Run "cmd.exe" as a given user and "as administrator" in command line

[Lea Massiot]

Run "cmd.exe" as a given user and "as administrator" in command line

Hello and thank you for reading my post.

If I'm logged in Windows as user "u1", I can execute "cmd.exe" "as administrator" by choosing

 "Start" -> "cmd.exe" and right-click "Run as administrator".

I would like to start another "cmd.exe" console as "u2" and "as administrator".
(So, "u2" is not the current logged in user).

The following command:

u1 cmd.exe> runas /user:u2 "cmd.exe"

runs "cmd.exe" as "u2" but not "as administrator".

I would like to do this in command line. Can you tell me how?

Best regards.

Nota:
u1 cmd.exe> means: I'm running "cmd.exe" as "u1".

 

[Mr Davo]

Hi Lea,

I don't believe that what you want to accomplish is possible. This is because Windows only "runs" one login at a time, unlike some true multi user operating systems, such as Linux.

If your logged in as U1, then you can only perform operations as U1, or as the Administrator. As far as running things as the Administrator is concerned, I believe in this case that you simply inherit the Administrators permission levels, thus permitting you to perform elevated activities.

If your U1 login has Administrator privileges then running as Administrator will be no different to running as U1!

Good luck

Davo

 

[logicearth]

I don't believe that what you want to accomplish is possible. This is because Windows only "runs" one login at a time, unlike some true multi user operating systems, such as Linux.

That is incorrect. Windows is a multi-user OS. Has been since Windows NT first rolled off the printing presses.

> runas [/profile | /noprofile] /user:[domainname\]username "C:\Windows\System32\cmd.exe"

If you do not need the user profile data (Regirstry, etc.) you can use the /noprofile switch. It is faster that way.

Using the above command I ran Internet Explorer with a TestUser account I created that is just a Standard User. You can see in the image below iexplorer.exe is running under a different user with different privileges.

 

[CreepinJesus]

This isn't exactly what you want, but it may help: if you do a Shift + Right-click on an item in the start menu, it will give more options. One of these options is 'Run as different user' which does what it says. I think you need the other user's credentials, however.

 

[Lea Massiot]

Thank you for your answers and for the screen capture.

Regardless of my weak understanding of what exactly is that "Run as administrator" functionality,
and given the fact that this functionality can be triggered by right-clicking on an item and then choose "Run as administrator",
I would like to know how this functionality can be triggered in command line.

As any ".exe" file can be "run as administrator" as described above,
I wonder how this can be done in command line.
For example:
- I'm logged in the OS as "u1" who is a member of the "Administrators" group (*).
- "u2" is a member of the "Administrators" group too.
- I start a command line "cmd.exe".
- I want to run (for example):
-- "mkdir",
-- "gvim",
-- "runas /user:u2 'cmd.exe'"
-- etc.
"as administrator".
In the "runas" case, I want to do just as if I was logged into the OS as "u2" and would run "cmd.exe" "as administrator".

I am also wondering why it's not enough to be part of the "Administrators" group and why do we need this extra "Run as administrator" functionality? Is it something like an extra security feature to protect resources like a "confirm you really want to do this action" in which case, maybe there is a way to bypass that behaviour...?

Thanks for your help. Best regards.


(*) Win. doc.: "Administrators have complete and unrestricted access to the computer/domain".

 

[UsernameIssues]

It would probably be best if you detail exactly what you are attempting to do - what is the end result of all of this. Then we might be able to help you get there. There probably is a way to do what you outlined above, but there probably is an easier way to achieve your end goal.

 

[arifur]

I dont think its possible from the command line as because the cmd.exe is already running as a normal user so how can it then run again as root user.

Its windows man not linux. Its very easy in linux but I dont think its possible in windows. May be there is a way who knows.

 

[jonnyhotchkiss]

How to use admin account

Thank you for your answers and for the screen capture.

Regardless of my weak understanding of what exactly is that "Run as administrator" functionality,
and given the fact that this functionality can be triggered by right-clicking on an item and then choose "Run as administrator",
I would like to know how this functionality can be triggered in command line.

As any ".exe" file can be "run as administrator" as described above,
I wonder how this can be done in command line.
For example:
- I'm logged in the OS as "u1" who is a member of the "Administrators" group (*).
- "u2" is a member of the "Administrators" group too.
- I start a command line "cmd.exe".
- I want to run (for example):
-- "mkdir",
-- "gvim",
-- "runas /user:u2 'cmd.exe'"
-- etc.
"as administrator".
In the "runas" case, I want to do just as if I was logged into the OS as "u2" and would run "cmd.exe" "as administrator".

I am also wondering why it's not enough to be part of the "Administrators" group and why do we need this extra "Run as administrator" functionality? Is it something like an extra security feature to protect resources like a "confirm you really want to do this action" in which case, maybe there is a way to bypass that behaviour...?

Thanks for your help. Best regards.


(*) Win. doc.: "Administrators have complete and unrestricted access to the computer/domain".

Hi,


I ran cmd as admin and ran


net user


this shows your user accounts. Do you have an administrator account listed?


You may need to activate it (net user administrator /active:yes)
and set a password (net user administrator *)
you can hide accounts by adding the username as DWORD (value=0) to


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList


Finally, to save a credential
runas.exe /savecred /user:administrator "defrag c:"


Hope this helps.




for shortcuts, I highly recommend SlickRun (magic words, too many keyboard shortcuts!) hotkey master, and the extremely flexible AutoHotkey.


Thanks

 

[UsernameIssues]

Greetings jonnyhotchkiss,

Maybe the OP will stop back by to read this old discussion...
...or maybe not.

I think that the OP wanted to use one batch file to do several things:
The batch file was launched with the medium integrity level of user1...
It needed to do some things that required the high integrity level (run as admin)...
Then the OP wanted the batch file to do somethings as if user2 was logged on...
And finally, to do some things as user2's high integrity level (run as admin).

The high integrity level (run as admin) is not related to the built in administrator account. That administrator account should remain disabled. The high integrity level is just elevated privileges for an app, service or operation.

There are probably better ways to do what the OP wanted done; but sadly, I don't think that we were given enough details to help.

BTW, I concur with the usefulness of AutoHotKey. I used AutoIt1 and AutoIt2 for many years and then AHK was born from AutoIt in a not so happy split among the developers. I stuck with AutoIt because I liked the syntax change in AutoIt3. AHK stayed with the syntax of AutoIt2.

 

[Lea Massiot]

Hello and thank you for contributing.

Indeed, I was quite disconnected from that thread but I'm still interested in the initial problem I submitted (for which I haven't found a solution yet).

I have to say that despite I'm not an English speaking native I think I described my problem quite clearly in my two previous posts in this very same thread.
If I'm not clear enough on a specific point you should tell me which.
In turn, I do not understand why you're talking about "SlickRun" and "AutoHotkey" since I'm interested in submitting a command in a shell "as administrator" ; I'm not interested in pressing a set of keys (keyboard shortcut) to trigger a specific action...

Now, I'm really confused about:
1) the "administrator account" you're talking about ;
2) the "Administrators" group ;
3) the "Run as administrator" functionality.

Best regards.

 

[UsernameIssues]

...I have to say that despite I'm not an English speaking native I think I described my problem quite clearly in my two previous posts in this very same thread....

Your English is great. You did describe a task that I assume is a simplified version of the real task. And you are correct, there does not seem to be a native way to impersonate another user (runas) to launch an app at the high integrity level. AutoIt scripts can request an elevation to the high integrity level... but I'm not sure that this would work while impersonating another user.

...Now, I'm really confused about:
1) the "administrator account" you're talking about ;
2) the "Administrators" group ;
3) the "Run as administrator" functionality.

Best regards.

1) The administrator account that I mentioned is described here:
http://www.sevenforums.com/tutorials/507-built-administrator-account-enable-disable.html

2 & 3) If a user is a member of the "Administrators" group...
...they can do somethings without being asked for credentials.

User1 is in the "Administrators" group.
User1 starts notepad.
Notepad runs at the medium integrity level.
(assumes default UAC settings)

User100 is not in the "Administrators" group.
User100 starts notepad.
Notepad runs at the medium integrity level.
(assumes default UAC settings)

User1 starts notepad using "Run as administrator".
User1 answers yes to the UAC prompt.
Notepad runs at the high integrity level.

User100 starts notepad using "Run as administrator".
User100 is prompted for the credentials of one of the user in the "Administrators" group.
If those credentials are correctly entered, notepad runs at the high integrity level.

User1 and user100 can do most of the same things.

 

[Lea Massiot]

Thank you for all this useful and clear information.
Best regards.

 

[jonnyhotchkiss]

Thank you for being so polite, and for returning to reciprocate your gratitude - excellent example of how 'manners cost nothing'...

I wondered if you ever achieved your objective - 'run cmd as different user' with admin rights?

 

[Pyprohly]

Sorry, but I'm absolutely certain that it's impossible (through the command prompt) to start a command prompt as another user and with elevated privileges, because there is no such command line command that allows one to start a new process as elevated using credentials other than the builtin Administrator at least, and the Runas command does not accept multiple user credentials.

The question posed by the OP cannot be achieved via the Command Prompt. What else can we try then? Let's take a look at Windows Powershell instead...

Powershell is the future scripting language and command line interface for Windows. It is much more robust than the Command Prompt which uses different parsing tools to process each unique command and Powershell is more flexable with a larger set of built-in commands and only one command parser for all of them. Anyone from Windows XP and later may use it.

The following powershell command, in theory, should start a command prompt instance running as the user "User01", while at the same time run as an elevated process:

Start-Process cmd -Credential User01 -Verb RunAs

... but in practise, this raises an exception.

It seems that the switches '-Credential' (specify a user to run as) and '-Verb' ((potentially) specify that the executable should run elevated) cannot be used together; it's as if Microsoft never wanted users to be able to start processes as other users and run the process as administrator at the same time, anyhow.

But with a dab of tricky involved, there is a well known powershell command going around that does exactly what you need, Jonnyhotchkiss and Lea Massiot, here it is (this is a slimed down version of the same command you might find elsewhere on the internet):

Start-Process powershell 'Start-Process cmd -Verb RunAs' -Credential User01

(Replacing "User01" with the user to run as (and "cmd" with the program of your choice) as needed)

It works by calling a new instance of Powershell as a specified user (User01 in this case), then it executes another Start-Process command (aka Cmdlet) inside the new Powershell instance which invokes cmd.exe with 'Run as Administrator' privileges. So it's as if that other user had typed out that second command (Start-Process cmd -Verb RunAs) into a Powershell prompt.

The above powershell command is one of the very few ways in Windows to start a new process as another user, while at the same time running it with administrative (elevated) permissions. All done in one go.


I'm sorry that the solution could not involve simple commands typed at the command prompt. If it was possible I would share, but Powershell is the only way to go here.