Topic: suggestion: ability to launch with reduced privileges (or as different user)

gottadoit

Mouser,
  As mentioned earlier (but probably when you were busy doing other things) would it be something that you might consider allowing processes to be launched with more limited privileges (or even as different users with stored and encrypted credentials)?

Well, Process Explorer isn't really a "competing" launch program, but it can launch programs in a special way (with limited privileges in the same user context).

As I mentioned in the FARR forum, it would be great to extend this a little to also be able to have stored credentials inside the launchbar *and* additionally allow the launchbar to remove the appropriate privilege tokens and change group memberships, so that the user context is still the same but the process is effectively running as a limited user.

With this setup it would then be nice to be able to specify the desired context as the default (if not otherwise specified); then this nice tool would also give some non-trivial security benefits as well.

Ref: http://www.sysintern...d-user-easy-way.html

Josh

This could easily be accomplished with the runas command built in to Windows 2000 and XP.

gottadoit

Not exactly; have a read of what I suggested again and have a look at the link to the Sysinternals site.
The Sysinternals suggestion involves *removing* security tokens from the current user for the child process and running with the same username, and that gets around quite a lot of issues that you would encounter switching to a completely different user.

In relation to the save credentials option for runas, I thought I would check, as I had thought savecred was limited to XP Pro, and assuming that the help is correct it seems to be:
C:\>runas /?
RUNAS USAGE:

RUNAS [ [/noprofile | /profile] [/env] [/netonly] ]
        /user:<UserName> program

RUNAS [ [/noprofile | /profile] [/env] [/netonly] ]
        /smartcard [/user:<UserName>] program

   /noprofile        specifies that the user's profile should not be loaded.
                     This causes the application to load more quickly, but
                     can cause some applications to malfunction.
   /profile          specifies that the user's profile should be loaded.
                     This is the default.
   /env              to use current environment instead of user's.
   /netonly          use if the credentials specified are for remote
                     access only.
   /savecred         to use credentials previously saved by the user.
                     This option is not available on Windows XP Home Edition
                     and will be ignored.
   /smartcard        use if the credentials are to be supplied from a
                     smartcard.
   /user             <UserName> should be in form USER@DOMAIN or DOMAIN\USER
   program         command line for EXE.  See below for examples

Examples:
> runas /noprofile /user:mymachine\administrator cmd
> runas /profile /env /user:mydomain\admin "mmc %windir%\system32\dsa.msc"
> runas /env /user:user@domain.microsoft.com "notepad \"my file.txt\""

NOTE:  Enter user's password only when prompted.
NOTE:  USER@DOMAIN is not compatible with /netonly.
NOTE:  /profile is not compatible with /netonly.
« Last Edit: July 19, 2006, 12:16 PM by gottadoit »