Home / server / Questions / 773038
In Process
Razvan
Asked: 2016-04-27 06:52:47 +0800 CST

Run as a different user without a password from an elevated prompt in Windows

  • 772

There are a several utilities to run as a different user (eg: runas, cpau, psexec) but all of them require the password for the respective user, even if you are already running with elevated privileges.

I'd like to achieve the following:

  1. I already have an elevated prompt (Administrator)
  2. I'd like to execute a command (eg: calc.exe) as john without typing/passing their password to the launcher utility.

For example, in Unix system you could just:

root@server:~# su - john
windows windows-7 runas impersonation

7 Answers

  1. I use this all the time. It does take entering a credential the first time it's used (and when the password changes) but that's it. 

    runas /user:yourusernamehere /savecred "Your Executable Here"

    If you save this command as part of a bat file you can create a shortcut that will launch this with administrative rights using a target like the following. 

    C:\Windows\System32\cmd.exe /c "C:\yourbatfilehere.bat"
    • 6

  2. In Windows, you can only do this if there is a current logon session of the user you are attempting to impersonate. This is due to the local group policy "Impersonate a client after authentication" allowing members of the Administrators group to do exactly that (Found under Local Policies > User Rights Assignments).

    One tool I know that allows you to do this is Process Hacker 2. Run the tool as a local admin, and find a process that is running as the user you wish to impersonate. Right Click on it, select Misc > Run as this user..., you then type the binary path you want to run as that user, for example cmd. CMD would then open as that user without prompting for that user's password.

    • 6

  3. Nope, not possible under Windows. You always have to enter a password at least once when running applications under a different user account. Even as an Administrator.

    Prevents funny things to happen and enables clean auditing. If something happens under a user account users cannot blame administrators for doing it without their consent.

    • 3

  4. If you have elevated privileges, you can use the Windows Task Scheduler to run a script (or anything else) as any user without its password.

    1. Open the Task Scheduler
    2. Click on "Create Task ..."
    3. Click on "Change user or Group" and type the username
    4. Go to "Actions" tab and select your script or executable
    5. Execute the task manualy or shedule as you wish

    Done

    • 0

  5. This is how I do it

    psexec -u administrator -p password -i (Session ID) -h -d cmd /c start (command)

    Session ID: is retrieved with the following command "qwinsta console" Command: is what ever you need to be ran. (understand if there is user interaction required, that user will need to click on or complete any required tasks)

    Psexec can be found on https://live.sysinternals.com

    • 0

  6. This is hacky AF, but I also had a need for this, and this is what I came up with. Specifically, I want to do an IIS Reset, which requires an elevated prompt.

    From a CMD prompt, I can do:

    powershell "Start-Process -Verb Runas 'iisreset' -Wait"

    That opens a separate Windows PowerShell (v5) window, does the IIS reset, and waits for the process to complete before proceeding (useful in a script - also works as a Pre/Post-Build event in a .csproj file, which is what I am doing).

    From a PowerShell prompt, it's even easier:

    Start-Process -Verb Runas 'iisreset' -Wait

    As I said, hacky...but it gets the job done.
    In theory this should work in Microsoft PowerShell (7.2 at the time of this writing) as well. Haven't tested that, tho, so YMMV.

    • 0

  7. If you put the .exe in their startup folder you may be able to run it as them.

    • -3