Avatar of AntonioRodrigo
AntonioRodrigo
 asked on

Windows Server run .exe file without administrator privileges

Hi,

I use Windows Server 2008 R2.

Is it possible to run .exe files without having administrator privileges? So, f.e. I copy - paste .exe file on my desktop and I am not administrator - can I run that file? What should be set to do this?


Greetings, Frenky
Windows Server 2008Windows OSMicrosoft Legacy OSMicrosoft Server OSMicrosoft Applications

Avatar of undefined
Last Comment
AntonioRodrigo

8/22/2022 - Mon
motnahp00

UAC will prompt you for escalation of privileges.

You could try this:

whatever.exe /runas:Administrator your_pasword
OriNetworks

It just depends on what the exe is trying to do. If it is trying to access something that requires UAC confirmation, then you can enter admin login information or disable UAC (Definitely a bad thing to do)
AntonioRodrigo

ASKER
Here's my situation: I will have many users and all will be coming to my server via remote desktop. They will run just one .exe file, stored on their desktop (this .exe connects with MS SQL and is doing several other things). Nothing else is allowed for those users... they don't have admin password.
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy
Rich Rumble

Depending on the OS, the firewall may block an outgoing attempt by your exe, otherwise as long as it's not making changes to the registry, it will run without triggering UAC. You may want to remove the ADS (alternate data streams) from the file if it prompts them that this file "may be dangerous" every time, you can use "streams.exe" from microsoft/sysinternals to remove ADS streams from files IF they're prompted every time they try to run it.
-rich
David Johnson, CD

Putting the .EXE on the desktop is bad practice, a link on the otherwise blank desktop is better.

If the program is written to follow the Microsoft programming guidelines it should not require escalation of user privileges and should run as a standard user.

If it is requesting administrative access then one must troubleshoot the reasons why.. Actually one can create a compiled script that will launch the application as an administrator with the pertinent security credentials hidden from the user using security by obscurity.

If it is an in-house program then it needs to be modified to run properly.. if it is from an outside vendor then go after the vendor to make a properly designed version.
Steve Knight

Have you tried it?  Like everyone has said it depends upon what it does and what you allow the user to do, and then the file system and SQL permissions come into play for the users too.  If it needs more rights to run then for some reason then that can be looked at an amended.
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
AntonioRodrigo

ASKER
I've created a simple 'Hello World' program in Console, C#, Visual Studio 2010. Same thing happens as with my original program - it doesn't run. For a very brief moment I see a sand hour and that's it - nothing happens when I click the .exe.

What can possibly cause this? Is there a way where I can see log of that?

I've also created a path rule in AppLocker to 'allowed' and path to my application. Again, with no result. Exe file simply doesn't run.
David Johnson, CD

path rule in AppLocker to 'allowed'

did you not believe that your use of applocker might be important???
AntonioRodrigo

ASKER
I didn't know what else to do - so I've created a rule in AppLocker and hoping that this will solve it. What should I do? Disable AppLocker? Remove the rule?
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
rwheeler23
David Johnson, CD

You added another complication that is very relevant.  We have been investigating why the UAC was kicking in and it may be Applocker that is causing the problem.

I have UAC maxed out, created a console app and a forms app "Hello World", copied these files to a subdirectory in Drive C:

logged in as a standard user AND as a Guest user and was able to execute both programs without a prompt.

Ergo: I believe it is applocker that is your problem.
AntonioRodrigo

ASKER
I've disabled app locker process (appidsvc). Before that I've deleted all the rules and enforced new rules via console. Then I disabled app locker service...

I've also disabled dep, via console. Same result... is there a way I can see log of blocked files?
AntonioRodrigo

ASKER
I mean, is there a log which can tell me why the application is being blocked?
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
David Johnson, CD

Are you copying the files from another computer on the network? if so , then you have to right click and 'unblock' the executable.
AntonioRodrigo

ASKER
Good one, ve3ofa. Yes, I am copying files from my local computer via remote desktop shared drives.

I've read: http://dosysadminsdream.wordpress.com/2012/01/18/windows-2008-unblock-executable-button/

What is said here is logical, but I don't see 'unblock' button:

Disable button is not showed

From the article, it says that once file is unblocked, the button dissapears (in fact, it was never there because I haven't pressed it, for sure). So it should be unblocked, but I still can not run it as non-administrator. I can run the same file as administrator.
AntonioRodrigo

ASKER
I've tried to run the program from the network drive (as administrator) - it works without problem. Then I copied the program to Administrator's desktop and run it - it worked again.

When I sign in as non-administrator, the program works neither from network drive, neither if I copy-paste it to server's disc. So it seems that only non-admins can not run .exe files. But, where should I set the rule to allow some .exe files to be run by non-admins?
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes
ASKER CERTIFIED SOLUTION
David Johnson, CD

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
AntonioRodrigo

ASKER
It's hello world program, written in C#. I wrote this program just because testing what kind of programs run / doesn't run -> and figured it out that no .exe runs on my server, if I am logged in as non-admin.

I've turned off UAC and DEP.
AntonioRodrigo

ASKER
I've even tried with the firewall turned off. The .exe's on desktop doesn't run if I am not signed in as administrator.
David Johnson, CD

can the user run notepad or other microsoft built in software?


On the server check the applocker event log http://technet.microsoft.com/en-us/library/ee791749%28v=ws.10%29.aspx
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
AntonioRodrigo

ASKER
Yes, user can run notepad or calc.
Rich Rumble

Is your AV blocking, is it ZoneAlarm or another app blocking it? You can turn on event logging of processes(http://technet.microsoft.com/en-us/library/dd277403.aspx) and see if anyuthing registers in the event log. For a local policy just use "secpol.msc" on the run line and got to local policies and change the process creation tracking to success/failure.
-rich
AntonioRodrigo

ASKER
I don't have antivirus installed. I've also turned off firewall.
Your help has saved me hundreds of hours of internet surfing.
fblack61
David Johnson, CD

add helloworld.exe to your applocker permitted programs and see if a user can run it.
AntonioRodrigo

ASKER
With process monitor I was able immediately to see what was the problem. I didn't understand what 'sysinternals procmon' is, but that was the key to solve the problem. From my other post:

https://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_27738516.html