Windows 7 Forums
Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.



Windows 7: Elevated Program Shortcut - Create for Standard User

25 Oct 2011   #99
Brink
Microsoft MVP

64-bit Windows 8.1 Enterprise
 
 

How to Create an Elevated Program Shortcut Any User is able to Run in Vista, Windows 7, and Windows 8

...

My System SpecsSystem Spec
.

14 Mar 2013   #100
Magissia

7x64 ultimate / 7x64 pro / Some linux x64 distro
 
 

Hello, thanks you very much !
With the saved credentials, can the user, by a way or an other, start other .exe as admin by making the correct .lnk file ?

My System SpecsSystem Spec
.

14 Mar 2013   #101
Brink
Microsoft MVP

64-bit Windows 8.1 Enterprise
 
 

Hello Magissia,

You would need to create a new elevated shortcut for each one you want to allow the user to be able to run.
My System SpecsSystem Spec
18 Mar 2013   #102
Magissia

7x64 ultimate / 7x64 pro / Some linux x64 distro
 
 

Hello, also would like to know why we use the -500 admin account and not any admin account, what's so different but the fact the -500 one is built in ? Wouldn't it be a secuirty issue to enable the -500 admin account ?

How things will appear on logs if a normal user use a program with runas and the built in admin account (or an other account) ?

Should we consider that the -500 admin account should be used to make something similar to sudo on linux ? (su acces without really having it)

Edit : I just tested this with my account (not the 500 account)
I created a shortcut with the runas and all, it asked for my password, i gave it, then i copied the shortcut to a normal user desktop, but this user had command prompt screen asking for my password, how can i "share" the credential ?

Since it was a test, i entered te password myself on the user session, the program was run as admin, but then i was able to run other programs as admin without this prompt by modifying the shortcut path, leaving the first part, and just changing the program to run. It seems to be a security issue for me.
My System SpecsSystem Spec
18 Mar 2013   #103
Brink
Microsoft MVP

64-bit Windows 8.1 Enterprise
 
 

Magissia,

Enabling the built-in "elevated" Administrator account (-500 admin account) and creating a password for it would be no more of security risk than any other administrator account. In fact it may be more secure now that a password as been created for it when by default it doesn't have one.

This will not work with any other user account than the built-in "elevated" Administrator account.

Yes, that could be a security breach by changing the target of the shortcut. I have updated the tutorial to address and prevent this with steps 9-16.
My System SpecsSystem Spec
18 Mar 2013   #104
Magissia

7x64 ultimate / 7x64 pro / Some linux x64 distro
 
 

Hello, thanks for the update but i think the user may still be able to exploit it this way :

1. Right click on desktop
2. New
3. New shortcut
4. Write manually C:\Windows\System32\runas.exe /user:COMPUTER_NAME\ADMIN'S_NAME /savecred "Path:\To\The\.exe"

While it may sound a bit paranoid, as a chess player, i'm looking at all the possibilities the user will be able to acces if (s)he really wishes to start a program with admin rights for whatever reason and start to dig arround.

I agree on the part that denying modify rights on the shortcut will stop most people, but it may not be enough.
Regards
My System SpecsSystem Spec
18 Mar 2013   #105
Brink
Microsoft MVP

64-bit Windows 8.1 Enterprise
 
 

Magissia,

I don't blame you. It's best to not allow standard users to run anything elevated for just that reason.

I'm not sure about a way to prevent that workaround.
My System SpecsSystem Spec
18 Mar 2013   #106
Magissia

7x64 ultimate / 7x64 pro / Some linux x64 distro
 
 

Hello, problem is, some old (or badly written) programs need rights to write on it's own folder because it doesn't use %userprofile% to store settings, that's why i tried to find something, from the system itself if possible.

The only workaround i know is a paid software making an encrypted file that contain the runas command with the correct parameters and without /savecred, the users just need read/execute rights on the software, and the encrypted file to start the program as admin.

The file is encrypted with AES256 but i don't know more. As i don't know if it's allowed to name paid programs here, i will give it to any admin that ask for it and let the admin team decide to make a guide for this paid software, or name it in the guide for "increased" security.

"Increased" because I don't know how robust is their encryption, and have no more information than "AES256".
I don't know if they have any backdoor, if the passphrase used for encryption is unique on each machine (and if it's the case, some may be able to find it, since it must be saved somewhere to run)

I hope Microsoft will adress this issue in future release of Windows, best would be an update for our current systems too.

Even if we didn't found a "super secure" solution here, i hope it will make users reading this guide that security is important, and that they should think twice before leaving a program with elevated priviledge.

Best regards, Magissia
My System SpecsSystem Spec
09 Apr 2013   #107
Abdul

Windows Vista Home Premium 32bit SP2
 
 

Hello,

I'm just curious whether this could work on an elevated command prompt instead of a particular program on the PC. Also, can this technique work on Vista too?
My System SpecsSystem Spec
09 Apr 2013   #108
Brink
Microsoft MVP

64-bit Windows 8.1 Enterprise
 
 

Hello Abdul, and welcome to Seven Forums.

Yes, you can do this in Vista as well.

If you like, you could use this tutorial with an elevated command prompt shortcut instead of a program. However, if you let a standard user be able to use an elevated command prompt, they will be able to have full administrator rights and access to everything on the computer through that elevated command prompt.

Hope this helps,
Shawn
My System SpecsSystem Spec
09 Apr 2013   #109
Abdul

Windows Vista Home Premium 32bit SP2
 
 

Thanks! Just what I was looking, I'll let you know how it works out with this tutorial.

Oh and thanks for the quick reply BTW.
Abdul,
My System SpecsSystem Spec
Comment

 Elevated Program Shortcut - Create for Standard User





Tutorial Tools




Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 09:01 PM.
Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App
  

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33