INTELLIGENT WORK FORUMS
FOR COMPUTER PROFESSIONALS

Member Login




Remember Me
Forgot Password?
Join Us!

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips Forums!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!

Join Tek-Tips
*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.
Jobs from Indeed

Link To This Forum!

Partner Button
Add Stickiness To Your Site By Linking To This Professionally Managed Technical Forum.
Just copy and paste the
code below into your site.

RunAs not working

RunAs not working

(OP)
Our users login automatically to Windows XP Pro using a 'Power Users' account. We use VNC to manage their PC's remotely.

My problem is that 'RunAs' just doesn't work.

At a CMD prompt I enter:
runas /env /user:Administrator explorer.exe
I get the prompt to enter the password for Administrator and enter it (I set the PC up so I'm definite that I'm entering the correct password)
I see 'Attempting to start explorer.exe as User "A12345\Administrator".. but nothing happens, I'm just returned to the prompt.

- The PC is Win XP Pro SP1a and patched with all Critical Updates.

- The Secondary Logon service is running.

- 'Launch folder windows in a seperate process' in unchecked (as I saw on http://snakefoot.fateback.c..innt/tweak.html that this was a problem)

-CapsLock is Off (the Administrator password is lowercase)

This is just an example.. RunAs doesn't work with any exe, e.g. control.exe (We hide the Control Panel from users).

The overall effect is that we are locked out of being able to administer the PC without logging on as Administrator.

Does anyone know of any circumstances that would prevent RunAs from working or know of any things I may have done to stop it from working (Group Policy, Registry setting)?

Rick

RE: RunAs not working

Anything here apply?

225035 - Secondary Logon (Run As): Starting Programs and Tools in Local Administrative Context
http://support.microsoft.com/default.aspx?scid=kb;en-us;225035&FR=1&PA=1&SD=HSCH

303308 - Cannot Use Runas.exe to Run Remote Programs on Mapped Drives
http://support.microsoft.com/default.aspx?scid=kb;en-us;303308&FR=1&PA=1&SD=HSCH

294676 - HOW TO: Enable and Use the "Run As" Command When Running Programs in Windows
http://support.microsoft.com/default.aspx?scid=kb;en-us;294676&FR=1&PA=1&SD=HSCH

RE: RunAs not working

Why is the "/env" switch being used?
Do you not want to just use the local security context?

RE: RunAs not working

(OP)
Hi linney and bcastner.

I was hoping you guys would respond. I've had no responses in earlier posts/other forums and, as a result, was about to  start again. I need help with this problem otherwise I'm going to have to create a new disk image from scratch.

Linney - Re: KB225035 - The Secondary Logon service IS started. Unfortunately, there's no difference between trying to use RunAs either in a CMD window or by right-clicking on a program (e.g. C:\Windows\explorer.exe)... neither work as expected. Re: KB294676 - This explains what should happen, not what I'm experiencing. Re: KB303308 - These are local programs, not programs on mapped drives.

bcastner - I'm using the '/env' switch because this was what I was advised to do by others and because it has worked beforehand in scripts used in other disk images to run programs with Administrator credentials whilst logged in as a 'Power User'.

linney/bcastner - I have a suite of 'Administrative function' scripts that I use in each XP Pro disk image. Some use 'Sanur.exe' to pipe the Administrator password, others use 'SendKeys' to send the Administrator password.

When I found that neither 'Sanur-based' nor 'Sendkeys-based' scripts were working, I used a CMD prompt to send the RunAs command directly. This was when I realised that RunAs itself was no longer working.

Any further help/suggestions would be greatly appreciated.

Rick

RE: RunAs not working

Ah.

That does help.  Let me ponder.

RE: RunAs not working

Try this and answer back if it does work:

runas /u:A12345\Administrator "explorer.exe"

RE: RunAs not working

Do you have to remove and End Task on the other users Explorer Shell before you can start the Administrator's Explorer Shell?

RE: RunAs not working

(OP)
linney,

I've never had to end the Power User's Explorer before starting an instance of the Administrators Explorer before.

bcastner,

I tried both 'runas /u:A12345\Administrator "explorer.exe"' and 'runas /profile /u:A12345\Administrator "explorer.exe"'. Still no joy. I wasn't aware of the CMD 'gotcha'. I've tried right-clicking on explorer.exe and choosing 'Run as...'. I get the prompt to change user, change to 'Administrator' and enter the admin password  but still nothing happens. I'm not getting a 'Logon failure:unknown user name or bad password' error so the password is accepted... but that's it.

Here's where it gets weird. I've just discovered that this failure is only with trying to run 'exe' files using RunAs. We hide all the Administrative Tools from users so one of my scripts uses RunAs (using Sanur to pipe the password) to display the Services snap-in (services.msc)... and this IS still working.

Here's a re-cap:
- RunAs is not working on EXE files from a CMD prompt.
- RunAs is not working on EXE files within Explorer.
- RunAs IS working on MSC files within Explorer

Hopefully this'll prompt an 'Aha!' to spring to mind. Could this be Registry corruption regarding registration of 'exe' files?

Rick

RE: RunAs not working

. One possibility is a path issue.  Check under the System Properties sheet, Advanced, Environmental variables, that the 'path' value is suitably populated to point to %windir%\;%windir%\wbem;%windir%\system32

. Group Policy?  See if the local Admin account is being blocked in any way.  I am hearted to see that .mmc does work, as this at least says that the RunAs is workig.  Odd though that explorer.exe would fail.

. Are you in a Domain?  Have you thought of passing Domain Admin credentials?

. Nothing in the Event Logs?

I do not see it as a registry issue, but you can rebuild the EXE associations easily:  http://www.dougknox.com/xp/fileassoc/xp_exe_fix.zip

It sounds like a Group Policy setting.

If this is a workgroup setting, consider using the "Everyone but the Administrator" trick:  http://www.theeldergeek.com/gp07.htm



.

RE: RunAs not working

(OP)
bcastner,

Thank you for the replies. I've worked my way through them.

The environment variable for 'Path' is:-

%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SystemRoot%\system32\nls;%SystemRoot%\system32\nls\ENGLISH;C:\Program Files\in4tek Ltd\paris\lib;C:\Program Files\in4tek Ltd\paris\bin

(NLS is part of the Novell Client and Paris is a third-party database)

Group Policy - There were very few policy settings, none connected to Explorer or Control Panel. Just to be safe, I reset them ALL to 'Not configured' and re-booted. No change, I'm afraid.

We're in a Novell server environment so only use Workgroups, not Domains.

There's nothing untoward or unexpected in the Event Logs.

I tried Doug Knox's utility to rebuild the exe file associations but no joy. However, looking at the exefile key in HKEY_CLASSES_ROOT I've found a 'runas' sub-key. I'm going to compare the settings on the problem PC with another PC where my 'runas' scripts work as expected.

Another little part of the mystery is that RunAs works with CPL files and exe files like Regedit.exe and Regedt32.exe. I haven't checked fully yet but it looks like my RunAs problem ONLY affects Explorer.exe and Control.exe.

I would be grateful for any more ideas 'cos this has me stumped.

RE: RunAs not working

http://support.microsoft.com/default.aspx?scid=kb;en-us;225035&FR=1&PA=1&SD=HSCH



"Certain programs are started indirectly by the Windows Explorer Shell. These include, Control Panel, Printers folder, etc. Since the shell is started in the primary security context during initial logon, any process started from the shell remains in that security context. You can workaround this by starting a tool using Run as... or killing the existing shell and restarting Explorer Shell in the administrative context.

You may be attempting to start and EXE from a network path and the credentials used to connect to that path are not the same as the one being used to start the EXE. The credentials used to start the EXE may not have access to the network path. Start Windows Command prompt using runas, reconnect to the network path with net use, and then start the EXE."

RE: RunAs not working

(OP)
Linney,

Apologies for the delay in replying but I've been slowly working my way through comparisons of registries on 'working' and 'non-working' PC's.

Sorry, I don't think I explained this well enough. Our 'stock' PC's are Compaq D530's. They have all been cloned from the same Ghost disk image and 'runas' works as I want on all of them. The PC's all autologon to Windows using a 'Power Users' account. Things like 'Control Panel' are hidden from 'Power Users' to deter changes.

Help Desk staff use VNC to remote in and can select my amended 'Administrative Tools'. One amended tool runs 'Windows Explorer' with Administrator credentials, another runs 'Control Panel' with Administrator credentials. All my  amended 'Administrative Tools' first popup a prompt for the 'Administrator' password then pipe this to my scripts (using either sanur.exe or sendkeys) which, in turn, run prgrams like 'explorer.exe' and 'control.exe.

These scripts all work perfectly on the Compaq D530's, i.e. you CAN start a new Explorer process with Administrator credentials without having to close the Power Users Explorer process or switch user (which we can't do because our use of Novell Client 32 disables Fast User Switching even though the Secondary Logon service is running).

My problem is with a Compaq D510 I'm prepping for use as a new disk image. I'm using exactly the same 'Administrative Tools' scripts I use on the Compaq D530's but the scripts that call explorer.exe and control.exe (which DO work on the D530's) DON'T work on the D510.

I've gone through the setup process time and time again and the only difference I've found so far is that the setup of the D530's was completed after SP1 and MOST of the other critical updates were installed, EXCEPT for the last 5 issued recently (i.e. the last 5 critical updates were added to an image where 'runas' was already working as expected with 'explorer.exe' and 'control.exe' and still continues to do so). The setup of the D510 was completed using the same process except SP1 and ALL the other critical updates were installed, INCLUDING the last 5 issued recently.

I've almost given up trying to fix this - but can't roll out the image until it's fixed. I cannot see any option other than to create the disk image all over again and install SP1 and the critical updates in exactly the same order as I did with the D530 image, checking every step of the way to find out when 'runas' stops working with explorer.exe and control.exe.

RE: RunAs not working

Hi Rick,
        Take a look at the RunAsUser wrapper application I have developed which is discussed here Thread779-676827 and can be downloaded from www.palmersoft.co.uk

I know that the functionality is not as you require. However it uses microsofts API's to invoke the RunAsUser login.

It might help to narrow down the actual cause of the problem.

Greg Palmer

----------------------------------------
Any feed back is appreciated.

RE: RunAs not working

(OP)
linney/bcastner,

I've just spoken to my line management and we've agreed I've spent enough time trying to fix the fault. I'm going to start all over again from scratch without installing the last 5 critical updates to test whether this was the cause of the problem. Thanks to both of you for your time and trouble.

(PS - Now, if one or both of you want to take a crack at my 'How to get Local Area Connection properties' post (0 replies so far) then please feel free... <grin>)

Regards,

Rick

RE: RunAs not working

Does this answer your question?

Run Windows explorer as an administrator:

runas /user:administrator "\"c:\program files\internet explorer\iexplore\" c:\\"

You can also access Control Panel icons in the C:\Windows\System32 folder.

In other words you should be able to perform most actions under the auto logged in account.

HTH,

D.

"I want to play..."
(Guess the X-Files episode!)

RE: RunAs not working

(OP)
Hi all,

I missed the last couple of posts yesterday as I was re-doing the image. I took a risk (didn't have anything to lose and didn't fancy starting from scratch) and Ghost'ed the D530 image onto the D510. All I had to do was fix the 2 hardware mismatches (onboard NIC and integrated sound) that XP couldn't resolve itself.

RunAs is now working once more on explorer.exe and control.exe! Yippee!

I guess I won't find out until next major hardware change whether the problem WAS due to the last 5 critical updates...

Thanks everyone for their contributions.

Rick

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members!

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close