
suggestion: ability to launch with reduced privileges (or as different user)


As mentioned earlier (but probably when you were busy doing other things) would it be something that you might consider allowing processes to be launched with more limited privileges (or even as different users with stored and encrypted credentials)?

Well Process Explorer isn't really a "competing" launch program but it can launch programs in a special way (with limited privileges in the same user context)

As I mentioned in the FARR forum it would be great to extend this a little to also be able to have stored credentials inside the launchbar *and* additionally allow the launchbar to remove the appropriate privilege tokens and change group memberships so that the user context is still the same but the process is effectively running as a limited user

With this setup it would then be nice to be able to specify the desired context as the default (if not otherwise specified), then this nice tool would also give some non-trivial security benefits as well

-gottadoit (March 09, 2006, 05:14 AM)
--- End quote ---

This could easily be accomplished with the runas command built in to Windows 2000 and XP.

Not exactly, have a read of what I suggested again and have a look at the link to the Sysinternals site.
The Sysinternals suggestion involves *removing* security tokens from the current user for the child process and running with the same username, and that gets around quite a lot of issues that you would encounter switching to a completely different user.

In relation to the save credentials option for runas, I thought I would check, as I had thought savecred was limited to XP Pro, and assuming that the help is correct it seems to be:
C:\>runas /?

RUNAS [ [/noprofile | /profile] [/env] [/netonly] ]
        /user:<UserName> program

RUNAS [ [/noprofile | /profile] [/env] [/netonly] ]
        /smartcard [/user:<UserName>] program

   /noprofile        specifies that the user's profile should not be loaded.
                     This causes the application to load more quickly, but
                     can cause some applications to malfunction.
   /profile          specifies that the user's profile should be loaded.
                     This is the default.
   /env              to use current environment instead of user's.
   /netonly          use if the credentials specified are for remote
                     access only.
   /savecred         to use credentials previously saved by the user.
                     This option is not available on Windows XP Home Edition
                     and will be ignored.
   /smartcard        use if the credentials are to be supplied from a
   /user             <UserName> should be in form USER@DOMAIN or DOMAIN\USER
   program         command line for EXE.  See below for examples

> runas /noprofile /user:mymachine\administrator cmd
> runas /profile /env /user:mydomain\admin "mmc %windir%\system32\dsa.msc"
> runas /env /user:user@domain.microsoft.com "notepad \"my file.txt\""

NOTE:  Enter user's password only when prompted.
NOTE:  USER@DOMAIN is not compatible with /netonly.
NOTE:  /profile is not compatible with /netonly.
--- End quote ---
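
One way to do what the last post describes (same user, reduced token for the child only), using the Win32 calls CreateRestrictedToken and CreateProcessAsUser from PowerShell. This is an added example, not code from the thread, LaunchBar Commander or Process Explorer; the `Demo.Native` wrapper name and the `notepad.exe` target are assumptions.

```powershell
# Added example. Demo.Native is a hypothetical wrapper name; the Win32 functions are real APIs.
Add-Type -Namespace Demo -Name Native -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)]
public struct SID_AND_ATTRIBUTES { public IntPtr Sid; public uint Attributes; }
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct STARTUPINFO {
    public int cb; public string lpReserved, lpDesktop, lpTitle;
    public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
    public short wShowWindow, cbReserved2;
    public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError; }
[StructLayout(LayoutKind.Sequential)]
public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }
[DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
[DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool CreateRestrictedToken(IntPtr token, uint flags, uint disableCount,
    SID_AND_ATTRIBUTES[] sidsToDisable, uint deleteCount, IntPtr privsToDelete,
    uint restrictCount, IntPtr sidsToRestrict, out IntPtr newToken);
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool CreateProcessAsUser(IntPtr token, string app, System.Text.StringBuilder cmdLine,
    IntPtr procAttrs, IntPtr threadAttrs, bool inherit, uint flags, IntPtr env, string cwd,
    ref STARTUPINFO si, out PROCESS_INFORMATION pi);
'@
$m = [Runtime.InteropServices.Marshal]
# BUILTIN\Administrators (S-1-5-32-544) becomes a deny-only group in the child's token.
$sid  = New-Object Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$raw  = New-Object byte[] ($sid.BinaryLength); $sid.GetBinaryForm($raw, 0)
$pSid = $m::AllocHGlobal($raw.Length); $m::Copy($raw, 0, $pSid, $raw.Length)
$deny = New-Object 'Demo.Native+SID_AND_ATTRIBUTES'; $deny.Sid = $pSid
$tok  = [IntPtr]::Zero; $low = [IntPtr]::Zero
try {
    # TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_QUERY | TOKEN_ADJUST_DEFAULT = 0x8B
    if (-not [Demo.Native]::OpenProcessToken([Demo.Native]::GetCurrentProcess(), 0x8B, [ref]$tok)) { throw 'OpenProcessToken failed' }
    # DISABLE_MAX_PRIVILEGE (0x1) removes every privilege except SeChangeNotifyPrivilege.
    if (-not [Demo.Native]::CreateRestrictedToken($tok, 0x1, 1, [Demo.Native+SID_AND_ATTRIBUTES[]]@($deny),
            0, [IntPtr]::Zero, 0, [IntPtr]::Zero, [ref]$low)) { throw 'CreateRestrictedToken failed' }
    $si   = New-Object 'Demo.Native+STARTUPINFO'; $si.cb = $m::SizeOf($si)
    $proc = New-Object 'Demo.Native+PROCESS_INFORMATION'
    $cmd  = New-Object Text.StringBuilder 'notepad.exe'   # placeholder program (assumption)
    if (-not [Demo.Native]::CreateProcessAsUser($low, [NullString]::Value, $cmd, [IntPtr]::Zero, [IntPtr]::Zero,
            $false, 0, [IntPtr]::Zero, [NullString]::Value, [ref]$si, [ref]$proc)) { throw 'CreateProcessAsUser failed' }
    "Started PID $($proc.dwProcessId) with a restricted token"
    [void][Demo.Native]::CloseHandle($proc.hThread); [void][Demo.Native]::CloseHandle($proc.hProcess)
} finally {
    foreach ($h in $tok, $low) { if ($h -ne [IntPtr]::Zero) { [void][Demo.Native]::CloseHandle($h) } }
    $m::FreeHGlobal($pSid)
}
```

To check the result, open the child's Security tab in Process Explorer: Administrators should be listed as deny-only and the privilege list should be reduced to SeChangeNotifyPrivilege.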

