17

There are several utilities to run as a different user (e.g. runas, cpau, psexec), but all of them require the password for the respective user, even if you are already running with elevated privileges.

I'd like to achieve the following:

  1. I already have an elevated prompt (Administrator)
  2. I'd like to execute a command (eg: calc.exe) as john without typing/passing their password to the launcher utility.

For example, in Unix system you could just:

root@server:~# su - john
Razvan
  • I'm stuck at a similar issue, were you able to get around it @Razvan? – Birla Sep 15 '21 at 15:23
  • It's been some time since I posted this question, so I no longer have the context for this, but if I remember correctly, what I ended up doing back then was to use a combination of scheduled jobs and CPAU with predefined jobs. So no, I was not able to figure this out. – Razvan Sep 15 '21 at 20:16

7 Answers

6

I use this all the time. It does take entering a credential the first time it's used (and when the password changes) but that's it.

runas /user:yourusernamehere /savecred "Your Executable Here"

If you save this command as part of a bat file you can create a shortcut that will launch this with administrative rights using a target like the following.

C:\Windows\System32\cmd.exe /c "C:\yourbatfilehere.bat"
Tim Brigham
  • 4
    Thanks for the tip, but unfortunately /savecred is not applicable in my case because 1) the user credentials may change AND 2) the commands to be executed are generated dynamically (so I'd have to type the password for each command). Also, this should run in background, without any user interaction. – Razvan Apr 26 '16 at 15:11
  • @Razvan you can wrap your commands in a script file, so as long as the name is the same your commands can change easily. As to the credentials changing... you need to either pass fresh credentials or a cached copy. There isn't a third option. – Tim Brigham Apr 26 '16 at 15:16
6

In Windows, you can only do this if there is a current logon session of the user you are attempting to impersonate. This is due to the local group policy "Impersonate a client after authentication" allowing members of the Administrators group to do exactly that (Found under Local Policies > User Rights Assignments).

One tool I know that allows you to do this is Process Hacker 2. Run the tool as a local admin, and find a process that is running as the user you wish to impersonate. Right Click on it, select Misc > Run as this user..., you then type the binary path you want to run as that user, for example cmd. CMD would then open as that user without prompting for that user's password.

Rich
3

Nope, not possible under Windows. You always have to enter a password at least once when running applications under a different user account. Even as an Administrator.

Prevents funny things from happening and enables clean auditing. If something happens under a user account, users cannot blame administrators for doing it without their consent.

Daniel
  • But is this a technical limitation? I could think of that maybe some relevant user files required for establishing a new session are encrypted using the user credentials so that's why it would be impossible to get a new session without providing the respective credentials (it's just a guess). – Razvan Apr 28 '16 at 09:40
  • I don't understand your comment. It's a technical limitation in the sense that Microsoft decided to plan Windows in the way that you cannot impersonate a user account without knowing its password. The why and how does not matter. Your only option is to enter the password or accept that you cannot impersonate any account without it. – Daniel Apr 28 '16 at 10:09
  • 1
    @Daniel could you provide some reference link for your claim that this is a deliberate, strategic decision? – ivan_pozdeev Jan 06 '17 at 10:04
  • Isn't there an ACL to allow this? – RandomInsano Dec 20 '17 at 16:57
0

If you have elevated privileges, you can use the Windows Task Scheduler to run a script (or anything else) as any user without its password.

  1. Open the Task Scheduler
  2. Click on "Create Task ..."
  3. Click on "Change user or Group" and type the username
  4. Go to "Actions" tab and select your script or executable
  5. Execute the task manually or schedule it as you wish

Done
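
The same procedure scripted with the ScheduledTasks cmdlets, as an added example that is not part of the original answer. The function name `Invoke-AsUserViaTask`, the account `SERVER\john` and the `whoami.exe` action are hypothetical placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the answer): register a one-off task under another
# account's principal, run it on demand, and remove it again.

function Invoke-AsUserViaTask {
    param(
        [Parameter(Mandatory)] [string] $UserId,    # placeholder, e.g. 'SERVER\john'
        [Parameter(Mandatory)] [string] $Execute,   # program to start
        [string] $Argument,
        # S4U: no stored password, runs whether or not the user is logged on,
        #      non-interactively (no visible window) and without network
        #      credentials; the account needs the "Log on as a batch job" right.
        # Interactive: runs only inside the user's existing logon session.
        [ValidateSet('S4U', 'Interactive')] [string] $LogonType = 'S4U'
    )

    # Random task name so repeated calls never collide with an existing task.
    $name = 'RunAs-' + [guid]::NewGuid().ToString('N')

    $actionArgs = @{ Execute = $Execute }
    if ($Argument) { $actionArgs.Argument = $Argument }
    $action    = New-ScheduledTaskAction @actionArgs
    $principal = New-ScheduledTaskPrincipal -UserId $UserId `
                     -LogonType $LogonType -RunLevel Limited

    try {
        # No trigger: the task exists only to be started on demand.
        Register-ScheduledTask -TaskName $name -Action $action `
            -Principal $principal -ErrorAction Stop | Out-Null
        Start-ScheduledTask -TaskName $name

        # Poll until the task has left the Queued/Running states.
        do {
            Start-Sleep -Milliseconds 500
            $state = (Get-ScheduledTask -TaskName $name).State
        } while ($state -in 'Queued', 'Running')

        # Exit code of the launched program (0 on success).
        (Get-ScheduledTaskInfo -TaskName $name).LastTaskResult
    }
    finally {
        # Always clean up so no task stays registered under the other account.
        Unregister-ScheduledTask -TaskName $name -Confirm:$false `
            -ErrorAction SilentlyContinue
    }
}

Invoke-AsUserViaTask -UserId 'SERVER\john' -Execute 'whoami.exe'
```

Task registration is recorded as Security event 4698 when "Audit Other Object Access Events" is enabled, so the action remains attributable to the administrator who created the task.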

0

This is how I do it

psexec -u administrator -p password -i (Session ID) -h -d cmd /c start (command)

Session ID: is retrieved with the following command: "qwinsta console". Command: is whatever you need to be run. (Understand that if user interaction is required, that user will need to click on or complete any required tasks.)

Psexec can be found on https://live.sysinternals.com

Bryan
0

This is hacky AF, but I also had a need for this, and this is what I came up with. Specifically, I want to do an IIS Reset, which requires an elevated prompt.

From a CMD prompt, I can do:

powershell "Start-Process -Verb Runas 'iisreset' -Wait"

That opens a separate Windows PowerShell (v5) window, does the IIS reset, and waits for the process to complete before proceeding (useful in a script - also works as a Pre/Post-Build event in a .csproj file, which is what I am doing).

From a PowerShell prompt, it's even easier:

Start-Process -Verb Runas 'iisreset' -Wait

As I said, hacky...but it gets the job done.
In theory this should work in Microsoft PowerShell (7.2 at the time of this writing) as well. Haven't tested that, tho, so YMMV.

Mike Loux
-3

If you put the .exe in their startup folder you may be able to run it as them.