interactively (i.e., you're present at the time) you're a lot safer just entering the password at the console.

re: "RunAs" basic (and intermediate) topics

Tom Newby — Fri, 21 Sep 2007 20:45:29 GMT

Yes Aaron, all those things are true, but after encrypting the file to a .vbe, The password is no longer exposed. As far as losing focus shorten the time, and be aware it could happen.

[Aaron Margosis] But it will be decrypted in the user's context, and then be available to the user in the clear. (Perhaps not as easy for most users to get to, but it's still there for them.)

re: "RunAs" basic (and intermediate) topics

Redearl — Sat, 03 Nov 2007 06:16:02 GMT

I use Runas allot, with various usernames, and domains.

There is a limit on the number of domain\usernames that can be stored in the list.

How do i flush the domain\username cache?

"RunAs" and Windows Defender - can't make it work

Frank Denman — Mon, 12 Nov 2007 02:40:07 GMT

On an XP SP2 box, logged in as LUA, when I try to launch the Windows Defender ui using runas administrator, I get the error:

"Application failed to initialize. 0x80070005. Access is denied."

Any thoughts for a work-around?

Thanks!

Frank

re: "RunAs" basic (and intermediate) topics

Happy user — Wed, 16 Jan 2008 10:46:38 GMT

All this effort to try an impersonate a tool that linux has always had and just works. Why don´t you all start making the switch to linux. Eventually you will all be much happier people.

re: "RunAs" basic (and intermediate) topics

Lahens — Thu, 14 Feb 2008 08:53:21 GMT

Hi friends,

I have one problem, my system is on network and I can access internet if I run firefox or IE as different user. I do that with “runas”,

It runs fine for couple of minutes but after that it starts running as login user… please help

Thanks

Lahens

RunAs Shell Explorer Extensions...

Christopher Oezbek — Tue, 26 Feb 2008 18:03:16 GMT

I improved Hendrik's work on a RunAs Shell Explorer extension by adding an option for MSI files and making the dialog pause if you enter the password incorrectly.

Note: You need to change the user to match your user.

Thanks for this page Aaron!

Windows Registry Editor Version 5.00

; %SystemRoot%\system32\cmd.exe /C "%SystemRoot%\system32\runas.exe /user:PCPOOL\adm_oezbek "%L" | pause"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shell\Run as Admin...\command]

@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\

00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,00,6d,00,\

64,00,2e,00,65,00,78,00,65,00,20,00,2f,00,43,00,20,00,22,00,25,00,53,00,79,\

00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,\

73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,00,75,00,6e,00,61,00,73,00,2e,\

00,65,00,78,00,65,00,20,00,2f,00,75,00,73,00,65,00,72,00,3a,00,50,00,43,00,\

50,00,4f,00,4f,00,4c,00,5c,00,61,00,64,00,6d,00,5f,00,6f,00,65,00,7a,00,62,\

00,65,00,6b,00,20,00,22,00,25,00,4c,00,22,00,20,00,7c,00,7c,00,20,00,70,00,\

61,00,75,00,73,00,65,00,22,00,00,00

; %SystemRoot%\system32\cmd.exe /C "%SystemRoot%\system32\runas.exe /user:PCPOOL\adm_oezbek "%L" | pause"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\Run as Admin...\command]