Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


Always "run as" administrator - "run as..." function of W2K

Posted on 2004-09-12
Medium Priority
Last Modified: 2008-11-22
i essentially want to know how to set up a shortcut to run a program EVERY TIME as administrator where the user DOES NOT have to input the password to authenticate the administrator...

please advise.

there's another question, in the XP section that is very similar, but with bad hyperlinks as the solution.  the question was 21009592.

Question by:fl4ian
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
  • 3
  • +1

Assisted Solution

talphius earned 800 total points
ID: 12040768
Not aware of any way you can 'hard code' the password into a shortcut.  Even if this could be done, why would you want to do this?  What would prevent the user from modifying the shortcut to point to another application (any of the Admin tools for example), and then opening up and using those as admin?  Would kind of defeat the purpose of segregating roles, would it not? :)

Certainly you can setup the shortcut so that it is pre-filled with a username - see the below KB article

Format is:
runas /user:machine\admin_user command
where machine is the name of your computer, admin_user is the username of the administrative user, and command is the command you want to be run
LVL 11

Accepted Solution

Quetzal earned 800 total points
ID: 12040857
do the runas command from a command prompt once with the /savecred switch.  It will remember the credentials thereafter.

Expert Comment

ID: 12046381
yeah right.... pleas use the /savecred switch. (No offence Quetzal)

From now on any webpage/javascript/vbscript/hacker and user can call :
CreateProcess("runas.exe", "/savecred /user:administrator \"cmd /c somecommand\"", ...)

This since savecred is NOT limited to the application where it was initially used for.
So after starting (for instance) the scannerapplication as admin with the /savecred switch,
the user can press winkey+r and run anything he/she wants as admin hereby VERY EFFECTIVELY bypassing all (local) security.

I have some tools that can do the job like sanur.
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

LVL 11

Expert Comment

ID: 12050735
No offense AlfaLAN because you are right, /savecred is a huge security hole.  I never realized this nuance until now.  Thx.

I'm not sure that sanur is the answer though because you have to enter the password in plaintext.

I guess it just points up why it's not a good idea to let regular users have admin privileges, it's just not a good idea.

fl4ian, can you expand a little on what you are trying to accomplish?

Assisted Solution

AlfaLAN earned 400 total points
ID: 12059589
Thx Quetzal,

I reccommended a program like sanur.ex (or use su.exe or the latter version suss.exe available on the Resourcekit) becouse
this option is practical and for obvious reasons far better then the /savecred switch.
These tools should be used wisely together with a batchscript. And becouse everyone can read a batchscript (and thus the adminpassword) you should use a tool like battocom.exe or battoexe.exe to CONVERT the batchscript so a user cannot simply read your script (and passwords).

Another solution I personally like to use, is to write a simple vb program (compile to exe) wich opens a specified program using the impersonate functions (see: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfSystemSecurityPrincipalWindowsIdentityClassImpersonateTopic.asp for more info on these functions...).

Instead of hardcoding admin/domain/password you could also create a commandlinetool wich could read (encrypted) info from file or registry or commandline (or combinations). Keep in mind that if you let adminname & Password read out of file/registry people can use filemon.exe or regmon.exe to trace your password....
So if you would create your own kind of su (wich can run any program using a defined user) would be a very big risk.
So hardcoding is the best way since it can run only a specified program for a specified user using a nonexternal username & password.

(see also: http://www.experts-exchange.com/Operating_Systems/WinNT/Q_10221877.html)

Now there another trick that has come to my mind just now, so I haven't tried it yet...
If you would add a program to run as service, you can specify a username and password to run it as a different user...
Then define that the program does'nt start automatically but when needed.
Next create a shortcut wich invokes something like: 'net start specialprogram' and move it to the %userdir%\startmenu\programs.... of the users wich should have access to this shortcut.

Always keep in mind that every action that is done by the application wich is run as a different user, is done as that different user.
So if a user would execute (from that program) something like:
"%programfiles%\Internet Explorer\IEXPLORE.EXE -e %systemdrive%"
he would get explorerwindow with folders so also controlpanel, manage this computer, and everything as if he were admin...). Every program he runs from thereon is also ran as this other user. If he would browse the internet... you get it.
LVL 11

Expert Comment

ID: 12062885
AlfaLAN, excellent post.  I'm really glad to to have bumped into you here.  Thx for the info.

Expert Comment

ID: 12139803
Thank you! Out of own personal interest, can anybody top it off???
It's been quite quiet around this question for some time now...
& I'm eager to start using the searchfacility if U Know what I mean ;-)

Expert Comment

ID: 12148152
You could also go for Runas Professional:

Or a 'simplified' scripting solution like I mentioned using:

Author Comment

ID: 12153112
i ended up creating an additional admin account and setting that password to the same one that the user usually uses to log in.

when they run the program shortcut (with the save-as switch), they have to enter the password (which is the same as the general login).

1) i implemented this after reading the first comment.
2) i haven't been back at this site yet to do more experimentation
3) alphalan, you definitely know you're stuff, but i wonder if i need to go to such a degree when savecred is easy.  espeically with a small office (less than 8 people, none of which are tech savvy), and behind a firebox...

as a result i'm splitting/adding points.

Author Comment

ID: 12153129
apparently, i can't add more points since it's alread at 500, sorry.

Expert Comment

ID: 12178925
1) Whoow!!! Good on you! Hope putting /savecred behind a shortcut did'nt take up to much of your time...
2) If you would have read the site-rules you know you don't abandon a post for almost 2 weeks..
3) My name is ALFALAN!!!!!!!!!  And if you would have actually participated in your topic, and READ the comments you would most defenetly not ask your third question since it is already extensively awnsered.

"i ended up creating an additional admin account and setting that password to the same one that the user usually uses to log in....?!?!?!?!" Why not give the user the adminpassword instead of creating an additional security-risk????

It is also easy NOT to lock your frontdoor; You don't need those bloody key's, you don't need to get up to open the door to visitors and so on...

PS: your firebox ain't gonna blok malicious webscripts/email (just to mention some everyday risks) (GRIN :-) )....
I write them to (for intranet-support-applications) and can assure you I can modify almost anything on your computer through a vbs/js/activex (and now experimenting with flashscript to hide my source) in html. How did you think browserhijacking (for example) works ???

PS2: the most irritating part however is that you start realising what you are doing, and/or if you would simply take the effort + 15 mins of your time to test one of the other solutions, I know for shure you will stop using this solution, and start using one of mine (probably suss.exe). And in that case: Where are my earned points?

Author Comment

ID: 12217822

1) get over yourself.
2) read number 2 of my second to last comment.

Featured Post

Does Your Cloud Backup Use Blockchain Technology?

Blockchain technology has already revolutionized finance thanks to Bitcoin. Now it's disrupting other areas, including the realm of data protection. Learn how blockchain is now being used to authenticate backup files and keep them safe from hackers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Whoever said that “a picture is worth one thousand words” observed a fact that can dramatically affect your marketing success. Most people tend to learn visually, so many publishers commonly acknowledge the effectiveness of visual learning by using…
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…
In response to a need for security and privacy, and to continue fostering an environment members can turn to for support, solutions, and education, Experts Exchange has created anonymous question capabilities. This new feature is available to our Pr…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question