DigeratiPrime

[How-to] Run app with admin rights while a Limited User

21 posts in this topic

WARNING:

We had a little challenge below to see how secure this method is. LLXX proved it is insecure by 'recovering' the admin password from the compiled exe. + ty prp8683.

This guide will show how to launch an application with Administrative rights under a limited user account.

This is very useful for people who want to use Limited User accounts but have some apps/games that do not work natively in this environment.

All you need is AutoIT (free) and the following code.

Create a txt file and put this (make changes as necessary) inside:

; Set the RunAs parameters to use the local administrator account
RunAsSet("username", "computername", "password")
; Run program as admin
RunWait("C:\Program Files\Path\To.exe")
; Reset user's permissions
RunAsSet()

Rename this file runas.au3

Now we're just going to compile this as an exe so others cannot get the administrator password.

  • Run Aut2Exe
  • For Source choose the au3 file you just created.
  • For Destination choose a name for the exe to be created.
  • (Optional) Choose an Icon for the exe.
  • Uncheck decompilation
  • Finish by hitting Convert to create the exe!

Easy Right!? :)

  1. The Secondary Logon service must be running!
  2. You can always manually run/(un)install programs while a Limited User by right clicking on a file and selecting runas.
  3. The administrator account needs to have a password for this to work.
  4. If you are going to place this AutoIT exe in the same folder as the program you want to runas, for the path line in the script you can put just the name of the exe.
  5. You can extract the icon from any file using XN Resource Editor (free/standalone).

[TWEAK] Hide the Administrator Account on the XP Logon Screen.

You can log on as Administrator by switching to the classic logon by hitting Ctrl+Alt+Del twice at the XP logon screen.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"Administrator"=dword:00000000

Edited by DigeratiPrime
Link to post
> This guide will show how to launch an application with Administrative rights under a limited user account.
>
>   • Uncheck decompilation

Don't use this anywhere you really need security; it's still possible to retrieve or modify the script data (including the credentials for the admin account) by running the resulting EXE thru a debugger and watching as the data is decrypted.

Hopefully MS will someday add real SUID support to Windows, and this will become a non-issue.

--

Phil

Link to post

Very informative prp8683. Debugging/decompiling did cross my mind but I'm not familiar enough with it.

So for the record, even if the exe was further encrypted using another program, you could still look for the decryption of the password?

Link to post

Any text in the script will appear directly in the resulting file; this is not a very secure method at all.

With an uncompressed EXE, I could probably open it in Notepad and locate the password along with the computername and username.

If it was compressed, I can still unpack it.

Link to post

A better option would be to figure out what NTFS/registry permissions the application requires and set them appropriately. :)

Link to post

Interesting idea, I sure hope Vista addresses this issue better.

Edited by travisowens
Link to post

I don't know, I still believe this is safe. Nothing will give you absolute security.

Here is a test. I will attach a compiled exe made from the following script:

; Set the RunAs parameters to use local adminstrator account
; Run registry editor as admin
; Reset user's permissions

RunAsSet("x", "x", "x")
RunWait("x")
RunAsSet()

If this is so easy to reverse, please 'reveal' the true values where the 'x' are.

I have not done anything else to the exe; it's made using the defaults in Aut2Exe.

RunAs.zip

Link to post

Here's a faster way to run apps with admin rights under the limited user account. Just hold the Shift key and right-click on the app and go to Run As, and it'll open up a dialog so you can type in the admin name and password of the admin account.

Link to post
> Very informative prp8683. Debugging/decompiling did cross my mind but I'm not familiar enough with it.
>
> So for the record, even if the exe was further encrypted using another program, you could still look for the decryption of the password?

The exe must be decrypted before it is executed, and if it stores the user/pass in encrypted form, it must decrypt those before passing them to the API functions that log the user on to do whatever the script does. Connecting a debugger to the process during this procedure will reveal the userid/password.

Link to post
> I don't know, I still believe this is safe. Nothing will give you absolute security.
>
> Here is a test. I will attach a compiled exe made from the following script:
>
> ; Set the RunAs parameters to use local adminstrator account
> ; Run registry editor as admin
> ; Reset user's permissions
>
> RunAsSet("x", "x", "x")
> RunWait("x")
> RunAsSet()
>
> If this is so easy to reverse, please 'reveal' the true values where the 'x' are.
>
> I have not done anything else to the exe; it's made using the defaults in Aut2Exe.

I accept your challenge... :D

RunAsSet("administrator", "cpu", "msfn")
RunWait("ImgBurn.exe")

...and here are the entire contents of the script :thumbup

; ----------------------------------------------------------------------------
; <AUT2EXE INCLUDE-START: D:\Program Files\AutoIT3\RunAs.au3>
; ----------------------------------------------------------------------------

; Set the RunAs parameters to use local adminstrator account
; Run registry editor as admin
; Reset user's permissions

RunAsSet("administrator", "cpu", "msfn")
RunWait("ImgBurn.exe")
RunAsSet()

; ----------------------------------------------------------------------------
; <AUT2EXE INCLUDE-END: D:\Program Files\AutoIT3\RunAs.au3>
; ----------------------------------------------------------------------------

Do you believe it's safe now? :)

Edited by LLXX
Link to post
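The recovery above works because the account name and password are literal arguments in the script itself. As an added example (not from the thread), this Python check audits AutoIt source for RunAsSet, RunAs and RunAsWait calls whose password argument is a string literal; the sample script and its account names are constructed.

```python
import re

# AutoIt calls that take the account password as their third argument.
CALL = re.compile(r"\b(RunAsSet|RunAsWait|RunAs)\s*\(", re.IGNORECASE)
# Code part of a line: everything before the first ';' outside a string.
CODE = re.compile(r"""(?:[^;"']|"[^"]*"|'[^']*')*""")

def split_args(code, start):
    """Split the argument list that begins right after '(' at index start."""
    args, cur, depth, quote = [], "", 0, None
    for ch in code[start:]:
        if quote:
            quote = None if ch == quote else quote
        elif ch in "\"'":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            if depth == 0:
                break
            depth -= 1
        elif ch == "," and depth == 0:
            args, cur = args + [cur.strip()], ""
            continue
        cur += ch
    return args + [cur.strip()] if (args or cur.strip()) else []

def find_hardcoded_credentials(source):
    """Return (line, call, user, password_length) for each literal password."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = CODE.match(line).group(0)
        for m in CALL.finditer(code):
            args = split_args(code, m.end())
            pw = args[2] if len(args) >= 3 else ""
            if len(pw) >= 2 and pw[0] in "\"'" and pw[-1] == pw[0]:
                # Record the length only, so the audit output holds no secret.
                findings.append((lineno, m.group(1), args[0].strip("\"'"), len(pw) - 2))
    return findings

# Constructed sample, shaped like the script in the first post.
SAMPLE = '''RunAsSet("localadmin", "WORKSTATION1", "example-password")
RunAsSet()
; RunAsSet("old", "pc", "commented-out")
$pw = InputBox("Run as", "Password:", "", "*")
RunAsWait("localadmin", @ComputerName, $pw, 0, "setup.exe")
'''

print(find_hardcoded_credentials(SAMPLE))
```

A password passed in a variable is not flagged, so a clean result only means no literal sits in the call itself.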
> Here's a faster way to run apps with admin rights under the limited user account. Just hold the Shift key and right-click on the app and go to Run As, and it'll open up a dialog so you can type in the admin name and password of the admin account.

True, but there are situations where:

1. A user must run a particular program which requires administrative rights

2. That user is not trusted to have administrative rights

Altering permissions to allow the application to run in the restricted user's context may work, depending on your security needs. (The application may require access you would not otherwise grant the user; e.g. an application which must load a device driver, and you don't want the user fiddling around with devices otherwise; in this case, granting the permissions required to run the program gives the user more access than you want. On the other hand, if the app simply stores user preferences in a global location and you don't care about the user changing system-wide preferences for that app, changing the permissions is probably OK.)

The Run-As method you mention is useful for admins to use non-privileged accounts and quickly gain privileges to perform specific functions, but it requires that the user know an administrative password, thus defeating item 2 above.

What is needed here is some mechanism that allows an admin to say that 'user x is allowed to run program y with the privileges of user z, without knowing user z's password'. *nix systems do this with the sudo program, but Windows doesn't provide that functionality. Perhaps Vista will provide this, but I'm not holding my breath.

Link to post

> > I don't know, I still believe this is safe. Nothing will give you absolute security.
> >
> > Here is a test. I will attach a compiled exe made from the following script:
> >
> > ; Set the RunAs parameters to use local adminstrator account
> > ; Run registry editor as admin
> > ; Reset user's permissions
> >
> > RunAsSet("x", "x", "x")
> > RunWait("x")
> > RunAsSet()
> >
> > If this is so easy to reverse, please 'reveal' the true values where the 'x' are.
> >
> > I have not done anything else to the exe; it's made using the defaults in Aut2Exe.
>
> I accept your challenge... :D
>
> RunAsSet("administrator", "cpu", "msfn")
> RunWait("ImgBurn.exe")
>
> ...and here are the entire contents of the script :thumbup
>
> ; ----------------------------------------------------------------------------
> ; <AUT2EXE INCLUDE-START: D:\Program Files\AutoIT3\RunAs.au3>
> ; ----------------------------------------------------------------------------
>
> ; Set the RunAs parameters to use local adminstrator account
> ; Run registry editor as admin
> ; Reset user's permissions
>
> RunAsSet("administrator", "cpu", "msfn")
> RunWait("ImgBurn.exe")
> RunAsSet()
>
> ; ----------------------------------------------------------------------------
> ; <AUT2EXE INCLUDE-END: D:\Program Files\AutoIT3\RunAs.au3>
> ; ----------------------------------------------------------------------------
>
> Do you believe it's safe now? :)

So, is he right or not? :D

Link to post

I'll let him decide, seeing as how I recovered his entire script, complete with comments and formatting, inside the compiled EXE ;)

Link to post

If you need to install some stuff, you might alternatively do it in a startup/shutdown script implemented by group policies. I recommend shutdown, because the program will be ready for use next time the computer starts up.

There will be no rights problems, because these scripts run as SYSTEM. (Logon/logoff scripts run as user!)

Link to post

Awesome job LLXX, sorry I forgot to check the thread the other day.

I'll put a warning in the top post. :)
