1

I'd like to use 'psexec' over a lan to run a command as another user that is logged on the system at the same time.

In other words: I want to use 'psexec' with the built-in Administrator account credential to run a program on Bob's desktop. This program needs to believe it was launched by Bob using his credentials. Since I'm using the Administrator account I'd like to bypass the need for Bob's password to do this (with 'runas', maybe).

Edit 1

Clarifications:

I've already got access to the system, since I own the Administrator account.

I don't feel like having an agent/service/exe running at all times in the background.

This is a home setup.

I was thinking of something like this: http://reboot.pro/files/file/237-runassystem-and-runfromtoken/ but applied to any other user.

I want to be able to launch a program such as a game or a mail client that saves files in per-user paths. So running as Administrator would not be effective since the program would load Administrator's data profile and not Bob's (who is logged on).

My ultimate goal is to be able to launch the 'whoami' command and have it say that I'm the logged-on user.

Update

I've been able to get a 'cmd.exe' as SYSTEM, and then get one instance as my account (password protected) with it using RunFromToken. I'm going to test this further.

1
  • It may add value to add to this question what you want to do ultimately, such as installing software or what the program is supposed to do. For all we know, this can be done using a login script etc...
    – LPChip
    Commented Oct 29, 2014 at 19:52

5 Answers

2

No. This would completely bypass the point of individual security.

I will add though that if you have access to a deployment system such as SCCM, you can have a package run only when the user is logged on and it will then run in the user's context. You can also run the package as part of a logon script which would also be run in the user's context.

1

All of these answers are correct as far as impersonating a user over the network. However, you can impersonate a local user without the need for a password, under certain conditions:

  1. You must be a member of the local administrators group.
  2. You may only impersonate another user that is currently logged in to the system.
  3. User impersonation is limited to the local system. You cannot impersonate a user on a remote system, without first being logged in to the remote system as a member of the local administrators group.

This is permitted because of how Windows delegates the PRIVILEGE to impersonate locally logged in users to SYSTEM and Local Administrators. You may find information about this PRIVILEGE under local group policy > Local Policies > User Rights Assignments > Impersonate a client after authentication.

One tool I know that allows you to do this is Process Hacker 2. Run the tool as an administrator, and find a process that is running as the user you wish to impersonate. Right-click on it, select Misc > Run as this user..., then type the binary path you want to run as that user, for example cmd. CMD would then open as that user without prompting for that user's password.
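
To see which principals on a given machine actually hold the right this answer names, here is an added PowerShell audit (my example, not from the answer, Process Hacker or RunFromToken). It only reads policy and the current token; it assumes an elevated prompt, since secedit needs one to export local policy, and the temp file path is an arbitrary choice.

```powershell
# Added example: audit who holds "Impersonate a client after authentication"
# (SeImpersonatePrivilege) on this machine, and whether the current session
# is a local admin that already has it. Assumes an elevated prompt.

$inf = Join-Path $env:TEMP 'user-rights-export.inf'   # arbitrary temp path
& secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
if (-not (Test-Path $inf)) { throw "secedit export failed; run from an elevated prompt" }

# The export is INI-style. Under [Privilege Rights] it holds a line such as
#   SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
# i.e. SIDs prefixed with '*' (Administrators, SERVICE, LOCAL SERVICE, NETWORK SERVICE).
$line = Get-Content $inf | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
Remove-Item $inf -Force

$holders = @()
if ($line) {
    $sids = ($line -split '=', 2)[1].Trim() -split ','
    foreach ($raw in $sids) {
        $sid = $raw.Trim().TrimStart('*')
        if (-not $sid) { continue }
        try {
            $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                        [System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '<unresolved SID>'   # e.g. an account that has since been deleted
        }
        $holders += [pscustomobject]@{ Sid = $sid; Account = $name }
    }
}

# Current session: local admin? and does its token carry the privilege?
$id      = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = ([System.Security.Principal.WindowsPrincipal]$id).IsInRole(
               [System.Security.Principal.WindowsBuiltInRole]::Administrator)
$myPriv  = whoami /priv /fo csv | ConvertFrom-Csv |
           Where-Object { $_.'Privilege Name' -eq 'SeImpersonatePrivilege' }

"Accounts granted SeImpersonatePrivilege by local policy:"
$holders | Format-Table -AutoSize
"Current user $($id.Name): local admin = $isAdmin; " +
"SeImpersonatePrivilege in token = $([bool]$myPriv) " +
"(state: $(if ($myPriv) { $myPriv.State } else { 'absent' }))"
```

Anything listed beyond the four default holders is worth explaining, since every account on that list can start processes as any interactively logged-on user, exactly as the answer describes.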

0

You can't do that and for bloody good reasons.

It would be the Holy Grail for any virus if this were possible.
There are always a number of processes running under several admin accounts on a Windows computer (like the LocalSystem and NetworkSystem accounts, just to name two).
If your request were possible to achieve, any arbitrary process could insert new processes into those accounts: there is no way in hell you would ever be able to protect your system from viruses. (Any arbitrary process literally means what it says: that also includes viruses!)

Other issues are privacy and accountability.
If you can fake the operation as if it were executed by another user you can get at that other user's data. Privacy goes out of the window.
And there is no longer any way to tell if something was actually done by that user or by somebody impersonating him/her. That means you can't reliably trace who did what anymore. You lose accountability, which is a big thing in systems that must adhere to compliance regulations, like medical systems.

So these are very good reasons to isolate the environments of accounts from each other. (There are a whole lot more, but that is beyond the scope of this question.)

3
  • I want to do this from an administrative account, injecting a process in another one, not the contrary (I'm not that dumb xD). Besides I don't really care about who did what, since I'm doing this at home.
    – beppe9000
    Commented Oct 29, 2014 at 20:14
  • @beppe9000 You personally may not care about the privacy and accountability issues, but in order to make this happen the feature has to be there in Windows. And that means EVERY Windows installation has the feature. You can't have it for just yourself and not for anybody else as Windows is basically identical for everybody. As companies care about privacy, security and accountability for their Windows users Microsoft isn't going to change something like this for the wishes of a few users that want to do something funky.
    – Tonny
    Commented Oct 30, 2014 at 16:38
  • Of course! I'm not hoping for this feature. I'm trying to circumvent what prevents me from doing this.
    – beppe9000
    Commented Oct 30, 2014 at 20:14
0

Without an agent (like through SCCM), you cannot do this directly.

If you need to run a program as a different user during say, logon, you can place the file in the "All Users" Startup folder. Otherwise, you'll need their password or use some administrative tool.

0

As noted by other answers, you probably really do not want to do this. If it were this easy, I could, for example, force a user to load some illegal website where they'll get fired and arrested. Not even admins should have that kind of God-like power.

If all you really want to do is find out who is currently logged in to a computer (local or remote), consider the "psloggedon" utility from MS TechNet (Formerly SysInternals): https://technet.microsoft.com/en-us/sysinternals/bb897545.aspx

If you still really need to run a task AS the user, look into running tasks at login, which, of course, will still trace back to you, for security reasons, but Windows will still run the task as if you were the user in question.
