aleph01

RunAs issues

20 posts in this topic

Greetings,

I'm having a bit of trouble getting a script to start a service when it's run under a non-administrator profile.  I  open the properties of the service I'm trying to start, open the task manager to verify that the script is running, start the script, see it as a process in task manager, and my process remains stopped.  The process is set to automatically start upon bootup, and normally it does, but at some random point, it's liable to stop for no obvious reason.  I've been testing it on a Windows 8 x64 system compiled as 32 bit and 64 bit.  Here's the script:

RunAs ("username", "domain", "password", 2, @ComSpec & " /c " & 'net start Browser', "", @SW_HIDE)
Sleep (5001)

The script works fine when I run it as an administrator.  The sleep gives me time to see it in task manager while on a staff profile, but it doesn't affect the browser service, which I'm using for testing.  I'll be looping this with an If ProcessExists statement, but I can't seem to get my RunAs line to work.  Any ideas?  Thanks in advance.

_aleph_


Meds.  They're not just for breakfast anymore. :'(

Share this post


Link to post
Share on other sites



Can you confirm that the secondary logon service is running?  Help files says it is necessary in order for this function to succeed

Share this post


Link to post
Share on other sites

Yes, the two staff machines I used for testing both have the secondary logon service set to manually start, and are started.  Thanks for the suggestion.


Meds.  They're not just for breakfast anymore. :'(

Share this post


Link to post
Share on other sites

So is it safe to assume that the profile you are using in the Runas function for the admin credentials is a domain profile?

Share this post


Link to post
Share on other sites

I ask because the flag you have set in the function is $RUN_LOGON_NETWORK(2), so if this a local administrator account, then you would have to use a different flag

Share this post


Link to post
Share on other sites

And if the administrator accounts are local, change "domain" from whatever the domain name is to @computername

Share this post


Link to post
Share on other sites

Yes, a non-admin domain profile.  I've tried each of the logon_flags mainly because I don't really understand them.  Could you clear that up for me as well?  Thanks,


Meds.  They're not just for breakfast anymore. :'(

Share this post


Link to post
Share on other sites

ok.  Hold on a second.  your confusing me.  The profile which is in the RunAs function is NOT an admin but IS a domain profile?

Share this post


Link to post
Share on other sites

If you are using a non-admin account to try and start a service, than that more likely than not is the issue right there.  Whether the profile is local or member of the domain, it needs admin rights to the computer to modify services.  If you do not have access to a domain administrator account, but there is a local administrator account configured on the computers which you do have access to, I would try Runas ( Adminprofile, @computername, password, 0, @ComSpec & " /c " & 'net start Browser', "", @SW_HIDE)

Share this post


Link to post
Share on other sites

Sorry if I was unclear.  The credentials I am passing in the RunAs line are of a domain administrator.  This script needs to be run by non-admin staff who don't have permission to start or stop services.  It didn't occur to me to try using a local administrator.  I'll give it a try.  Thanks again.


Meds.  They're not just for breakfast anymore. :'(

Share this post


Link to post
Share on other sites

Yeah I would try that.  It could be just the simple fact of if the domain account you are using has ever logged in to that particular machine before and registered as an admin on the local machine, so try the local admin route and let me know how it goes

Share this post


Link to post
Share on other sites

Using the local administrator account gave me the same results - I saw the script running in task manager, but no effect on services.


Meds.  They're not just for breakfast anymore. :'(

Share this post


Link to post
Share on other sites

Ok.  You say you want this script to run when it starts up, correct?  How exactly are doing that?  For example, is it being pushed out to other computers via group policy?  Is the script being placed in the "startup" folder manually?  That should shed some more light

Share this post


Link to post
Share on other sites

I'll place it in an infinite while loop and use an If ProcessExists statement to decide whether to run the services-start part of the script.  Probably put it in Program Files with a shortcut in the startup folder.  Maybe have it wait a couple of minutes before the While loop for bootup time.  The actual service I'll be using it with is an RFID service on our STS computers (staff transaction stations.)

Right now, I'm just trying to run it successfully from a USB drive under a staff profile, but it is being stubborn.  After changing it to use the local administrator, I used logon_flag 1, Interactive logon with profile.
.


Meds.  They're not just for breakfast anymore. :'(

Share this post


Link to post
Share on other sites

Ok.  That is probably the problem right there.   Whatever application you run in the startup folder does not run with admin credentials, even if you explicitly programmed them in your script.  There is a workaround though.  You can launch programs at startup using the Task scheduler:  open run prompt, then type "taskschd.msc" then enter.  Then just right click any folder, select create basic task, set it to trigger when computer starts, and select to run your script file.  That will give you the solution you are looking for.

Share this post


Link to post
Share on other sites

OK, I got looking at the script and realized that I left the domain name in quotes - "@ComputerName".  It looks like changing it to use the local admin account was the correct thing to do.  Silly me putting a macro in quotes.

Thanks MattHiggs for putting in the time with me.  Sorry I have osteocapita (bone-headedness.)

_aleph_


Meds.  They're not just for breakfast anymore. :'(

Share this post


Link to post
Share on other sites

No problem man.  Glad you found your solution

Share this post


Link to post
Share on other sites

If it won't run from startup, I'll put an entry in the Run registry key.

Thanks,


Meds.  They're not just for breakfast anymore. :'(

Share this post


Link to post
Share on other sites

I would try the task scheduler if I were you.  Like I said, it will actually preserve the credentials you need to perform the action you are trying to accomplish

Share this post


Link to post
Share on other sites

But hey, if it works, it works.  To each his own

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now