RunAs logon flags - explain please

[aleph01]

Greetings, forum:

I use RunAs on a domain when the logged in user isn't an administrator but the task at hand requires admin credentials.  For instance, when a service crashes, I can have a script restart the service when the user wouldn't have the rights to start or stop services.  I do this by using an AutoIt script to RunAs a batch file to start the service, using administrator creds.  I looked at some older posts, but the logon flags aren't explained very well.

from the <helpfile> 
$RUN_LOGON_NOPROFILE (0) - Interactive logon with no profile.
$RUN_LOGON_PROFILE (1) - Interactive logon with profile.
$RUN_LOGON_NETWORK (2) - Network credentials only.
$RUN_LOGON_INHERIT (4) - Inherit the calling process's environment instead of the user's
</helpfile>

I've typically used 0 or 2 and usually have success, but I would like to know which flag is really the most appropriate in any given circumstance.  I all too often write a script that works as designed when tested, but after some time, it doesn't work anymore.  This is why, if someone would be so kind, I would like an explanation of the situations in which each of the flags would be most appropriate.

Thanks,

_aleph_

[JLogan3o13]

The internet is a wonderful thing....

https://technet.microsoft.com/en-us/library/bb490994.aspx

[aleph01]

JLogan3o13, your sig says it all.  I don't mean to be difficult, but I'm stupid (or, if I'm to be generous, I'm merely ignorant.)  TechNet seems to say that logon_no_profile may work and be faster, but it might not work, so logon_profile might be in order.  Logon_network seems to mean that using a local admin account wouldn't work, which doesn't affect me - I'm using a network admin credentials.  Logon_inherit is a mystery.  How does one determine a process's environment when the process doesn't even exist yet?

Allow me to post some code that seemed to work for a while, but ultimately failed:

#NoTrayIcon
; Wait 20 seconds for boot-up
Sleep(20001)

; Poll the process list every 10 seconds for the RFID process,
; & run the batch file if the process doesn't exist.
While 1
    $i = ProcessExists("ewRfidLinkSvc.exe")
    If $i = 0 Then RunAs("network adminname", "domainname", "password", 2, "C:\StartRFID.bat", "", @SW_HIDE)
    Sleep (10001)
WEnd

Bear in mind that this batch file  (C:\StartRFIC.bat)  is only using net start "processname" and exit.

When that stopped working, I changed the logon flag to 0, as you can see

#NoTrayIcon
; Wait 20 seconds for boot-up
Sleep(20001)

; Poll the process list every 10 seconds for the RFID process,
; & run the batch file if the process doesn't exist.
While 1
    $i = ProcessExists("ewRfidLinkSvc.exe")
    If $i = 0 Then RunAs("network adminname", "domainname", "password", 0, "C:\StartRFID.bat", "", @SW_HIDE)
    Sleep (10001)
WEnd

and that seemed to work for a while.

These were tested remotely by me stopping the service through the Control Panel applet and watching with satisfaction as the process restarted within seconds.

And now, as the service fails and doesn't restart, I'm wondering if my process polling is failing.  Consequently, I'm now reduced to the grossly inelegant

#NoTrayIcon
; Wait 20 seconds for boot-up
Sleep(20001)

; Run the batch file every 10 seconds
While 1
    RunAs("network adminname", "domainname", "password", 2, "C:\StartRFID.bat", "", @SW_HIDE)
    Sleep (10001)
WEnd

I don't know how long this will work, but maybe you see why I think a more thorough understanding of the logon_switches might help me.

On the other hand, If someone has a more fool-proof way or sees an error in my code, I'm open to suggestions.

Thanks for your reply, JLogan3o13, but I just am not at the level of understanding that I want to be on this.

In a perfect world, I'll end up with reliable and elegant code AND an understanding of the RunAs switches.

Remember, I'm stupi  ...um merely ignorant of this information at this time.

_aleph_

Edited August 25, 2016 by aleph01

[orbs]

@aleph01,

for running a simple batch file locally,  default flag 0 (/noprofile) is most suitable.

you need to load a profile (flag 1, /profile) if you call a process that requires a profile - for example, running most GUI application, using a temporary folder, reading the user registry, etc.

flag 4 (/env) - as you know, different users have different environments. by default, the process will use the environment of the account you specify. if you set this flag, the process will inherit the environment of the original account (of the script that called the RunAs command). use with caution, as there may be conflicts of permissions between the resources available in the environment and the resources accessible by the specified account.

flag 2 (/network) is the most enjoyable. it implies that the process will authenticate only to network resources with the specified account, but keep using local resources with the original account.

now read the "Remarks" section of RunAs in the help file very carefully. but for your issue: the reason your script failing now and then is probably not related to the logon flag you use. here's a few suggestions:

1) use RunAsWait instead of RunAs.

2) why use a batch file? call net start directly in the RunAs command.

3) read the output of the process (stdout) to get a feedback for the success/failure.

4) if this script is running constantly in the background, then skip the entire issue altogether and just use Task Scheduler to run it under the SYSTEM account.

[aleph01]

Thanks, orbs, I have used Task Scheduler for this in the past.  Maybe I'll return to it.  The vendor says they're working with Microsoft to make their service more reliable.