thepip3r

Windows RunAs way to tell the Originating User in the Command Shell?

3 posts in this topic

so... let's say you're an admin on a machine and you runas cmd.exe so you get a command shell that's running with admin rights. if you run a SET command from that window, you'll see all the env variables populated with your "admin account's" information. if you could NOT get out of that newly spawned admin shell, is there a way to tell what account is the normal account actually logged into that machine? like maybe some parameter in the registry or wmi query or the like?? TIA.






Here's a WMI query process I use to differentiate between the logged in user and the account that actually "owns" my script's process:

; Query WMI for the interactively logged-in user and compare it with
; @UserName, the account that owns this script's process.
$sLoggedInUser = ""
$sLoggedInDomain = ""
$sResults = ""
$strComputer = "." ; "." = local machine
$objWMIService = ObjGet("winmgmts:" & "{impersonationLevel=impersonate}!\\" & $strComputer & "\root\cimv2")
If IsObj($objWMIService) Then
    $colComputer = $objWMIService.ExecQuery("Select * from Win32_ComputerSystem")

    ; UserName is returned as DOMAIN\user for the user logged on at the console
    For $objComputer In $colComputer
        $sLoggedInUser = $objComputer.UserName
    Next
    ; Split DOMAIN\user at the backslash into its two parts
    If StringInStr($sLoggedInUser, "\") Then
        $iSplit = StringInStr($sLoggedInUser, "\")
        $sLoggedInDomain = StringTrimRight($sLoggedInUser, (StringLen($sLoggedInUser) - $iSplit) + 1)
        $sLoggedInUser = StringTrimLeft($sLoggedInUser, $iSplit)
    EndIf

    If $sLoggedInDomain <> "" Then $sResults &= "Logged in domain: " & $sLoggedInDomain & @CRLF
    If $sLoggedInUser <> "" Then $sResults &= "Logged in user: " & $sLoggedInUser & @CRLF
    ; @UserName is the account the script itself runs as (the RunAs account)
    $sResults &= "@UserName value: " & @UserName & @CRLF
    ConsoleWrite($sResults)
Else
    ConsoleWrite("Unable to connect to WMI Service" & @CRLF)
EndIf

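Added example, not part of the original posts: the same comparison typed directly into the RunAs-spawned shell with PowerShell. It goes one step beyond the reply by also reading the owner of explorer.exe in the shell's own session, for the case where Win32_ComputerSystem.UserName comes back empty (for example Remote Desktop sessions). The function names are hypothetical.

```powershell
# Added example: compare the account that owns this shell with the account
# that owns the desktop it was launched from. Function names are illustrative.

function Get-ShellIdentity {
    # Account whose token this process runs under (the RunAs account).
    [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
}

function Get-ConsoleUser {
    # Same property the AutoIt script reads. Empty when nobody is logged on
    # at the physical console.
    (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
}

function Get-DesktopOwner {
    param([int]$SessionId = (Get-Process -Id $PID).SessionId)
    # A RunAs-spawned process stays in the caller's session (same SessionId),
    # so the owner of explorer.exe in that session is the desktop user.
    $filter = "Name = 'explorer.exe' AND SessionId = $SessionId"
    Get-CimInstance -ClassName Win32_Process -Filter $filter |
        ForEach-Object {
            $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
            # ReturnValue 0 = success; other values (e.g. access denied) are skipped.
            if ($owner.ReturnValue -eq 0) { '{0}\{1}' -f $owner.Domain, $owner.User }
        } | Sort-Object -Unique
}

$shell   = Get-ShellIdentity
$console = Get-ConsoleUser
$desktop = @(Get-DesktopOwner)

[pscustomobject]@{
    ShellRunsAs    = $shell
    ConsoleUser    = if ($console) { $console } else { '(none at console)' }
    DesktopOwner   = if ($desktop) { $desktop -join ', ' } else { '(no explorer.exe found)' }
    RunningAsOther = ($desktop.Count -gt 0) -and ($desktop -notcontains $shell)
}
```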
