Standard User start a program to Run As Administrator - Windows 8.1 and Windows 10

First, let me be very clear about this as there are multiple contexts possible:

- the logged-in user is a Standard User and not an Administrator User (who would have to do the same thing as below)
- the program to be started would be like "cmd.exe" and the general intent would be to start it with "right click / run as administrator".
- the logged-in user won't have an Administrator user password.

In researching this, I started down the path of using this in a desktop shortcut:
C:\Windows\System32\runas.exe /user:[computername]\[administratorusername] /savecred "C:\Windows\System32\cmd.exe"

(I found this interesting but wasn't able to figure out how to use the Task Scheduler for the purpose sorta described.  I've used the Task Scheduler plenty enough but this description didn't just jump out at me.)

Now, of course, this does work.  The first run of it comes up with a command prompt asking for the [administratorusername] password (which would presumably be typed in by someone setting up this computer and who *would* know the password).
Given the password, it stores a Windows credential for that [administratorusername].
The Windows credential shows the Administrator name that was used but the password is not visible.

Alternately, one might think that one could simply go into Credentials and set up a Windows credential for an Administrator User.  But this doesn't seem to correspond with the credential entry created by using runas .. above.

Doing it either way, the problem may be with this is that the same credential can now be used for just about anything.  Is that correct?  If so how?  I refer to:
http://superuser.com/questions/581548/runas-savecred-ask-for-password-if-another-user-runs-the-same-batch-file

I tried doing it both ways and found that a rather different credential was set up using /savecred.  It works thereafter without a password.
But, if I create a Windows credential with the same information, then /savecred doesn't work and asks for a password AND sets up a new credential.
This leads me to believe that the initial concern in bold italics above may not be a concern at all.

We want to have Standard User logins.
We are forced to start one of the programs "run as administrator".
We don't want to provide an Administrator login info to the user.
LVL 27
Fred MarshallPrincipalAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

JohnBusiness Consultant (Owner)Commented:
A standard user CANNOT start cmd.exe without the Admin password. No way around that, so case closed on this one.

You can start an admin task in Task Scheduler. There are conditions for when to start the task, and the Administrator will have to enter admin credentials and save it. This should work. Again, a standard user cannot do this.
Fred MarshallPrincipalAuthor Commented:
A standard user CANNOT start cmd.exe without the Admin password. No way around that, so case closed on this one.
John: Well, that's the whole point of this question - since it CAN be done.  The question is how to do it safely?
And, I am interested in figuring out how to do it with the Task Scheduler but I'm more convinced that's not necessary.
JohnBusiness Consultant (Owner)Commented:
I have never seen cmd.exe opened as Admin with a standard user. If you have seen it done, please post the steps.

If one opens cmd.exe as administrator, one can open poweshell as admin and do whatever they want.

Alternately, one might think that one could simply go into Credentials and set up a Windows credential for an Administrator User.

I have not seen that done for use by standard user. If it could be done, there would be no security because any standard user could run any program.

If you need to regularly run a program on a domain-connected workstation as administrator, you can use Power Broker by Beyond Trust.

http://www.beyondtrust.com/PowerBroker-Desktops-Windows-Edition.aspx?section=PowerBroker-Desktops-Windows-Edition
Acronis True Image 2019 just released!

Create a reliable backup. Make sure you always have dependable copies of your data so you can restore your entire system or individual files.

JohnBusiness Consultant (Owner)Commented:
You can try http://www.robotronic.de/runasspcEn.html 

See:  

http://www.experts-exchange.com/questions/28715062/Run-program-with-Admin-privilege-in-domain-user.html#a41048864

It is not as secure as Power Broker.

However you do it, you do NOT want standard user wrecking their computers and that is a very real risk.
Fred MarshallPrincipalAuthor Commented:
Perhaps the structuring of my question wasn't clear.  In addition to the tools suggested, I listed two methods suggested that work within Windows:

1) Use a special shortcut icon on the desktop (or wherever).

2) Use the Task Scheduler.  I've not been able to figure out this one completely.  I do know how to use the Task Scheduler pretty well but doing this one thing leaves me wondering.
At issue with this one (for me) is that I want to launch an app with Administrator privileges.  It seems to me that this is *different* than starting the same app "as a User in the Administrator group".  
The distinction comes to mind because: If you log into the OS as an Administrator type user and then launch cmd.exe, you don't have Administrator privileges within this app.   You have to go the extra step of right-clicking and selecting "Run as Administrator" which, as I understand it, means "run this program with Administrator privileges".

So, I'd appreciate some discussion regarding #2.

As far as #1 goes, the solution seems fairly well-known.  Nonetheless, I've written a paper to describe it to people who are less technically advanced.  I've attached the first draft here.
I repeat here what I said (in bold) initially:
..the problem may be with this is that the same credential can now be used for just about anything.  Is that correct?


The idea here is NOT to create a "cmd.exe as Administrator" icon that a Standard User could launch.
cmd.exe just happens to be an easy app to use for development and testing of approaches.
The target app would be something else.

My testing so far seems to suggest this for #1:
You can set up an (apparently) appropriate credential by going to the Credential Manager / Windows Credentials.  But this won't bypass the requirement for entering the password on the first use of the shortcut.  In fact, it sets up a separate credential that's different and that has attributes that aren't "settable" by using the Credential Manager dialogs.
I have come to the belief that #1 is NOT susceptible to abusing the credential it creates.  But I remain open to suggestions to the contrary.
That's why I cited:
http://superuser.com/questions/581548/runas-savecred-ask-for-password-if-another-user-runs-the-same-batch-file
Icon-to-Run-as-Administrator.pdf
JohnBusiness Consultant (Owner)Commented:
For number 1, there is no way I know of to run cmd.exe as Admin without compromising the machine. Your link does not help me here. You would compromise credentials trying to do this. As pointed in the link, you create a security risk.

For number 2, you can use Admin Credentials (admin must enter the credentials) to make a task run as administrator. That will work, but an actual administrator must enter the password.
JohnBusiness Consultant (Owner)Commented:
This question comes up over and over again here. People believe standard users can be  admins without credentials. Basically, you cannot.

Consider Power Broker.
Fred MarshallPrincipalAuthor Commented:
John Hurst:  

I don't know which "people" you are referring to.  I certainly don't believe that "Standard Users can be admins without credentials".   So, if that's the impression you have then perhaps you should consider where that impression came from?  Perhaps I misspoke.
(What I do believe and have proven for myself, as others have done, is that a Standard User can be enabled to launch an application and that the *application instance* can have Administrator privileges).

You point out that giving Administrator privileges to cmd.exe is dangerous.  I certainly agree.  
I carefully pointed out that cmd.exe was simply an example for development and testing and NOT as an intended target for accomplishing the objective.  Obviously though, it is possible while not recommended.  Whatever security risks are involved would seem to be wrapped up in the application instance that has Administrator privileges.

You are well advised to point out the security concerns.  One must weigh the need vs. the danger in the context of any application to apply this to.

I am dealing with a situation where the choices are:

1) All user logins are for Administrators.  We want to avoid this.

2) Normal user logins are for Standard Users.  This is what we want.

  2a) Standard users could ask a supervisor to launch their main application each and every time it's being launched so that the app could be run "as Administrator" as is required for it to work, by the supervisor providing the Administrator password each time (which is not only inconvenient but also not very good for password security).

  2b) Standard users (without having an Administrator password) would have a shortcut icon that would launch the application "run as Administrator" so the application privileges would be as they must be.  The password information is hidden in the Credentials stored for this purpose.  Presumably this is where the 3rd party tools come in.
JohnBusiness Consultant (Owner)Commented:
I have not seen any third party tool break the credential manager in Windows 8 or 10. If it were that simple, all standard users would by now be administrators.
Fred MarshallPrincipalAuthor Commented:
The 3rd party tool I was referring to was Power Broker on your advice....  It appears it would accomplish the same thing in the context of (2b).  Note that (2b) is a *requirement* and not an *approach*.
JohnBusiness Consultant (Owner)Commented:
Power Broker is a professional tool based on a methodology like GPO's. I am not sure how it hooks in or if/how Microsoft may have assisted.

I thought your were referring to other tools.
Fred MarshallPrincipalAuthor Commented:
I would like to get back to the core questions here that I outlined above in ID: 41052144
1) Is there general agreement that using the described shortcut icon does/does not create a general-purpose credential that can be used to elevate the privileges of ANY application?  At the moment, based on limited testing, I believe it does not - which is in contrast to the assertion found at: http://superuser.com/questions/581548/runas-savecred-ask-for-password-if-another-user-runs-the-same-batch-file
Maybe the operating system versions treat this differently?  That could be an explanation but I don't care if Windows 8 and 10 are OK.

2) If one is going to use the Task Manager to accomplish the same objective then is my concern regarding running the app as a particular User vs. running the app with particular elevated privileges an issue? See ID:41052144 under (2) near the beginning.  I can see that doing the former is clearly possible.  I'm not sure how to do that AND the latter.  cmd.exe would be an example of the difference.
The only thing I can imagine is that:
  IF one launches an application using Task Scheduler using an Administrator user
  THEN the application also gets privileges as if "run as Administrator" were selected
  ... but how?
JohnBusiness Consultant (Owner)Commented:
Task Scheduler runs Tasks as Administrator based on condition such as Startup

You cannot use Task Scheduler to launch a regular on-demand application.

Things like Anti Virus and some other tools need admin credentials to start and Task Manager can do that.
JohnBusiness Consultant (Owner)Commented:
I think even Power Broker is having some issues with Windows 10 because of enhanced security.

http://blog.beyondtrust.com/what-beyondtrust-has-to-say-about-windows-10
Fred MarshallPrincipalAuthor Commented:
Actually, you can use Task Scheduler to launch a regular on-demand application.  That's what's being done here.  Launching a batch file is a good example.

I have backup systems running with a fair bit of debug logging involved.  They work like this:
- The task scheduler launches a .bat file on schedule.
- The .bat file launches another, generic, .bat file for logging.
- The .bat file launches the backup application profile.
- The backup program profile runs.
- When done, the backup program profile launches another .bat file for logging.
- When done, the backup program sends a brief email report.
So, I would call the original .bat file an on-demand kind of application.  It can also be run on-demand of course.
JohnBusiness Consultant (Owner)Commented:
The task scheduler launches a .bat file on schedule.

I perhaps did not express myself correctly.

The options in my task scheduler require a trigger. If you have a trigger available, then yes. Otherwise, I don't think you can start an arbitrary application whenever by "something like" "task scheduler Excel" to run Excel as Administrator.

 Windows-10-Task-Scheduler
Fred MarshallPrincipalAuthor Commented:
I now believe from further testing results that the Windows Credential that's saved for the particular Administrator account is perfectly (or not so perfectly) usable for any other shortcuts.  

That was an original concern that, for a time, seemed to not hold.  

Since it appears that it is the way things work, that *is* a security concern but not one that's as bad as running under an Administrator login.  It narrows the scope of "bad guys"  more to the local scene it seems to me.

Experiments with the Task Scheduler continue and inputs are always welcome.

Other notes:
Most  programs seem amenable to this treatment.  However, in Windows 8.1 and Windows 10, doing it with regedit or regedt32 appears to not work.  They can be opened without it.  They can be "run as Administrator" from their native icons.   I haven't tested nor know how much can be done once it's running in either mode.
JohnBusiness Consultant (Owner)Commented:
regedt32 appears to not work.  They can be opened without it.  They can be "run as Administrator" from their native icons.

A standard user cannot run regedit as Administrator. I have never seen that done in Windows 7 or above.

I do not understand your examples and conclusions.
Fred MarshallPrincipalAuthor Commented:
John Hurst:  If you use the Task Scheduler "Create Basic Task" wizard then you are forced to select one of those Triggers.  Unfortunate.....
If instead you use the Task Scheduler "Create Task" alternative, you can just skip the Trigger altogether leaving it blank.
Then you can just RUN the "scheduled" task.
That will open Excel or .... whatever.
JohnBusiness Consultant (Owner)Commented:
So you are saying you can skip a trigger, and RUN as ADMINSTRATOR so task and it WILL NOT prompt for credentials.

I tried what you said and I had to authenticate.
JohnBusiness Consultant (Owner)Commented:
I think we are going in circles here.

Can you run a program that require administrative authority without admin credentials? Please say YES or NO.

I cannot.
Fred MarshallPrincipalAuthor Commented:
John Hurst sez:
A standard user cannot run regedit as Administrator. I have never seen that done in Windows 7 or above.
 I do not understand your examples and conclusions.

Respectfully, a little vignette:  
When we first started watching the TV series "24", our daughter told us that we would need to "suspend our disbelief".  Good advice at times.  :-)

Regarding running regedit.exe, here are the results I observed today on Windows 8.1 and Windows 10 logged in as a Standard User:
  1) regedit would open without any special treatment.
  2) regedit would open from a normal shortcut icon using right click |"run as Administrator".  I was surprised.
  3) regedit would NOT open from a shortcut icon built using runas.exe ..... etc. with a Windows Credential for the Administrator already set up and working with other programs - including cmd.exe
JohnBusiness Consultant (Owner)Commented:
I would like to get back to the core questions here that I outlined above in ID: 41052144

Standard User start a program to Run As Administrator    <-- You may be able to use Power Broker, but otherwise, it cannot be done securely as Standard User
Fred MarshallPrincipalAuthor Commented:
So you are saying you can skip a trigger, and RUN as ADMINSTRATOR so task and it WILL NOT prompt for credentials.
 I tried what you said and I had to authenticate.
I am saying you can skip a trigger.  That was the issue.  Whether the scheduled task will run without prompting for credentials is subject to how it's all constructed.  AND, I've still not learned how to get through that construction.  So, I don't know.

I think we are going in circles here.
 Can you run a program that require administrative authority without admin credentials? Please say YES or NO.
 I cannot.
That's a bit of a tricky question because it mixes together what really happens.  
YES: you can run a program as a Standard User that requires "run as Administrator" to work properly without the Standard User at the controls being involved in providing the Administrator credentials.
and
NO: you can't in the broader context run that program without the credentials.  Someone having an Administrator username and password has to establish the Windows Credential for that purpose.  Using the shortcut icon method which uses runas which stores a credential on the first run.  
All that detail precedes....
Just to be picky, I'd probably not say "a program that requires administrative authority" but, rather "a program with elevated privileges" because I can't be so sure of the "the program" in a broader context.  It could have other requirements or hooks that I can't vouch for.
JohnBusiness Consultant (Owner)Commented:
I set up a Standard User in Windows 10 and yes, regedit opens. But you CANNOT change anything, so what is the point?

I am saying you can skip a trigger. .....  Whether the scheduled task will run without prompting for credentials is subject to how it's all constructed   <--- Yes of course, but if the program is constructed to require admin credentials (which is what we are talking about), then admin credentials must be supplied.

I am getting frustrate because you are not addressing questions to the conclusion. And it is at the conclusion where you need admin credentials and that is where we started.

I work with a lot of standard user system and I normally must enter admin credentials, but sometime I must even log in as administrator. I CANNOT just carry on as a standard user.

So I will say no more until you post a proof that you ran a program that requires admin credentials but ran it instead as a standard user and it did all the functions you needed.
McKnifeCommented:
Fred, by now, you yourself have even written an article about this. The article shows, you haven't yet understood the risks connected to using /savecred.
Using savecred, the user or any malware that he starts, can run anything with admin credentials - anything! So you cannot recommend savecred if security matters.
Fred MarshallPrincipalAuthor Commented:
McKnife: In the current version of the article I point out that once the Windows Credential is created using runas and /savecred then any other shortcut can use that credential.  That seems a fairly serious caveat.
It appears that you place using /savecred with a Standard User as being equally dangerous to logging in as an Administrator user.   "any malware" seems a bit thin to me.  Can you elaborate on the difference?  It seems to me that there is a difference but I'm not saying that I have a strong position on this.

John Hurst:  I am trying to address your questions as they come up.  It seems like some important information got lost in the shuffle.  Did I get it wrong?  
- It seems to me that you said that a Standard User *could not* launch a program with "run as Administrator".  
- Now I believe you're saying "otherwise, it cannot be done securely as Standard User ".  That's obviously not the same thing.  So we should be clear about this.  

I work with a lot of standard user system and I normally must enter admin credentials, but sometime I must even log in as administrator. I CANNOT just carry on as a standard user.
I don't doubt it.  Who suggested otherwise?

I assert without further proof (because the instructions are so clearly written) that a Standard User *can* launch a program with "run as Administrator" using the instructions provided.  Whether this should be done or allowed is still in discussion.  But its' clear that it can be done.

I didn't and won't assert that a Standard User can launch a program this way "securely" because that requires further definition.  What may be "secure enough" for one situation may not be "secure enough" for another and it seems it would be a bit subjective.  All I said was that the Standard User / person would not know the Administrator password in order to use the mechanism.

That the use of /savecred may be a fairly big issue is worthy of illumination as I've asked McKnife and asked in the original question.
McKnifeCommented:
"It appears that you place using /savecred with a Standard User as being equally dangerous to logging in as an Administrator user" - not that dramatic, no. But if malware was intelligent enough to test the presence of a saved credential, you are lost. It would simply need to execute another runas /savecred command.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
JohnBusiness Consultant (Owner)Commented:
Fred - I have nothing more to offer. So far as I know, you cannot do what you are proposing in a secure manner.  

I have unsubscribed.
Fred MarshallPrincipalAuthor Commented:
OK.  To summarize:

I originally asked:
Doing it either way, the problem may be with this is that the same credential can now be used for just about anything.  Is that correct?  If so how?  I refer to:
http://superuser.com/questions/581548/runas-savecred-ask-for-password-if-another-user-runs-the-same-batch-file
It appears that McKnife has answered this question.  And, I've confirmed it in testing as well.  The problem that "may be" is indeed a problem to be aware of.

I also asked (it appears rather poorly) for guidance on how to do this using the Task Scheduler.  No answers on that one.  I still don't know how to do it.  I guess I could launch a few more experiments.

Thanks everyone for helping wade through this!
I'm sorry I brought up cmd.exe as that wasn't the focus of this.
I'm sorry I brought up regedit as that also wasn't the focus of this.
I'm going to ask another related question directly.  Stay tuned.
McKnifeCommented:
"I also asked (it appears rather poorly) for guidance on how to do this using the Task Scheduler.  No answers on that one." - your answer:
Task scheduler cannot be used to let users interact with programs that run under different credentials. Interaction means using a graphical interface. This is just not possible because it would be insecure. What task scheduler can indeed do is let users start something as another user non-interactive (invisible in the background). That's the reason why people would only use it for scripts.
Example: Joe is a non-admin. I'd like to let Joe set 2 network profiles, one for home wifi (DHCP) and one for work (fixed IP). I will setup 2 scheduled tasks running as system account (highest possible rights) and let the task execute a batch that sets the IP (using netsh.exe). Then, I'll change the access rights (ACL) of that task so that Joe may execute it but not change it. Last step: I create a desktop shortcut to run each task. That way is secure. Doing it interactive would be insecure.
Fred MarshallPrincipalAuthor Commented:
Thanks again!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 8

From novice to tech pro — start learning today.