4

So, I have a client that needs to run software with higher privileges but the user works with a limited account and I'm not willing to give him the password for several reasons.

I was looking for a way to let the program start without prompting for admin password, and I ran into runas.

This is the command that I'm using:

runas /user:Administrator /savecred "Path\To\Software.exe"

What happens is that it asks for password the first time, but nothing happens after inserting the password. The program would just not launch, no matter how many times I run the command.

Path is correct and admin account is fine, still no results.

I also checked that 2 services are running (don't remember their names but they're related to running apps with different privileges).

Do you guys have a solution to have this working?

4
  • 1
    runas works just like it always did on Windows 10; that functionality has not changed in several versions of Windows. There is something else going on. I wasn't able to reproduce the behavior you describe.
    – Ramhound
    Commented Mar 16, 2016 at 19:29
  • 1
    Make sure you have enabled the group policy that enables users to use run as different user; that policy is set to the default, which means it wouldn't show up.
    – Ramhound
    Commented Mar 16, 2016 at 19:35
  • @Ramhound The "Run as Administrator" option is shown if I right-click; what doesn't work is runas from cmd. I didn't say that they changed something, I just said that it doesn't work for me because nothing happens after entering the command and it doesn't fire any error.
    – StepTNT
    Commented Mar 17, 2016 at 10:43
  • If you want to start your process using elevation, this isn’t the right way.
    – Daniel B
    Commented Feb 3, 2017 at 8:21

4 Answers

3

If User Account Control (UAC) is enabled on your computer (I hope the answer is "yes"), the "runas" command does not elevate your privileges, i.e., it runs the app, but not with administrative privileges.

However, try this Windows PowerShell command:

Start-Process "Path\To\Software.exe" -Verb "runas"

Naturally, you have to enter this command in Windows PowerShell instead of Command Prompt.

That said, this is definitely not a solution to your problem. Microsoft's policy is to either not provide or outright deny any and every means that encourages using administrative privileges. (This policy came into effect after the 2003 security fiasco.) The closest thing that Microsoft provides is an Application Compatibility Toolkit that allows you to ignore the app's manifest and run with limited privileges. This does the trick for the apps that are stupid enough not to check whether they got what they asked for in their manifests.

Of course, I do notice third-party security solutions from time to time, that enable what you want. Except, due to unpopularity, they disappear quickly.

3
  • 1
    The OP is the system administrator, and is trying to configure the profile of a user (a client) with a limited account, “and I’m not willing to give him the password for several reasons.” The question shows the use of the /savecred option. How can your answer be used to set up a low-privilege user to be able to run this one program with elevated privileges in the future without the password being entered every time? Please do not respond in comments; edit your answer to make it clearer and more complete.
    Commented Jul 1, 2017 at 17:44
  • @Scott "Every time"? There is no mention of this in the OP's question, although I believe you might be wrong. In that case, my answer is not salvageable with editing. PowerShell does have -Credentials switch but going that way leads to what runas already does.
    – user477799
    Commented Jul 2, 2017 at 8:24
  • “I have a client that needs to run a software with higher privileges but the user works with a limited account … I was looking for a way to let the program start without prompting for admin password …” Exact quotes, and I believe that the meaning is clear — the OP wants the user to be able to run the program, on a recurring basis, with privileges, without somebody needing to enter a privileged password — and I believe that I didn’t compromise the meaning by excerpting / quoting out of context. But you’re right; the exact phrase “every time” does not appear in the question.
    Commented Jul 2, 2017 at 20:12
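
To see whether a process started by either method in the answer above actually received an elevated token, run a check like the following inside it. This is an added example, not part of the original answer; the function name `Get-TokenSummary` is an assumption of this example.

```powershell
# Added example: report whether the current process holds an elevated token.
function Get-TokenSummary {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # With UAC on, a filtered token carries Administrators as deny-only,
    # so IsInRole returns $false until the process is really elevated.
    $isAdmin = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # The integrity level is a group in the token with a well-known S-1-16-* SID.
    $levels = @{
        'S-1-16-4096'  = 'Low'
        'S-1-16-8192'  = 'Medium'
        'S-1-16-12288' = 'High'
        'S-1-16-16384' = 'System'
    }

    # /nh plus explicit headers keeps the parsing independent of display language.
    $groups = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, Sid, Attributes
    $label = $groups |
        Where-Object { $levels.ContainsKey($_.Sid) } |
        Select-Object -First 1

    [pscustomobject]@{
        User           = $identity.Name
        IsElevated     = $isAdmin
        IntegrityLevel = if ($label) { $levels[$label.Sid] } else { 'Unknown' }
    }
}

Get-TokenSummary | Format-List
```

Run it once in a console opened with `runas /user:...` and once in a console opened with `Start-Process -Verb runas`, then compare the `IsElevated` and `IntegrityLevel` fields.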
2

We found that if the runas profile wasn't fully loaded (i.e. the runas UID hadn't fully logged onto the machine previously) it wouldn't work correctly...

CBB & LTSB 1607.

0

Using a program to store credentials is going to be bad no matter how you look at it. If the user is capable of getting any part of the stored credentials, then they're capable of decrypting the password, (HINT: they will be able to access them or else the program wouldn't work), unless the program uses some tokenization. Even in the event that it does tokenization, it's possible to execute other commands as the administrative user if they "pass the hash" as they say in the security field, (tokens are not encrypted/decrypted as far as I can tell, so they were separated on purpose; and even if they are/were, a user can decrypt them).

Your best bet since you don't want to give that person admin access will be to grant them specific access to the files and folders that the program is trying to use. More detail is needed about the program or files/folders that are being accessed before a good recommendation can be given. If you grant them access using the Security tab in a folder's properties box, then they might be able to run the program without admin privileges. If not, then the program was not made very well. Alternatively, you could use a virtual machine or have another desktop that the user can remote into so that they can have access to just that and not the system they're working on.

If you'd like to see what files and folders a user is using on Windows, you can use the tool Process Monitor. This tool will list an insane amount of information that all processes are doing on the machine, (you can filter the data). Files, folders, threads, networking, registry, and profiling events are all monitored by the tool. It's from SysInternals and part of the Sysinternals Suite located here on TechNet. I have no connection to them, but I've used their tools for numerous years.
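
One way to carry out the recommendation above (grant access to the specific folder instead of keeping a stored administrator credential), as an added example that is not the answerer's code. The function names, folder path and account name are hypothetical; `cmdkey` and the .NET ACL classes are standard Windows components.

```powershell
# Added example, not from the thread. Folder and account names are placeholders.

# Run as the limited user: the vault that runas /savecred writes to is per-user.
function Get-SavedRunasTarget {
    # Entries created by runas /savecred have targets starting "Domain:interactive=".
    cmdkey /list |
        Select-String -Pattern 'Domain:interactive=.+$' |
        ForEach-Object { $_.Matches[0].Value.Trim() }
}

function Remove-SavedRunasTarget {
    foreach ($target in Get-SavedRunasTarget) {
        cmdkey "/delete:$target" | Out-Null
        Write-Output "Removed saved credential: $target"
    }
}

# Run from an elevated administrator session: grant the limited account Modify
# on the one folder the program needs, inherited by subfolders and files.
function Grant-AppFolderModify {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Account
    )
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Return the resulting entries for that account so the change can be reviewed.
    $name = $Account.Split('\')[-1]
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference -like "*$name" }
}

# Constructed values for illustration only:
# Grant-AppFolderModify -Path 'C:\ProgramData\ExampleApp' -Account 'WORKSTATION\limiteduser'
# Remove-SavedRunasTarget
```

Use Process Monitor, as described above, to find which folder the program is actually denied access to before choosing the path to grant.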

-1

The only thing I've found that seems to cause what you are describing is if the Administrator account doesn't have a password set; then it won't launch that way. The account has to have a password and you have to enter it; you can't just leave it without a password and hit Enter when it asks.

When I see that behaviour it does give an error about account restrictions, though; it wouldn't show the error long enough for a human to read if you are running from a shortcut, but would keep the error up if running from a command prompt or PowerShell window.

Of course, also make sure that the Administrator account is enabled (it isn't by default) and that you (or your IT department if it's a company computer, not your computer) haven't added any GPO-based or other restrictions to the Administrator account being able to launch things. (Since you said the account is fine I doubt that is the cause in your case, but I'm including it in case other people need to know it too.)

1
  • Well, the question says, “it asks for password the first time, but nothing happens after inserting the password,” so it seems that the OP is not describing a situation where the Administrator account doesn’t have a password set. The GPO angle might be relevant (although you are not the first person to mention it). Can you provide more specifics regarding what the user should look for? Please do not respond in comments; edit your answer to make it clearer and more complete.
    Commented Jul 1, 2017 at 17:10
