Page 3 of 5 <12345>
Topic Options
#154080 - 2006-01-03 09:02 PM Re: RUNNAS - Tokenized Runas Utility
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
An easy test is as follows:

runnas /user:JOE.USER /pass:xxxxxx cmd

then in the new command window if you do a SET you will see that the environment variables belong to JOE.USER and if you do a REGEDIT you'll see that the HKCU belongs to JOE.USER.

Could something like Chris suggest be done ? Kinda. The trick is to have runnas do two things:

1) Map the ENV variables of the calling process to the new process

2) Map the HKCU of the calling process to the new process.

What I mean by kinda is that your not really elevating the priviledges, your running the current user environment with a more priviledged account.


Top
#154081 - 2006-01-03 09:16 PM Re: RUNNAS - Tokenized Runas Utility
Lonkero Administrator Offline
KiX Master Guru
*****

Registered: 2001-06-05
Posts: 22346
Loc: OK
and with those lengthy posts you still need to go conclude with my simple and short answer which is clear for everyone, "no".
_________________________
!

download KiXnet

Top
#154082 - 2006-01-18 10:52 PM Re: RUNNAS - Tokenized Runas Utility
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
ok going to go slow with these changes ... Version 1.7 is available.

Added the /ENV switch - this substitutes the callers environment (variables) into the callee's environment (variables). Similiar to the way Microsoft's runas does (although I'm not too sure if the ms /env also substitues HKCU or not, will have to test that).

Encoding environment variables into the token file needs a bit more work and testing.

"Thinking about" the other change now - token substitution ... need more thought on that one.

Not sure if these changes are moving things along in the direction that will help you out or not - please advise.

[edit]

It appears the ms runas /env just substitutes environment vars.

Top
#154083 - 2006-01-19 03:55 AM Re: RUNNAS - Tokenized Runas Utility
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
ok, runnas version 1.8 is now available ... this new release supports substituting "tokens" on the command line ... it works like this:

1) Create a token file that starts notepad - the filename is a token:

> runnas "notepad.exe <p1>" /user:joe /pass:xxx /tok:notepad.tok

2) Run the tokenfile and replace <p1> at runtime:

> runnas notepad.tok /p1:file1.txt

Note: If you tokenize part of the executable path, and you want a /crc check, then you must at least provide that token on the command line (/crc needs to locate the file).

I'm not sure how much of a security risk this adds - much would depend on what kind of command line you crafted, and specifically what you tokenize - if anyone wants to "discover" possible spoofing scenarios, please post your example command lines.

Top
#154084 - 2006-01-19 05:11 AM Re: RUNNAS - Tokenized Runas Utility
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
I will post the first example of how NOT to use the new token substitution feature:

runnas "<p1>" /user:admin /pass:xxx /tok:file.tok

Top
#154085 - 2006-01-19 03:37 PM Re: RUNNAS - Tokenized Runas Utility
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
Updated documentation is first post showing how to substitute tokens in a tokenfile.

Top
#154086 - 2006-01-20 05:11 PM Re: RUNNAS - Tokenized Runas Utility
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
New version of runnas available (1.10) added the following features:

  • /wait Wait for the program to finish.
  • /return Return errorlevel of program. Use with /wait.
  • /title For console processes, this is the title displayed in the
    title bar if a new console window is created.





Top
#154087 - 2006-01-20 06:43 PM Re: RUNNAS - Tokenized Runas Utility
Chris S. Offline
MM club member
*****

Registered: 2002-03-18
Posts: 2368
Loc: Earth
Good additions. How about a default behavior for the title parameter of: "<process> - <user>"?
Top
#154088 - 2006-01-20 06:58 PM Re: RUNNAS - Tokenized Runas Utility
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11623
Loc: CA
Quote:

How about a default behavior for the title parameter of: "<process> - <user>"?





Boy, talk about the new younger GUI age.

Top
#154089 - 2006-01-20 07:32 PM Re: RUNNAS - Tokenized Runas Utility
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
Chris thanks. I like that idea too. May be a little tricky but will look into (might be a bit of a chicken and egg thing)... on another matter, I've been waiting for Ron to flame over supporting token substitution, maybe he hasn't seen that yet ;0)
Top
#154090 - 2006-01-20 07:39 PM Re: RUNNAS - Tokenized Runas Utility
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11623
Loc: CA
Hey, we're all supposed to be big boys here and we've already clammered over the potential issues in some cases, so if it becomes one, oh well you've been warned. As with any othe similar software - Use At Your Own Risk.

I think Shawn has done a great job with this utility though overall and I plan on using it for certain tasks myself.

Thanks for creating and sharing this utility Shawn.

Top
#154091 - 2006-01-20 09:18 PM Re: RUNNAS - Tokenized Runas Utility
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
No flames here either... caveat emptor
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

Top
#154092 - 2006-01-21 05:18 PM Re: RUNNAS - Tokenized Runas Utility
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
Posted a new version (1.13) added the following new security feature...

/logononly

Use if command is to be run during interactive logon only.

Tested this on Windows XP logon. Don't have Windows 2000 machine to fully test with. If anyone tries this switch on w2k please advise if any issues.

Top
#154093 - 2006-01-22 02:10 AM Re: RUNNAS - Tokenized Runas Utility
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
Posted a new version (1.14). Added more error handling. Added some extra (internal) security counter-measures.
Top
#154094 - 2006-01-22 03:01 AM Re: RUNNAS - Tokenized Runas Utility
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
Sounds like you're getting serious about security.
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

Top
#154095 - 2006-01-22 01:35 PM Re: RUNNAS - Tokenized Runas Utility
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11164
Loc: Boston, MA, USA
Quote:

security counter-measures



Less secure? Aren't you saying you're implementing counter- measures against security?
_________________________
There are two types of vessels, submarines and targets.

Top
#154096 - 2006-01-22 02:35 PM Re: RUNNAS - Tokenized Runas Utility
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
lol ok, how about "extra security measures" ? ;0)

man, you guys are a tough bunch - glad someone's keeping me honest.

Top
#154097 - 2006-01-22 11:32 PM Re: RUNNAS - Tokenized Runas Utility
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11164
Loc: Boston, MA, USA
Being German I can safely blame my DNA for this anal attention to detail, what's your excuse?

Edited by sealeopard (2006-01-22 11:33 PM)
_________________________
There are two types of vessels, submarines and targets.

Top
#154098 - 2006-02-07 09:38 PM Re: RUNNAS - Tokenized Runas Utility
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11623
Loc: CA
Recently came across this KB and thought it might be of some value if for nothing else some examples of how the Microsoft version works.

Secondary Logon (Run As): Starting Programs and Tools in Local Administrative Context
http://support.microsoft.com/kb/225035
 

Top
#154099 - 2006-07-17 06:10 PM Re: RUNNAS - Tokenized Runas Utility
imjin Offline
Lurker

Registered: 2006-03-17
Posts: 4
Let me start off by saying that this is a great tool! This is my 1st post since I've usually been a lurker here while I learn KiXtart... I have a question on a possible future modification to runnas.

This tool is currently the only way I've been able to execute apps under an administrative context for our users at login, most of which are not local admins (teachers, students, etc..). We're in the process of migrating away from ScriptLogic due to renewal costs (to the tune of $250k) and I've been attempting to rebuild everything ScriptLogic did. I've pretty much got everything rebuilt with the exception of being able to execute a program (or script) under an administrative context and run it hidden. At login, one of the first things we do is run a "net localgroup" command from a batch file and add a series of domain groups to the local administrators group of each machine. Runnas does this beautifully, but I have to make a separate line for each execution, so if have 6 groups to add, it flashes up 6 windows. On the occasion where the group is already a part of the local administrators group, it will show the error 1378 (account name is already a member of the group) in the dos window. When the users see this, they think all hell is breaking loose because they just saw the word "error".

I've tried combining the RunEx UDF (which does a shellexecute) with Runnas unsuccessfully. I'm not sure if it had to do with requiring single/double quotes within each, but I gave up on that endeavor. I've tried a few other things like piping the stdout to NUL which works unless the accounts are already present, then the errors flash by in the dos window again. Is it possible to add another option that allows for hidden execution?

Top
Page 3 of 5 <12345>


Moderator:  Arend_, Allen, Jochen, Radimus, Glenn Barnas, ShaneEP, Ruud van Velsen, Mart 
Hop to:
Shout Box

Who's Online
0 registered and 339 anonymous users online.
Newest Members
gespanntleuchten, DaveatAdvanced, Paulo_Alves, UsTaaa, xxJJxx
17864 Registered Users

Generated in 0.072 seconds in which 0.024 seconds were spent on a total of 12 queries. Zlib compression enabled.

Search the board with:
superb Board Search
or try with google:
Google
Web kixtart.org