[How-to] Run app with admin rights while a Limited User

20 replies to this topic

#1
DigeratiPrime

DigeratiPrime

    MSFN Junkie

  • Patrons
  • 3,550 posts
  • OS:Windows 7 x64
WARNING:
We had a little challenge below to see how secure this method is. LLXX proved it is insecure by 'recovering' the admin password from the compiled exe. + ty prp8683.

This guide will show how to launch an application with Administrative rights under a limited user account.
This is very useful for people who want to use Limited User accounts but have some apps/games that do not work natively in this environment.

All you need is AutoIT (free) and the following code.

Create a txt file and put this (make changes as necessary) inside:
; Set the RunAs parameters to use local administrator account
; Run program as admin
; Reset user's permissions

RunAsSet("username", "computername", "password")
RunWait("C:\Program Files\Path\To.exe")
RunAsSet()
rename this file runas.au3

Now we're just going to compile this as an exe so others cannot get the administrator password.
  • Run Aut2Exe
  • For Source choose the au3 file you just created.
  • For Destination choose a name for the exe to be created.
  • (Optional) Choose an Icon for the exe.
  • Uncheck decompilation
  • Finish by hitting Convert to create the exe!

Easy Right!? :)
  • The Secondary Logon service must be running!
  • You can always manually run/(un)install programs while a Limited User by right clicking on a file and selecting runas.
  • The administrator account needs to have a password for this to work.
  • If you are going to place this AutoIT exe in the same folder as the program you want to runas, for the path line in the script you can put just the name of the exe.
  • You can extract the icon from any file using XN Resource Editor (free/standalone).
[TWEAK] Hide the Administrator Account on the XP Logon Screen.
You can logon as Administrator by switching to the classic logon by hitting Ctrl+Alt+Del twice at the xp logon screen.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"Administrator"=dword:00000000

Edited by DigeratiPrime, 19 July 2006 - 10:14 AM.

Recommended Software: KeePass | Microsoft ICE | VisualWget | Vitamin D Video |



#2
prp8683

prp8683

    Newbie

  • Member
  • 10 posts

This guide will show how to launch an application with Administrative rights under a limited user account.

  • Uncheck decompilation


Don't use this anywhere you really need security; it's still possible to retrieve or modify the script data (including the credentials for the admin account) by running the resulting EXE thru a debugger and watching as the data is decrypted.

Hopefully MS will someday add real SUID support to Windows, and this will become a non-issue.

--
Phil

#3
DigeratiPrime

DigeratiPrime

    MSFN Junkie

  • Patrons
  • 3,550 posts
  • OS:Windows 7 x64
Very informative prp8683. Debugging/decompiling did cross my mind but I'm not familiar enough with it.

So for the record, even if the exe was further encrypted using another program, you could still look for the decryption of the password?
Recommended Software: KeePass | Microsoft ICE | VisualWget | Vitamin D Video |

#4
LLXX

LLXX

    MSFN Junkie

  • Banned
  • 3,399 posts
Any text in the script will appear directly in the resulting file; this is not a very secure method at all.

With an uncompressed EXE, I could probably open it in Notepad and locate the password along with the computername and username.

If it was compressed, I can still unpack it.

#5
nmX.Memnoch

nmX.Memnoch

    MSFN Master

  • Patrons
  • 2,086 posts
  • OS:Windows 7 x64
A better option would be to figure out what NTFS/registry permissions the application requires and set them appropriately. :)

#6
TravisO

TravisO

    Trouble Starter

  • Member
  • 284 posts
Interesting idea, I sure hope Vista addresses this issue better.

Edited by travisowens, 14 February 2006 - 09:07 AM.


#7
DigeratiPrime

DigeratiPrime

    MSFN Junkie

  • Patrons
  • 3,550 posts
  • OS:Windows 7 x64
I don't know, I still believe this is safe. Nothing will give you absolute security.

Here is a test. I will attach a compiled exe made from the following script:

; Set the RunAs parameters to use local adminstrator account
; Run registry editor as admin
; Reset user's permissions

RunAsSet("x", "x", "x")
RunWait("x")
RunAsSet()


If this is so easy to reverse, please 'reveal' the true values where the 'x' are.
I have not done anything else to the exe; it's made using the defaults in Aut2Exe.

Attached Files


Recommended Software: KeePass | Microsoft ICE | VisualWget | Vitamin D Video |

#8
Sn4k36

Sn4k36

    Newbie

  • Member
  • 32 posts
Here's a faster way to run apps with the admin rights under the limited user account. Just hold the Shift key and right click on the app and go to Run As and it'll open up a dialog so you can type in the admin name and password of the admin account.

#9
prp8683

prp8683

    Newbie

  • Member
  • 10 posts

Very informative prp8683. Debugging/decompiling did cross my mind but I'm not familiar enough with it.

So for the record, even if the exe was further encrypted using another program, you could still look for the decryption of the password?


The exe must be decrypted before it is executed, and if it stores the user/pass in encrypted form, it must decrypt those before passing them to the API functions that log the user on to do whatever the script does. Connecting a debugger to the process during this procedure will reveal the userid/password.

#10
LLXX

LLXX

    MSFN Junkie

  • Banned
  • 3,399 posts

I don't know, I still believe this is safe. Nothing will give you absolute security.

Here is a test. I will attach a compiled exe made from the following script:

; Set the RunAs parameters to use local adminstrator account
; Run registry editor as admin
; Reset user's permissions

RunAsSet("x", "x", "x")
RunWait("x")
RunAsSet()


If this is so easy to reverse, please 'reveal' the true values where the 'x' are.
I have not done anything else to the exe; it's made using the defaults in Aut2Exe.

I accept your challenge... :D
RunAsSet("administrator", "cpu", "msfn")
RunWait("ImgBurn.exe")
...and here are the entire contents of the script :thumbup
; ----------------------------------------------------------------------------
; <AUT2EXE INCLUDE-START: D:\Program Files\AutoIT3\RunAs.au3>
; ----------------------------------------------------------------------------

; Set the RunAs parameters to use local adminstrator account
; Run registry editor as admin
; Reset user's permissions

RunAsSet("administrator", "cpu", "msfn")
RunWait("ImgBurn.exe")
RunAsSet()

; ----------------------------------------------------------------------------
; <AUT2EXE INCLUDE-END: D:\Program Files\AutoIT3\RunAs.au3>
; ----------------------------------------------------------------------------
Do you believe it's safe now? :)

Edited by LLXX, 19 February 2006 - 04:29 AM.
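
An added example, not part of the thread or of AutoIt: a Python audit check an administrator could run over deployed wrapper executables or scripts to flag what LLXX describes in posts #4 and #10, credential-bearing RunAsSet/RunAs calls stored as readable text. The sample bytes, the account names and the function name `find_embedded_credentials` are constructed for illustration.

```python
import re

# One string-literal argument; AutoIt accepts double or single quotes.
_ARG = rb'''(?:"([^"\r\n]*)"|'([^'\r\n]*)')'''
# RunAsSet(user, domain, password) is the form in post #1, RunAs(user, domain,
# password, ...) the form in post #19; RunAsWait is the AutoIt v3 waiting variant.
_CALL = re.compile(
    rb"\b(RunAs(?:Set|Wait)?)\s*\(\s*" + rb"\s*,\s*".join([_ARG] * 3),
    re.IGNORECASE,
)

# Constructed sample: binary padding around script text, standing in for a
# wrapper file; the second call is stored as UTF-16LE text.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b'; Run program as admin\r\nRunAsSet("localadmin", "PC01", "Example-Pass1")\r\n'
    + b'RunWait("C:\\Program Files\\Path\\To.exe")\r\nRunAsSet()\r\n'
    + b"\xff\xfe"
    + 'RunAs("localadmin", "", "Example-Pass1", 1, "app.exe")'.encode("utf-16le")
)


def find_embedded_credentials(data: bytes) -> list[dict]:
    """Return one finding per credential-bearing call; the password is never echoed."""
    findings, seen = [], set()
    # The second pass drops NUL bytes so ASCII text stored as UTF-16LE also matches.
    for view_name, view in (("raw", data), ("nul-stripped", data.replace(b"\x00", b""))):
        for m in _CALL.finditer(view):
            user, domain, password = (
                (m.group(i) if m.group(i) is not None else m.group(i + 1)).decode("latin-1")
                for i in (2, 4, 6)
            )
            key = (m.group(1).lower(), user, domain, password)
            if key in seen:  # same call already reported from the other view
                continue
            seen.add(key)
            findings.append({
                "function": m.group(1).decode(),
                "view": view_name,
                "user": user,
                "domain": domain,
                "password_length": len(password),  # report presence, not the secret
            })
    return findings


if __name__ == "__main__":
    for finding in find_embedded_credentials(SAMPLE):
        print(finding)
```

A clean result does not clear a wrapper: as posts #2 and #9 point out, credentials that are obscured on disk still have to be decrypted before the logon call and are visible to a debugger at that point.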


#11
prp8683

prp8683

    Newbie

  • Member
  • 10 posts

Here's a faster way to run apps with the admin rights under the limited user account. Just hold the Shift key and right click on the app and go to Run As and it'll open up a dialog so you can type in the admin name and password of the admin account.


True, but there are situations where:

1. A user must run a particular program which requires administrative rights
2. That user is not trusted to have administrative rights

Altering permissions to allow the application to run in the restricted user's context may work, depending on your security needs. (The application may require access you would not otherwise grant the user; e.g. an application which must load a device driver, and you don't want the user fiddling around with devices otherwise; in this case, granting the permissions required to run the program gives the user more access than you want. On the other hand, if the app simply stores user preferences in a global location and you don't care about the user changing system-wide preferences for that app, changing the permissions is probably OK.)

The Run-As method you mention is useful for admins to use non-privileged accounts and quickly gain privileges to perform specific functions, but it requires that the user know an administrative password, thus defeating item 2 above.

What is needed here is some mechanism that allows an admin to say that 'user x is allowed to run program y with the privileges of user z, without knowing user z's password'. *nix systems do this with the sudo program, but Windows doesn't provide that functionality. Perhaps Vista will provide this, but I'm not holding my breath.

#12
Gouki

Gouki

    MSFN Expert

  • Member
  • 1,168 posts


I don't know, I still believe this is safe. Nothing will give you absolute security.

Here is a test. I will attach a compiled exe made from the following script:

; Set the RunAs parameters to use local adminstrator account
; Run registry editor as admin
; Reset user's permissions

RunAsSet("x", "x", "x")
RunWait("x")
RunAsSet()


If this is so easy to reverse, please 'reveal' the true values where the 'x' are.
I have not done anything else to the exe; it's made using the defaults in Aut2Exe.

I accept your challenge... :D
RunAsSet("administrator", "cpu", "msfn")
RunWait("ImgBurn.exe")
...and here are the entire contents of the script :thumbup
; ----------------------------------------------------------------------------
; <AUT2EXE INCLUDE-START: D:\Program Files\AutoIT3\RunAs.au3>
; ----------------------------------------------------------------------------

; Set the RunAs parameters to use local adminstrator account
; Run registry editor as admin
; Reset user's permissions

RunAsSet("administrator", "cpu", "msfn")
RunWait("ImgBurn.exe")
RunAsSet()

; ----------------------------------------------------------------------------
; <AUT2EXE INCLUDE-END: D:\Program Files\AutoIT3\RunAs.au3>
; ----------------------------------------------------------------------------
Do you believe it's safe now? :)



So, Is he right or not? :D

#13
LLXX

LLXX

    MSFN Junkie

  • Banned
  • 3,399 posts
I'll let him decide, seeing as how I recovered his entire script, complete with comments and formatting, inside the compiled EXE ;)

#14
ProClub

ProClub

    Newbie

  • Member
  • 25 posts
If you need to install some stuff, you might alternatively do it in a startup/shutdown script implemented by group policies. I recommend shutdown, because the program will be ready for use next time the computer starts up.

There will be no rights problems, because these scripts run as SYSTEM. (Logon/logoff scripts run as user!)

#15
DigeratiPrime

DigeratiPrime

    MSFN Junkie

  • Patrons
  • 3,550 posts
  • OS:Windows 7 x64
Awesome job LLXX, sorry I forgot to check the thread the other day.

I'll put a warning in the top post. :)
Recommended Software: KeePass | Microsoft ICE | VisualWget | Vitamin D Video |

#16
LLXX

LLXX

    MSFN Junkie

  • Banned
  • 3,399 posts
Although this method is inherently insecure, it should be sufficient security if you're sure that all your users are a bit on the "dumb" side and don't know a thing about this :lol:

#17
DigeratiPrime

DigeratiPrime

    MSFN Junkie

  • Patrons
  • 3,550 posts
  • OS:Windows 7 x64
right, it still has its uses ;)
Recommended Software: KeePass | Microsoft ICE | VisualWget | Vitamin D Video |

#18
cluberti

cluberti

    Gustatus similis pullus

  • Supervisor
  • 11,250 posts
  • OS:Windows 8.1 x64

Nothing will give you absolute security.

Right - since a normal user can simply run:

at <hh:mm> /i "cmd.exe"

And get a command prompt running as the SYSTEM account in interactive mode - basically complete control of the local system without knowing ANY passwords other than his or her own.
MCTS Windows Internals, MCITP Server 2008 EA, MCTS MDT/BDD, MCSE/MCSA Server 2003, Server 2012, Windows 8
--------------------
Please read the rules before posting!
Please consider donating to MSFN to keep it up and running!

#19
McoreD

McoreD

    Member

  • Member
  • 156 posts
Hi,

Just an update for v3.

Instead of

; Set the RunAs parameters to use local administrator account
; Run program as admin
; Reset user's permissions

RunAsSet("Administrator", "MIKE-PC", "admin")
RunWait("C:\Applications\SIL\FieldWorks\WorldPad.exe")
RunAsSet()

You will need

RunAs("Administrator", "", "admin", 1, "C:\Applications\SIL\FieldWorks\WorldPad.exe")

Cheers,
McoreD

Edited by McoreD, 12 December 2008 - 05:11 PM.


#20
redxii

redxii

    Member

  • Member
  • 286 posts

at <hh:mm> /i "cmd.exe"

That doesn't work unless you already have admin, and if you already have admin then having SYSTEM privileges is not that big a step up.

#21
Oxygen

Oxygen

    Newbie

  • Member
  • 25 posts

Hi,

Just an update for v3.

RunAs("Administrator", "", "admin", 1, "C:\Applications\SIL\FieldWorks\WorldPad.exe")

Cheers,
McoreD



Many thanks :thumbup
