"Runas" command /trustlevel - what is it, how can I enable additional levels?

    Question

  • Hello.

       I have a batch file which needs to be able to run some commands as an Administrator. The user running the batch file is a member of the "Administrators" local security group on the Windows 7 workstation. UAC is enabled, and seems to be running my batch file with 'basic' user permissions, giving permission denied errors even though the user running the batch is an administrator.

       To try to get around this problem, I thought it might be useful to use the 'runas' command. I don't want to use runas to run the commands as a *different* user, I want to run it as the SAME user, but with administrator privileges (from the Administrators security group membership).

        I'm not quite certain, but it looks like the /trustlevel option to the runas command *might* do what I want to do, but the problem is, /showtrustlevels is only showing the (basic user) as being enabled. So, first, am I on the right track with /trustlevel - that it should allow you to determine what level of privilege the command runs with, overriding UAC? Second, how do I enable an (Administrative user) trust level for use with runas?

    Friday, March 18, 2011 7:29 PM

Answers

  • Hi,

    As stated here http://msdn.microsoft.com/en-us/library/bb756922.aspx "runas" can't be used to run a command line with elevated privileges.

    runas /showtrustlevels and /trustlevel seem to be, at best, a Microsoft "work in progress"... completely useless IMHO

    Extract from http://msdn.microsoft.com/en-us/library/bb756922.aspx :
    ../..
    Do Not Use Runas to Launch an Elevated Process
    The Run as… option from Windows XP and Windows Server 2003 has been replaced with Run as administrator on the context menu (available when you right-click an executable) in Windows Vista. When a standard user selects the Run as administrator option, the user is presented with a list of active administrators on the local computer. Standard users with higher privileges, such as members of the Backup Operators group, are also displayed. When an administrator selects the Run as administrator option, a User Account Control dialog box immediately prompts the user to continue before running the application.
    Users must use the runas command at the command prompt in order to run an application as another user.

    Important 
    Be aware that runas does not provide the ability to launch an application with an elevated access token, regardless of whether it is a standard user with privileges like a Backup Operator or an administrator. The runas command grants the user the ability to launch an application with different credentials. The best method to use to launch an application with a different account is to perform the action programmatically by using a service and not rely on the user to run the component as a different user. If your program programmatically uses the runas command, ensure that it is not intended to launch an elevated process.
    ../..

    Instead, use the "Elevation Powertoys": http://technet.microsoft.com/en-us/magazine/2008.06.elevation.aspx
    (maybe an updated version here:
    http://blogs.technet.com/b/deploymentguys/archive/2009/01/21/the-elevation-powertoys-and-windows-7.aspx ?)

    "UAC confirmation" will always pop-up (if your UAC parameters don't disable it)

    Hope this helps

    jean-marc haby


    • Marked as answer by Vivian Xing Tuesday, March 29, 2011 9:13 AM
    Monday, March 21, 2011 8:31 PM
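
The answer above points to the "Run as administrator" action and its UAC prompt as the way to get an elevated token for the same user, since runas cannot do it. The batch header below is an added example, not part of the thread or of the Elevation Powertoys: it checks whether the script is already elevated and, if not, relaunches itself through that same UAC prompt. It assumes Windows PowerShell is installed, and the `__elevated` marker argument is a made-up name used only to stop a relaunch loop.

```batch
@echo off
setlocal
rem Added example, not from the thread. The marker argument __elevated is a
rem made-up name used only to stop a relaunch loop.

rem An elevated token carries the High (S-1-16-12288) or System
rem (S-1-16-16384) mandatory integrity label; a UAC-filtered token does not.
whoami /groups | findstr /c:"S-1-16-12288" /c:"S-1-16-16384" >nul
if not errorlevel 1 goto :elevated

rem Already relaunched once and still not elevated: stop instead of looping.
if "%~1"=="__elevated" (
    echo Elevation was not granted. 1>&2
    exit /b 1
)

rem The "RunAs" verb is the same request as right-click, Run as administrator;
rem UAC shows its consent or credential prompt before the new process starts.
rem Assumes the script path contains no apostrophe.
powershell -NoProfile -Command "Start-Process -FilePath '%~f0' -ArgumentList '__elevated' -Verb RunAs"
exit /b %errorlevel%

:elevated
rem Elevated processes start in %SystemRoot%\System32; return to the script folder.
cd /d "%~dp0"
echo Running with an elevated token.
rem ... commands that need administrator rights go here ...
endlocal
```

The relaunched copy runs in a new console window, and arguments passed to the original invocation are not forwarded in this form.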
  • Run As administrator will work only if your user account has administrator privileges.

    My MVP is for the Windows Desktop Experience, i.e. Windows XP, Vista and Windows 7 IT

    Remote Assistance is available for a fee.

    I am best with C++ and I am learning C# using Visual Studio 2010

    Developer | Windows IT | Chess | Economics | Hardcore Games | Vegan Advocate | PC Reviews

    • Marked as answer by Vivian Xing Tuesday, March 29, 2011 9:13 AM
    Saturday, March 19, 2011 11:24 PM
