Smart questions
Smart answers
Smart people
INTELLIGENT WORK FORUMS
FOR COMPUTER PROFESSIONALS

Member Login




Remember Me
Forgot Password?
Join Us!

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips now!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!

Join Tek-Tips
*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Donate Today!

Do you enjoy these
technical forums?
Donate Today! Click Here

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.
Jobs from Indeed

Link To This Forum!

Partner Button
Add Stickiness To Your Site By Linking To This Professionally Managed Technical Forum.
Just copy and paste the
code below into your site.

Rick998 (IS/IT--Management) (OP)
25 Apr 04 12:07
Our users login automatically to Windows XP Pro using a 'Power Users' account. We use VNC to manage their PC's remotely.

My problem is that 'RunAs' just doesn't work.

At a CMD prompt I enter:
runas /env /user:Administrator explorer.exe
I get the prompt to enter the password for Administrator and enter it (I set the PC up so I'm definite that I'm entering the correct password)
I see 'Attempting to start explorer.exe as User "A12345\Administrator".. but nothing happens, I'm just returned to the prompt.

- The PC is Win XP Pro SP1a and patched with all Critical Updates.

- The Secondary Logon service is running.

- 'Launch folder windows in a seperate process' in unchecked (as I saw on http://snakefoot.fateback.c..innt/tweak.html that this was a problem)

-CapsLock is Off (the Administrator password is lowercase)

This is just an example.. RunAs doesn't work with any exe, e.g. control.exe (We hide the Control Panel from users).

The overall effect is that we are locked out of being able to administer the PC without logging on as Administrator.

Does anyone know of any circumstances that would prevent RunAs from working or know of any things I may have done to stop it from working (Group Policy, Registry setting)?

Rick
linney (TechnicalUser)
25 Apr 04 16:35
Anything here apply?

225035 - Secondary Logon (Run As): Starting Programs and Tools in Local Administrative Context
http://support.microsoft.com/default.aspx?scid=kb;en-us;225035&FR=1&PA=1&SD=HSCH

303308 - Cannot Use Runas.exe to Run Remote Programs on Mapped Drives
http://support.microsoft.com/default.aspx?scid=kb;en-us;303308&FR=1&PA=1&SD=HSCH

294676 - HOW TO: Enable and Use the "Run As" Command When Running Programs in Windows
http://support.microsoft.com/default.aspx?scid=kb;en-us;294676&FR=1&PA=1&SD=HSCH
Helpful Member!  bcastner (IS/IT--Management)
25 Apr 04 16:42
Why is the "/env" switch being used?
Do you not want to just use the local security context?
Rick998 (IS/IT--Management) (OP)
25 Apr 04 20:03
Hi linney and bcastner.

I was hoping you guys would respond. I've had no responses in earlier posts/other forums and, as a result, was about to  start again. I need help with this problem otherwise I'm going to have to create a new disk image from scratch.

Linney - Re: KB225035 - The Secondary Logon service IS started. Unfortunately, there's no difference between trying to use RunAs either in a CMD window or by right-clicking on a program (e.g. C:\Windows\explorer.exe)... neither work as expected. Re: KB294676 - This explains what should happen, not what I'm experiencing. Re: KB303308 - These are local programs, not programs on mapped drives.

bcastner - I'm using the '/env' switch because this was what I was advised to do by others and because it has worked beforehand in scripts used in other disk images to run programs with Administrator credentials whilst logged in as a 'Power User'.

linney/bcastner - I have a suite of 'Administrative function' scripts that I use in each XP Pro disk image. Some use 'Sanur.exe' to pipe the Administrator password, others use 'SendKeys' to send the Administrator password.

When I found that neither 'Sanur-based' nor 'Sendkeys-based' scripts were working, I used a CMD prompt to send the RunAs command directly. This was when I realised that RunAs itself was no longer working.

Any further help/suggestions would be greatly appreciated.

Rick
bcastner (IS/IT--Management)
25 Apr 04 20:13
Ah.

That does help.  Let me ponder.
bcastner (IS/IT--Management)
25 Apr 04 21:13
Try this and answer back if it does work:

runas /u:A12345\Administrator "explorer.exe"

bcastner (IS/IT--Management)
25 Apr 04 21:18
Also, watch out for the "gotcha" of running from a CMD session:  You no longer run with your secondary credentials:  http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q254094

runas /profile /u:A12345\Administrator "explorer.exe"
linney (TechnicalUser)
26 Apr 04 0:51
Do you have to remove and End Task on the other users Explorer Shell before you can start the Administrator's Explorer Shell?
Rick998 (IS/IT--Management) (OP)
26 Apr 04 4:50
linney,

I've never had to end the Power User's Explorer before starting an instance of the Administrators Explorer before.

bcastner,

I tried both 'runas /u:A12345\Administrator "explorer.exe"' and 'runas /profile /u:A12345\Administrator "explorer.exe"'. Still no joy. I wasn't aware of the CMD 'gotcha'. I've tried right-clicking on explorer.exe and choosing 'Run as...'. I get the prompt to change user, change to 'Administrator' and enter the admin password  but still nothing happens. I'm not getting a 'Logon failure:unknown user name or bad password' error so the password is accepted... but that's it.

Here's where it gets weird. I've just discovered that this failure is only with trying to run 'exe' files using RunAs. We hide all the Administrative Tools from users so one of my scripts uses RunAs (using Sanur to pipe the password) to display the Services snap-in (services.msc)... and this IS still working.

Here's a re-cap:
- RunAs is not working on EXE files from a CMD prompt.
- RunAs is not working on EXE files within Explorer.
- RunAs IS working on MSC files within Explorer

Hopefully this'll prompt an 'Aha!' to spring to mind. Could this be Registry corruption regarding registration of 'exe' files?

Rick

bcastner (IS/IT--Management)
26 Apr 04 5:13
. One possibility is a path issue.  Check under the System Properties sheet, Advanced, Environmental variables, that the 'path' value is suitably populated to point to %windir%\;%windir%\wbem;%windir%\system32

. Group Policy?  See if the local Admin account is being blocked in any way.  I am hearted to see that .mmc does work, as this at least says that the RunAs is workig.  Odd though that explorer.exe would fail.

. Are you in a Domain?  Have you thought of passing Domain Admin credentials?

. Nothing in the Event Logs?

I do not see it as a registry issue, but you can rebuild the EXE associations easily:  http://www.dougknox.com/xp/fileassoc/xp_exe_fix.zip

It sounds like a Group Policy setting.

If this is a workgroup setting, consider using the "Everyone but the Administrator" trick:  http://www.theeldergeek.com/gp07.htm



.
bcastner (IS/IT--Management)
26 Apr 04 5:17
One other thought would be to try a Runas "wrapper", and to try running as the currently logged on user with a temporary security token:

. Runas "wrapper": http://www.tek-tips.com/viewthread.cfm?SQID=676827&SPID=779&page=1

. Security Token:  http://www.neovalens.com/sh2k/toolbarcop.htm6/index.html
Rick998 (IS/IT--Management) (OP)
26 Apr 04 13:42
bcastner,

Thank you for the replies. I've worked my way through them.

The environment variable for 'Path' is:-

%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SystemRoot%\system32\nls;%SystemRoot%\system32\nls\ENGLISH;C:\Program Files\in4tek Ltd\paris\lib;C:\Program Files\in4tek Ltd\paris\bin

(NLS is part of the Novell Client and Paris is a third-party database)

Group Policy - There were very few policy settings, none connected to Explorer or Control Panel. Just to be safe, I reset them ALL to 'Not configured' and re-booted. No change, I'm afraid.

We're in a Novell server environment so only use Workgroups, not Domains.

There's nothing untoward or unexpected in the Event Logs.

I tried Doug Knox's utility to rebuild the exe file associations but no joy. However, looking at the exefile key in HKEY_CLASSES_ROOT I've found a 'runas' sub-key. I'm going to compare the settings on the problem PC with another PC where my 'runas' scripts work as expected.

Another little part of the mystery is that RunAs works with CPL files and exe files like Regedit.exe and Regedt32.exe. I haven't checked fully yet but it looks like my RunAs problem ONLY affects Explorer.exe and Control.exe.

I would be grateful for any more ideas 'cos this has me stumped.
linney (TechnicalUser)
26 Apr 04 15:50
http://support.microsoft.com/default.aspx?scid=kb;en-us;225035&FR=1&PA=1&SD=HSCH



"Certain programs are started indirectly by the Windows Explorer Shell. These include, Control Panel, Printers folder, etc. Since the shell is started in the primary security context during initial logon, any process started from the shell remains in that security context. You can workaround this by starting a tool using Run as... or killing the existing shell and restarting Explorer Shell in the administrative context.

You may be attempting to start and EXE from a network path and the credentials used to connect to that path are not the same as the one being used to start the EXE. The credentials used to start the EXE may not have access to the network path. Start Windows Command prompt using runas, reconnect to the network path with net use, and then start the EXE."

Rick998 (IS/IT--Management) (OP)
28 Apr 04 6:13
Linney,

Apologies for the delay in replying but I've been slowly working my way through comparisons of registries on 'working' and 'non-working' PC's.

Sorry, I don't think I explained this well enough. Our 'stock' PC's are Compaq D530's. They have all been cloned from the same Ghost disk image and 'runas' works as I want on all of them. The PC's all autologon to Windows using a 'Power Users' account. Things like 'Control Panel' are hidden from 'Power Users' to deter changes.

Help Desk staff use VNC to remote in and can select my amended 'Administrative Tools'. One amended tool runs 'Windows Explorer' with Administrator credentials, another runs 'Control Panel' with Administrator credentials. All my  amended 'Administrative Tools' first popup a prompt for the 'Administrator' password then pipe this to my scripts (using either sanur.exe or sendkeys) which, in turn, run prgrams like 'explorer.exe' and 'control.exe.

These scripts all work perfectly on the Compaq D530's, i.e. you CAN start a new Explorer process with Administrator credentials without having to close the Power Users Explorer process or switch user (which we can't do because our use of Novell Client 32 disables Fast User Switching even though the Secondary Logon service is running).

My problem is with a Compaq D510 I'm prepping for use as a new disk image. I'm using exactly the same 'Administrative Tools' scripts I use on the Compaq D530's but the scripts that call explorer.exe and control.exe (which DO work on the D530's) DON'T work on the D510.

I've gone through the setup process time and time again and the only difference I've found so far is that the setup of the D530's was completed after SP1 and MOST of the other critical updates were installed, EXCEPT for the last 5 issued recently (i.e. the last 5 critical updates were added to an image where 'runas' was already working as expected with 'explorer.exe' and 'control.exe' and still continues to do so). The setup of the D510 was completed using the same process except SP1 and ALL the other critical updates were installed, INCLUDING the last 5 issued recently.

I've almost given up trying to fix this - but can't roll out the image until it's fixed. I cannot see any option other than to create the disk image all over again and install SP1 and the critical updates in exactly the same order as I did with the D530 image, checking every step of the way to find out when 'runas' stops working with explorer.exe and control.exe.
gpalmer711 (IS/IT--Management)
28 Apr 04 6:36
Hi Rick,
        Take a look at the RunAsUser wrapper application I have developed which is discussed here Thread779-676827 and can be downloaded from www.palmersoft.co.uk

I know that the functionality is not as you require. However it uses microsofts API's to invoke the RunAsUser login.

It might help to narrow down the actual cause of the problem.

Greg Palmer

----------------------------------------
Any feed back is appreciated.

Rick998 (IS/IT--Management) (OP)
28 Apr 04 6:37
linney/bcastner,

I've just spoken to my line management and we've agreed I've spent enough time trying to fix the fault. I'm going to start all over again from scratch without installing the last 5 critical updates to test whether this was the cause of the problem. Thanks to both of you for your time and trouble.

(PS - Now, if one or both of you want to take a crack at my 'How to get Local Area Connection properties' post (0 replies so far) then please feel free... <grin>)

Regards,

Rick
deetee2k (Programmer)
29 Apr 04 3:22
Does this answer your question?

Run Windows explorer as an administrator:

runas /user:administrator "\"c:\program files\internet explorer\iexplore\" c:\\"

You can also access Control Panel icons in the C:\Windows\System32 folder.

In other words you should be able to perform most actions under the auto logged in account.

HTH,

D.

"I want to play..."
(Guess the X-Files episode!)

Rick998 (IS/IT--Management) (OP)
29 Apr 04 9:30
Hi all,

I missed the last couple of posts yesterday as I was re-doing the image. I took a risk (didn't have anything to lose and didn't fancy starting from scratch) and Ghost'ed the D530 image onto the D510. All I had to do was fix the 2 hardware mismatches (onboard NIC and integrated sound) that XP couldn't resolve itself.

RunAs is now working once more on explorer.exe and control.exe! Yippee!

I guess I won't find out until next major hardware change whether the problem WAS due to the last 5 critical updates...

Thanks everyone for their contributions.

Rick

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members!

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close