Syntax of runas to run an application as administrator, and an alternative

Runas and other possibilities to run an executable file, a batch file or any other script as administrator with elevated rights from a standard user account.


Command runas: syntax and parameters

runas /user:UserName program [ [/noprofile | /profile] [/env] [/savecred | /netonly] ]

runas /smartcard [/user:UserName] program [ [/noprofile | /profile] [/env] [/savecred] ]

runas /trustlevel:TrustLevel program

Examples:

Runas parameters can be used on the command line or set in a shortcut, batch file or any other script.
>> runas /user:administrator "c:\windows\system32\cmd.exe" <<
>> runas /user:administrator "c:\path\myprogram.exe parameter" <<

You are then asked to enter the password of the user account administrator before cmd can launch with those credentials.


Problem of runas and solution

Unfortunately, it does not work to pass the password directly in the command, like
>> runas /user:administrator /password:password "c:\windows\system32\cmd.exe" <<
You can only use the argument /savecred to store the login information, including the password, in the computer's Credential Manager for the next call
>> runas /user:localhost\username /savecred "c:\windows\system32\cmd.exe" <<
But this is a security problem. The stored credentials allow the user to run any program with those credentials,
not just the original command, because the account and password in Credential Manager can be used by the limited user.
That is why you must additionally authorize the specific application that is allowed to start with administrator rights.
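
To check whether /savecred has already left credentials behind, the following added example (not part of the original page or of any tool it describes) parses the output of cmdkey /list for the current user. It assumes English-language cmdkey output and that runas entries are stored with a target of the form "Domain:interactive=<account>"; Get-CmdkeyEntry and the sample lines are constructed for illustration.

```powershell
# Added example: list Credential Manager entries and pick out the ones
# that "runas /savecred" stores for the current user.
# Assumptions: English "cmdkey /list" labels (Target/Type/User) and runas
# entries whose target contains "interactive=".
function Get-CmdkeyEntry {
    param(
        # Lines of "cmdkey /list"; a parameter so sample text can be parsed too.
        [string[]]$CmdkeyOutput = (cmdkey.exe /list)
    )
    $entry = $null
    foreach ($line in $CmdkeyOutput) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            # A new entry starts: emit the previous one first.
            if ($entry) { $entry }
            $entry = [pscustomobject]@{ Target = $Matches[1]; Type = ''; User = '' }
        }
        elseif ($entry -and $line -match '^\s*(Type|User):\s*(.+?)\s*$') {
            # Fill in the Type or User property of the current entry.
            $entry.($Matches[1]) = $Matches[2]
        }
    }
    if ($entry) { $entry }
}

# Constructed sample output, so the parser can be tried without a real vault.
$sample = @(
    'Currently stored credentials:'
    ''
    '    Target: Domain:interactive=PC01\administrator'
    '    Type: Domain Password'
    '    User: PC01\administrator'
    ''
    '    Target: LegacyGeneric:target=git:https://example.invalid'
    '    Type: Generic'
    '    User: alice'
)

# Only the first sample entry is a saved runas credential.
Get-CmdkeyEntry -CmdkeyOutput $sample |
    Where-Object { $_.Target -like '*interactive=*' }

# On a real machine, run this in the session of the limited user:
#   Get-CmdkeyEntry | Where-Object { $_.Target -like '*interactive=*' }
# A reported entry can be removed with:  cmdkey.exe /delete:<Target>
```

Any entry this reports is an administrator credential the limited user can reuse for any program, which is the problem described above.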

Passing the password on the command line is possible with RunAsSpc.
>> runasspc.exe /user:"administrator" /password:"password" /program:"c:\windows\system32\cmd.exe" <<
Alternatively, you can save the parameters of the application, the administrator account and its password in an encrypted file.
>> runasspc.exe /cryptfile:"AnyApplicationWithCredentials.spc" <<

RunAsSpc is a small, easy-to-use and portable utility that you can find at https://robotronic.de/runasspcEn.html
It has nearly the same syntax and arguments as runas.
In addition, this tool can save the login information together with the authorized program in an encrypted file, so that a user cannot call every application with administrator rights.
RunAsSpc is portable, so you can use one configured encrypted file on other computers directly, without an installation procedure.
That way you can distribute Runasspc.exe with one or more encrypted files to your users by providing it on a network share, USB memory stick or any other place
from which a limited user can start the specific program with administrator rights.


Alternative runas with password utilities

There are many runas password tools. You can find a list with their properties and a comparison at https://runas.eu
Almost all of them can be configured to run as administrator with a password, using the run-as-different-user method.

Just one tool takes a different approach and temporarily puts the user account itself into the local administrators group, only for the authorized application.
RunAsRob https://runasrob.com
The advantage of this method is that the user starts the program as administrator with their own profile and settings.
Printers, shares, NTFS rights and registry settings remain unchanged for the user while the authorized program is running with administrator privileges.
Because of that approach, RunAsRob does not need an encrypted file with stored administrator credentials.
The authorized programs are written to the registry. If a user wants to run an application as administrator, RunAsRob looks in the registry to check whether it is in an allowed directory.
This solution makes it possible to authorize a program path with wildcards,
or to authorize complete folders, with their contents, that you want to allow to run as administrator.
You can configure a program, setup file, batch file or any other script.
RunAsRob additionally has the option to log in as system, which you can set separately for each application.
Running under the system account is a powerful option because the system account has more rights on a local machine than an administrator account. You get access to backup folders, profile folders and many system directories.
By running as system you can bypass the UAC dialog, because a system account does not know UAC.
Running under the system account is useful for processes such as monitoring, driver installation, copy jobs, installing an update, other software installation procedures, backups and other tasks for which you do not need the user profile and settings of a default account.

RunAsRob is a small but powerful tool for small and large environments. It works well and in harmony with system policies, Active Directory organizational units and NTFS rights. You can authorize specific computers / computer groups and users / user groups to run a specific application as administrator from the network or the local machine in order to delegate tasks.





Date: 2021-09-03

2021-09-03 Oliver Hessing