
Run As command

Neal_876 asked:
Is it possible to differentiate, when a user uses the Run As command, whether that user used regular user credentials or admin credentials? I know that when you use the Run As command it is logged with ID 528 …..

Commented:
You don't say your environment (c++, batch file, etc).

Does this help: http://social.msdn.microsoft.com/Forums/en/vcgeneral/thread/3a588937-a138-4ff2-a626-f4615af5a83c

Author

Commented:
Windows Server 2003/XP operating systems environment. I just need to be able to know the difference between a regular user and a user with admin rights using this command..... What event is generated in the event log for the regular user and for the user with admin rights?

The link above is using a script.....

Author

Commented:
Any thoughts.......................?
Hi Neil,

What does your event log say?

Author

Commented:
Please see below......

Successful Logon:
       User Name:      abcd
       Domain:            Domain Name
       Logon ID:            (0x0,0x6F9FAF)
       Logon Type:      2
       Logon Process:      seclogon - this tells me that run as command was used
       Authentication Package:      Negotiate
       Workstation Name:      Computer name
       Logon GUID:      {5aedb061-d8a

This is event ID 528 under the Logon/Logoff category.

I would like to be able to tell if the Run As command was run using an admin or a regular user account. Is this possible?


Thank you!
This is very possible. The Logon GUID is equivalent to having the SID of the user.

This article shows you how to convert a GUID to a user, assuming you want this to be for Active Directory?
This article explains SID vs. GUID.
This article tells you where they came from, e.g. whether they are connecting remotely, locally, etc.

If you ever need to convert a SID to a user, use sid2user or psgetsid.

Author

Commented:
Russell_Venable:
Thank you for the information above, but it is a bit more than what I am looking for.
I just want to be able to check the event log on the server where the Run As command was used and be able to tell what privilege the logged-on user used to run the Run As command, whether admin or regular user privilege.
If I can find the ID that is generated that tells me which kind of account was used, I can then monitor that event ID or logon process.
Please let me know your thoughts….
lol, better more than less. Yes, but if you have this information you can look up the privileges for an account and check if the user is in the Administrators group / is an administrator. Admins are always 500 for full and 1001 for sub admins. If you check the end of a user's SID you will know what I am talking about.

Author

Commented:
Is this the only way to accomplish this task? I would rather not run a script, because this will be an ongoing item.
Well, if you truly want to do this the long way, then you can select the OU, select the user, select Properties and look at the objectSID and objectGUID properties. That is a lot of trouble in the long run, if you ask me.

Well, the only reason I suggest a script is that it helps translate some of the computer lingo for you so you can track the user down a lot easier, and I wanted you to understand how it works. The more you know, the better you will understand how it works and how to get it done more easily.

Author

Commented:
I appreciate your help, but I think you may not understand what I am trying to accomplish.

I just want to monitor the local security events on a particular server, namely event ID 528 with the logon process "seclogon", AKA the Run As command.

When a user runs this command on a server, ID 528 is generated in the local security event log on the server. I would like to be able to know if the user executed the Run As command as a local user or an admin user.

I also noticed that when the Run As command gets executed there is also an event ID 576 - privilege used, but this is the same ID that gets generated whether I use a regular user or a user with admin credentials.

I just want to know if there is an event ID that I am not seeing that can tell the difference between the users?
lol, I'm sorry Neal. I am trying to be very clear. I am a Security Researcher and have intimate knowledge of the Windows operating system. You can believe me or not. The information above is given to you and you can research it further, but it will end in the same way it began. It gives you exactly what you need to do to identify the user in question: the logon ID of the user whose credentials (SID) are being used to log on when "Runas.exe" is executed in this context. If you have the SID of the user being used for "Runas" you can run a privilege check and check their ACEs for certain privileges.

Negative, you need to audit logon events and specify a special key to give more information about the privileges being used. An example of this is below.

When you get an Event ID 576 it's an alert that an application/user has added special permissions to their account. You know this already. One of these listed here (Example). This article also tells you how to audit what privileges the user is using. This might be what you are looking for specifically. A standard user should NEVER have these enabled.

SeTcbPrivilege
SeBackupPrivilege
SeDebugPrivilege
SeEnableDelegationPrivilege
SeRemoteShutdownPrivilege <-- especially not in a domain
SeAuditPrivilege
SeLoadDriverPrivilege
SeSecurityPrivilege
SeManageVolumePrivilege

...the list goes on... Take a look at the differences in the output of my personal tool.
Regular User vs. Administrator
It does not matter which Windows you use; they all work moderately the same.
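As an added illustration of the correlation this reply describes (not code from the thread or from the responder's tool): a Run As logon produces a 528 with Logon Process "seclogon" and a 576 that carries the same Logon ID, so joining the two on Logon ID and checking the 576's privilege list against the "standard user should never have these" set tells you whether the credentials supplied to Run As were admin-class. The event texts below are constructed samples in the Windows 2003/XP free-text format; user names and Logon IDs are made up, and the parser assumes the privilege list in a 576 starts on the "Privileges:" line and continues on the indented lines after it.

```python
import re

# Privileges the reply lists as ones a standard user should never hold.
ADMIN_PRIVILEGES = {"SeTcbPrivilege", "SeBackupPrivilege", "SeDebugPrivilege",
    "SeEnableDelegationPrivilege", "SeRemoteShutdownPrivilege", "SeAuditPrivilege",
    "SeLoadDriverPrivilege", "SeSecurityPrivilege", "SeManageVolumePrivilege"}
# Constructed sample records (event id, message text); users and Logon IDs are made up.
SAMPLE_EVENTS = [
    (528, "Successful Logon:\n\tUser Name:\tabcd\n\tDomain:\tCORP\n"
          "\tLogon ID:\t(0x0,0x6F9FAF)\n\tLogon Type:\t2\n\tLogon Process:\tseclogon\n"),
    (576, "Special privileges assigned to new logon:\n\tUser Name:\tabcd\n\tDomain:\tCORP\n"
          "\tLogon ID:\t(0x0,0x6F9FAF)\n\tPrivileges:\tSeChangeNotifyPrivilege\n"),
    (528, "Successful Logon:\n\tUser Name:\tsrvadmin\n\tDomain:\tCORP\n"
          "\tLogon ID:\t(0x0,0x7A0011)\n\tLogon Type:\t2\n\tLogon Process:\tseclogon\n"),
    (576, "Special privileges assigned to new logon:\n\tUser Name:\tsrvadmin\n\tDomain:\tCORP\n"
          "\tLogon ID:\t(0x0,0x7A0011)\n\tPrivileges:\tSeSecurityPrivilege\n"
          "\t\t\tSeBackupPrivilege\n\t\t\tSeDebugPrivilege\n"),
    (528, "Successful Logon:\n\tUser Name:\tabcd\n\tDomain:\tCORP\n"  # console logon, not Run As
          "\tLogon ID:\t(0x0,0x7B2200)\n\tLogon Type:\t2\n\tLogon Process:\tUser32\n"),
]
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+):\s*(.*)$")
PRIV_RE = re.compile(r"\bSe[A-Za-z]+Privilege\b")

def parse_event(text):
    """Parse a 2003-era event body into a dict; privileges come from the 'Privileges:' line and its continuation lines."""
    fields, privileges, in_privs = {}, [], False
    for line in text.splitlines():
        if m := FIELD_RE.match(line):
            key, value = m.group(1).strip(), m.group(2).strip()
            fields[key], in_privs = value, key == "Privileges"
            line = value if in_privs else ""  # only the Privileges value holds privilege names
        if in_privs:
            privileges += PRIV_RE.findall(line)
    fields["Privileges"] = privileges
    return fields

def classify_runas_logons(events):
    """For each 528 with Logon Process seclogon (Run As), join the 576 with the same Logon ID and flag admin-type privileges."""
    privs_by_logon = {f["Logon ID"]: set(f["Privileges"])
                      for f in (parse_event(t) for e, t in events if e == 576)}
    results = []
    for event_id, text in events:
        f = parse_event(text) if event_id == 528 else {}
        if f.get("Logon Process", "").lower() != "seclogon":
            continue  # console, network and service logons are not Run As
        held = privs_by_logon.get(f.get("Logon ID"), set()) & ADMIN_PRIVILEGES
        results.append({"user": f"{f.get('Domain')}\\{f.get('User Name')}", "logon_id": f.get("Logon ID"),
                        "admin_privileges": sorted(held), "elevated": bool(held)})
    return results
```

A Run As logon with no matching 576 at all is reported as not elevated, since the lookup defaults to an empty privilege set; an admin account whose policy strips these privileges would likewise not be flagged, so group membership remains the authoritative check.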

Author

Commented:

I do not doubt you; I understand what you are saying, but I was looking for something else if possible.
I do not have a specific user in mind, this could be any domain user; I just wanted to know how to differentiate the logon process.

Well, if you need others to join in I'd suggest you add some tags to this. I gave it my best. Good luck Neil.

Author

Commented:
Thanks for your help!