Run as a different user without a password from an elevated prompt in Windows
There are a several utilities to run as a different user (eg: runas
, cpau
, psexec
) but all of them require the password for the respective user, even if you are already running with elevated privileges.
I'd like to achieve the following:
- I already have an elevated prompt (
Administrator
) - I'd like to execute a command (eg:
calc.exe
) asjohn
without typing/passing their password to the launcher utility.
For example, in Unix system you could just:
root@server:~# su - john
I use this all the time. It does take entering a credential the first time it's used (and when the password changes) but that's it.
runas /user:yourusernamehere /savecred "Your Executable Here"
If you save this command as part of a bat file you can create a shortcut that will launch this with administrative rights using a target like the following.
C:\Windows\System32\cmd.exe /c "C:\yourbatfilehere.bat"
In Windows, you can only do this if there is a current logon session of the user you are attempting to impersonate. This is due to the local group policy "Impersonate a client after authentication" allowing members of the Administrators group to do exactly that (Found under Local Policies > User Rights Assignments).
One tool I know that allows you to do this is Process Hacker 2. Run the tool as a local admin, and find a process that is running as the user you wish to impersonate. Right Click on it, select Misc > Run as this user..., you then type the binary path you want to run as that user, for example cmd. CMD would then open as that user without prompting for that user's password.