Run as different user and elevate

Within Windows Explorer, I can right click on an executable file and pick 'Run as administrator' which will launch the selected process with elevated privileges or I can shift-right click on the executable file and click 'Run as different user', specify the username and password which will launch the process with standard privileges using the specified user context.

How do I run as a different user AND run in an elevated context? A perfect example of this would be opening an elevated command prompt using a different user context that the currently logged in user.

Art

Posted 2013-10-18T20:08:50.130

Reputation: 1 357

I think powershell the start-process command might be able to do this. – jiggunjer – 2016-01-17T15:02:56.467

Answers

I don't think such an option exists.

As a work around you could start the command line as an admin and execute the following command to run the command line with admin privileges as the other user.

runas /netonly /user:YourUser cmd.exe

Yass

Posted 2013-10-18T20:08:50.130

Reputation: 3 276

@NewProgrammerJames This trick doesn't work with CMD directly on W2008R2 and above, but tweaking a custom app should be possible. – Vesper – 2015-07-02T07:52:03.543

This will work even if the end user isn't in the admin group? – jiggunjer – 2016-01-17T14:56:23.463

@jiggunjer No, as far as I know. – Yass – 2016-01-17T14:57:22.860

7Or you can right click the executable, then select properties>compatability and then select Privilege Level and check Run this program as an administrator. Then shift right click the executable and run as a different user. – JamesTheDev – 2013-10-18T21:02:08.190

@NewProgrammerJames Nice, thanks for the input :) – Yass – 2013-10-18T22:22:58.767

Yes, psexec absolutely does this.

The following example works cleanly on Windows 8.1; run the command prompt as Administrator, then:

// -i makes the app interactive
// -h elevates the execution context 
// Omitting the password forces a secure prompt
psexec -u DOMAIN\user -i -h "C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\devenv.exe"

Paul Smith

Posted 2013-10-18T20:08:50.130

Reputation: 271

From Mike: This works for Windows 10!

– fixer1234 – 2015-12-24T09:39:39.103

You can do it through PowerShell:

Start-Process powershell -Credential domain\differentUserName -ArgumentList '-noprofile -command &{Start-Process "TheApp.exe" -verb runas}'

Darío León

Posted 2013-10-18T20:08:50.130

Reputation: 71

I notice this is a very old question, but the given answers are not ideal and it's already been necroed. All the existing answers require typing archaic commands and knowing the exact path to your executable. An ideal option would make this possible using the same process you already use for privilege escalation.

If you have a non-Home edition of Windows (Vista thru 10) you can use the Security Policy Manager to make it prompt you to give your password whenever elevation occurs. It also gives you the option to select a completely different user and enter their password... which will cause the elevated process to run as them.

Simply open the start menu and type secpol.msc and hit enter to launch it (if it's available). You're looking for Local Policies > Security Options > User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode > Prompt for credentials. Vista has a similar option that doesn't mention "Admin Approval Mode" but it does the same thing.

I think this is a much more natural option than the other's offered here and is rather reminiscent of gksudo on *nix. But if your edition of Windows doesn't include secpol.msc you will have to do some registry hackery to enable it.

Cliff Armstrong

Posted 2013-10-18T20:08:50.130

Reputation: 1 813

I did this and it doesn't work. And it always asks for my fingerprint instead although I don't configure my fingerprint auth. – iroel – 2018-05-06T03:02:10.070

@iroel That sounds distinct like there is a configuration problem with your windows' authentication subsystems. You should consider searching SU for a solution to that problem and, if you find nothing, consider posting it as a question. All my systems are set up this way and none of them ask for a thumbprint. Depending on the account I'm authenticating as they ask for either a password or a pin number. – Cliff Armstrong – 2018-05-07T15:48:03.693

I use fingerprint for authentication. It does happens. 2 solutions that are applicable: make the user having administrative privilege (but it doesn’t make sense in this case), create another user and set the fingerprint (use finger that’s not registered for certain user) and use that finger when asked for elevated privilege. I use the last solution in this case. At least it works for me. – iroel – 2018-06-05T16:09:06.307

If you're being prompted for a fingerprint then either you have set up the user you are trying to log into to require a fingerprint or something is wrong with your installation of windows. Full stop. I use this setup on three different computers and none of them ask for fingerprints. I've set this up on dozens of computers for clients. Windows will prompt for a pin# when logging into a user with a pin# configured and a password for all other users. It uses whatever authentication method you have configured for that user. – Cliff Armstrong – 2018-06-18T20:55:40.373

I found that if I log on as the Run As account you can set the "run this program as administrator" flag on the properties / compatibility page. Then log on the secondary account and perform the shift click run as will open it as administrator.

Alan Thompson

Posted 2013-10-18T20:08:50.130

Reputation: 1

This sounded like a great option, but there was no compatibility page in the Properties of cmd.exe. – Sandra – 2019-09-03T13:28:23.803