how to allow a program to run as administrator under a limited account in XP

[ZippyDan]

I have a family PC with Windows XP Pro that is setup, for obvious reasons, so that normal family users only have limited accounts.

There is a particular program that my brother needs to use (called Tunngle - a cool DIY VPN like Hammachi) to play Civilization with his friends. This program seems to require running as Administrator in order to start correctly (I assume since it needs access to network settings?). I know how to run it as Administrator manually, but this is annoying when I'm home, and impossible when I'm not as I have to enter my password in manually every time. I'd like to be able to setup this single program ONLY to run with elevated permissions under a limited account. How can I do this?

 

[Nothinman]

I believe you can setup runas to save credentials, so you could do that and create a batch file to start it for him.

 

[Emulex]

sudo for windows?

 

[Cal166]

You can also use permissions and just add the "Limited" Account to access/run it.

 

[Nothinman]

You can also use permissions and just add the "Limited" Account to access/run it.

I'm sure he can run it already, but since it's a VPN program it needs to enable/disable network interfaces which is only available to administrators.

 

[ZippyDan]

I'm sure he can run it already, but since it's a VPN program it needs to enable/disable network interfaces which is only available to administrators.

exactly, it's not a matter of the user not having permission to run it, it's a matter of the program not having permission to do what it needs to do given the user's limited privileges.

i need the software to run with administrator privileges while logged in as a limited user.

a batch file that could do it would be great, but if the user can just open the batch file with notepad and see the administrator password, then it defeats the purpose of them having a limited account...

any ideas?

 

[Nothinman]

exactly, it's not a matter of the user not having permission to run it, it's a matter of the program not having permission to do what it needs to do given the user's limited privileges.

i need the software to run with administrator privileges while logged in as a limited user.

a batch file that could do it would be great, but if the user can just open the batch file with notepad and see the administrator password, then it defeats the purpose of them having a limited account...

any ideas?

I already told you, runas...

 

[ZippyDan]

I already told you, runas...

I don't see where I can tell the Run As... dialog box to save credentials.

 

[Nothinman]

I don't see where I can tell the Run As... dialog box to save credentials.

I meant runas the cli tool, you'll probably need to create a batch file and make him run that instead of the normal shortcut but that's about it.

 

[ZippyDan]

I meant runas the cli tool, you'll probably need to create a batch file and make him run that instead of the normal shortcut but that's about it.

according to this:

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/runas.mspx?mfr=true

the runas command will prompt me for my administrator password

if i make a .bat file that has my administrator password, then the whole point of this is defeated. unless there is a way to encrypt a .bat file and hide the cmd window that will flash across the screen while the batch is being executed?

 

[Nothinman]

Did you even look to see if /savecred was an option on your machine? I don't have an XP machine handy to check on, but Win2K3 and Google says it should be there.

 

[ZippyDan]

Did you even look to see if /savecred was an option on your machine? I don't have an XP machine handy to check on, but Win2K3 and Google says it should be there.

Sorry, I did not know of the existence of /savecred and it was not listed in that link I referenced. It seems it probably does exist in XP Pro (not Home), but from what I'm reading it leaves a rather large security hole:

"runas program1 /admin /savecred

will now allow anyone to type

runas program2 /admin
and it will work and run in the admin account with the first statement's savecred credentials."

Which again defeats the purpose of the Limited Account. However, your tip on /savecred has turned up some new google results, including this old thread that might be useful:

http://blogs.msdn.com/oldnewthing/archive/2004/11/29/271551.aspx

There are several references to alternate utilities (some freeware, some shareware, some broken links) that may address my issue.

I continue looking for a solution...

Edit: From that thread I've narrowed it down to the following candidates:

1. EPAL. Provided by Microsoft. Appears to be the most complicated to use, and unsure if it works in a home (non-domain) environment. http://technet.microsoft.com/en-us/library/bb727155.aspx

2. TqcRunas. Unfortunately does not seem to have a free for-home-use-only version. http://www.quimeras.com/Products/displayproduct.asp?IdProduct=4

3. CPAU. Simple freeware, but least secure method afaik, since the Admin password, though stored in encrypted form, gets passed in cleartext to CreateProcessAsUser. Still, to capture the password the user would have to have some moderate knowledge of programming and hacking, and therefore I judge this secure enough for basic home use. http://www.joeware.net/freetools/tools/cpau/index.htm

 

[Nothinman]

The savecred option isn't great, but you think he'll actually try to break into the machine via runas?

 

[Red Squirrel]

I've never used it myself, but try this:

http://www.joeware.net/freetools/tools/cpau/index.htm

It may work for what you need.