Differences between RunAsRob, RunAsAdmin, RunAsService and RunAsSpc:
a part of RunAsRob
a part of RunasRob
the classic tool
Contains RunAsAdmin, RunAsService and
can control allowed applications by an encrypted file, which can send anyone to use it.
Allowed application controlled by registry settings.
Need no encrypted file.
Several applications can be configure at one go.
Support of wildcard *
Compatible with group policy.
The application is running as service automatic after you turn on the computer and before any user is logged in.
Interaction between user and program isn't possible.
Allowed applications and credentials controlled by an encrypted file or clear text.
Run application under user account from encrypted file. This can be an administrator or any other user account.
Requires no installation procedure.
Run application under system account with highest privileges and without the popup of an UAC dialog.
Suitable for installations, updates and patches.
Disadvantage: A service is not a complete account. Its missing a user profile and an own HKU registry path.
The only possible login option. Not editable
Launch application with administrator permissions under the own fully account of the limited user with his own profile and enviroment.
Suitable for running programs who need user properties like office.
Application use logon credentials from encrypted file for remote connections.
To create an encrypted file.
Open the configuration window of RunAsRob for encrypted files by doubleclick to runasrob.exe or call it with option /configure
>> runasrob.exe /configure <<
To run a encrypted file over runasrob.exe use the option /cryptfile
>> runasrob.exe /cryptfile: “c:\path\yourcryptfile.xus”<<
or drag and drop the encrypted file over runasrob.exe.
For a call withhout status messages use the switch /quiet
>> runasrob.exe /install /quiet <<
>> runasrob.exe /cryptfile: “c:\path\yourcryptfile.xus”
To set folders, its applications can be launch with
administrator rights or allow only a specific application.
Install runasrob with option /allowedpath, followed by the
allowed folders or applications. Semicolon separated to allow
more than one folder or application.
>> runasrob.exe /install /allowedpath:c:\program
To run applications from this allowed folder
drag and drop the application.exe over runasrob.exe
or use the following call >> runasrob.exe
This can be done by command line, batch file, shorcut or any
An advanced optional switch are /assystem or /asadmin.
/assystem -> The allowed application is running under
service account with elevated admin rights.
/asadmin -> After the user enter his credentials he
will be member of the local administrator group for this
application which is running under his own account.
>> runasrob.exe /install /allowedpath:"\\server\share1\setup.exe;\\server\share2\;C:\windows\system32\regedt32.exe /asadmin;C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe /assystem"
To configure an application or script to start it permanently
as service use the option /servicemode: followed by the
>> runasrob.exe /install
You can combine the arguments of RunasRob like the following
>> runasrob.exe /install /quiet /servicemode:"c:\system\monitoring.exe" /allowedpath:"\\server\share\folder2\;c:\windows\system32\regedt32.exe /asadmin" <<
Create encrypted files by command line are possible with
RunAsSpc.exe. This files are also readable with RunAsRob.exe
Detail guidance 2:
Edit the Registry Key of RunasRob:
Here you configure the values AllowedPath, ServiceMode, LogonFlag
directly or over central group policy in a domain.
Changes will take effect after restart of service RunasRob
Warning, serious problems might occur if you change the registry
The restriction of the free version for private use is the
start-up window with the license information,
which appears at random intervals, even if you set the switch /quiet.
Arguments to the launching program at runtime are not possible.
Environment variables can use like >> %windir%\system32\regedt32.exe\CompMgmtLauncher.exe <<
Wildcards can set as authorized path. Example: >> *\updates\flashplayerversion*.exe <<.
Running on Server 2008, Server 2012, Vista, Windows 7, Windows 8, Windows 10, 64 and 32 Bit
Authorize only a specific user or group to run a an application.
This can be achieved over folder permissions to the program file, encrypted file or the folder.
Program arguments. Passing arguments to my application are not working, because quotation marks or complex arguments are not accepted in RunasRob.
Workaround this problem by a one line batch file with your complete applicaton call include all arguments.
Run this one line batch file over RunasRob.
Most errors are system errors which are returned from runasrob to user.
This system error codes are explained by Microsoft on
For any suggestions, errors, questions, specific requirements or adjustments please contact: firstname.lastname@example.org