Solved

Run Internet Explorer as an administrator from CMD

Posted on 2016-10-14
77 Views
Last Modified: 2016-10-20
Here's the situation. My company recently purchased Topaz ClipGems for our end users to use when having members sign documents that are accessed on a third party's website that is only compatible with Internet Explorer.  Virtually all of the ClipGems were deployed and are functioning without issue, however there are a few that aren't working. When they access the website to sign documents it says that no signature capture device was detected. After literally weeks of troubleshooting, uninstalling and reinstalling the software and copying configuration files from working computers with no luck I finally broke down and called Topaz to get their assistance. After a couple of hours we discovered that if we right click on IE and select 'Run as an Administrator' that the ClipGems worked just fine.

Unfortunately, in order to Run IE as an Administrator you either have to be an administrator on that computer, which we don't want our end users to be, or we need to be able to enter administrator credentials, which we don't want our end users to have. Let me also note that even when I try to get the ClipGem to work while signed on with my administrative credentials I still need to right click and select Run as an Administrator or I get the same error that the end users are getting and it won't work.

I'm one step away from just wiping the computers and starting them over from scratch, but before I did that I figured I'd attempt one more work around. I was attempting to write a script that the end users could run that would open IE as an administrator by using:

%systemroot%\system32\runas.exe /user:techadmin /savecred "C:\Program Files\Internet Explorer\iexplore.exe"

Unfortunately this just opens IE using the administrative credentials of techadmin, which isn't the same as using techadmin's administrative credentials to be able to right click Internet Explorer and select 'Run as an Administrator'.

It seems like there must be a way to write a script and place it on the end users' desktops that they can double click on which then uses the administrative credentials of our techadmin account to basically 'right click' on IE and select 'Run as an Administrator'.  This script would also have to save the password to techadmin so that they wouldn't have access to it. Any suggestions would be most appreciated.
Question by:OCCU
20 Comments
 
LVL 90

Expert Comment

by:John Hurst
ID: 41844456
You can run IE as Administrator but you must have Admin credentials to do it. There is no other way.

However wiping out the OS and starting over won't change the authorities required so then why do that?  The need to reinstall was not clear.
0
 

Expert Comment

by:Kris Taylor
ID: 41844479
The saved cred is not an issue unless you have UAC enabled, which in this case you do.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41844487
UAC should always be enabled. Disabling UAC is worse than making regular users into Administrators.
0
 

Expert Comment

by:Kris Taylor
ID: 41844491
"UAC should always be enabled"
This comment is not correct; it depends on the environment. In a domain of 1000 end users, yeah, fair enough, but in some cases UAC is required to be disabled.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41844493
I AM correct. UAC should never be disabled. Utterly silly to do such a thing.
0
 

Author Comment

by:OCCU
ID: 41844494
Like I was saying, but maybe not very clearly, by using %systemroot%\system32\runas.exe /user:techadmin /savecred "C:\Program Files\Internet Explorer\iexplore.exe" the non-administrator end user is able to open IE with the administrative credentials of the techadmin user; however, this isn't the same as using the techadmin credentials to actually select to 'run IE as an administrator'. If this script can use techadmin's administrative credentials to open IE, why wouldn't it be able to use the administrative credentials of the techadmin user to actually 'Run Internet Explorer as an administrator'?
When I sign on with my administrative credentials I still need to right click on IE and select 'Run as an Administrator' for this to work. So it isn't enough to just run IE using an account with administrative credentials, you actually have to use an account with administrative credentials to right click on IE and select Run as an administrator.

As for what would wiping the computer and starting over accomplish? That is a very good question, all I know is that 95% of the devices that I have deployed are working flawlessly. The ones that aren’t working are on virtually identical computers running identical software as the ones that are working.  Since we have upgraded to Windows 10 a few months ago we have been noticing issues like this quite often.  All I know is I have three computers that aren’t able to use this device and I need to find a way to get them up and running, but I’m really out of ideas…
0
 

Expert Comment

by:Kris Taylor
ID: 41844497
Can you run Process Monitor on iexplore.exe and see where it is failing?
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41844499
So it isn't enough to just run IE using an account with administrative credentials, you actually have to use an account with administrative credentials to right click on IE and select Run as an administrator

Even if you are the administrator of the machine you at least have to OK the action (UAC request).
If you are not the administrator, then you must enter admin credentials. You would have to enter credentials after running your script.

Since we have upgraded to Windows 10 a few months ago we have been noticing issues like this quite often.  

That is a different question and if you are having issues, yes, reinstalling from the Media Creation Link and keeping everything can be a good step.
0
 

Author Comment

by:OCCU
ID: 41844513
So when the non-administrative end user runs the script that contains the \system32\runas.exe /user:techadmin /savecred it only prompts for a password once, and then every time after that it opens IE without prompting for a password again.
But what you're telling me is that while it is possible to have the end user run that script to open IE using techadmin's credentials without having to enter a password, except for the first time, there's no way for the end user to be able to run a script that uses techadmin's credentials to Run IE as an Administrator?
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41844515
It will only run for the end user if the credentials are for a user who is a member of the administrators group
0

Author Comment

by:OCCU
ID: 41844531
Yeah, the techadmin user is a member of the administrators group which is the credential I'm using in that code. I tested that script again with a non-administrator running it and it worked just fine, prompted me once for the password for the techadmin user and that was the only time it prompted. Now if only there was a way to accomplish 'Run as Administrator' from the command line.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41844534
I will keep looking for that. I have not yet seen such a method.

It is not as easy as a single line script to turn a secured system into an unsecured system. Microsoft security is stronger than that.
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 41844670
Disabling UAC, and using your script, are not options.
What your script doesn't do is enable the administrator token; it still starts IE as a user. You would have to play with the auto-elevate options in the UAC options that are available either in GPO or in local security policy.

You say it works fine on some systems, but on the recalcitrant ones only Run as administrator works. So what is the difference between the ones that work and the ones that don't? Have you tried running the software in compatibility mode (Windows XP)?
0
 
LVL 14

Accepted Solution

by:Giovanni Heward (earned 500 total points)
ID: 41844680
I've tested this as working using elevate on Windows 10.

@%windir%\system32\runas.exe /user:techadmin /savecred "elevate.exe -w \"C:\Program Files\Internet Explorer\iexplore.exe\""



That being said, this creates many security risks.  Your techadmin password can be dumped in clear text using Mimikatz, and a user need simply modify your command line to escalate their privileges to techadmin.

For example:
runas /user:techadmin /savecred "%comspec%"


This would give them an administrative privileged command prompt.

Additionally, IE is now running at a High integrity level instead of Low, which means increased privileged access to your system should IE be exploited.

High   - Administrative (Process can install files to the Program Files folder and write to sensitive registry areas like HKEY_LOCAL_MACHINE.)
Medium - User (Process can create and modify files in the user's Documents folder and write to user-specific areas of the registry, such as HKEY_CURRENT_USER.)
Low    - Untrusted (Process can write only to low integrity locations, such as the Temporary Internet Files\Low folder or the HKEY_CURRENT_USER\Software\LowRegistry key.)
See https://msdn.microsoft.com/en-us/library/bb250462(v=vs.85).aspx
0
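The difference the author keeps running into (a process started under techadmin is still "not elevated") can be made visible from inside the process. The PowerShell script below is an added example; it is not from the original thread, from Topaz, or from the elevate tool. The script path C:\Tools\Show-Token.ps1 is an assumption, and techadmin is the account name from the question. Launch it from a standard user's session once through plain runas and once through a "Run as administrator" PowerShell (entering techadmin's credentials at the UAC prompt), then compare the two outputs.

```powershell
# Added example (not from the original thread or from Topaz). Reports, from
# inside a process, whether it holds the full administrator token or the
# UAC-filtered one. Assumed: script saved as C:\Tools\Show-Token.ps1;
# techadmin is the account from the question.
#
# Launch 1 (plain runas, no elevation):
#   runas /user:techadmin /savecred "powershell.exe -NoExit -ExecutionPolicy Bypass -File C:\Tools\Show-Token.ps1"
# Launch 2: right-click powershell.exe, Run as administrator, enter techadmin's
#   credentials at the UAC prompt, then run C:\Tools\Show-Token.ps1 in it.

function Get-TokenElevationState {
    # whoami lists every group SID on the process token together with the
    # mandatory integrity label and each group's attributes.
    $rows = whoami /groups /fo csv | ConvertFrom-Csv

    $label  = $rows | Where-Object { $_.Type -eq 'Label' }        | Select-Object -First 1
    $admins = $rows | Where-Object { $_.SID  -eq 'S-1-5-32-544' } | Select-Object -First 1

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity

    $level = if ($null -ne $label) { $label.'Group Name' } else { 'unknown' }

    [pscustomobject]@{
        User           = $identity.Name
        # "Mandatory Label\Medium Mandatory Level" on the filtered token,
        # "Mandatory Label\High Mandatory Level" after elevation.
        IntegrityLevel = $level
        # UAC keeps BUILTIN\Administrators on the filtered token but marks it
        # "Group used for deny only": it can deny access, never grant it.
        AdminsDenyOnly = ($null -ne $admins) -and ($admins.Attributes -match 'deny only')
        # IsInRole honours that flag: False on the filtered token even though
        # techadmin is in Administrators, True only in the elevated process.
        IsElevated     = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

Get-TokenElevationState | Format-List
```

Under launch 1 the report shows Medium integrity, AdminsDenyOnly True and IsElevated False: runas did log techadmin on, but UAC handed the new process the filtered token, which is why the ClipGem plug-in still cannot reach the device. Under launch 2 it shows High, False and True. The same three fields explain Giovanni's warning: an IE started through the elevate.exe wrapper runs at High instead of the Low/Medium it normally gets, so anything that exploits it inherits that level.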
 
LVL 53

Expert Comment

by:McKnife
ID: 41844893
I am joining to share some clear words:

When using runas /savecred, the credentials are not saved for one app only; instead, the user can use administrative credentials with all apps that he chooses to start with runas. If he starts malware, malware could probe for savecred and simply elevate itself. There have been holes before that circumvent UAC and I guess there will still be some. Microsoft explicitly says UAC is no security boundary, and Microsoft will not consider it a vulnerability if UAC fails to do what it should do.

In other words: that workaround of yours is dangerous and should not be considered unless security is no important factor in your network.

The technical reason for the phenomenon (running as admin but still not elevated) is solved by what Giovanni Heward wrote. You'd need to trigger elevation either through elevate.exe or using an account that auto elevates even with UAC on - that would be the built-in (yet disabled by default) account "administrator".

The only recommended thing is to tell the software manufacturer that they didn't warn you that this program is not compatible with non-admin usage and therefore will need to provide a real fix.

One last note: there are programs that overcome such difficulties and let admins select what programs a user might start elevated and even in a secure manner. They cost quite a lot of money. I will link one: https://www.beyondtrust.com/products/powerbroker-for-windows/
0
 

Author Closing Comment

by:OCCU
ID: 41847134
Thanks for your help and recommendations
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41847256
Allow another comment on Giovanni's mimikatz fear: of course mimikatz can only be used if you are admin already, so no external attacker can exploit savecred credentials "just like this", unless he again uses /savecred to elevate AND
A  UAC is off, or
B  UAC is indeed flawed (possible, but no indication on Win10 yet).

I can only repeat that using the selected solution (of which savecred was a mere proposal, but no recommendation) is dangerous. It would be by far better if you did not use savecred but instead use psexec. Steps:

1 download psexec
2 activate the built-in local administrator account with a complex password
3 create a script that goes:
psexec -u administrator -p complexPasswordhere "C:\Program Files\Internet Explorer\iexplore.exe"



Big advantage: Generic malware has no knowledge of that script.
You could also deploy a scheduled task that does not even openly show the password like the script would.

Still, these are workarounds to a problem that the software manufacturer has caused and should be able (and be forced) to fix by making it compatible with restricted accounts.

I would like to know what you plan to do now. I am always interested in the decision making process when it comes to security questions.
1
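Giovanni's and McKnife's warnings come down to two checks an administrator can run on the affected workstations: which credentials a user's runas /savecred has already cached (any of them can be replayed with runas against any program, not just IE), and whether the policy that blocks saving them and the UAC settings are in place. The PowerShell audit below is an added example, not from the original thread or from any of the tools mentioned. Run it in the standard user's own session, not from an elevated prompt, because the credential vault is per user and an elevated prompt would show techadmin's vault instead. techadmin is the account name from the question, and the target string in the remediation comment is constructed.

```powershell
# Added example (not from the original thread). Audits one user's session for
# the exposure described above: credentials cached by runas /savecred can be
# replayed by any program that user starts with runas. Run as the standard
# user. techadmin is the account name from the question.

function Get-SavedRunasCredential {
    # cmdkey /list prints one block per stored credential, e.g.
    #     Target: Domain:interactive=WORKSTATION\techadmin
    #     Type: Domain Password
    #     User: WORKSTATION\techadmin
    # runas /savecred stores its entries under the Domain:interactive= prefix.
    $target = $null
    foreach ($line in (cmdkey /list)) {
        if ($line -match '^\s*Target:\s*(.+)$') {
            $target = $Matches[1].Trim()
        }
        elseif ($line -match '^\s*User:\s*(.+)$' -and $target) {
            [pscustomobject]@{
                Target          = $target
                User            = $Matches[1].Trim()
                # True means "runas /user:<User> /savecred <anything>" will
                # start <anything> as that user without a password prompt.
                RunasReplayable = $target -like 'Domain:interactive=*'
            }
            $target = $null
        }
    }
}

function Get-ElevationPolicyState {
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    [pscustomobject]@{
        # Policy "Network access: Do not allow storage of passwords and
        # credentials for network authentication" = 1; runas /savecred can
        # then neither store nor reuse a password.
        SavedCredsBlocked   = ($lsa.DisableDomainCreds -eq 1)
        # EnableLUA = 0 switches UAC off; every admin logon gets the full token.
        UacEnabled          = ($uac.EnableLUA -eq 1)
        # 0 = elevate without prompting (the auto-elevate setting), 1-5 = prompt.
        AdminPromptBehavior = $uac.ConsentPromptBehaviorAdmin
        # 0 = standard users' elevation requests are refused outright.
        UserPromptBehavior  = $uac.ConsentPromptBehaviorUser
    }
}

Get-SavedRunasCredential | Where-Object RunasReplayable | Format-Table -AutoSize
Get-ElevationPolicyState | Format-List

# Remediation for each finding (constructed example target name):
#   cmdkey /delete:Domain:interactive=WORKSTATION\techadmin
```

A workstation where the first table is empty, SavedCredsBlocked is True and UacEnabled is True is one where the /savecred workaround cannot be replayed; deleting the entries only helps for as long as the script on the desktop is not run again, so the policy is the durable control. The psexec variant above trades this problem for a different one, the plaintext password in the script or task, and the same audit does not see it.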
 
LVL 90

Expert Comment

by:John Hurst
ID: 41847344
The answer will just turn the machine into an unsecured mess. Author will be back soon "What happened to my computer?"
0
 

Author Comment

by:OCCU
ID: 41853130
Thanks for all the help and suggestions, we have decided to pull the problematic computers, wipe them and then reimage them and this appears to be resolving the issue. Thanks again!
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41853315
Surprising.
0
