Tip

Further alternatives to using RUNAS

In an earlier tip I wrote about the RUNAS command, which allows a user to run a program in the context of another user.

RUNAS has several limitations, not the least of which is there being no really elegant way to pass a username and password to the program without actually typing it in. This makes it almost worthless for applications that need to run in a protected context without the user knowing the password. I mentioned some possible workarounds, but since then I've discovered that a few people have come up with different solutions to the problem.

One answer is a third-party utility named Sanur (RUNAS spelled backwards!). Sanur is a console program that pipes a password either from the command line or from a file. One technique described in the Sanur FAQ shows how a password can be obfuscated by storing the password in an alternate data stream (on an NTFS volume). This is not exactly an orthodox way to hide data, but it's not dangerous and it has the benefit of not being obvious! The program and its documentation can be found at Commandline.co.uk.
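
A password kept in an alternate data stream is hidden from a plain directory listing, but the stream can be enumerated and read by anyone who can read the file. The PowerShell script below is an added example, not taken from this tip or from the Sanur FAQ; it audits a folder for such streams, and the function name Get-AlternateStream, the demo folder, the file name and the stream name are all constructed for illustration (PowerShell 3.0 or later on an NTFS volume is assumed).

```powershell
# Added example: audit a directory tree for NTFS alternate data streams (ADS).
# Assumes PowerShell 3.0+ and an NTFS volume. All paths and names are constructed.

function Get-AlternateStream {
    param(
        [Parameter(Mandatory)] [string] $Path
    )
    # Every file has an unnamed default stream reported as ':$DATA';
    # any other stream name is an alternate data stream.
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        # Zone.Identifier is the download marker Windows itself writes, so flag it
        # to separate expected streams from ones that deserve a closer look.
        Select-Object @{n='File';e={$_.FileName}}, Stream, Length,
                      @{n='IsZoneMarker';e={$_.Stream -eq 'Zone.Identifier'}}
}

# Constructed sample: a launcher script with a secret tucked into a stream named 'pw'.
$demo = Join-Path $env:TEMP 'ads-audit-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$launcher = Join-Path $demo 'launch.cmd'
Set-Content -LiteralPath $launcher -Value 'rem placeholder launcher'
Set-Content -LiteralPath $launcher -Stream 'pw' -Value 'constructed-secret'

# The audit lists the stream, its name and its size.
Get-AlternateStream -Path $demo | Format-Table -AutoSize

# The stream shares the file's ACL, so read access to the file is read access
# to the stored value.
Get-Content -LiteralPath $launcher -Stream 'pw'

# Clean up the constructed sample.
Remove-Item -LiteralPath $demo -Recurse -Force
```

Running the function against script and scheduled-task folders shows whether any launcher files carry unexpected named streams.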

Another variant is JoeWare.Net's free CPAU (Create Process As User) utility. CPAU has provisions for reasonably secure scripting that should prevent casual tampering—a script file can be fed into the program and can also be scrambled to prevent a user from opening it and reverse-engineering the password. Those who want a fairly secure way to do RUNAS can consider this as a starting point. The program can be found at JoeWare.Net.

Programmer Jesús de la Vega has created an interesting adjunct to RUNAS, called runserv. runserv creates a system service on a Windows 2000 / 2003 computer which can then be remotely addressed through a command-line program named RUNASv. RUNASv's command line parameters consist of a program to run, a computer name or IP address, a username in the format \\domain\user, and a password. runserv can be handy for running tasks remotely without needing to create a separate login with administrative permissions, since it works directly with existing user credentials.

The original source code for the project is available, so a knowledgeable user could add their own extensions to it. See CodeGuru to download the program and see more notes on it.


Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check out his Windows 2000 blog for his latest advice and musings on the world of Windows network administrators – please share your thoughts as well!


This was first published in April 2004
