DigeratiPrime Posted January 27, 2006 (edited)

WARNING: we had a little challenge below to see how secure this method is. LLXX proved it is insecure by 'recovering' the admin password from the compiled exe. + ty prp8683.

This guide will show how to launch an application with Administrative rights under a limited user account. This is very useful for people who want to use Limited User accounts but have some apps/games that do not work natively in this environment.

All you need is AutoIT (free) and the following code.

Create a txt file and put this (make changes as necessary) inside:

    ; Set the RunAs parameters to use local adminstrator account
    ; Run program as admin
    ; Reset user's permissions
    RunAsSet("username", "computername", "password")
    RunWait("C:\Program Files\Path\To.exe")
    RunAsSet()

Rename this file runas.au3

Now we're just going to compile this as an exe so others cannot get the administrator password.

- Run Aut2Exe
- For Source choose the au3 file you just created.
- For Destination choose a name for the exe to be created.
- (Optional) Choose an Icon for the exe.
- Uncheck decompilation
- Finish by hitting Convert to create the exe!

Easy, right!?

- The Secondary Logon service must be running!
- You can always manually run/(un)install programs while a Limited User by right clicking on a file and selecting runas.
- The administrator account needs to have a password for this to work.
- If you are going to place this AutoIT exe in the same folder as the program you want to runas, for the path line in the script you can put just the name of the exe.
- You can extract the icon from any file using XN Resource Editor (free/standalone).

[TWEAK] Hide the Administrator Account on the XP Logon Screen.

You can logon as Administrator by switching to the classic logon by hitting Ctrl+Alt+Del twice at the XP logon screen.

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
    "Administrator"=dword:00000000

Edited July 19, 2006 by DigeratiPrime

prp8683 Posted February 8, 2006

> This guide will show how to launch an application with Administrative rights under a limited user account.
>
> - Uncheck decompilation

Don't use this anywhere you really need security; it's still possible to retrieve or modify the script data (including the credentials for the admin account) by running the resulting EXE through a debugger and watching as the data is decrypted. Hopefully MS will someday add real SUID support to Windows, and this will become a non-issue.

--Phil

DigeratiPrime (Author) Posted February 14, 2006

Very informative, prp8683. Debugging/decompiling did cross my mind but I'm not familiar enough with it.

So for the record, even if the exe was further encrypted using another program, you could still look for the decryption of the password?

LLXX Posted February 14, 2006

Any text in the script will appear directly in the resulting file; this is not a very secure method at all.

With an uncompressed EXE, I could probably open it in Notepad and locate the password along with the computername and username.

If it was compressed, I can still unpack it.

nmX.Memnoch Posted February 14, 2006

A better option would be to figure out what NTFS/registry permissions the application requires and set them appropriately.

TravisO Posted February 14, 2006 (edited)

Interesting idea, I sure hope Vista addresses this issue better.

Edited February 14, 2006 by travisowens

DigeratiPrime (Author) Posted February 19, 2006

I don't know, I still believe this is safe. Nothing will give you absolute security. Here is a test. I will attach a compiled exe made from the following script:

    ; Set the RunAs parameters to use local adminstrator account
    ; Run registry editor as admin
    ; Reset user's permissions
    RunAsSet("x", "x", "x")
    RunWait("x")
    RunAsSet()

If this is so easy to reverse, please 'reveal' the true values where the 'x' are. I have not done anything else to the exe; it's made using the defaults in Aut2Exe.

RunAs.zip

Sn4k36 Posted February 19, 2006

Here's a faster way to run apps with the admin rights under the limited user account: just hold the Shift key and right click on the app and go to Run As, and it'll open up a dialog so u can type in the admin name and password of the admin account.

prp8683 Posted February 19, 2006

> Very informative, prp8683. Debugging/decompiling did cross my mind but I'm not familiar enough with it.
>
> So for the record, even if the exe was further encrypted using another program, you could still look for the decryption of the password?

The exe must be decrypted before it is executed, and if it stores the user/pass in encrypted form, it must decrypt those before passing them to the API functions that log the user on to do whatever the script does. Connecting a debugger to the process during this procedure will reveal the userid/password.

LLXX Posted February 19, 2006 (edited)

> I don't know, I still believe this is safe. Nothing will give you absolute security. Here is a test. I will attach a compiled exe made from the following script:
>
>     ; Set the RunAs parameters to use local adminstrator account
>     ; Run registry editor as admin
>     ; Reset user's permissions
>     RunAsSet("x", "x", "x")
>     RunWait("x")
>     RunAsSet()
>
> If this is so easy to reverse, please 'reveal' the true values where the 'x' are. I have not done anything else to the exe; it's made using the defaults in Aut2Exe.

I accept your challenge...

    RunAsSet("administrator", "cpu", "msfn")
    RunWait("ImgBurn.exe")

...and here are the entire contents of the script:

    ; ----------------------------------------------------------------------------
    ; <AUT2EXE INCLUDE-START: D:\Program Files\AutoIT3\RunAs.au3>
    ; ----------------------------------------------------------------------------
    ; Set the RunAs parameters to use local adminstrator account
    ; Run registry editor as admin
    ; Reset user's permissions
    RunAsSet("administrator", "cpu", "msfn")
    RunWait("ImgBurn.exe")
    RunAsSet()
    ; ----------------------------------------------------------------------------
    ; <AUT2EXE INCLUDE-END: D:\Program Files\AutoIT3\RunAs.au3>
    ; ----------------------------------------------------------------------------

Do you believe it's safe now?

Edited February 19, 2006 by LLXX

prp8683 Posted February 19, 2006

> Here's a faster way to run apps with the admin rights under the limited user account: just hold the Shift key and right click on the app and go to Run As, and it'll open up a dialog so u can type in the admin name and password of the admin account.

True, but there are situations where:

1. A user must run a particular program which requires administrative rights
2. That user is not trusted to have administrative rights

Altering permissions to allow the application to run in the restricted user's context may work, depending on your security needs. (The application may require access you would not otherwise grant the user; e.g. an application which must load a device driver, and you don't want the user fiddling around with devices otherwise; in this case, granting the permissions required to run the program gives the user more access than you want. On the other hand, if the app simply stores user preferences in a global location and you don't care about the user changing system-wide preferences for that app, changing the permissions is probably OK.)

The Run-As method you mention is useful for admins to use non-privileged accounts and quickly gain privileges to perform specific functions, but it requires that the user know an administrative password, thus defeating item 2 above. What is needed here is some mechanism that allows an admin to say that 'user x is allowed to run program y with the privileges of user z, without knowing user z's password'. *nix systems do this with the sudo program, but Windows doesn't provide that functionality. Perhaps Vista will provide this, but I'm not holding my breath.

Gouki Posted February 19, 2006

> > I don't know, I still believe this is safe. Nothing will give you absolute security. Here is a test. I will attach a compiled exe made from the following script:
> >
> >     ; Set the RunAs parameters to use local adminstrator account
> >     ; Run registry editor as admin
> >     ; Reset user's permissions
> >     RunAsSet("x", "x", "x")
> >     RunWait("x")
> >     RunAsSet()
> >
> > If this is so easy to reverse, please 'reveal' the true values where the 'x' are. I have not done anything else to the exe; it's made using the defaults in Aut2Exe.
>
> I accept your challenge...
>
>     RunAsSet("administrator", "cpu", "msfn")
>     RunWait("ImgBurn.exe")
>
> ...and here are the entire contents of the script:
>
>     ; ----------------------------------------------------------------------------
>     ; <AUT2EXE INCLUDE-START: D:\Program Files\AutoIT3\RunAs.au3>
>     ; ----------------------------------------------------------------------------
>     ; Set the RunAs parameters to use local adminstrator account
>     ; Run registry editor as admin
>     ; Reset user's permissions
>     RunAsSet("administrator", "cpu", "msfn")
>     RunWait("ImgBurn.exe")
>     RunAsSet()
>     ; ----------------------------------------------------------------------------
>     ; <AUT2EXE INCLUDE-END: D:\Program Files\AutoIT3\RunAs.au3>
>     ; ----------------------------------------------------------------------------
>
> Do you believe it's safe now?

So, is he right or not?

LLXX Posted February 19, 2006

I'll let him decide, seeing as how I recovered his entire script, complete with comments and formatting, inside the compiled EXE.

ProClub Posted February 23, 2006

If you need to install some stuff, you might alternatively do it in a startup/shutdown script implemented by group policies. I recommend shutdown, because the program will be ready for use next time the computer starts up.

There will be no rights problems, because these scripts run as SYSTEM. (Logon/logoff scripts run as user!)

DigeratiPrime (Author) Posted February 25, 2006

Awesome job LLXX, sorry I forgot to check the thread the other day. I'll put a warning in the top post.
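
A source-side check for the problem this thread demonstrates, as an added example that is not part of the original posts: it scans AutoIt script text for RunAsSet calls whose password argument is a string literal, so such scripts can be caught before they are compiled and handed to users. It goes beyond the thread by also covering RunAs and RunAsWait from later AutoIt releases; the sample script and the helper names (`audit`, `split_args`, `strip_comment`) are constructed for illustration.

```python
import re

# Constructed sample script (not from the thread); all values are made-up placeholders.
SAMPLE = r"""; Run program as admin
RunAsSet("localadmin", "WORKSTATION1", "example-password")
RunWait("C:\Program Files\Path\To.exe")
RunAsSet()
; RunAsSet("old", "old", "old")
runasset($user, $domain, $pass)
RunAsWait('svc', @ComputerName, 'it''s;constructed', 0, "app.exe")
"""

LITERAL = r'"(?:[^"]|"")*"|\'(?:[^\']|\'\')*\''   # AutoIt string; doubled quote = escaped quote
# RunAsSet is the call used in this thread; RunAs/RunAsWait replaced it in later AutoIt releases.
CRED_CALLS = re.compile(r"\b(RunAsSet|RunAsWait|RunAs)\s*\(", re.IGNORECASE)

def strip_comment(line):
    """Cut a ';' comment, ignoring ';' inside string literals."""
    return re.match(rf'(?:{LITERAL}|[^;"\'])*', line).group(0)

def split_args(text):
    """Split text that follows a call's '(' into its top-level arguments."""
    args, cur, depth, quote = [], "", 0, None
    for ch in text:
        if quote:                      # inside a literal: only its own quote char ends it
            quote = None if ch == quote else quote
        elif ch in "\"'":
            quote = ch
        elif ch in "()":
            depth += 1 if ch == "(" else -1
            if depth < 0:              # the call's own closing parenthesis
                return args + ([cur.strip()] if cur.strip() else [])
        elif ch == "," and depth == 0:
            args.append(cur.strip())
            cur = ""
            continue
        cur += ch
    return args                        # unterminated call: return what was parsed so far

def audit(source):
    """Return (line number, function, user argument) for calls with a literal password."""
    findings = []
    for lineno, raw in enumerate(source.splitlines(), 1):
        line = strip_comment(raw)
        for m in CRED_CALLS.finditer(line):
            args = split_args(line[m.end():])
            if len(args) >= 3 and re.fullmatch(LITERAL, args[2]) and len(args[2]) > 2:
                findings.append((lineno, m.group(1), args[0]))
    return findings
```

The findings deliberately omit the password itself, so the report can be logged or shared without repeating the secret.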