ShawnAdministrator
(KiX Supporter)
2005-12-24 02:20 PM
RUNNAS - Tokenized Runas Utility

Would like to introduce a new command line tool called RUNNAS.EXE (two n's) - it's available only at KORG and you can get it here:

RUNNAS - Tokenized Runas Utility

It works much like Microsoft's standard runas.exe except for a few important features:

1) You can specify a password on the command line

2) You can tokenize the command line into a file.

3) You can execute the tokenized file.

This software is at first release and should be considered as beta. Please post any comments, suggestions or bugs to this space.

Documentation:

Code:

RUNNAS 1.14

Allows a user to run specific tools and programs with different permissions
than the user's current logon provides.

Note: This version of runnas is not guaranteed to be compatible with the
previous version. Please re-tokenize your files for added security.


SYNTAX:

runnas /user:<username> command [/password:<password>] [/noprofile]
[/profile] [/env] [/netonly] [/logononly] [/wait] [/return]
[/title:<title>] [/tokenize:<tokenfile>] [/crc] [/allowargs]
[/<token>:<value>]

runnas tokenfile [/<token>:<value>] [/args:<arguments>] [/delete]


PARAMETERS:

/user        <username> should be in form USER or DOMAIN\USER.
command      Command line to run. See below for examples
/password    The clear-text password for the user account. If not
             specified, you will be prompted for the password.
/noprofile   Specifies that the user's profile should not be loaded.
             This causes the application to load more quickly, but
             can cause some applications to malfunction.
/profile     Specifies that the user's profile should be loaded.
             This is the default.
/env         To use current environment instead of the user's
/netonly     Use if the credentials specified are for remote
             access only.
/logononly   Use if command is to be run during interactive logon only.
/wait        Wait for the program to finish.
/return      Return errorlevel of program. Use with /wait.
/title       For console processes, this is the title displayed in the
             title bar if a new console window is created.
/tokenize    Tokenize command line into <tokenfile>.
/crc         Calculate CRC (Cyclic Redundancy Check) of command
             line executable and save it to <tokenfile>.
/allowargs   Allow passing additional arguments to <tokenfile>.
tokenfile    The name of a tokenized command line file.
/<token>     Replace command line <token> with <value>.
/args        Additional <arguments>. Valid only if tokenfile was
             created with /allowargs switch.
/delete      Delete tokenfile when done.


NOTE: Enter user's password when prompted.
NOTE: USER\DOMAIN is not compatible with /netonly.
NOTE: /profile is not compatible with /netonly.
NOTE: Most parameters can be shortened to 3 characters.


EXAMPLES:

> runnas /user:admin mmc
> runnas /user:admin "cmd /c dir c:\ & pause" /password:xxx

Create and execute a tokenfile:

> runnas /user:admin notepad.exe /password:xxx /tokenize:notepad.tok
> runnas notepad.tok

Pass quotes inside a quoted string (using \" metachar):

> runnas /user:admin "\"c:\program files\my app\app.exe\"" /pass:xxx

Pass arguments to a tokenfile:

> runnas /user:admin "notepad.exe" /pass:xxx /tok:notepad.tok /allowargs
> runnas notepad.tok /args:"file.txt"

Replace tokens in a tokenfile:

> runnas /user:admin "notepad.exe <p1>.<p2>" /pas:xxx /tok:notepad.tok
> runnas notepad.tok /p1:myfile /p2:txt


TERMS OF USE
------------

This software is provided "as is" and "with all faults". The author
makes no representations or warranties of any kind concerning the
quality, safety or suitability of the software, either express or
implied, including without limitation any implied warranties of
merchantability, or fitness for a particular purpose.




Les
(KiX Master)
2005-12-24 03:57 PM
Re: RUNNAS - Tokenized Runas Utility

Does this have anything to do with SANUR ( http://www.commandline.co.uk/sanur/ ) no longer being supported? Mind you, I don't recall SANUR obfuscating the password.

Do you do anything to check if the executable name matches the internal name in case someone tries renaming it in an attempt to elevate one's rights? Do you check its CRC?


Les
(KiX Master)
2005-12-24 04:20 PM
Re: RUNNAS - Tokenized Runas Utility

Hmmm... I should follow my own advice that I dish out.
Instead of asking, why not just try it? How hard can it be?

The answer is EASY! Sub in another proggy and it happily runs it! DOH!


ShawnAdministrator
(KiX Supporter)
2005-12-24 04:26 PM
Re: RUNNAS - Tokenized Runas Utility

This has nothing to do with sanur or even runas for that matter. It's a simple stand-alone executable with zero dependencies. Does runas check for CRC etc ?

Les
(KiX Master)
2005-12-24 04:33 PM
Re: RUNNAS - Tokenized Runas Utility

I have not played much with the MS RunAs. Does it have an option to save the commandline complete with password? What does the /SaveCred switch do?

ShawnAdministrator
(KiX Supporter)
2005-12-24 09:01 PM
Re: RUNNAS - Tokenized Runas Utility

New version 1.1 ... fixed some command line args and added the /wait switch ... that instructs runnas to wait for the program to finish, and return the errorlevel of the started program, for example:

runnas john.doe notepad /pass:xxxxxx /wait

-Shawn



NTDOCAdministrator
(KiX Master)
2005-12-24 09:32 PM
Re: RUNNAS - Tokenized Runas Utility

SWEET Shawn. I like it so far.

Have tested it on accounts with non admin privileges and the application will run but won't access areas they're not allowed to.

Have used Admin rights with different account and it runs as expected too.

As per one of Les' questions. Maybe add some code to hash/crc check that the executable has not been modified to include even a rename of the exe.

I like the idea that the tokenize overwrites the previous entry, but using a switch would it be possible to chain a couple commands?

So far it ROCKS dude.

Will test some more on Monday at work. May have to take a look at some reverse engineering some to see how easily / difficult it might be to reverse the obfuscation.

But don't think I'll get that much computing time in the next couple days.


NTDOCAdministrator
(KiX Master)
2005-12-24 09:34 PM
Re: RUNNAS - Tokenized Runas Utility

Maybe some built-in RUN ONCE code too so that the tokenized file and / or EXE can / would delete itself with a 3 pass wipe? LOL I know that's a lot to ask.

ShawnAdministrator
(KiX Supporter)
2005-12-24 11:16 PM
Re: RUNNAS - Tokenized Runas Utility

Added the /delete switch when running a tokenized file. This will delete the token file when finished (thx NTDOC). Example:

runnas token.txt /delete


Les
(KiX Master)
2005-12-25 05:00 PM
Re: RUNNAS - Tokenized Runas Utility

food for thought...
Microsoft Elevated Privileges Application Launcher
it fingerprints the exe


Les
(KiX Master)
2005-12-26 04:29 PM
Re: RUNNAS - Tokenized Runas Utility

Shawn,
As long as there remains the possibility that this utility can be misused to elevate one's rights, I will be on you like a dog on a postman's leg. There are way too many admins that will not think through all the security implications and unleash this utility with a tokenized file thinking that it is secure.

I don't mean to disparage DOC, but during an MSN chat, it became clear to me that he did not catch the drift of what I said in this thread and he is a smart person! In the interest of clarity, I will reiterate my concern.

When you create a tokenized file that will run AppA.exe with elevated rights, all the user needs to do is to replace AppA.exe with another app that has the same name, and it will run with the same elevated rights!


Les
(KiX Master)
2005-12-26 04:57 PM
Re: RUNNAS - Tokenized Runas Utility

Was thinking... the UserID is saved in the tokenized file as the human readable name and not the SID of the account. This can be a good thing in the case of local accounts that would have different SIDs but I wonder if there may be a desire to force it to the SID instead? Maybe an optional /SID parm?

I cannot think right now of how someone might abuse this, but just because I'm paranoid, doesn't mean someone is NOT out to get me.


NTDOCAdministrator
(KiX Master)
2005-12-26 06:17 PM
Re: RUNNAS - Tokenized Runas Utility

Les,

Correct was not thinking of your concern. Was thinking more in the terms of a user making a copy of the file, renaming it and then using it on his/her system with copies of tokenized files until he/she was able to inject their own program, but your concern is actually much more likely.

I suppose I'm too used to analyzing from a more advanced level.

As for the UserID being in the tokenized file as plain text not sure where you saw that. I'm certainly not seeing anything like that here.

Well think Shawn has some good ideas about CRC checking the executable and if possible even the path.

Told him to also include some semi-legal disclaimers along with the utility and even inside the utility because you know sooner or later someone is going to try and abuse the tool on purpose like a butt-head. Just like they did with WSH - actually a nice tool but then the scripting kiddies thought it would be cool to damage people's stuff with it.
 


NTDOCAdministrator
(KiX Master)
2005-12-26 06:27 PM
Re: RUNNAS - Tokenized Runas Utility

Shawn I was unable to run network accounts with the password stored in the tokenized file. It prompts for the password.

ShawnAdministrator
(KiX Supporter)
2005-12-26 07:05 PM
Re: RUNNAS - Tokenized Runas Utility

I'm coding in the CRC check and some other things ... the command line is starting to become a little "complex" ... will probably have to re-structure the command line args ... so until the next version comes out ... let's re-try the network account thing then ... the tokenized file format will be changing then as well.

Les
(KiX Master)
2005-12-26 07:42 PM
Re: RUNNAS - Tokenized Runas Utility

DOC,
Did not mean for you to infer that the UserID was stored in clear text cuz it ain't but the human readable form of it is what is tokenized, not the SID of the account.


Les
(KiX Master)
2005-12-26 07:46 PM
Re: RUNNAS - Tokenized Runas Utility

Shawn,
Since this util most likely will go through many iterations, there is a probability that the tokenized parm file will not always be backward compatible so I might suggest you write the version to the file and then check it at runtime.


ShawnAdministrator
(KiX Supporter)
2005-12-26 08:23 PM
Re: RUNNAS - Tokenized Runas Utility

I agree Les but I think it would be easier (on me) if the token file could remain in flux until this util stabilizes a bit. I always wondered why Ruud could (would) never keep the Kixtart tokenized file versioned - now I understand why.

NTDOCAdministrator
(KiX Master)
2005-12-26 09:17 PM
Re: RUNNAS - Tokenized Runas Utility

Okay it may be a command line parsing issue because I can get some tasks to run using network credentials.

As for the algorithm for the obfuscation it is not a basic number flipping routine and the average desktop user will not be reverse engineering it. That is not to say that someone with more advanced computer skills that takes on the task of trying to beat it won't figure it out in time.
And one could also run this through an advanced debugger and extract the code.

As with any tool like this, caution should be used when and where used.
 


ShawnAdministrator
(KiX Supporter)
2005-12-27 06:13 PM
Re: RUNNAS - Tokenized Runas Utility

New version with fix in regards to specifying domain accounts. Added the /user switch to make it more compatible with microsoft runas.

ShawnAdministrator
(KiX Supporter)
2005-12-28 02:34 AM
Re: RUNNAS - Tokenized Runas Utility

Version 1.3 is now available. I implemented a wise suggestion from Les ... to do with the tokenized (encrypted) file. The token file is now a "moving target" - the encryption will vary between invocations - even if the command line remains constant. This will hinder any "brute force" attempt to crack the encryption.

-Shawn


LonkeroAdministrator
(KiX Master Guru)
2005-12-28 11:02 PM
Re: RUNNAS - Tokenized Runas Utility

you using the dot net crypto?
might also include at least the md5 stuff to kf .net once you are on it. (so I don't need to )


ShawnAdministrator
(KiX Supporter)
2005-12-28 11:06 PM
Re: RUNNAS - Tokenized Runas Utility

nah, this util has zero dependencies - other than it only works on nt5 and above.

LonkeroAdministrator
(KiX Master Guru)
2005-12-29 12:11 AM
Re: RUNNAS - Tokenized Runas Utility

just saw the error condition line:
"This application cannot run using the active version of the Microsoft .NET Runtime"


NTDOCAdministrator
(KiX Master)
2005-12-29 02:14 AM
Re: RUNNAS - Tokenized Runas Utility

Okay, RUNNAS should now be up to version 1.6

Been chatting with Shawn on MSN and ironed out a few other issues with error codes.

Shawn should post an update soon.


ShawnAdministrator
(KiX Supporter)
2005-12-29 02:17 AM
Re: RUNNAS - Tokenized Runas Utility

I kinda lumped the last changes into a 1.4 which is posted.

ShawnAdministrator
(KiX Supporter)
2005-12-30 08:18 PM
Re: RUNNAS - Tokenized Runas Utility

Runnas 1.5 is available. Added the /CRC switch. This performs an optional Cyclic Redundancy Check on the command line executable and saves it to the tokenfile. Later, when run from a tokenfile, the CRC is re-validated for added security.
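
The check discussed in this thread (fingerprint the executable when the token file is created, re-validate before launch), as an added example that is not runnas code and not part of the original posts. The record layout and the names `pin`, `verify` and `demo` are hypothetical, and the program bytes are constructed sample data.

```python
import hashlib
import os
import tempfile
import zlib


def fingerprint(path):
    """Stream the file once and return its size, CRC-32 and SHA-256."""
    crc, size, sha = 0, 0, hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
            sha.update(chunk)
            size += len(chunk)
    return {"size": size, "crc32": crc & 0xFFFFFFFF, "sha256": sha.hexdigest()}


def pin(path):
    """Record taken at tokenize time (hypothetical layout, not the runnas format)."""
    record = {"path": os.path.abspath(path)}
    record.update(fingerprint(path))
    return record


def verify(record, mode):
    """Re-check the pinned executable just before launch.

    mode 'name'   : only confirms a file with that name still exists
    mode 'crc32'  : compares size and CRC-32 with the pinned values
    mode 'sha256' : compares the SHA-256 digest with the pinned value
    """
    path = record["path"]
    if not os.path.isfile(path):
        return False
    if mode == "name":
        return True
    now = fingerprint(path)
    if mode == "crc32":
        return (now["size"], now["crc32"]) == (record["size"], record["crc32"])
    if mode == "sha256":
        return now["sha256"] == record["sha256"]
    raise ValueError("unknown mode: " + mode)


def demo():
    """Pin a constructed AppA.exe, swap its content, and verify in each mode."""
    modes = ("name", "crc32", "sha256")
    with tempfile.TemporaryDirectory() as folder:
        app = os.path.join(folder, "AppA.exe")
        with open(app, "wb") as fh:
            fh.write(b"constructed bytes standing in for the approved program")
        record = pin(app)
        before = {m: verify(record, m) for m in modes}
        # Same file name, different content: the case raised in the thread.
        with open(app, "wb") as fh:
            fh.write(b"constructed bytes standing in for a different program, same name")
        after = {m: verify(record, m) for m in modes}
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before swap:", before)
    print("after swap: ", after)
```

The pinned record is only as trustworthy as its storage, which is why it belongs inside the protected token file rather than beside the executable. CRC-32 detects a changed file but is not a cryptographic hash, so a SHA-256 digest is the stronger pin.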

Chris S.
(MM club member)
2005-12-30 08:42 PM
Re: RUNNAS - Tokenized Runas Utility

Sounds great so far.

Can you turn it into a COM component and tokenize the "cmd files"?


ShawnAdministrator
(KiX Supporter)
2005-12-31 12:10 AM
Re: RUNNAS - Tokenized Runas Utility

good idea and could. but not in the short term. only have one more thing to add, then going to put this to rest for a while.

ShawnAdministrator
(KiX Supporter)
2005-12-31 01:14 AM
Re: RUNNAS - Tokenized Runas Utility

runnas 1.6 is available. added the following two parameters:

/allowargs - allow additional arguments to be passed to tokenfile.

/args - additional arguments for tokenfile.

-Shawn


Les
(KiX Master)
2005-12-31 01:37 AM
Re: RUNNAS - Tokenized Runas Utility

args huh?
caveat emptor
I could see that possibly be exploited in some cases.


ShawnAdministrator
(KiX Supporter)
2005-12-31 01:41 AM
Re: RUNNAS - Tokenized Runas Utility

yup i agree - that's why by default it's turned off. but otherwise pretty handy to have. would definitely be a security issue if you were running cmd.exe.

Les
(KiX Master)
2005-12-31 01:43 AM
Re: RUNNAS - Tokenized Runas Utility

ja, I'm sure you are aware of the implications. Just wanted to put on record that when it comes to security, it is caveat emptor.

LonkeroAdministrator
(KiX Master Guru)
2005-12-31 01:48 AM
Re: RUNNAS - Tokenized Runas Utility

implications...
hmm...
gladly I don't need to see those.


NTDOCAdministrator
(KiX Master)
2005-12-31 03:02 AM
Re: RUNNAS - Tokenized Runas Utility

Be careful there Shawn. Don't want your util turning out to be like the SONY software. They certainly did not foresee or wish for it to be abused as such but you can see the outcome there.

Anyways... KF.ORG appears to be down at the moment, can't download the latest version at the moment.


ShawnAdministrator
(KiX Supporter)
2005-12-31 03:12 AM
Re: RUNNAS - Tokenized Runas Utility

ja understood. like i say by default its not enabled. so one has to enable it in a heads-up kinda fashion. much would depend on what was being called and how. but you guys do make a good point.

ok its been re-hosted.


NTDOCAdministrator
(KiX Master)
2005-12-31 03:22 AM
Re: RUNNAS - Tokenized Runas Utility

Thanks, new download worked fine.

Chris S.
(MM club member)
2006-01-03 02:38 PM
Re: RUNNAS - Tokenized Runas Utility

Since there are times when an application must be installed under the current user's context would it be possible to add a /RUNASADMIN switch that either temporarily raises the user's rights or allows that process to run elevated?

LonkeroAdministrator
(KiX Master Guru)
2006-01-03 02:52 PM
Re: RUNNAS - Tokenized Runas Utility

no.

NTDOCAdministrator
(KiX Master)
2006-01-03 08:05 PM
Re: RUNNAS - Tokenized Runas Utility

Chris, it already should work for many things as the main process can be launched using the current user's profile, but with the credentials of an Administrative account.

If a stub process is kicked off that did not maintain the thread process level then it would lose those Admin rights, but otherwise should run as the account you specified.

I'm sure that there are installs that can or would be problematic, but would think many others should work fine as the process is then editing the registry and placing files in the system32 folder, etc...

I plan on doing some testing in that area this week and will post my findings.


ShawnAdministrator
(KiX Supporter)
2006-01-03 09:02 PM
Re: RUNNAS - Tokenized Runas Utility

An easy test is as follows:

runnas /user:JOE.USER /pass:xxxxxx cmd

then in the new command window if you do a SET you will see that the environment variables belong to JOE.USER and if you do a REGEDIT you'll see that the HKCU belongs to JOE.USER.

Could something like Chris suggest be done ? Kinda. The trick is to have runnas do two things:

1) Map the ENV variables of the calling process to the new process

2) Map the HKCU of the calling process to the new process.

What I mean by kinda is that you're not really elevating the privileges, you're running the current user environment with a more privileged account.



LonkeroAdministrator
(KiX Master Guru)
2006-01-03 09:16 PM
Re: RUNNAS - Tokenized Runas Utility

and with those lengthy posts you still need to go conclude with my simple and short answer which is clear for everyone, "no".

ShawnAdministrator
(KiX Supporter)
2006-01-18 10:52 PM
Re: RUNNAS - Tokenized Runas Utility

ok going to go slow with these changes ... Version 1.7 is available.

Added the /ENV switch - this substitutes the caller's environment (variables) into the callee's environment (variables). Similar to the way Microsoft's runas does (although I'm not too sure if the ms /env also substitutes HKCU or not, will have to test that).

Encoding environment variables into the token file needs a bit more work and testing.

"Thinking about" the other change now - token substitution ... need more thought on that one.

Not sure if these changes are moving things along in the direction that will help you out or not - please advise.

[edit]

It appears the ms runas /env just substitutes environment vars.


ShawnAdministrator
(KiX Supporter)
2006-01-19 03:55 AM
Re: RUNNAS - Tokenized Runas Utility

ok, runnas version 1.8 is now available ... this new release supports substituting "tokens" on the command line ... it works like this:

1) Create a token file that starts notepad - the filename is a token:

> runnas "notepad.exe <p1>" /user:joe /pass:xxx /tok:notepad.tok

2) Run the tokenfile and replace <p1> at runtime:

> runnas notepad.tok /p1:file1.txt

Note: If you tokenize part of the executable path, and you want a /crc check, then you must at least provide that token on the command line (/crc needs to locate the file).

I'm not sure how much of a security risk this adds - much would depend on what kind of command line you crafted, and specifically what you tokenize - if anyone wants to "discover" possible spoofing scenarios, please post your example command lines.


ShawnAdministrator
(KiX Supporter)
2006-01-19 05:11 AM
Re: RUNNAS - Tokenized Runas Utility

I will post the first example of how NOT to use the new token substitution feature:

runnas "<p1>" /user:admin /pass:xxx /tok:file.tok
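
A review aid for command lines before they are tokenized, as an added example that is not part of the original posts and not runnas code. It flags the cases raised in this thread: a `<token>` inside the executable part, cmd.exe combined with `/allowargs` or tokens, and a token file created without `/crc`. The function names, finding labels and the simple quoting rule are assumptions made for the example.

```python
import re

# A replaceable token as used in the thread's examples: <p1>, <p2>, ...
TOKEN = re.compile(r"<[^<>\s]+>")

# Command interpreters named on this page; extending the set is a site decision.
INTERPRETERS = {"cmd", "cmd.exe", "%comspec%"}


def split_executable(command):
    """Split a command line into (executable, rest).

    Assumption: a leading double quote delimits an executable path that
    contains spaces; otherwise the executable ends at the first whitespace.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end == -1:
            return command[1:], ""
        return command[1:end], command[end + 1:].strip()
    parts = command.split(None, 1)
    exe = parts[0] if parts else ""
    rest = parts[1] if len(parts) > 1 else ""
    return exe, rest


def lint(command, allowargs=False, crc=False):
    """Return a list of findings for a command line about to be tokenized."""
    findings = []
    exe, rest = split_executable(command)
    base = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()

    # The caller of the token file chooses what runs under the stored account.
    if TOKEN.search(exe):
        findings.append("token-in-executable")

    # An interpreter will run whatever the caller appends or substitutes.
    if base in INTERPRETERS and (allowargs or TOKEN.search(rest)):
        findings.append("interpreter-with-caller-input")

    # Without /crc nothing ties the token file to the file content on disk.
    if not crc:
        findings.append("executable-not-pinned")

    return findings


if __name__ == "__main__":
    # Constructed samples modelled on the command lines quoted in the thread.
    samples = [
        ("<p1>", False, False),
        ("notepad.exe <p1>.<p2>", False, True),
        ("cmd /c dir c:\\ & pause", True, True),
        ('"c:\\program files\\<p1>\\app.exe"', False, True),
    ]
    for command, allowargs, crc in samples:
        print(command, "->", lint(command, allowargs, crc) or "no findings")
```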


ShawnAdministrator
(KiX Supporter)
2006-01-19 03:37 PM
Re: RUNNAS - Tokenized Runas Utility

Updated documentation is in first post showing how to substitute tokens in a tokenfile.


ShawnAdministrator
(KiX Supporter)
2006-01-20 05:11 PM
Re: RUNNAS - Tokenized Runas Utility

New version of runnas available (1.10) added the following features:

  • /wait Wait for the program to finish.
  • /return Return errorlevel of program. Use with /wait.
  • /title For console processes, this is the title displayed in the
    title bar if a new console window is created.






Chris S.
(MM club member)
2006-01-20 06:43 PM
Re: RUNNAS - Tokenized Runas Utility

Good additions. How about a default behavior for the title parameter of: "<process> - <user>"?

NTDOCAdministrator
(KiX Master)
2006-01-20 06:58 PM
Re: RUNNAS - Tokenized Runas Utility

Quote:

How about a default behavior for the title parameter of: "<process> - <user>"?





Boy, talk about the new younger GUI age.


ShawnAdministrator
(KiX Supporter)
2006-01-20 07:32 PM
Re: RUNNAS - Tokenized Runas Utility

Chris thanks. I like that idea too. May be a little tricky but will look into (might be a bit of a chicken and egg thing)... on another matter, I've been waiting for Ron to flame over supporting token substitution, maybe he hasn't seen that yet ;0)

NTDOCAdministrator
(KiX Master)
2006-01-20 07:39 PM
Re: RUNNAS - Tokenized Runas Utility

Hey, we're all supposed to be big boys here and we've already clamored over the potential issues in some cases, so if it becomes one, oh well you've been warned. As with any other similar software - Use At Your Own Risk.

I think Shawn has done a great job with this utility though overall and I plan on using it for certain tasks myself.

Thanks for creating and sharing this utility Shawn.


Les
(KiX Master)
2006-01-20 09:18 PM
Re: RUNNAS - Tokenized Runas Utility

No flames here either... caveat emptor

ShawnAdministrator
(KiX Supporter)
2006-01-21 05:18 PM
Re: RUNNAS - Tokenized Runas Utility

Posted a new version (1.13) added the following new security feature...

/logononly

Use if command is to be run during interactive logon only.

Tested this on Windows XP logon. Don't have Windows 2000 machine to fully test with. If anyone tries this switch on w2k please advise if any issues.


ShawnAdministrator
(KiX Supporter)
2006-01-22 02:10 AM
Re: RUNNAS - Tokenized Runas Utility

Posted a new version (1.14). Added more error handling. Added some extra (internal) security counter-measures.

Les
(KiX Master)
2006-01-22 03:01 AM
Re: RUNNAS - Tokenized Runas Utility

Sounds like you're getting serious about security.

Sealeopard
(KiX Master)
2006-01-22 01:35 PM
Re: RUNNAS - Tokenized Runas Utility

Quote:

security counter-measures



Less secure? Aren't you saying you're implementing counter-measures against security?


ShawnAdministrator
(KiX Supporter)
2006-01-22 02:35 PM
Re: RUNNAS - Tokenized Runas Utility

lol ok, how about "extra security measures" ? ;0)

man, you guys are a tough bunch - glad someone's keeping me honest.


Sealeopard
(KiX Master)
2006-01-22 11:32 PM
Re: RUNNAS - Tokenized Runas Utility

Being German I can safely blame my DNA for this anal attention to detail, what's your excuse?

NTDOCAdministrator
(KiX Master)
2006-02-07 09:38 PM
Re: RUNNAS - Tokenized Runas Utility

Recently came across this KB and thought it might be of some value if for nothing else some examples of how the Microsoft version works.

Secondary Logon (Run As): Starting Programs and Tools in Local Administrative Context
http://support.microsoft.com/kb/225035
 


imjin
(Lurker)
2006-07-17 06:10 PM
Re: RUNNAS - Tokenized Runas Utility

Let me start off by saying that this is a great tool! This is my 1st post since I've usually been a lurker here while I learn KiXtart... I have a question on a possible future modification to runnas.

This tool is currently the only way I've been able to execute apps under an administrative context for our users at login, most of which are not local admins (teachers, students, etc..). We're in the process of migrating away from ScriptLogic due to renewal costs (to the tune of $250k) and I've been attempting to rebuild everything ScriptLogic did. I've pretty much got everything rebuilt with the exception of being able to execute a program (or script) under an administrative context and run it hidden. At login, one of the first things we do is run a "net localgroup" command from a batch file and add a series of domain groups to the local administrators group of each machine. Runnas does this beautifully, but I have to make a separate line for each execution, so if I have 6 groups to add, it flashes up 6 windows. On the occasion where the group is already a part of the local administrators group, it will show the error 1378 (account name is already a member of the group) in the dos window. When the users see this, they think all hell is breaking loose because they just saw the word "error".

I've tried combining the RunEx UDF (which does a shellexecute) with Runnas unsuccessfully. I'm not sure if it had to do with requiring single/double quotes within each, but I gave up on that endeavor. I've tried a few other things like piping the stdout to NUL which works unless the accounts are already present, then the errors flash by in the dos window again. Is it possible to add another option that allows for hidden execution?


NTDOCAdministrator
(KiX Master)
2006-07-18 12:53 AM
Re: RUNNAS - Tokenized Runas Utility

Hello and welcome to the board lurker.

Let's see your code please as the entire script can be run without being seen so we need to see where your code is not managing the feedback.
You should check for Admin rights too yourself if you do or don't want to run something based on current rights of the user.

Please use CODE TAGS and post your code for review.


ShawnAdministrator
(KiX Supporter)
2006-07-18 05:16 AM
Re: RUNNAS - Tokenized Runas Utility

Hi imjin

The other thing, what OS are you running runnas on ? xp ? sp1 or sp2 ?


imjin
(Lurker)
2006-07-18 03:15 PM
Re: RUNNAS - Tokenized Runas Utility

I'm testing on XP SP2, but we've got 2000 SP4 out there as well. The 98 machines I just ignore, hoping they'll fall into a pit somewhere. Most of our user base are set as Power Users, so everything we'd need to use runnas would almost always require local admin to execute.

Here's the line I'm currently using that executes great, but in this sample I'm not trying to pipe the stdout anywhere, but because I have to do a "net localgroup" for every entry in the local administrators group, I've got 4 lines, each of which pops a dos window up, although it closes quickly. I put the Runnas.exe command in its own function called RunAs($TargetApp) so I could shorten main line that calls it. Forgive the chr() commands... old VB habit and I have a few helpdesk techs that could be editing these scripts down the road and the multiple quote characters would probably throw them, and they'd leave out a triple-quote somewhere.

Code:
RunAs("net localgroup " + Chr(34) + "Administrators" + Chr(34) + " " + Chr(34) + "domain\domain admins" + Chr(34) + " /add")
RunAs("net localgroup " + Chr(34) + "Administrators" + Chr(34) + " " + Chr(34) + "domain\integrators" + Chr(34) + " /add")
RunAs("net localgroup " + Chr(34) + "Administrators" + Chr(34) + " " + Chr(34) + "domain\schoolsmca" + Chr(34) + " /add")
RunAs("net localgroup " + Chr(34) + "Administrators" + Chr(34) + " " + Chr(34) + "domain\trfcmca" + Chr(34) + " /add")
;
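; Wraps $TargetApp in quotes and runs it through runnas.exe; the password is passed in clear text on the command line
Function RunAs($TargetApp)
  Shell "%COMSPEC% /c runnas.exe /user:adminuserid " + Chr(34) + $TargetApp + Chr(34) + " /password:adminpassword"
EndFunction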



Normally, in ScriptLogic's app launcher we'd call a batch file that sits in the netlogon folder that has several things in it pertaining to these "net localgroup" commands and a few other cacls folder permission setting entries, so if I could call the batch file on one line, all the better. This was actually the way I first started trying to do it, by executing the teacher.bat file using Runnas.exe, but because the results dos window would appear every time displaying the "net localgroup" errors, I switched to the method above since it at least hides the failed "net localgroup" messages. I've tried adding a " > NUL" to each line in the batch file, which does hide successful command results, but any failed commands that error out show up in the popup dos window.

I just played around with Howard Bullock's GrpMaint tool which I'm thinking may be easier to use by passing a member file to it. Then it just logs failed group membership additions and doesn't fly em across the screen like the command prompt method does.



bizcuts
(Fresh Scripter)
2006-07-18 03:46 PM
Re: RUNNAS - Tokenized Runas Utility

sorry for posting in here, but i cant seem to see the make new thread/post button...and i have a few things i need to ask?

"n00b!!!!" yes i know... green as green can be

any help would good


ShawnAdministrator
(KiX Supporter)
2006-07-18 04:22 PM
Re: RUNNAS - Tokenized Runas Utility

Quote:


Tried adding " > NUL" to each line in the batch file, which does hide successful command results, but any failed commands that error out show up in the popup dos window.





To hide failed commands, add 2>NUL


imjin
(Lurker)
2006-07-18 04:48 PM
Re: RUNNAS - Tokenized Runas Utility

Always the last thing I seem to find... a typo.

If you're using Runnas.exe to fire off a batch file, is there a way to hide the DOS window the batch file spawns?


rickscott
(Lurker)
2006-11-09 04:26 PM
Re: RUNNAS - Tokenized Runas Utility

Hi.. great utility..

I have a Q.

Is it possible to run the runnas.exe from network-drive like L:\folder\runnas.exe setup.tok??

Because when trying I get the following the error:
"RUNNAS: The system cannot find the path specified"

Thx..
Ejner


Björn
(Korg Regular)
2006-11-09 04:45 PM
Re: RUNNAS - Tokenized Runas Utility

perhaps if you map it as the user you're trying to run it as, but best practise seems to be to run it locally, easiest at least.

Mart
(KiX Supporter)
2006-11-09 04:46 PM
Re: RUNNAS - Tokenized Runas Utility

What happens if you specify the full path to setup.tok?

Richard H.Administrator
(KiX Supporter)
2006-11-09 05:20 PM
Re: RUNNAS - Tokenized Runas Utility

Quote:

Is it possible to run the runnas.exe from network-drive like L:\folder\runnas.exe setup.tok??




Tricky.

When you run in the context of another user you normally create a new environment, and that environment does not have the mapped drives of the session that you started the command in.

This means that the process is effectively orphaned from the drive on which it started, so of course cannot find the file to open it.

Clear?


darkblueturbo
(Lurker)
2006-11-29 12:57 PM
Re: RUNNAS - Tokenized Runas Utility

On a similar vein I'm getting the error "unknown command [runnas]" when trying the simple example script of "runnas /user:admin mmc"

I've tried runnas.exe and the full path to runnas.exe, as mentioned above, but still get the same error.

I'm obviously being quite thick here - the runnas.exe file is in the same directory as kix32.exe - so just wondered if anyone could help.

This is before I start looking at tokenizing files and suchlike, which is liable to get my very basic knowledge of Kix very confused...

Thanks for any help guys...


Huron
(Lurker)
2007-02-26 04:42 PM
Re: RUNNAS - Tokenized Runas Utility

I'm not usually active with posts on the board since I'm more of a silent reader, but in this case I wanted to make an exception to thank you personally Shawn.

I've been looking at 'the best way for me' to perform some actions with admin privs calling one loginscript from the other. And I've tested a whole bunch of tools/ways to do this.

But I'm impressed by the simplicity and quality of your RUNNAS.EXE tool.
I got it to work doing what I wanted in less than no time at all.

I was almost ready to start building my own runas tool, but I'm not going to reinvent the wheel since your tool has all I need.

I'm using this in a multi-site corporate environment with about 1000 workstations. And it's working like a charm.

Kudos Shawn !

Greetz,

Huron.


babyjosef17
(Lurker)
2007-09-10 04:57 AM
Re: RUNNAS - Tokenized Runas Utility

I need your help on this one pls.

I want to remotely install SAP on the network.

i wanted to make a batch file, that later I can insert to the logon script.

I keep getting the error:

RUNNAS: Access is Denied.

here is my bat file for your review:

 Code:
  @Echo off
\\sgnas1\library\General\Install\SAP\runnas /user:username "sap.bat" /password:password


and here are the contents of that sap.bat:

 Code:
 
@Echo off
L:\General\Install\SAP\SapFrontEnd640\Setup\SapSetup /install /checkdb /p:"Mhis"


I also tried not using the sap.bat and typing the installation command directly like so:

 Code:
\\sgnas1\library\General\Install\SAP\runnas /user:username "L:\General\Install\SAP\SapFrontEnd640\Setup\SapSetup /install /checkdb /p:"Mhis"" /password:password


but keep getting this error
Runnas: Cannot find the specified path

Please help. Is there anything wrong in the code, or maybe some more attributes to add? Thank you very much.


Les
(KiX Master)
2007-09-10 05:27 AM
Re: RUNNAS - Tokenized Runas Utility

Network drives are mapped per user so I suspect there is no L: mapping for the elevated user.

babyjosef17
(Lurker)
2007-09-10 06:20 AM
Re: RUNNAS - Tokenized Runas Utility

Thanks for the reply.

That's the thing. The L:\ drive is standard on all our workstations, so every PC has it. Really having trouble with this one. :)

Is there a way for runnas to, let's say, use the installation folder on the server machine? Then I would not use a network drive folder anymore.


NTDOCAdministrator
(KiX Master)
2007-09-10 07:16 AM
Re: RUNNAS - Tokenized Runas Utility

No, when you launch RUNNAS that has its own profile and there is no mapping for it.

Please read through the examples and discussions in the RUNNAS thread and you hopefully will find the answer by understanding the process more.


Glenn BarnasAdministrator
(KiX Supporter)
2007-09-10 01:28 PM
Re: RUNNAS - Tokenized Runas Utility

Run your command, but add a
 Code:
Shell '%COMSPEC% /c Net Use > c:\mapped.txt'
to the beginning of it - you may be surprised by what you find in the file.

I would NOT use UNCs for installations - if you change the server or share, the program may have problems checking for updates and uninstall. I always map a drive during installations, and use a consistent drive letter, and have never had such issues since doing so.

Glenn


ShawnAdministrator
(KiX Supporter)
2007-09-10 01:44 PM
Re: RUNNAS - Tokenized Runas Utility

also, your command line has double-quotes within double-quotes. may have to escape those inside quotes with the \ char ...

\\sgnas1\library\General\Install\SAP\runnas /user:username "L:\General\Install\SAP\SapFrontEnd640\Setup\SapSetup /install /checkdb /p:\"Mhis\"" /password:password

or you might try just removing those inside quotes
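
The three problems raised in the posts above (a clear-text /password: value stored in the batch file, a drive-letter path that may not be mapped for the target account, and quotes nested inside the quoted command) can be checked mechanically before a logon script is deployed. The lint below is an added example, not part of the thread or of RUNNAS; the rule names, the C:-only drive heuristic and the sample lines are assumptions made for illustration.

```python
import re

RUNNAS = re.compile(r'(?i)\brunnas(?:\.exe)?\b')
# Switch spellings as they appear in this thread (/pass: and /tok: are the short forms posted here).
PASSWORD = re.compile(r'(?i)((?<!\S)/pass(?:word)?:)\S+')
TOKENIZE = re.compile(r'(?i)(?<!\S)/tok(?:enize)?:\S+')
DRIVE = re.compile(r'(?<![\w/])([A-Za-z]):\\(?!")')   # skips switches such as /p:\"...
BARE_QUOTE = re.compile(r'(?<!\\)"')

def lint_line(line):
    """Return the rule names that apply to one script line invoking runnas."""
    m = RUNNAS.search(line)
    if not m:
        return []
    args = line[m.end():]          # everything handed to runnas
    rules = []
    # Password stored in the script itself; a one-off tokenizing command is not flagged.
    if PASSWORD.search(args) and not TOKENIZE.search(args):
        rules.append('cleartext-password')
    # Heuristic: any drive other than C: may be a per-user mapping missing for the target account.
    if any(d.upper() != 'C' for d in DRIVE.findall(args)):
        rules.append('drive-letter-path')
    # Heuristic: runnas takes one quoted command, so more than two unescaped quotes suggests nesting.
    if len(BARE_QUOTE.findall(args)) > 2:
        rules.append('nested-quotes')
    return rules

def redact(line):
    """Mask the password value so the report does not repeat the secret."""
    return PASSWORD.sub(r'\1***', line)

def lint(text):
    """Return (line number, rule, redacted line) for every finding in a script."""
    report = []
    for number, line in enumerate(text.splitlines(), 1):
        for rule in lint_line(line):
            report.append((number, rule, redact(line)))
    return report

# Constructed sample modelled on the batch lines in this thread; server, account and password are placeholders.
SAMPLE = r'''@echo off
\\server\share\runnas /user:DOMAIN\admin "setup.bat" /password:Examp1e
\\server\share\runnas /user:DOMAIN\admin "L:\Install\Setup /install /p:"X"" /password:Examp1e
runnas /user:DOMAIN\admin "\\server\share\Setup /p:\"X\"" /pass:Examp1e /tok:setup.tok
\\server\share\runnas \\server\share\setup.tok
'''

if __name__ == '__main__':
    for number, rule, shown in lint(SAMPLE):
        print(f'line {number}: {rule}: {shown}')
```

Only the deployed script lines 2 and 3 are reported; the tokenizing command and the token-file invocation pass, and the report prints /password:*** instead of the secret.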


LonkeroAdministrator
(KiX Master Guru)
2007-09-11 01:27 AM
Re: RUNNAS - Tokenized Runas Utility

hmm...
could also try manual install.
it's always refreshing. :)


Rixter
(Fresh Scripter)
2008-04-17 05:36 PM
Re: RUNNAS - Tokenized Runas Utility

Shawn,

I'm trying to use your RUNNAS to perform the MXLOGIN.CMD command file for Vista users to login to our network. My MXLOGIN.KIX runs fine but the portion before that using XCOPY is where I get stuck.

I've created an XCOPY.TOK file using the syntax: (using a real acct and password)
runnas /user:domainadmin "xcopy.exe" /pass:acctpwd /tok:xcopy.tok /logononly

Now I'm not at all sure how to take the XCOPY.TOK (which by the way is the version that comes with Vista) and actually incorporate it into my logon script.

Can you please help me out? Thanks VERY much!

MXLOGON.CMD:
@echo off
if exist %systemdrive%\kix32.exe goto logon
xcopy %0\..\*.exe c:\ >nul
:logon
REM %0\..\Kix32.exe %0\..\MXlogin.kix
%systemdrive%\Kix32.exe %0\..\MXlogin.kix
if errorlevel 1 copy %0\..\*.exe %systemdrive%\ >nul
exit


ShawnAdministrator
(KiX Supporter)
2008-04-17 07:16 PM
Re: RUNNAS - Tokenized Runas Utility

Not sure what you mean when you say "XCOPY.TOK is the version that comes with Vista.". TOK files are generated by runnas.

Rixter
(Fresh Scripter)
2008-04-17 09:21 PM
Re: RUNNAS - Tokenized Runas Utility

Shawn,

Sorry for the confusion. I meant that I'm using the version of XCOPY.EXE that comes with Vista.

I've created an XCOPY.TOK file using the syntax: (using a real acct and password)
runnas /user:domainadmin "xcopy.exe" /pass:acctpwd /tok:xcopy.tok /logononly

Now I'm not at all sure how to take the XCOPY.TOK (which by the way is the version that comes with Vista) and actually incorporate it into my logon script.


Mart
(KiX Supporter)
2008-04-17 09:25 PM
Re: RUNNAS - Tokenized Runas Utility

You cannot just tokenize xcopy.exe. You need to create a script that uses xcopy with the username and pw and all other stuff you need and tokenize the script.

Rixter
(Fresh Scripter)
2008-04-17 10:11 PM
Re: RUNNAS - Tokenized Runas Utility

Mart,

That makes more sense to me. The problem is, and maybe I'm going about this all wrong, that in order to run the login script, which for us is an AD profile setting not a GPO, KIX32.EXE is copied locally to C:\. In my LOGIN.CMD file I have the following:

if exist %systemdrive%\kix32.exe goto logon
copy %0\..\*.exe c:\ >nul
:logon
%systemdrive%\kix32.exe %0\..\login.kix
if errorlevel 1 copy %0\..\*.exe %systemdrive%\ >nul
exit

LOGIN.KIX works fine, it's just the copying of KIX32.EXE locally doesn't work without elevated privileges for Vista. Do you think there's a better way of me doing this?


Mart
(KiX Supporter)
2008-04-17 10:23 PM
Re: RUNNAS - Tokenized Runas Utility

Copying kix with an admin script would be one way. Collect all computer names that should get kix and run a copy job from one admin workstation.
Another way is to create a folder on, let's say, c:\ on each machine with a startup script and set permissions on it with xcacls or the Vista equivalent (if there is a special Vista version). Then you can use a logon script to copy stuff to that folder.
A third way would be to run kix32 from the server and not from the local workstation. Something like \\domain\somefoldershere\sysvol\kix32.exe \\domain\somefoldershere\script.kix.

We have the second option in place for some generic home made apps and other stuff. The third is the one I use to kick off my logon script. This way you have only one place to worry about when upgrading to a newer version of kixtart.


JJ1
(Just in Town)
2008-11-15 02:15 AM
Re: RUNNAS - Tokenized Runas Utility

Is it possible to create a new parameter for the next release of RUNNAS?
It would be great to have an additional parameter "/hide" to hide the window of the started program / process.

The background is that I want to start admin tasks where the window is hidden or shown and the program waits or runs async. --> The last point, "/wait", already exists: "/wait Wait for the program to finish.".

I have tried to realise it (hide the window) with the UDF RunEx or with some WSH code, but without any result :( .
I think it works to hide the program runnas.exe, but I cannot hide the new process started by the runnas utility .....

Here is my current example code that should be "Pre-tokenizing", but the $HIDE=1 part is not working (hide and wait) :( :
 Code:
Function runas($cmd,$hide,$wait)
    Dim $User, $Pass, $runnas
    $User = "DOMAIN\LOGONADMIN"
    $Pass = "secret"
    If Check_Server() = 0
	IF $LOGGING WriteLog ("RunAs - Script not running on an Logonserver -> quit logon script - " + $Server) ENDIF
	Quit
    ENDIF
    $runnas = @SCRIPTDIR + '\Tools\RunAs\runnas.exe'
    IF $HIDE = 1
	IF $WAIT = 1
	   RunEx($runnas, '/user:' + $User + ' "' + $cmd + '" /password:' + $Pass + ' /ENV /WAIT')
	ELSE
	   RunEx($runnas, '/user:' + $User + ' "' + $cmd + '" /password:' + $Pass + ' /ENV')
	ENDIF
    ELSE
	IF $WAIT = 1
	   SHELL $runnas + ' /user:' + $User + ' "' + $cmd + '" /password:' + $Pass + ' /ENV /WAIT'
	ELSE
	   RUN $runnas + ' /user:' + $User + ' "' + $cmd + '" /password:' + $Pass + ' /ENV'
	ENDIF
    ENDIF
EndFunction 


Or does any other solution exist to hide the starting program?
I have tried to search the forum but I have not found a solution.

I think I can also build it with AutoIT, but with this I miss the parameter "/ENV" .....


AllenAdministrator
(KiX Supporter)
2008-11-15 02:22 AM
Re: RUNNAS - Tokenized Runas Utility

May or may not have anything to do with your question, but what/where is RunEx?

LonkeroAdministrator
(KiX Master Guru)
2008-11-15 07:20 PM
Re: RUNNAS - Tokenized Runas Utility

sounds like my old UDF.

LonkeroAdministrator
(KiX Master Guru)
2008-11-15 07:21 PM
Re: RUNNAS - Tokenized Runas Utility

http://www.kixtart.org/forums/ubbthreads.php?ubb=showflat&Number=83752

NTDOCAdministrator
(KiX Master)
2008-11-17 07:18 PM
Re: RUNNAS - Tokenized Runas Utility

A Shell out to the program should be hidden using the CMD redirects

JJ1
(Just in Town)
2008-11-18 11:34 AM
Re: RUNNAS - Tokenized Runas Utility

 Originally Posted By: NTDOC
A Shell out to the program should be hidden using the CMD redirects

Mmm, ok this works for this case:
 Code:
runas('%windir%\system32\cacls.exe %windir%\BGInfo.bmp /E /C /G "Users":F' > nul,1,0)

but not for this:
 Code:
runas("\\myserver\ofcscan\AutoPcc.exe > nul",1,0)

Currently I use my own program with AutoIt to hide and start the program, but want to use the runnas utility in the future, so it would be nice to have a /HIDE switch ...., or does anybody have another idea to hide the window for an .exe file?



AllenAdministrator
(KiX Supporter)
2008-11-18 03:03 PM
Re: RUNNAS - Tokenized Runas Utility

Might this help?
http://esupport.trendmicro.com/support/viewxml.do?ContentID=1034748


JJ1
(Just in Town)
2008-11-18 04:07 PM
Re: RUNNAS - Tokenized Runas Utility

 Originally Posted By: Allen

Yes, thank you this helps for the AutoPcc.exe .....

BUT my wish for the "/HIDE" parameter is maybe also for applications where it is not so easy to hide the output.
I think it can be a useful parameter...., and with it you (or better I ;) ) do not need to search for other "tricks" to hide the output (?).


NTDOCAdministrator
(KiX Master)
2008-11-19 09:08 PM
Re: RUNNAS - Tokenized Runas Utility

To hide a console application you need to use and shell to CMD.EXE which supports the redirects, not the application.

AllenAdministrator
(KiX Supporter)
2008-11-20 12:06 AM
Re: RUNNAS - Tokenized Runas Utility

Yeah... but then the cmd shell pops up instead. I think he was looking for completely hidden/silent.

NTDOCAdministrator
(KiX Master)
2008-11-20 02:40 AM
Re: RUNNAS - Tokenized Runas Utility

No the CMD shell does not pop open. I use it all the time. The only reason you might see it is if you don't redirect it to nul or if it's just some odd behaving application that spews junk no matter what.

Here is an example
 Code:
SHELL '%COMSPEC% /C "\\MYSERVER\SHARE2\WHOAMI.EXE" >NUL 2>NUL'



JJ1
(Just in Town)
2008-11-20 03:09 PM
Re: RUNNAS - Tokenized Runas Utility

This will be my last post in this thread; maybe I should open a new post in the beginners section with the topic "What shell redirects are possible" ;) .
I have tried a lot of combinations with redirects but all without any good result.

My question is how can I hide any window from the starting program? --> when I start the program with the runnas.exe!
In my example below it opens the "CMD.EXE" window every time; of course I can hide the output in the CMD.EXE window, but not the window itself.

Maybe someone can show me in my small example how I can HIDE any output/window from my starting program (example 1 and 2)?

 Code:
$rc = SetOption('NoVarsInStrings','ON')
$rc = SetOption('Explicit','ON')

; File _dir.cmd
;@ECHO OFF
;DIR %WINDIR% > %1\out.txt

; Example 1
runas(@SCRIPTDIR + '\_dir.cmd ' + @SCRIPTDIR)

; Example 2
;runas('%comspec% /c dir %WINDIR% > ' + @SCRIPTDIR + '\out.txt')

Function runas($cmd)
    Dim $User, $Pass, $runnas
    $User = "DOMAIN\USER"
    $Pass = "PASSWORD"
	$runnas = @SCRIPTDIR + '\runnas.exe'
	RUN $runnas + ' /user:' + $User + ' "' + $cmd + '" /password:' + $Pass + ' /ENV /WAIT'
EndFunction 


So I think it would be a good idea to have an extra switch, for example /HIDE, to hide any output/window from programs which are started with the runnas.exe.

In the meantime I have played with AutoIt and now I have a similar function with my "_RunAs.exe". Is this possible with the runnas.exe in a similar way -> redirect or whatever?

As an example of what I mean, my AutoIt code......
 Code:
#NoTrayIcon 

;  PARAMETER
; _RunAs /user:USERNAME "command" /password:PASSWORD [/HIDE] [/WAIT]

If $CmdLine[0] > 2 Then
	$Username = StringSplit ( $CmdLine[1], ":")
	If $Username[1] = "/user" Then 
		$Username = $Username[2]
	Else
		_help()
	EndIf
	
	$Domain = StringSplit ( $Username, "\")
	If @error Then
		$Domain = @ComputerName
	Else
		$Username = $Domain[2]
		$Domain = $Domain[1]
	EndIf
	
	$CMD = $CmdLine[2]

	$Password = StringSplit ( $CmdLine[3], ":")
	If $Password[1] = "/password" Then 
		$Password = $Password[2]
	Else
		_help()
	EndIf
Else
	_help()
EndIf

If $CmdLine[0] > 3 Then
	If $CmdLine[4] = "/HIDE" Then 
		$Window = @SW_HIDE 
	Else 
		$Window = @SW_MAXIMIZE 
	EndIf
Else
	$Window = @SW_MAXIMIZE
EndIf

If $CmdLine[0] < 5 Then
	$WAIT = "/NOWAIT"
Else
	$WAIT = $CmdLine[5]
EndIf

If $WAIT = "/WAIT" Then 
	RunAsWait($Username, $Domain, $Password, 0, $CMD, @TempDir,$Window)
Else
	RunAs($Username, $Domain, $Password, 0, $CMD, @TempDir,$Window)
EndIf

exit 0

Func _help()
	MsgBox(64,'Help','_RunAs.exe /user:USERNAME "command" /password:PASSWORD [/HIDE] [/WAIT]' & @CRLF & @CRLF & '<USERNAME> should be in form USER or DOMAIN\USER.')
	Exit
EndFunc





Qnix
(Just in Town)
2009-09-23 03:42 PM
Re: RUNNAS - Tokenized Runas Utility

Hi guys,

First of all many thanks for all the great tools. Secondly I want to launch the logon script in NT4 with admin rights and colon is not an allowed character so /user:user doesn't work for example. Could you perhaps add an alternative character as well? Space would do fine, to have runnas.exe abc.exe /user user /pass pass, instead of runnas.exe abc.exe /user:user /pass:pass? Or another allowed character for the logon script name string under NT4. It would save me a lot of headache! :)

Again, many thanks!


Björn
(Korg Regular)
2019-04-29 08:02 PM
Re: RUNNAS - Tokenized Runas Utility

Imagine, 2019 and I thought I remembered runnas.. let's see if it still runs ;).

NTDOCAdministrator
(KiX Master)
2019-05-03 08:28 PM
Re: RUNNAS - Tokenized Runas Utility

It should run. Some new stuff in Windows 10 but basics should work I would think.

Let us know what you find, please.