RunAs issues

[aleph01]

Greetings,

I'm having a bit of trouble getting a script to start a service when it's run under a non-administrator profile.  I  open the properties of the service I'm trying to start, open the task manager to verify that the script is running, start the script, see it as a process in task manager, and my process remains stopped.  The process is set to automatically start upon bootup, and normally it does, but at some random point, it's liable to stop for no obvious reason.  I've been testing it on a Windows 8 x64 system compiled as 32 bit and 64 bit.  Here's the script:

RunAs ("username", "domain", "password", 2, @ComSpec & " /c " & 'net start Browser', "", @SW_HIDE)
Sleep (5001)

The script works fine when I run it as an administrator.  The sleep gives me time to see it in task manager while on a staff profile, but it doesn't affect the browser service, which I'm using for testing.  I'll be looping this with an If ProcessExists statement, but I can't seem to get my RunAs line to work.  Any ideas?  Thanks in advance.

_aleph_

[MattHiggs]

Can you confirm that the secondary logon service is running?  Help files says it is necessary in order for this function to succeed

[aleph01]

Yes, the two staff machines I used for testing both have the secondary logon service set to manually start, and are started.  Thanks for the suggestion.

[MattHiggs]

So is it safe to assume that the profile you are using in the Runas function for the admin credentials is a domain profile?

[MattHiggs]

I ask because the flag you have set in the function is $RUN_LOGON_NETWORK(2), so if this a local administrator account, then you would have to use a different flag

[MattHiggs]

And if the administrator accounts are local, change "domain" from whatever the domain name is to @computername

[aleph01]

Yes, a non-admin domain profile.  I've tried each of the logon_flags mainly because I don't really understand them.  Could you clear that up for me as well?  Thanks,

[MattHiggs]

ok.  Hold on a second.  your confusing me.  The profile which is in the RunAs function is NOT an admin but IS a domain profile?

[MattHiggs]

If you are using a non-admin account to try and start a service, than that more likely than not is the issue right there.  Whether the profile is local or member of the domain, it needs admin rights to the computer to modify services.  If you do not have access to a domain administrator account, but there is a local administrator account configured on the computers which you do have access to, I would try Runas ( Adminprofile, @computername, password, 0, @ComSpec & " /c " & 'net start Browser', "", @SW_HIDE)

[aleph01]

Sorry if I was unclear.  The credentials I am passing in the RunAs line are of a domain administrator.  This script needs to be run by non-admin staff who don't have permission to start or stop services.  It didn't occur to me to try using a local administrator.  I'll give it a try.  Thanks again.

[MattHiggs]

Yeah I would try that.  It could be just the simple fact of if the domain account you are using has ever logged in to that particular machine before and registered as an admin on the local machine, so try the local admin route and let me know how it goes

[aleph01]

Using the local administrator account gave me the same results - I saw the script running in task manager, but no effect on services.

[MattHiggs]

Ok.  You say you want this script to run when it starts up, correct?  How exactly are doing that?  For example, is it being pushed out to other computers via group policy?  Is the script being placed in the "startup" folder manually?  That should shed some more light

[aleph01]

I'll place it in an infinite while loop and use an If ProcessExists statement to decide whether to run the services-start part of the script.  Probably put it in Program Files with a shortcut in the startup folder.  Maybe have it wait a couple of minutes before the While loop for bootup time.  The actual service I'll be using it with is an RFID service on our STS computers (staff transaction stations.)

Right now, I'm just trying to run it successfully from a USB drive under a staff profile, but it is being stubborn.  After changing it to use the local administrator, I used logon_flag 1, Interactive logon with profile.
.

[MattHiggs]

Ok.  That is probably the problem right there.   Whatever application you run in the startup folder does not run with admin credentials, even if you explicitly programmed them in your script.  There is a workaround though.  You can launch programs at startup using the Task scheduler:  open run prompt, then type "taskschd.msc" then enter.  Then just right click any folder, select create basic task, set it to trigger when computer starts, and select to run your script file.  That will give you the solution you are looking for.

[aleph01]

OK, I got looking at the script and realized that I left the domain name in quotes - "@ComputerName".  It looks like changing it to use the local admin account was the correct thing to do.  Silly me putting a macro in quotes.

Thanks MattHiggs for putting in the time with me.  Sorry I have osteocapita (bone-headedness.)

_aleph_

[MattHiggs]

No problem man.  Glad you found your solution

[aleph01]

If it won't run from startup, I'll put an entry in the Run registry key.

Thanks,

[MattHiggs]

I would try the task scheduler if I were you.  Like I said, it will actually preserve the credentials you need to perform the action you are trying to accomplish

[MattHiggs]

But hey, if it works, it works.  To each his own