"RunAs" basic (and intermediate) topics
In this posting:
- What is RunAs?
- How to use RunAs from the GUI (even if you can’t see it)
- Using RunAs from the command line
- When RunAs won’t work
- Useful RunAs shortcuts and related tips for the non-admin
Did you know that millions of people run as non-administrator every day? It’s true! What do they do when they come to a point where something requires administrator privileges? Simple: they call their helpdesk. And if they ask really nice, a sysadmin makes a note to stop by sometime within the next month. When he arrives, he logs in as administrator and performs some magical administrative tweak that renders the user’s computer unbootable. “Oops!” Of course, that’s not really true. The sysadmin can now log in remotely to render the user’s computer unbootable, without even leaving his desk! (I’m sure there’s research going on somewhere about how remote administration is contributing to increased sysadmin obesity.)
If you are your own helpdesk (i.e., you administer your own machine), how do you run something with admin privileges? Fast User Switching is the best option (see previous blog entry), but it isn’t available in Windows XP if your computer is joined to a domain. You can log out, shutting down all your apps, and log back in as administrator. Sometimes that will be necessary (I needed to do that when installing the beta of Microsoft Office 2003), but most of the time logoff is more disruption than necessary. At these times, the Secondary Logon service is your friend, typically exposed through RunAs.
The Secondary Logon service was first introduced in Windows 2000, and is in Windows XP and Server 2003. When you start a new process through RunAs, you provide credentials for the account you want the process to run under – for example, the local Administrator account. Assuming the credentials are valid, the Secondary Logon service then causes several things to happen:
- creates a new logon session for the specified account, with a new token;
- ensures that the new process’ token is granted appropriate access to the current window station and desktop (the specifics change somewhat for XP SP2, but aren’t important here);
- creates a new job in which the new process and any child processes it starts will run, to ensure that the processes are terminated when the shell’s logon session ends (correcting a problem with the NT4 Resource Kit’s SU utility).
Is this description too nerdy? The net is that it lets you run programs as a different user on the same desktop with your other running programs. The new process and (generally) any programs it starts will run under this new account.
The “How to develop code as a non-admin” item in Keith Brown’s upcoming book, A .NET Developer's Guide to Windows Security, covers some of the same ground I’m covering here. We cover the details differently and offer different tips, though, so you should read us both!
RunAs GUI, in Windows XP and Server 2003:
In Windows Explorer or the Start menu, right-click on any Application (.exe) or Microsoft Common Console Document (.msc) file or shortcut, and choose “Run As…” from the context menu. In the “Run As” dialog, choose the 2nd radio button (“the following user”), enter the user name and password for the account, and click OK. (I’ll discuss the first radio button and the “protect my computer and data…” option in a future post.)
I said “any”, but that’s not quite true. If the shortcut is a “special Microsoft Windows Installer link”, you’ll need to hold down the Shift key while right-clicking to get Run As on the menu. (Don’t ask me why. It’s better than in Windows 2000, where you never saw Run As on the right-click menu unless you pressed Shift.) On my Start menu, these “special” shortcuts include Adobe Reader 6.0, MSN and Windows Messenger, and MapPoint 2004.
The “hold down Shift” trick is also needed to get Run As on the context menu for most Control Panel shortcuts – specifically those that link to a .cpl file. RunAs doesn’t work for all Control Panel items, though. Some of them, such as Folder Options, Fonts, Network Connections, and Scheduled Tasks, actually run within Windows Explorer, which by default doesn’t play well with Run As. More on that in a future post.
There’s also a little problem with the Power Options applet. According to Keith Brown’s analysis (no longer online? I can’t find it), when you click OK or Apply, it writes both per-machine and per-user settings. If you are a normal User, it quietly fails when writing the per-machine settings and never writes the per-user settings. (As of XP SP2 RC1, this is “fixed” in that it at least tells you that it failed to save the settings.) If you use RunAs to run it as the local administrator, the per-user settings it writes are those of the administrator account, not your user account. Sadly, to change your own power settings, you need to be an admin. (This is addressed by my MakeMeAdmin script, which I’ll describe in an upcoming post. Stay tuned!)
You can avoid the right-click context menu and make “Run as…” the default action for a particular .exe or .msc shortcut by opening its Properties dialog, clicking Advanced, and checking “Run with different credentials”. When you invoke the shortcut, you’ll get the RunAs dialog, and the shortcut’s target will run under the account you specify.
RunAs from the command line:
RUNAS.EXE is a console (a.k.a., “text mode”) application that prompts for alternate account credentials and starts a new process under that account. Console applications are often started from a cmd.exe command prompt, but they can also be started from the Start/Run dialog or from an Explorer shortcut.
RUNAS.EXE offers more flexibility than the GUI, including the ability to authenticate with a smart card, to use the account only for network authentication but continue to use your current account locally, and to control which profile and environment to use. Type “RUNAS” without parameters at a command prompt to see its command line options. Look up “runas” in Windows XP Help and Support for more info and examples.
When RunAs won’t work:
A common source of frustration and confusion is to start an application with RunAs, only to find that it is continuing to run in your original logon session. (First, how do you tell? My favorite tool here is Process Explorer from SysInternals. Add “User name” to the displayed columns. Starting with v8.30, ProcExp no longer requires admin privs – thanks, Mark! Also look for my PrivBar utility in another upcoming post.)
The problem is that when started, many applications – such as MS Word and Windows Explorer – look on the current desktop for an already running instance of themselves. If one is found, the new process sends a message to the previous instance to handle the request and then exits. That previous instance will often be running under the account you originally logged on with, not under your alternate credentials. A similar effect occurs when a new app is not started directly by the parent app, but is instead started through the shell, via ShellExecute[Ex] or through DDE. The new process then inherits the security context of the shell, not that of your alternate account. The cmd.exe start command will do this in certain circumstances.
I promise to discuss how to get Windows Explorer to play nicer with RunAs in a future post. In the meantime, Keith Brown’s “How to develop code as a non-admin” describes how you can use Internet Explorer to achieve some of the same results (search the item for “But I hate the command prompt!”).
Some tips and tricks:
I really like Keith’s recommendation to change the background bitmap for your admin IE, but there’s an easier way to do it: the TweakUI Power Toy. Run it as admin and navigate to Internet Explorer \ Toolbar Background. And here’s a bitmap I like to use.
Many people like to keep a cmd.exe shell running as local admin. To reduce the possibility of mistakes, I strongly advise making it obviously different from your normal command shells. The easiest, one-time setup is to click on the admin shell’s system menu, choose “Defaults” and change the colors. This is a per-user setting, so all future console windows running as local admin will appear in the colors you choose.
Another way is to specify distinguishing characteristics in the cmd.exe command line. For example:
cmd.exe /k cd c:\ && color fc && title ***** Admin console *****
The /k option says to run the commands that follow, and not exit after running them. (FYI, /c runs the commands and then exits.) The commands that are executed change the current directory to the root of C: (somewhat safer than being in the system32 folder), the color command changes the console’s color to light red on bright white (run “color /?” to see other choices), and the title command changes the window title to something distinctive. I keep a shortcut in my Quick Launch bar that invokes runas with that command line.
Yet another way, suggested by MS employee John Lambert (NT), is to associate a custom icon with the shortcut. The icon will appear in the Alt-Tab window, the taskbar, and of course the upper-left corner of the cmd window itself. Note that this works only with a cmd.exe target, and you need to use the GUI RunAs option, not the runas.exe console app. Here is an icon you can use.
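As an added example of the Quick Launch shortcut described above, written out as a small launcher script rather than a shortcut target (my script, not one posted with the post): the file name admincmd.cmd and the default account name Administrator are assumptions, so substitute the name of your own admin account.

```batch
@echo off
rem admincmd.cmd - open a visually distinct command shell under the local admin
rem account using runas.exe. Added example; not a script from the post.
rem Usage:  admincmd            (uses COMPUTERNAME\Administrator - an assumption,
rem                              change it to your admin account's name)
rem         admincmd SuperMe    (uses COMPUTERNAME\SuperMe)
setlocal
set "ADMINACCT=%~1"
if "%ADMINACCT%"=="" set "ADMINACCT=Administrator"

rem The quoted string is the command line that runs under the alternate account:
rem   /k        keeps the new cmd.exe open after running the commands
rem   cd /d     changes both drive and directory, out of system32 to the root of C:
rem   color fc  light red text on a bright white background (see color /?)
rem   title     marks the window so it is obvious which shell is the admin one
rem runas.exe prompts for the password on its own console; it cannot be supplied
rem on the command line or piped in, and that is deliberate.
runas /user:%COMPUTERNAME%\%ADMINACCT% "cmd.exe /k cd /d c:\ && color fc && title ***** Admin console - %COMPUTERNAME%\%ADMINACCT% *****"
endlocal
```

Put the file in a folder on your path and point a Quick Launch shortcut at it. The password prompt appears in the launcher's own console window; the admin shell opens as a separate window and stays open after the launcher exits, because the Secondary Logon service, not the launcher, owns the new logon session.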
The admin command shell is a popular way to start apps with elevated privileges. You don’t have to be a total nerd to enjoy its power, though. Examples:
Windows Installer Packages (.msi files) don’t offer a RunAs context menu option. You might be able to get away with hacking the registry to add that option, or you can just run the .msi file directly on the command line of your admin shell.
In general, the command shell recognizes file associations, so you can invoke a data file on the command line and it will start the associated application.
You can start Control Panel applets from the command line just by typing the name of the .cpl file. Some examples:
Start “Date and Time Properties”:
C:\>timedate.cpl
Start “Add or Remove Programs”:
C:\>appwiz.cpl
Start “System Properties”:
C:\>sysdm.cpl
To start Internet Explorer from the command shell, you can type the full path ("C:\Program Files\Internet Explorer\iexplore.exe" – rather a PITA even with command completion). I just keep an ie.cmd file in a folder in my path (posted here as a .txt – just rename it to .cmd). It starts IE, and takes an optional URL parameter. E.g.,
C:\>ie blogs.msdn.com
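The post links to an ie.cmd file that is no longer available here, so what follows is an added reconstruction of what it describes (my script, not the author's posted file). It assumes Internet Explorer is installed at its default location under %ProgramFiles%.

```batch
@echo off
rem ie.cmd - start Internet Explorer from a command shell, optionally with a URL.
rem Added example reconstructing what the post describes; not the author's file.
rem Put it in a folder on your path, then type:   ie        or   ie blogs.msdn.com
rem
rem iexplore.exe is started by its full path rather than with "start http://...":
rem the shell then creates the process directly, so it runs under this shell's
rem account (the admin account, in a runas'd shell). Handing a URL to the shell
rem can instead route it via ShellExecute/DDE to an IE instance already running
rem in your normal logon session, which is the failure mode described under
rem "When RunAs won't work".
setlocal
set "IEXE=%ProgramFiles%\Internet Explorer\iexplore.exe"
if not exist "%IEXE%" (
    echo Could not find "%IEXE%"
    exit /b 1
)
if "%~1"=="" (
    start "" "%IEXE%"
) else (
    start "" "%IEXE%" "%~1"
)
endlocal
```

The empty "" after start is the window title argument; without it, start would treat the quoted program path as the title and do nothing useful.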
That will have to do for now. Please continue to post comments, and I’ll try to get everything addressed.
Comments
Anonymous
June 23, 2004
Frank - was this ASP.NET? And the window you're looking for IE?
Anonymous
June 23, 2004
Aaron Margosis pointed out to me today his weblog which contains some good references and information about running as a limited user on Windows. He had an interesting comment on my different credentials post I did almost a year ago in which he uses a shortcut directly to a cmd window with runas instead of using the explorer view. His suggestion is to do: C:\WINDOWS\system32\runas.exe /u:Administrator "%windir%\System32\cmd.exe /k cd c:\ && color fc && title ***** Admin console *****" Makes total sense if you want to use an admin shell. Personally I prefer having the UI available through the explorer view... which has its own limits. This way I don't have to try to remember where the CPL paths are, or what they are called. I just click 'My Computer' and then 'Control Panel' and have at 'er. To each his own. Aaron has some good pointers on his blog about different ways of approaching this. Consider checking it out....
Anonymous
July 06, 2004
well I want non-admins run certain applications as admins (otherwise they don't work) - but it keeps forgetting that I set them to run as admin. Once I set the run as admin and then reboot, the setting is lost and normal users can't use it.
Anonymous
July 07, 2004
ch - RunAs-admin is not a permanent setting. You can specify on a shortcut that it should run with different credentials, but the user will be prompted for the admin credentials each time the shortcut is invoked.
Anonymous
July 09, 2004
How to get Windows Explorer to work with RunAs (and why you might want to).
Anonymous
July 10, 2004
Jeff Sontag - Sorry, no, it's not configurable and it doesn't remember previously used names. It lists only usernames explicitly listed in the BUILTIN\Administrators group, as well as Client Authentication certificates in the current user's Personal cert store, including smart cards. (You can run certmgr.msc to see your certs).
Anonymous
July 24, 2004
A toolbar for Explorer and Internet Explorer that shows you broadly at what privilege level that particular instance is running
Anonymous
October 25, 2004
Aaron Margosis is a Microsoft employee who is writing a weblog on running Windows with least privilege on the desktop. If you are having trouble running applications under an account with less privileges than administrator, there are many useful suggestions...
Anonymous
February 15, 2005
The idea that the principle of least privilege requires that a user or process be given no more privilege than necessary to perform a job makes a lot of sense in this hostile digital divide we live in. Least privilege has become a passion of mine, and it's reflected in everything that I design nowadays. Which is why Carina works so well in the face of hostile and malicious code. In today’s show I talk about the security principle of least privilege, how we use it to protect our customer’s information... and how you can use it to protect your desktops. For more information about least privilege please check out some of these links: nonadmin.editme.com - This is a community web site (wiki) for Windows users who want to learn how to run without Administrator privileges, and why they should do this. "RunAs" basic (and intermediate) topics - Aaron Margosis' introduction on how to use the runas command in Windows Secure Coding Practices: Running with Least Privileges in Windows - An older article I wrote for CodeProject on how to develop using least privilege on Windows Developing Software in Visual Studio .NET with Non-Administrative Privileges - Lars Bergstrom's great article that explains how to productively develop software while logged on with non-administrative privileges. Using a Least-Privileged User Account - A small article on TechNet discussing LUA, and how it will affect LongHorn. After listening to customer feedback, we are going to try a new format with this podcast. We will keep these single topic recordings short (somewhere around 5 minutes) so that people with busy schedules can still get a chance to listen to it. We will leave longer shows for more in depth interviews etc. Please let me know if you like the new format. Think strategically. Protect your information. Enjoy! MP3: Scorpion Vault: Understanding Least Privilege (4:59s / ~4.7mb)...
Anonymous
April 18, 2005
Complete list of Aaron Margosis' non-admin / least privilege posts, for easy lookup.
Anonymous
May 14, 2005
Sorry, I meant "This is really UN-related..." in the previous post.
Anonymous
May 14, 2005
This is really related to runas and privileges, but is a question about cmd.exe and shells, in case someone knows.
Can I find out if my console app. was started from an open cmd.exe console window, or from Start->Run?
I have a Perl script which prints output that the user wants to read.
If started from Start->Run, the window will close immediately. If I put a "press key" prompt in my app, it's annoying in the other case, when the cmd window is staying open anyway and pressing a key would not be needed.
Can I somehow differentiate how the app was called, and prompt for a keypress only if needed?
Anonymous
June 19, 2005
I am attempting to follow the shining LUA path, but the following is frustrating me:
====================================
RUNAS ERROR: Unable to run - cmd.exe
5: Access is denied.
====================================
Could this be because the account I am attempting to runAs has a null pwd? Any other thoughts? Where would I find out what access is being denied to whom?
Anonymous
June 19, 2005
Interesting, when I (as local admin) runAs a nonpriv account I get
RunAs ERROR: 1327: account policy restriction: nonblank password, ...
This is something we developers (unfortunately) try to do all the time: develop as local admin, runAs another less priv'ed account, and see what breaks.
Anonymous
June 19, 2005
Aha! I made the following discoveries:
-- when I removed my former Admin Account from Administrators, it had all kind of other rights (act as part of the OS, run as a Service, etc.). Just removing from Admins and adding to Users didn't remove these policy-granted rights.
-- Having removed these "extra" privs, I still cannot runAs. Now, I get the same message as when I attempt to run as a nonpriv from a priv account:
"RUNAS ERROR: Unable to run - cmd.exe
1327: Logon failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced."
-- Gave the local admin a password, guess what happened? It worked, of course.
So where do I go to adjust this policy restriction? and, what process or app caused this policy restriction to be made? (Not ruling out Yours Truly, I have the attention span of a Gnat!).
Anonymous
June 19, 2005
http://tinyurl.com/6u739 has info on the use of blank passwords as a Local Sec Policy enforcement. But why should this clobber RunAS?
Anonymous
June 19, 2005
Alex --
As you found in that URL
http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prdp_log_tyry.asp
local accounts with blank passwords can be used to log on only at the console logon screen, not through any other manner. If you have a computer in a secure location (e.g., a home computer) where you can trust everyone who has physical access, this is very convenient. RUNAS was specifically and deliberately disallowed with blank passwords. The reason is because if it were allowed and a LUA user accidentally downloaded some malware, RUNAS would offer an easy elevation of privilege for the malware to run code as an admin. There is a security option that will allow blank password for all other logon types, but I would strongly advise against changing it.
Anonymous
July 10, 2005
Aaron:
I have discovered that if the user that is "becoming" admin doesn't have read-only rights to the USER.DAT in the Admin's documents and settings folder, the RUNAS will fail. I have also discovered that MAKEMEADMIN will fail for the same reason.
Also, I have seen the MAKEMEADMIN batch file fail in "mid-stream" so that the user was made member of Administrators and then not "demoted" after running the program. Any one else reported this?
Alex
Anonymous
August 07, 2005
Hi
HELP HELP HELP
When I launch Explorer as Admin (RunAs)
Explorer won't refresh things automatically. For example, if I create a new file, it might not show up in my admin Explorer window. I know pressing [F5] would solve this problem.
Isn't there a possibility to let (admin)-Explorer refresh automatically???
Thank you for your help
Anonymous
August 08, 2005
Alex Mondale - 1. Under what (normal) circumstances would the admin not have full control over its own NTUSER.DAT file? 2. The error handling in MAKEMEADMIN should always remove the user from the admins group, unless you close the console window prematurely.
Jodah - I know of no fix for that particular annoyance. Just F5 after every operation.
Anonymous
August 29, 2005
Just curious, but do you know of any method to change the default user name when you Run As another user?
Anonymous
December 13, 2005
Daveib - several things:
1. It might just be a typo, but you need a space between TestUser and /savecred.
2. The console doesn't echo any characters when you type a password at the RunAs prompt.
3. Are you invoking runas.exe from the Run dialog or from a command shell (cmd.exe)? If the former, runas.exe is probably telling you what the error is, but the console window is closing before you can see it. Try running it within a command shell instead of from the Run dialog.
HTH
Anonymous
January 23, 2006
JB/kcnpeppa --
The issue you raised was covered in an earlier comment: http://blogs.msdn.com/aaron_margosis/archive/2004/06/23/163229.aspx#183263
HTH
Anonymous
January 31, 2006
RJT - the best way to grant users the ability to do things like "ipconfig /release" is simply to add them to the "Network Configuration Operators" local group. Members of this group can manage a small set of network configuration features, such as the "ipconfig" operations. Note that it does not grant the ability to configure the firewall.
Anonymous
February 15, 2006
Kaplaa:
1) Search MSDN for SLDF_RUNAS_USER
2) The RunAs dialog doesn't offer as many options as the RunAs.exe console app. How about something like a shortcut to:
runas.exe /env /u:targetuser targetprogram.exe
?
Anonymous
February 16, 2006
I am using Vbscript/VBA to create a new shortcut for a database. It appears IShellLinkDataList is not accessible this way -- it is not in the shell createshortcut action nor is it exposed by the WMI interface. Using runas.exe forces me to hardcode the alternate user, which is too kludgy. Currently I advise the users to manually set it in the advanced tab of the shortcut I create using the Shell object. Thanks.
Anonymous
February 16, 2006
Kaplaa - as far as I can tell, that setting is not exposed to any of the scripting interfaces. C++/COM appears to be required.
Anonymous
February 22, 2006
Hi to all, I just used the RunAs command using these parameters: %windir%\system32\runas.exe /profile /netonly /user:regiea\administrator "C:CPSSmallExeCPS.exe" (it's a system that we used in the office and I am logged as a standard user) to run a program as administrator. I was able to do the usual things that we used to do without the RunAs but when I check for the network printer, it is not listed in the printer setup of the program. Running the program as a limited user doesn't give me the right to access some modules so I tested to run it as administrator with the RunAs command. Any idea why?
Anonymous
February 22, 2006
Regina - try using MakeMeAdmin instead (see http://blogs.msdn.com/aaron_margosis/archive/2004/07/24/193721.aspx). If your standard user account is a domain account, the local admin account you're using with runas will not have any authenticated access to network resources, nor to printers configured under your standard user account. Also, if you use "/netonly" in the runas command, you're not running with admin privileges locally - you are merely authenticating as the built-in local admin when making remote requests - which won't be of value since your local accounts are not recognized on remote systems.
Anonymous
March 21, 2006
Ganesh: RunAs accepts passwords only from the keyboard. It was designed this way to help people avoid the unsafe practice of putting passwords in script files.
Anonymous
March 26, 2006
Is there a away to supply password automatically? I want to make a batch file using "runas" that runs without asking for a password. I tried :
echo mypassword >pass.txt
runas /noprofile /env user:domain\administraor cmd <pass.txt
I get an access denied error.
Any ideas?
thanks in advance,
Rajesh
Anonymous
March 27, 2006
Rajesh - RunAs accepts passwords only from the keyboard. It was designed this way to help people avoid the unsafe practice of putting passwords in script files.
(I need to put this in the post itself...)
Anonymous
March 27, 2006
A systematic approach for working around LUA bugs that avoids unnecessary exposure - "the rest of the story"
Anonymous
April 16, 2006
I used a slipstreamed version of windows 2000 and changed the "Administrator" user to "admin" (if I do this post install, the folder becomes "Administrator" instead of the shorter version, which is why I didn't opt to do that). Anyway, the RunAs GUI keeps defaulting to "Administrator" which is extremely annoying. Is there anyway to change this behavior (besides renaming the "admin" user to "Administrator" of course)?
Anonymous
April 16, 2006
asdf - As far as I know, "Administrator" (or localized equivalent) is hardcoded in Windows 2000. In Windows XP it defaults to the actual name of the builtin admin account (the account with the SID ending with -500).
Anonymous
May 13, 2006
sometimes we need to let our limited user accounts run as admin accounts only for SPECIFIC applications. of course, mark detailed well the procedure on how to do this. It seems you have to give your limited user the admin name and pw for him/her to enter into the run as dialog. but what if you dont want to give your limited user the the admin password? the limited user could then just log on to the admin acct.
how can i specify that information securely in a desktop shortcut in a way that the user cannot dig out? Does anyone here have a teenage child?-you know what i mean.
i found this little utility called 'encrypted runas' from wingnut software. Mark, what do you think of it?
Anonymous
May 14, 2006
Stefan -
Already answered. See Fixing LUA Bugs, Parts I & II:
http://blogs.msdn.com/aaron_margosis/archive/2006/02/16/533077.aspx
http://blogs.msdn.com/aaron_margosis/archive/2006/03/27/562091.aspx
Utilities such as the one you mentioned are dealt with after item #5. Not highly recommended.
Anonymous
May 24, 2006
How would I troubleshoot windows crashing when trying to use the runas command?
Anonymous
May 24, 2006
mookie -- I don't know. What do you mean by "windows crashing"? Blue screen? Explorer has an access violation? Monitor falls off the back of the desk? The windows in your house falling out of their frames and smashing on the floor?
Anonymous
June 14, 2006
Sachin, the answers to your questions are in this follow-up post about RunAs and Explorer: http://blogs.msdn.com/aaron_margosis/archive/2004/07/07/175488.aspx
The full Table Of Contents for all my non-admin blog posts is here: http://blogs.msdn.com/aaron_margosis/archive/2005/04/18/TableOfContents.aspx
Anonymous
June 14, 2006
Never mind, just read your next post on the same thing and got it to work under explorer by checking the "Run in separate process" flag.
Anonymous
June 19, 2006
Hey,
I'm running a Java program (wrapped in an EXE) that can be launched through two shortcuts on my desktop. The first has target:
C:\vbmax\maxpw.exe
The second has a target:
%windir%\system32\runas.exe /user:services /savecred C:\vbmax\maxpw.exe
The EXE being launched runs a batch file that is launched using the command:
C:\WINDOWS\system32\runas.exe /user:services /savecred C:\vbmax\regquery.bat
This batch file needs to be launched on startup of my program to get a registry key value, otherwise my program throws an error and terminates. The first shortcut works every time for launching the batch file, but I need to launch my program as services. The second shortcut does not always work (i.e. launch the batch file and get the result), only if I've previously logged into the services account.
Any ideas? It appears to me that unless I've previously logged in as services, my batch file when launched will not be able to run as services for some reason.
Any help would be MUCH appreciated.
Mike
Anonymous
August 22, 2006
I've a case where a program generates an access violation when run with the user as 'administrator' but not when run as 'kathy' (for example). Even if 'kathy' and 'administrator' both have administrator privileges.
Where should I look?
Sounds like a profile issue -- I'm guessing that "Administrator" installed the program, and that the app was designed/implemented with the implicit assumption that the account that installed the app would be the account that uses the app. Contact the vendor. -- Aaron
Anonymous
August 31, 2006
Great information. We are looking to lock down our users here but at the same time minimize their pain. Setting up the Admin CMD windows will help out a lot.
Anonymous
September 13, 2006
What do you think about sudo for windows...?
Without referencing the security implications of any specific implementation of SUDO-like functionality for Windows, I wrote a bit about the issues around automatic elevation implementations in Option #5 in Fixing LUA Bugs, Part II. On the whole, I would consider it something to be avoided if possible. -- Aaron
Anonymous
September 22, 2006
Hi Aaron
Is there a specific security reason that the environment variable %APPDATA% is not defined under a RunAs shell ?
Just experienced some programs ( well UltraEdit to be precise) using that environment variable to locate its 'Application Data' Folder and that obviously can give some problems when you start up a RunAs shell.
Henrik
Anonymous
October 04, 2006
I want to know by editing which registry key, I will be able to reset my admin password to blank. Thanks & waiting for the reply -- kunal
Anonymous
October 17, 2006
I love this article -- I've been dealing with all of these issues for over a year. My solution was to refine an in-house admin console to include a "launch pad." I run the admin console as an admin and then anything it launches inherits the privileges. The launch pad has "favorite" folders [network unc and local] which are opened via Internet Explorer. They can also be opened with CMD.EXE (it automatically maps Z: and runs CMD there). It also has "favorite" applications, including Internet Explorer, Word, etc, to get around the problem of doing a "RunAs" on a shortcut per se. It also has "favorite" connections, URI controlled FTP, telnet, etc, connections, which honestly don't need to be run under a different context, but it's just flippin' easy to have everything I need in one place. This is all customizable. It's an in-house app, of course, and is powerful beyond compare. It has replaced EMCO Network Management, DameWare utilities, and SMS, all of which we've tried and disliked. What do you guys think it's worth? :)
Anonymous
October 22, 2006
To run an .msi as admin do a 'Runas' on the 'Command Prompt' under Accessories, and run the .msi from the command prompt.
Anonymous
October 25, 2006
Clarification: 'YourAdminAccount' in the above registry file example must be replaced with the name of your Admin account, e.g.:
@="%SystemRoot%\system32\runas.exe /user:%COMPUTERNAME%\SuperMe "%L""
Henrik
Anonymous
October 25, 2006
Oh boy, %SystemRoot% does not expand, so one has to hard code @="C:\Windows\system32\runas.exe /user:%COMPUTERNAME%\SuperMe "%L"", and I just discovered that it only works on files registered as executable (of course, stupid). I might better find some other way to spare me from all those mouse clicks when I want to run as admin. Sorry for the clutter. Henrik
Did you try creating an "Expandable String Value" (REG_EXPAND_SZ) instead of just a "String Value" (REG_SZ)? -- Aaron
Anonymous
October 26, 2006
Yeah, the REG_EXPAND_SZ type had slipped my mind; that was of course the problem. :) Anyway, I thought that I wouldn't post it because the raw REG_EXPAND_SZ in a .reg file looks ugly, but here it is (also changed the '*' to 'exefile' to only show for exe and lnk files):
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\Run as Admin...\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,00,75,00,\
  6e,00,61,00,73,00,2e,00,65,00,78,00,65,00,20,00,2f,00,75,00,73,00,65,00,72,\
  00,3a,00,25,00,43,00,4f,00,4d,00,50,00,55,00,54,00,45,00,52,00,4e,00,41,00,\
  4d,00,45,00,25,00,5c,00,53,00,75,00,70,00,65,00,72,00,4d,00,65,00,20,00,22,\
  00,25,00,4c,00,22,00,00,00
Do you know if it's possible to use a human-readable notation for REG_EXPAND_SZ in .reg files? E.g.: @=ascii(2):%SystemRoot%\system32\runas.exe /user:%COMPUTERNAME%\SuperMe "%L"
Henrik
Anonymous
October 26, 2006
And now you cannot change 'SuperMe' to your Admin Account name but have to manually go to the reg path [HKEY_CURRENT_USER\Software\Classes\exefile\shell\Run as Admin...\command] and do the changes (unless you've got "Absolute hex-pitch", http://en.wikipedia.org/wiki/Absolute_pitch ;) ) Henrik
Anonymous
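On Henrik's question about a readable notation: a .reg file has no text form for REG_EXPAND_SZ, but the hex(2) blob is nothing more than the string's UTF-16LE bytes plus a two-byte NUL terminator, written as comma-separated hex pairs, with regedit wrapping long lines on a trailing backslash and indenting continuation lines by two spaces. That makes it easy both to generate the blob for a different account name and, more usefully for anyone who wants to see what a .reg file from a forum will actually install before importing it, to decode one. The following Python script is an added example, not code from the original post or from Henrik; it decodes the value posted above and regenerates the same notation from a readable string. The helper `runas_command_value` and the account name it takes are constructed for the example.

```python
"""Decode and encode REG_EXPAND_SZ values in .reg "hex(2):" notation.

Added example (not code from the original post). A hex(2) value is the
string's UTF-16LE bytes plus a two-byte NUL terminator, written as
comma-separated hex pairs; regedit wraps long lines with a trailing
backslash and indents continuation lines by two spaces.
"""

# Henrik's value, copied from the comment above (line breaks left in place;
# the decoder ignores whitespace and continuation backslashes).
HENRIK_HEX = """@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,00,75,00,\\
  6e,00,61,00,73,00,2e,00,65,00,78,00,65,00,20,00,2f,00,75,00,73,00,65,00,72,\\
  00,3a,00,25,00,43,00,4f,00,4d,00,50,00,55,00,54,00,45,00,52,00,4e,00,41,00,\\
  4d,00,45,00,25,00,5c,00,53,00,75,00,70,00,65,00,72,00,4d,00,65,00,20,00,22,\\
  00,25,00,4c,00,22,00,00,00"""


def decode_hex2(reg_line: str) -> str:
    """Return the string a '@=hex(2):...' (or bare hex) .reg value encodes."""
    body = reg_line.split("hex(2):", 1)[-1]
    # Strip regedit's line continuations and any whitespace.
    cleaned = "".join(body.split()).replace("\\", "")
    data = bytes(int(pair, 16) for pair in cleaned.split(",") if pair)
    # Decode the UTF-16LE bytes and drop the NUL terminator.
    return data.decode("utf-16-le").rstrip("\x00")


def encode_hex2(value: str, name: str = "@", width: int = 80) -> str:
    """Encode value as a REG_EXPAND_SZ .reg line, wrapped the way regedit does."""
    data = value.encode("utf-16-le") + b"\x00\x00"
    pairs = [f"{b:02x}" for b in data]
    lines = []
    current = f"{name}=hex(2):"
    for i, pair in enumerate(pairs):
        piece = pair if i == len(pairs) - 1 else pair + ","
        # Keep each line within width, counting the trailing backslash.
        if len(current) + len(piece) + 1 > width:
            lines.append(current + "\\")
            current = "  "
        current += piece
    lines.append(current)
    return "\n".join(lines)


def runas_command_value(account: str) -> str:
    """Readable form of Henrik's value for a given account name (constructed helper)."""
    return f'%SystemRoot%\\system32\\runas.exe /user:%COMPUTERNAME%\\{account} "%L"'


if __name__ == "__main__":
    print("Decoded:", decode_hex2(HENRIK_HEX))
    print(encode_hex2(runas_command_value("SuperMe")))
```

Decoding Henrik's blob yields `%SystemRoot%\system32\runas.exe /user:%COMPUTERNAME%\SuperMe "%L"`, so the hex really does carry the account name and is worth checking before import. If the goal is only to create the value on one machine rather than distribute a .reg file, `reg.exe add` with `/t REG_EXPAND_SZ` accepts the readable string directly and avoids the hex altogether.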
November 17, 2006
With Vista, is it possible to perform a runas.exe /user:<specific user domain\account> through the GUI like can be done with the CLI? I only have "run as administrator" in my menu option and I cannot specify different accounts; it just always opens up the programs without asking me who I want to run it as. Is this feature gone or am I missing something? Thanks, Ewic
Anonymous
December 12, 2006
I have the same question as Ewic. A bit frustrating when I can't run admin tools as a specific user.
Anonymous
December 20, 2006
Same question as above. I used the runas command to run selected apps and consoles as my domain admin account. When trying to open up a command prompt with privileges to run some vbscripts, it returns "Cscript error: Loading your settings failed. (Access is denied.)"
Anonymous
December 20, 2006
I guess the workaround is to change the local GPO to prompt for credentials instead of prompt for consent. Found it over at Josh's windowsconnected site, http://windowsconnected.com/blogs/joshs_blog/archive/2006/12/01/windows-vista-tip-run-as-administrator.aspx.
Anonymous
December 27, 2006
After installing a required application for some clients, when they try to right-click and select "RunAs" on an advertised shortcut, for example in the AdminToolPak, the GUI dialog box that allows alternative credentials to be entered does not appear. If the application causing the issue is removed, "RunAs" functions properly again. Is there a registry key that controls the GUI interface for RunAs?
William, it sounds to me like the required application is installing a shell extension of some kind that is modifying the shortcut menu and hijacking the effects of the RunAs verb, causing it to do nothing. Possible? -- Aaron
More info: a colleague informs me that a common cause of the behavior you're seeing is a badly implemented context menu extension that implements ::InvokeCommand() without testing the verb that it was called with. HTH -- Aaron
Anonymous
January 05, 2007
IE is definitely the most insecure gateway to a PC. So I was thinking: why not run it in a guest account...
Anonymous
January 10, 2007
I'm confused about something simple: the only reason to use RunAs or MakeMeAdmin is for convenience over Fast User Switching? mike
Generally, Fast User Switching (FUS) is preferable. However, on Windows XP, FUS is not available when the computer is joined to a domain. (That limitation has been removed in Windows Vista.) MakeMeAdmin can still be useful if you need to temporarily elevate your regular account. HTH -- Aaron
Anonymous
January 16, 2007
Interesting reading. Is there a way to programmatically display the RUNAS GUI to install a setup.exe? I could simulate the front end but that seems excessive.
Juls, if you try to start any program called setup.exe or install.exe from Explorer or the Run dialog, it will automatically display a RunAs prompt. Does this help? -- Aaron
Anonymous
January 24, 2007
Sorry... my English is not very good. Do you know how parameters are accepted by timedate.cpl? Is it possible to run it with runas? TKS...
Domingos: I don't know of a way. timedate.cpl actually becomes an argument to rundll32.exe (as do all .cpl files). What exactly are you trying to do with it? -- Aaron
Anonymous
January 30, 2007
What's the point of having a command that cannot be used programmatically? In fact, why does Windows even bother with the command shell at all? It's like the guys at MS said, "those UNIX guys always seem to be messing around with 'some kind of text window???' Let's have one too, it will make it look like we know what we're doing!"
Coder: I assume your point is about runas.exe not taking a password as a parameter. Runas.exe is not a command -- it's a utility program. It is designed specifically for interactive use, with a goal of not encouraging the unsafe practice of embedding passwords in plain-text script files. The underlying APIs (e.g., CreateProcessWithLogonW) can be used programmatically. And wrt the command shell, nothing in the UNIX world (that I'm aware of) can match what Windows PowerShell does. Download it and try it out. -- Aaron
Anonymous
January 31, 2007
I have groups of users that need to be given admin access to their workstation just to be able to update software on their PC as needed. In the 'good old' Unix days I could just set the sticky bit on the program, and the privilege would follow the application. Is there a Windows equivalent to a 'trusted' application?
Anonymous
March 27, 2007
I am having a problem when I use Run As to start an application: it opens the app, but does not include any local/network printers. Is there a solution to this problem?
Anonymous
March 27, 2007
It happens in both 2000 and XP; this used to work about one month ago.
Anonymous
May 13, 2007
You can activate the UAC UI through VBScript and then start your batch file with elevated rights: http://newyear2006.wordpress.com/2007/02/04/datum-unter-vista-per-vbscript-setzen-mit-uac-unterstutzung/
Anonymous
May 16, 2007
I am currently building applications on Longhorn and need to run as a different service account. At the command prompt, I've entered '>runas /user:domain\serviceaccount cmd'. I enter the password when prompted, and then get this error: RUNAS ERROR: Unable to run - cmd 1327: Logon failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced. The password is correct, so I'm at a loss as to what to do next. Rose
Rose: Is the service account granted the ability to log on interactively? -- Aaron
Anonymous
June 28, 2007
How do you get the runas to authenticate on the domain along with the local computer? I am trying to run an install which requires access to network shares. Without domain authentication, I cannot make this happen!
@Maria: MakeMeAdmin. HTH -- Aaron
Anonymous
June 28, 2007
PingBack from http://www.rachner.us/blog/?p=6
Anonymous
June 30, 2007
Great post! I've read through much of this and haven't seen anything that addresses my issue. I'm trying to connect to another network via VPN and use resources there (https: and SharePoint websites in particular). My local PC is not known to the domains I reach through the VPN, so I can't log onto my local PC with a remote Windows account. I start the VPN client, enter my remote credentials and I get in. But once there, I cannot get remote websites to honor my remote credentials. I've tried starting IE via runas with the remote credentials, but it doesn't make any difference. IE just hangs, showing "opening page ..." on the bottom left. Any ideas? Thanks
Anonymous
September 13, 2007
There is a tool "admintoolslauncher" which centralizes most of the administrative tasks under one application. One single log-in with administrative rights and you can launch all tools from one pool. It is limited to all Windows OS versions before Vista. It can be found in this blog: http://www.stackenbloggen.de/PermaLink,guid,3406fa39-d95e-4ee3-bd64-7f55870b26ff.aspx
Anonymous
September 21, 2007
Yes Aaron, all those things are true, but after encrypting the file to a .vbe, the password is no longer exposed. As far as losing focus: shorten the time, and be aware it could happen.
[Aaron Margosis] But it will be decrypted in the user's context, and then be available to the user in the clear. (Perhaps not as easy for most users to get to, but it's still there for them.)
Anonymous
November 02, 2007
I use Runas a lot, with various usernames and domains. There is a limit on the number of domain\usernames that can be stored in the list. How do I flush the domain\username cache?
Anonymous
January 15, 2008
All this effort to try and imitate a tool that Linux has always had and that just works. Why don't you all start making the switch to Linux? Eventually you will all be much happier people.
Anonymous
February 13, 2008
Hi friends, I have one problem: my system is on a network and I can access the internet if I run Firefox or IE as a different user. I do that with "runas". It runs fine for a couple of minutes but after that it starts running as the login user... please help. Thanks, Lahens
Anonymous
February 26, 2008
I improved Henrik's work on a RunAs shell Explorer extension by adding an option for MSI files and making the dialog pause if you enter the password incorrectly. Note: You need to change the user to match your user. Thanks for this page Aaron!
Windows Registry Editor Version 5.00

; %SystemRoot%\system32\cmd.exe /C "%SystemRoot%\system32\runas.exe /user:PCPOOL\adm_oezbek "%L" | pause"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shell\Run as Admin...\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,00,6d,00,\
  64,00,2e,00,65,00,78,00,65,00,20,00,2f,00,43,00,20,00,22,00,25,00,53,00,79,\
  00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,\
  73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,00,75,00,6e,00,61,00,73,00,2e,\
  00,65,00,78,00,65,00,20,00,2f,00,75,00,73,00,65,00,72,00,3a,00,50,00,43,00,\
  50,00,4f,00,4f,00,4c,00,5c,00,61,00,64,00,6d,00,5f,00,6f,00,65,00,7a,00,62,\
  00,65,00,6b,00,20,00,22,00,25,00,4c,00,22,00,20,00,7c,00,7c,00,20,00,70,00,\
  61,00,75,00,73,00,65,00,22,00,00,00

; %SystemRoot%\system32\cmd.exe /C "%SystemRoot%\system32\runas.exe /user:PCPOOL\adm_oezbek "%L" | pause"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\Run as Admin...\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,00,6d,00,\
  64,00,2e,00,65,00,78,00,65,00,20,00,2f,00,43,00,20,00,22,00,25,00,53,00,79,\
  00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,\
  73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,00,75,00,6e,00,61,00,73,00,2e,\
  00,65,00,78,00,65,00,20,00,2f,00,75,00,73,00,65,00,72,00,3a,00,50,00,43,00,\
  50,00,4f,00,4f,00,4c,00,5c,00,61,00,64,00,6d,00,5f,00,6f,00,65,00,7a,00,62,\
  00,65,00,6b,00,20,00,22,00,25,00,4c,00,22,00,20,00,7c,00,7c,00,20,00,70,00,\
  61,00,75,00,73,00,65,00,22,00,00,00

; %SystemRoot%\system32\cmd.exe /C "%SystemRoot%\system32\runas.exe /user:PCPOOL\adm_oezbek "%SystemRoot%\system32\msiexec.exe /i \"%L\"" | pause"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Msi.Package\shell\Run as Admin...\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,00,6d,00,\
  64,00,2e,00,65,00,78,00,65,00,20,00,2f,00,43,00,20,00,22,00,25,00,53,00,79,\
  00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,\
  73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,00,75,00,6e,00,61,00,73,00,2e,\
  00,65,00,78,00,65,00,20,00,2f,00,75,00,73,00,65,00,72,00,3a,00,50,00,43,00,\
  50,00,4f,00,4f,00,4c,00,5c,00,61,00,64,00,6d,00,5f,00,6f,00,65,00,7a,00,62,\
  00,65,00,6b,00,20,00,22,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,\
  6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
  00,5c,00,6d,00,73,00,69,00,65,00,78,00,65,00,63,00,2e,00,65,00,78,00,65,00,\
  20,00,2f,00,69,00,20,00,5c,00,22,00,25,00,4c,00,5c,00,22,00,22,00,20,00,7c,\
  00,20,00,70,00,61,00,75,00,73,00,65,00,22,00,00,00
Anonymous
March 08, 2008
For all who are searching for a runas solution on Vista: runasspc on robotronic.de/runasspcEn.html can be used on Vista like runas on XP.
[Aaron Margosis] ... or see Sysinternals' new ShellRunAs utility: http://technet.microsoft.com/en-us/sysinternals/cc300361.aspx
Anonymous
May 16, 2008
Hi, I'm trying to start a bat file from the network. I'm getting an error saying:
Enter the password for ATUUSER4\Administrator: Attempting to start C:\Batch\MAKEME~1.CMD " as user "ATUUSER4\Administrator" ... RUNAS ERROR: Unable to run - C:\Batch\MAKEME~1.CMD " 5: Access is denied.
Any ideas what could be wrong? XP Pro SP2
[Aaron Margosis] Did you modify MakeMeAdmin.cmd to have it try to run something other than CMD.EXE? You say you're trying to start a bat file from the network, but you're indicating MakeMeAdmin.cmd on the C: drive. Where does the network come into play? Also: is ATUUSER4 the name of the computer, or is it a user name? Do both the non-admin user and the administrator have permissions to read the files in the C:\Batch folder?
Anonymous
August 12, 2008
How to run Control Panel as Administrator in Windows XP:
runas.exe /u:Administrator "explorer /separate,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}::{21EC2020-3AEA-1069-A2DD-08002B30309D}"
Anonymous
November 02, 2008
Use the utility in the above link to run Explorer with a different user account on your machine.
Anonymous
November 02, 2008
Use the utility in the below link to run Explorer with a different user account on your machine: http://simplytoknow.blogspot.com/2008/11/run-windows-explorer-as-another-user.html
Anonymous
December 22, 2008
Very useful information. Thanks a lot
Anonymous
March 05, 2009
******** Temp Solution ********
Thank you for the above discussion and brief summarization on running with an id/pwd in cmd:
- cmd "runas" CANNOT do this
- need VB or C
- need to install 3rd-party software
Luckily found PsTools v2.44 by Mark Russinovich (thanks!!) and tested it the whole day - pretty good and easy to use!!
- Accepts ID/Pwd in script. No more keyboard.
- No need to install on other client PC(s)
- Suitable for W2K, XP, 2003
- Silent to users. Runs in the background. http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx
Happy sharing and enjoy. :) Karl
[Aaron Margosis] Yes, but remember that if you put this in a script, in order for your users to run it, they need to be able to read the script. Putting admin passwords in plain text script files is generally considered not so great from a security perspective.
Anonymous
March 08, 2009
Please post the ie.cmd lines here on the blog also. The old link is not working.
Anonymous
April 01, 2009
As with post #631638 above, I am also having trouble running the ncpa.cpl network applet as Administrator. I have the "Launch folder windows in a separate process" flag set for both the target Administrator account as well as my Limited User account, but it still won't work. The ncpa.cpl is the only applet that won't run as Admin... everything else works fine. Any ideas?
Anonymous
August 10, 2009
Wow, I posted that 4 months ago and still no answer... does anyone actually read these?
Anonymous
September 13, 2009
The tips are nonsense since they don't work with IE 7 and older.
Anonymous
August 08, 2010
The tool admintoolslauncher has moved to wurstkoffer.wordpress.com/.../admintoolslauncher.
Anonymous
July 27, 2011
Links to the file are not working. Thanks, Kevin