none
Force software to always run as admin without exposing admin password

    Question

  • I have some software that only functions right if the person has administrative permissions on the machine.  I don't want to give my users the admin passwords so they can do a Run As for obvious reasons.  Is there a way to force a program to run as administrator without exposing the admin password, like it would be exposed if i made their shortcut run a script or batch file containing the admin password?

    Monday, January 17, 2011 10:52 PM

All replies

  • I have a similar problem. It's listed in a previous post. 

     

    http://social.technet.microsoft.com/Forums/en-US/itprovistasecurity/thread/1ec55fab-6374-44a5-905d-70668c6a457f

     

     

    Monday, January 17, 2011 11:04 PM
  • Were you ever able to figure anything out?
    Tuesday, January 18, 2011 2:56 PM
  • No I have not. Hopefully I can figure something out soon though.
    Wednesday, January 19, 2011 12:45 PM
  • I have some software that only functions right if the person has administrative permissions on the machine.  I don't want to give my users the admin passwords so they can do a Run As for obvious reasons.  Is there a way to force a program to run as administrator without exposing the admin password, like it would be exposed if i made their shortcut run a script or batch file containing the admin password?

    See if this will work .....
    Create a shortcut of the program on desktop > right lick at the shortcut > Compatibility tab > at the bottom, click  " Show settings for all users " > uac prompt > put a checkmark at Run this program as an administrator " > OK

    Note : Show settings for all users  must be enabled first in order to apply " Run as the administrator option " to all users.

    If it works, do the same to other software.
    If it solves your problem, I did it. If it does not, my twin brother did it.
    Wednesday, January 19, 2011 1:04 PM
  • I attempted that solution for my problem and it did not work. When I go into the properties of the shortcut and see the compatibility tab, it states: Compatibility modes cannot be set on this program because it is part of this version of Windows. Then everything after that message is grayed out completely and the system will not allow me to click or choose any option.
    Wednesday, January 19, 2011 5:48 PM
  • Hi,

     

    Thanks for posting in Microsoft TechNet forums.

     

    Open a CMD prompt and type

     

    runas /?

     

    then hit the <Enter> key. What you are looking for is the use of the runas

     command in combination with its /user and /savecred switches. You create a

     shortcut to the application you want to run with admin credentials, but the

     shortcut invokes the application through runas instead of directly.

     

    The first time you launch the software in the end user's account using that

     shortcut you will be prompted for a password. You supply the password that

     one time. From then on the shortcut uses the stored credentials you gave it.

     

    Best Regards

    Magon Liu

    TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com

     


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ”
    • Marked as answer by Magon LiuModerator Tuesday, January 25, 2011 2:30 AM
    • Unmarked as answer by RJO22 Thursday, February 10, 2011 3:18 PM
    Thursday, January 20, 2011 9:45 AM
    Moderator
  • This sounds exactly like what I need.  Have a question about the /savecred switch though.  Where does it actually save the password?  does it save it encryped or in plain text in that location?
    Thursday, January 20, 2011 1:50 PM
  • Hi,

    Different Windows application has different storage path. They can be saved either in the Registry or file system, or both. Be aware that even if you know the location of the saved password, it doesn't mean that you can move it from one computer to another. many applications store the passwords in a way that prevent you from moving them to another computer or user profile. Mostly invisible to users.

    For example, for Windows Network Passwords, it is:

    [Windows Profile]\AppData\Roaming\Microsoft\Credentials\[Random ID] and [Windows Profile]\AppData\Local\Microsoft\Credentials\[Random ID]

    Regards,

     


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ”
    Friday, January 21, 2011 3:27 AM
    Moderator
  • I completely understand what you stated about the runas command. I know how to use that command in the "run" window (via the windows key and letter "r"). I also understand how to make a new shortcut. But I am confused as how to create a shortcut with your "runas" solution. Where exactly in the shortcut properties are you supposed to place the /user and /savecred switches? Will this solution work for my issue with the system .exe file ( DPIScaling.exe ) problem? Here is the link to my problem: http://social.technet.microsoft.com/Forums/en-US/itprovistasecurity/thread1ec55fab-6374-44a5-905d-70668c6a457f
    Friday, January 21, 2011 7:59 AM
  • Ok I figured out where to input the command. I am using Windows Vista 64-bit Ultimate I used this link: http://technet.microsoft.com/en-us/library/bb490813.aspx

    In the "Type the location of the item" I used the line:

    runas /savecred /user:ComputerName\UserName %windir% \system32\DpiScaling.exe

     

    I then copied the shortcut to the standard user's desktop. When I switched over to that standard users account and logged in and double clicked the shortcut, I got prompted for my pwd via a command window. I then typed it in and nothing happened after that. I then edited a new shortcut to show as :

    runas /savecred /user:ComputerName\UserName c:\windows\system32\DpiScaling.exe

    then when I logged in as the standard user again and double clicked the new shortcut, a cmd window flashed on the screen for like a half a second, and disappeared. Then nothing happened. I then right clicked, run as administrator, input my password, then the cmd prompt for my password came up, as if the right click runas enabled me to see the actual runas command window invoked by the command in the shortcut. After inputting my password, nothing happened again. What exactly is going on? Why are the credentials not being saved? I just want to allow a standard user to open the DpiScaling.exe settings window under an admin's credentials automatically.

    Friday, January 21, 2011 9:37 AM
  • Correct me if i'm wrong, but if you use /savecred, wouldn't that allow a user to use the runas /savecred to run ANY program with those saved credentials, not just the program you setup the shortcut for?
    Thursday, February 10, 2011 3:19 PM
  •  

    I am running into a similar problem with QuickBooks.  I have users logging in to a Terminal Server and using QuickBooks.  QuickBooks needs to have administrative right to run all functions of the program correctly.  I can't give admin rights to all users over the entire server so I am following this forum and trying this Runas command.  I used what you did above and it seems to be working.  What I noticed is that you left the quotes out of the Program it is opening.  Your code should look like this...

    runas /savecred /user:ComputerName\UserName "c:\windows\system32\DpiScaling.exe"

    Once you have the shortcut created, you will need to run the shortcut from the users profile and enter the admin password. From there the user should always be opening with admin rights and not be asked for a password. 

    One problem I noticed at least with QuickBooks is that when I try and save something from the program it defaults to the administrator profile for things such as My Documents and Desktop.

     

    Hope this will help you out if you already haven't solved the problem.

     

    Though I myself have not tried this....it may also do the trick.

    http://www.robotronic.de/runasspcEn.html
    • Proposed as answer by ClarityIT Tuesday, October 11, 2011 7:56 PM
    Friday, June 10, 2011 2:13 AM
  • That's a brilliant program you've pointed to ClarityIT !   Thank you so much :)

     

    I've searched long and hard for something equivalent to the Lin*ces sudo command, but have been (very) disappointed that the MS flagship Win7/Ultimate just couldn't do it properly. It's such a common requirement for users to need elevated permission temporarily.

     

    runasSpc allows just that, and creates a strong tie between username, password and binary to be executed. It also has control over profile loading for correct directories etc


    Thanks again, I wish the guy who wrote it had a forum so I could thank him.

    Tuesday, September 20, 2011 11:39 AM
  • > One problem I noticed at least with QuickBooks is that when I try and save
    > something from the program it defaults to the administrator profile for
    > things such as My Documents and Desktop.
     
    Try the runas command with the noprofile switch. Type Runas/? for help.
    --
    ..
    --
    "ClarityIT" wrote in message news:ccf080fe-f72f-4201-a4ce-77bc321bd74f...
    >
    >
    > I am running into a similar problem with QuickBooks. I have users logging
    > in to a Terminal Server and using QuickBooks. QuickBooks needs to have
    > administrative right to run all functions of the program correctly. I
    > can't give admin rights to all users over the entire server so I am
    > following this forum and trying this Runas command. I used what you did
    > above and it seems to be working. What I noticed is that you left the
    > quotes out of the Program it is opening. Your code should look like
    > this...
    >
    > runas /savecred /user:ComputerName\UserName
    > "c:\windows\system32\DpiScaling.exe"
    >
    > Once you have the shortcut created, you will need to run the shortcut from
    > the users profile and enter the admin password. From there the user should
    > always be opening with admin rights and not be asked for a password.
    >
    > One problem I noticed at least with QuickBooks is that when I try and save
    > something from the program it defaults to the administrator profile for
    > things such as My Documents and Desktop.
    >
    >
    >
    > Hope this will help you out if you already haven't solved the problem.
    >
    >
    >
    > Though I myself have not tried this....it may also do the trick.
    >
    > http://www.robotronic.de/runasspcEn.html
    >
     
     
    Tuesday, September 20, 2011 12:26 PM
  • Also try the env switch.
     
    --
    ..
    --
    "DavidMCandy" wrote in message news:b46ce64b-6574-4d52-a390-c1f194c65be6...
    >> One problem I noticed at least with QuickBooks is that when I try and
    >> save
    >> something from the program it defaults to the administrator profile for
    >> things such as My Documents and Desktop.
    >
    > Try the runas command with the noprofile switch. Type Runas/? for help.
    > --
    > ..
    > --
    > "ClarityIT" wrote in message news:ccf080fe-f72f-4201-a4ce-77bc321bd74f...
    >>
    >>
    >> I am running into a similar problem with QuickBooks. I have users logging
    >> in to a Terminal Server and using QuickBooks. QuickBooks needs to have
    >> administrative right to run all functions of the program correctly. I
    >> can't give admin rights to all users over the entire server so I am
    >> following this forum and trying this Runas command. I used what you did
    >> above and it seems to be working. What I noticed is that you left the
    >> quotes out of the Program it is opening. Your code should look like
    >> this...
    >>
    >> runas /savecred /user:ComputerName\UserName
    >> "c:\windows\system32\DpiScaling.exe"
    >>
    >> Once you have the shortcut created, you will need to run the shortcut
    >> from
    >> the users profile and enter the admin password. From there the user
    >> should
    >> always be opening with admin rights and not be asked for a password.
    >>
    >> One problem I noticed at least with QuickBooks is that when I try and
    >> save
    >> something from the program it defaults to the administrator profile for
    >> things such as My Documents and Desktop.
    >>
    >>
    >>
    >> Hope this will help you out if you already haven't solved the problem.
    >>
    >>
    >>
    >> Though I myself have not tried this....it may also do the trick.
    >>
    >> http://www.robotronic.de/runasspcEn.html
    >>
    >
    >
     
     
    Tuesday, September 20, 2011 12:34 PM
    • Proposed as answer by anil_robo Sunday, July 14, 2013 6:17 AM
    Tuesday, October 04, 2011 5:04 PM
  • Glad that worked out for you!  I never got around to trying the program.  
    Tuesday, October 11, 2011 7:54 PM
  • Yes, I noticed as well that the Runas command would default to the Admin account for file location during a save.  The command works great if you don't have to save!!
    Tuesday, October 11, 2011 7:56 PM
  • Hi,
    didn't worked for me - Using Windows XP.

    Any Idea about how to set a specific application to always run in "elevated" mode inside a limited user session ?
    and without inserting any power user password ..

    I know a couple of software like Beyound Trust allow to set rules for that (tested and working like magic !!)
    but for some reasons... this isn't possible for now to aquire licences for that software.

    Thanks. 


    MCTS Windows Server Virtualization, Configuration
    Friday, January 20, 2012 12:12 PM
  • For those who came here to get their script elevated through UAC to Admin (so users who get confused with the right-click->"Run as administrator") willmtz got me on the right track but for slightly more succinct and robust code I found this: https://sites.google.com/site/eneerge/home/BatchGotAdmin

    Hope this helps someone.

    • Proposed as answer by Simonjb68 Friday, May 03, 2013 12:19 PM
    Thursday, May 10, 2012 3:24 PM
  • The following will allow a program that requires admin rights to run by saving the admin credentials:

    1. Create a normal Short-Cut to application.exe on the desktop.
    2. Right-click the short-cut and select Properties.
    3. In the Target box, insert the following before the path to application.exe: "runas /savecred /user:administrator ".
    4. Double-click the new short-cut, and enter the administrator password.
    Thursday, January 31, 2013 4:46 PM
  • FYI, this is not available in Windows 7 Home Edition
    Sunday, April 14, 2013 5:32 PM
  • That worked! Thank you so much!
    Sunday, July 14, 2013 6:17 AM