Windows Server run .exe file without administrator privileges

AntonioRodrigo
AntonioRodrigo used Ask the Experts™
on
Hi,

I use Windows Server 2008 R2.

Is it possible to run .exe files without having administrator privileges? So, f.e. I copy - paste .exe file on my desktop and I am not administrator - can I run that file? What should be set to do this?


Greetings, Frenky
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
UAC will prompt you for escalation of privileges.

You could try this:

whatever.exe /runas:Administrator your_pasword
It just depends on what the exe is trying to do. If it is trying to access something that requires UAC confirmation, then you can enter admin login information or disable UAC (Definitely a bad thing to do)

Author

Commented:
Here's my situation: I will have many users and all will be coming to my server via remote desktop. They will run just one .exe file, stored on their desktop (this .exe connects with MS SQL and is doing several other things). Nothing else is allowed for those users... they don't have admin password.
Acronis in Gartner 2019 MQ for datacenter backup

It is an honor to be featured in Gartner 2019 Magic Quadrant for Datacenter Backup and Recovery Solutions. Gartner’s MQ sets a high standard and earning a place on their grid is a great affirmation that Acronis is delivering on our mission to protect all data, apps, and systems.

Rich RumbleSecurity Samurai
Top Expert 2006

Commented:
Depending on the OS, the firewall may block an outgoing attempt by your exe, otherwise as long as it's not making changes to the registry, it will run without triggering UAC. You may want to remove the ADS (alternate data streams) from the file if it prompts them that this file "may be dangerous" every time, you can use "streams.exe" from microsoft/sysinternals to remove ADS streams from files IF they're prompted every time they try to run it.
-rich
Top Expert 2016

Commented:
Putting the .EXE on the desktop is bad practice, a link on the otherwise blank desktop is better.

If the program is written to follow the Microsoft programming guidelines it should not require escalation of user privileges and should run as a standard user.

If it is requesting administrative access then one must troubleshoot the reasons why.. Actually one can create a compiled script that will launch the application as an administrator with the pertinent security credentials hidden from the user using security by obscurity.

If it is an in-house program then it needs to be modified to run properly.. if it is from an outside vendor then go after the vendor to make a properly designed version.

Commented:
Have you tried it?  Like everyone has said it depends upon what it does and what you allow the user to do, and then the file system and SQL permissions come into play for the users too.  If it needs more rights to run then for some reason then that can be looked at an amended.

Author

Commented:
I've created a simple 'Hello World' program in Console, C#, Visual Studio 2010. Same thing happens as with my original program - it doesn't run. For a very brief moment I see a sand hour and that's it - nothing happens when I click the .exe.

What can possibly cause this? Is there a way where I can see log of that?

I've also created a path rule in AppLocker to 'allowed' and path to my application. Again, with no result. Exe file simply doesn't run.
Top Expert 2016

Commented:
path rule in AppLocker to 'allowed'

did you not believe that your use of applocker might be important???

Author

Commented:
I didn't know what else to do - so I've created a rule in AppLocker and hoping that this will solve it. What should I do? Disable AppLocker? Remove the rule?
Top Expert 2016

Commented:
You added another complication that is very relevant.  We have been investigating why the UAC was kicking in and it may be Applocker that is causing the problem.

I have UAC maxed out, created a console app and a forms app "Hello World", copied these files to a subdirectory in Drive C:

logged in as a standard user AND as a Guest user and was able to execute both programs without a prompt.

Ergo: I believe it is applocker that is your problem.

Author

Commented:
I've disabled app locker process (appidsvc). Before that I've deleted all the rules and enforced new rules via console. Then I disabled app locker service...

I've also disabled dep, via console. Same result... is there a way I can see log of blocked files?

Author

Commented:
I mean, is there a log which can tell me why the application is being blocked?
Top Expert 2016

Commented:
Are you copying the files from another computer on the network? if so , then you have to right click and 'unblock' the executable.

Author

Commented:
Good one, ve3ofa. Yes, I am copying files from my local computer via remote desktop shared drives.

I've read: http://dosysadminsdream.wordpress.com/2012/01/18/windows-2008-unblock-executable-button/

What is said here is logical, but I don't see 'unblock' button:

Disable button is not showed

From the article, it says that once file is unblocked, the button dissapears (in fact, it was never there because I haven't pressed it, for sure). So it should be unblocked, but I still can not run it as non-administrator. I can run the same file as administrator.

Author

Commented:
I've tried to run the program from the network drive (as administrator) - it works without problem. Then I copied the program to Administrator's desktop and run it - it worked again.

When I sign in as non-administrator, the program works neither from network drive, neither if I copy-paste it to server's disc. So it seems that only non-admins can not run .exe files. But, where should I set the rule to allow some .exe files to be run by non-admins?
Top Expert 2016
Commented:
This is a program other than the 'hello world' ones I'm guessing.. might be trying to write somewhere it doesn't have access to.. sysinternals procmon might tell you what it is trying to access that is bringing up the uac

Author

Commented:
It's hello world program, written in C#. I wrote this program just because testing what kind of programs run / doesn't run -> and figured it out that no .exe runs on my server, if I am logged in as non-admin.

I've turned off UAC and DEP.

Author

Commented:
I've even tried with the firewall turned off. The .exe's on desktop doesn't run if I am not signed in as administrator.
Top Expert 2016

Commented:
can the user run notepad or other microsoft built in software?


On the server check the applocker event log http://technet.microsoft.com/en-us/library/ee791749%28v=ws.10%29.aspx

Author

Commented:
Yes, user can run notepad or calc.
Rich RumbleSecurity Samurai
Top Expert 2006

Commented:
Is your AV blocking, is it ZoneAlarm or another app blocking it? You can turn on event logging of processes(http://technet.microsoft.com/en-us/library/dd277403.aspx) and see if anyuthing registers in the event log. For a local policy just use "secpol.msc" on the run line and got to local policies and change the process creation tracking to success/failure.
-rich

Author

Commented:
I don't have antivirus installed. I've also turned off firewall.
Top Expert 2016

Commented:
add helloworld.exe to your applocker permitted programs and see if a user can run it.

Author

Commented:
With process monitor I was able immediately to see what was the problem. I didn't understand what 'sysinternals procmon' is, but that was the key to solve the problem. From my other post:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_27738516.html

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial