6

We have a Windows Server 2008 machine running Terminal Services. When users login, a custom program is launched and resides in the system tray that gives them some customized hotkeys for our company.

When we need to update this program, we have to close all copies of the program from all sessions before the new version will actually take effect (more info here). I can end the process for all sessions easily with Taskkill, but I want to know if there's an easy way to restart the process for all sessions afterwards.

I do have access to the administrator account, but I do not have access to any other user passwords.

Is it possible to start a program from command line for another logged in user?

Community
  • 1
Rachel
  • 630
  • 4
  • 12
  • 22
  • Not sure if the "runas" command is of any use to you? – Phil Mar 28 '13 at 16:43
  • Since the users are not at console I don't think this will work unless you have every users pw. – tony roth Mar 28 '13 at 16:50
  • 1
    You could always write a program that is loaded by the users when they login. The program checks if your custom program is running once a minute, if it isn't, then you re-launch it. – Zoredache Mar 28 '13 at 16:59
  • 2
    Better yet, the program itself could check to see if it has been updated, and relaunch itself. – Michael Hampton Mar 28 '13 at 18:18
  • @Zoredache If we updated the program a lot, I would definitely investigate this route further, but it really only gets updated every few weeks/months when we add or edit a hotkey, so I'm not sure if that is really needed in my case. I was hoping for some easy Windows command that I wasn't aware of, but that doesn't appear to be the case. – Rachel Mar 28 '13 at 18:19

3 Answers3

4

No. Windows does not offer the type of user impersonation capability you're asking about here. There's no sudo equivalent, or even approximation in Windows.

I can't find the document or article at the moment, but not allowing sudo-style user impersonation functionality in Windows was a deliberate design decision way back in the earliest days of the NT kernel, and as a result, we're very much stick with it. (There aren't even any clever workarounds or hacks to circumvent it as there usually are - this one's just far too deeply rooted to get around.)

In the Windows world, in order to perform [practically] any action as a user (whether it's running a program, authenticating against AD or anything else), you require an access token, which is used to identify and authenticate the user's access/privileges. This access token is only created when the user's account name and password are supplied (at login, for RunAs, and so on).

The potentially important caveat (for your purposes) is that an existing access token can be duplicated into an impersonation token, which can be passed on to the ImpersonateLoggedOnUser function, which can be used to impersonate the security context of a logged-on user.

Seeing as how you're one of those developer/programmers who might know how to work with the arcane magiks of .NET, this may be useful to you in writing a small application to achieve what you want to do.

However, to be precisely clear, there is no command you can run or process to follow to impersonate a Windows user, short of coding one up (or finding one someone else coded up), and even then, it's limited to users whose access tokens are available (logged on users).

HopelessN00b
  • 53,385
  • 32
  • 133
  • 208
2

If the users are logged on, you can use something like owexec to launch processes as them. It doesn't require their password. We use it for something very similar to what you describe, except for the Terminal Services part.

You may need to add some scripting to gather all active sessions, then target them each, individually, with the -u option.

jscott
  • 24,204
  • 8
  • 77
  • 99
-1

If you are talking about a local software and not a RemoteApp, then I guess the most usefull in your case would be using PsExec:

http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

For some more examples an usage, you can go to http://windowsitpro.com/systems-management/psexec

Nissy A.W.
  • 132
  • 1
  • 8
  • 1
    Thanks, I'm looking into that now. Do you know if this will work to launch a process in another user's session without knowing their password? – Rachel Mar 28 '13 at 16:51
  • If the user you are using locally doesn't have privileges in the destination machine you can use this switch: -u remote\administrator -p adminpass and you should be fine with it – Nissy A.W. Mar 28 '13 at 16:58
  • Won't that run the process under the Administrator's session on the server? I am looking to run the process under a User's session, where I don't know the user's password. For example, if I login as Administrator and want to start notepad on UserA's session but do not know UserA's password, can I start Notepad in UserA's session with this? – Rachel Mar 28 '13 at 17:10
  • 1
    @Rachel Nope, there's no `sudo` equivalent in Windows. Windows is very much either know a user's password, or GTFO as it relates to running things as that account. – HopelessN00b Mar 28 '13 at 17:13
  • 1
    We really do prefer that answers contain content not pointers to content. Whilst this may theoretically answer the question, [it would be preferable](http://meta.stackexchange.com/q/8259) to include the essential parts of the answer here, and provide the link for reference. – user9517 Mar 28 '13 at 18:10