Solved

CMD shell scripting runas

Posted on 2014-01-29
Last Modified: 2014-02-05
Below I have two statements: the first runs fine, the second gives access denied, even when I run the script "As Administrator". Both run fine when manually inserted onto the CMD line.

Any idea what I am missing? Thanks!

%windir%\system32\runas.exe /profile /env /user:domain\jdarby2 "C:\Program Files (x86)\Internet Explorer\iexplore.exe"

%windir%\system32\runas.exe /profile /env /user:domain\jdarby2 "C:\Windows\explorer.exe"
0
Question by:johndarby
21 Comments
 
LVL 15

Expert Comment

by:David L. Hansen
ID: 39818087
This may help:
http://www.youtube.com/watch?v=OGHQzg69vsg

If not, let me know. :)
0
 
LVL 1

Author Comment

by:johndarby
ID: 39818265
Thanks; I have been running as Local Admin already, but inside the script execution access to C:\Windows is restricted.
0
 
LVL 15

Expert Comment

by:David L. Hansen
ID: 39818388
I would think that you'll need to lower the UAC setting.  Sometimes it's the only way.
0
 
LVL 1

Author Comment

by:johndarby
ID: 39818401
UAC settings are set by GPO and cannot be changed without a bunch of hassle :/
0
 
LVL 1

Author Comment

by:johndarby
ID: 39818916
Update: I lowered UAC to never notify and took ownership of the \Windows directory to the LocalAdmins group; I made sure the account referred to in RUNAS is a member of the LocalAdmin group... still no love :(
0
 
LVL 15

Expert Comment

by:David L. Hansen
ID: 39818963
This is just running locally on your own machine (not through a remote session or virtual box or anything)?
0
 
LVL 1

Author Comment

by:johndarby
ID: 39819476
Yes; it is local...the error almost acts like UAC wants to prompt for elevated perms (run as Admin) and is unable to spawn the Message window. However, UAC has been turned off :/
0
 
LVL 15

Expert Comment

by:David L. Hansen
ID: 39821178
I've requested more experts on this.  Wish I had a quicker answer for you.

Just a thought: What if you referenced a shortcut to explorer instead of explorer.exe directly?

My guess is that Microsoft restricted this in an update because it proved to be a security hole (someone can, after all, do a lot of damage with explorer.exe while in the windows directory).
0
 
LVL 1

Author Comment

by:johndarby
ID: 39821293
Thanks sl8rz,

I think you're on the path...it may be some REG change necessary to execute in the form I have it above. I could go back to my initial need and see if any other method might be suggested:

I need to regularly open an explorer window with an alternate user with specific perms to remote directories.
0
 
LVL 15

Expert Comment

by:David L. Hansen
ID: 39821334
There's the crux of the matter, isn't it... opening an explorer window in someone else's profile?  I don't think that would be intentionally blocked by Microsoft, if the user has admin privileges and the other profile was not admin.  However, if the other profile is admin then I'm not so sure.
0
 
LVL 1

Author Comment

by:johndarby
ID: 39821483
Both are local admin; the "other" account is also a Domain Admin.
0
 
LVL 15

Expert Comment

by:David L. Hansen
ID: 39821629
I'll try this against both admin and non-admin; it won't surprise me if it works against the non-admin account.  If it does, then we'll know that we are dealing with a security barrier designed specifically to prevent this particular action.
0
 
LVL 1

Author Comment

by:johndarby
ID: 39822360
Thank you
0
 
LVL 15

Expert Comment

by:David L. Hansen
ID: 39822930
No joy.  I think Microsoft is purposefully trying to prevent this.
0
 
LVL 1

Author Comment

by:johndarby
ID: 39823055
I will dig a bit more
0
 
LVL 37

Accepted Solution

by:
Jian An Lim earned 1000 total points
ID: 39828658
It is called explorer /separate in Windows XP,
but in Windows 7 there is a lot of resistance.

This article explains how to do so, but use with care:
http://superuser.com/questions/290940/how-to-launch-windows-explorer-with-the-privileges-of-a-different-domain-user
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 1000 total points
ID: 39828733
If explorer is running already, you may want to kill it first for it to work as you intend from the CLI.

Might even try http://technet.microsoft.com/en-us/sysinternals/cc300361
http://social.technet.microsoft.com/Forums/windows/en-US/1798a1a7-bd2e-4e42-8e98-0bc715e7f641/unable-to-open-an-elevated-windows-explorer-window?forum=w7itprosecurity
You may want to use runas with the /NOPROFILE switch instead; you may also look at the /trustlevel switch too.
-rich
0
 
LVL 35

Expert Comment

by:Nirmal Sharma
ID: 39828911
Try these:

1st with Local Admin to see if it works:

%windir%\system32\runas.exe /profile /env /user:local_Admin "C:\Windows\explorer.exe"

2nd with cmd.exe /k switch as below:

%windir%\system32\runas.exe /profile /env /user:domain\jdarby2 "cmd.exe /c C:\Windows\explorer.exe"

2nd command isolates two commands to be executed in its own area.

Try and let us know.
Sys.
0
 
LVL 16

Expert Comment

by:gurutc
ID: 39829442
Hi,

Our GPOs are very locked down as well.  Even when logged in as a local admin and starting using "run as administrator" you're going to have issues if... your scripts are on the C: drive. UAC is a bear about running scripts from C:.  Try them from the D: drive and see if that works.  Also, using the /env and /profile switches will also break things because they'll try to write the temp info to the user's profile folder temp location - which is on the C: drive.

Not promising this is your issue, but it's dinged us in the past.  We get around this by using Sysinternals psexec to launch things like explorer with the -h switch to elevate, the -s switch to use system impersonation, and the -w switch to force the working directory to somewhere not on C:.

Good Luck,
- gurutc
0
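A diagnostic batch file that collects the facts the suggestions above depend on (added example, not part of any post in this thread): whether the script's token is elevated, which accounts already own an explorer.exe process, where the script and TEMP live, and what a /noprofile launch returns. DOMAIN\someuser is a placeholder account, and the findstr filters assume English-language tool output.

```batch
@echo off
setlocal
rem Added example. TARGET_USER is a placeholder; replace it with the real account.
set "TARGET_USER=DOMAIN\someuser"

rem 1. Is this script's token elevated? S-1-16-12288 is the High Mandatory Level SID.
whoami /groups | findstr /C:"S-1-16-12288" >nul
if errorlevel 1 (
    echo [i] Script token: NOT elevated
) else (
    echo [i] Script token: elevated
)

rem 2. Where does the script live and where will temp files go?
rem    Relevant to the point about scripts and profile temp folders on C:.
echo [i] Script folder: %~dp0
echo [i] TEMP folder:   %TEMP%

rem 3. Which accounts already own an explorer.exe process?
rem    Relevant to the suggestion to stop a running Explorer before the launch.
echo [i] Existing explorer.exe processes:
tasklist /V /FI "IMAGENAME eq explorer.exe" /FO LIST | findstr /B /C:"PID" /C:"Session#" /C:"User Name"

rem 4. Trust levels that runas /trustlevel accepts on this machine.
echo [i] Available trust levels:
runas /showtrustlevels

rem 5. Attempt the launch without loading the profile or copying the environment.
rem    runas prompts for the password of TARGET_USER.
runas /noprofile /user:%TARGET_USER% "%windir%\explorer.exe"
echo [i] runas exit code: %errorlevel%

endlocal
```

Run it once from a normal prompt and once from an elevated prompt and compare the output before changing UAC or ownership settings.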
 
LVL 1

Author Closing Comment

by:johndarby
ID: 39835791
Thank you all! The reg edit worked. :)
0


Question has a verified solution.
