Using a program to store credentials is going to be bad no matter how you look at it. If the user is capable of getting any part of the stored credentials, then they're capable of decrypting the password (HINT: they will be able to access them or else the program wouldn't work), unless the program uses some tokenization. Even in the event that it does tokenization, it's possible to execute other commands as the administrative user if they "pass the hash", as they say in the security field (tokens are not encrypted/decrypted as far as I can tell, so they were separated on purpose; and even if they are/were, a user can decrypt them).
Your best bet, since you don't want to give that person admin access, will be to grant them specific access to the files and folders that the program is trying to use. More detail is needed about the program or files/folders that are being accessed before a good recommendation can be given. If you grant them access using the Security tab in a folder's properties box, then they might be able to run the program without admin privileges. If not, then the program was not made very well. Alternatively, you could use a virtual machine or have another desktop that the user can remote into so that they can have access to just that and not the system they're working on.
If you'd like to see what files and folders a user is using on Windows, you can use the tool Process Monitor. This tool will list an insane amount of information that all processes are doing on the machine (you can filter the data). Files, folders, threads, networking, registry, and profiling events are all monitored by the tool. It's from SysInternals and part of the Sysinternals Suite located here on TechNet. I have no connection to them, but I've used their tools for numerous years.
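An added example, not part of the original answer: one way to turn a Process Monitor CSV export into the list of paths a process was denied, with a matching icacls grant for each file or folder. It assumes the export's default columns; the sample rows, legacyapp.exe and the CORP\jdoe account are constructed for illustration.

```python
import csv
import io

# Constructed sample in the default column layout of a Process Monitor CSV export.
SAMPLE_EXPORT = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","legacyapp.exe","4120","CreateFile","C:\Program Files\LegacyApp\data\settings.ini","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.4","legacyapp.exe","4120","CreateFile","C:\Program Files\LegacyApp\data\settings.ini","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.6","legacyapp.exe","4120","ReadFile","C:\Program Files\LegacyApp\app.dll","SUCCESS","Length: 4096"
"10:01:03.0","legacyapp.exe","4120","RegSetValue","HKLM\SOFTWARE\LegacyApp\LastRun","ACCESS DENIED",""
"10:01:03.2","explorer.exe","988","CreateFile","C:\Windows\Temp\x.tmp","ACCESS DENIED",""
"10:01:03.9","legacyapp.exe","4120","CreateFile","C:\ProgramData\LegacyApp\logs","ACCESS DENIED","Desired Access: Generic Write"
'''


def denied_paths(export_text, process_name):
    """Return (file_paths, registry_paths) the process was denied, de-duplicated and sorted."""
    files, registry = set(), set()
    # A real export may start with a byte-order mark; drop it so the first header parses.
    reader = csv.DictReader(io.StringIO(export_text.lstrip("\ufeff")))
    for row in reader:
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Result"] != "ACCESS DENIED":
            continue
        path = row["Path"]
        # Registry paths in the export start with a hive abbreviation (HKLM, HKCU, ...).
        (registry if path.upper().startswith("HK") else files).add(path)
    return sorted(files), sorted(registry)


def icacls_commands(file_paths, account):
    """Build one icacls grant per denied path; (M) is Modify. Review each before running."""
    return ['icacls "{}" /grant "{}:(M)"'.format(p, account) for p in file_paths]


if __name__ == "__main__":
    files, registry = denied_paths(SAMPLE_EXPORT, "legacyapp.exe")
    for cmd in icacls_commands(files, r"CORP\jdoe"):
        print(cmd)
    # icacls only covers the file system; registry keys are reported separately.
    for key in registry:
        print("registry key needs its own permission change:", key)
```

Granting only on the paths that actually returned ACCESS DENIED keeps the user's rights limited to what the program needs.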
run as different user, that policy is set to the default which means it wouldn't show up.
runas from cmd. I didn't say that they changed something, I just said that it doesn't work for me because nothing happens after entering the command and it doesn't fire any error.