Bypass RunAs

Guest · Sep 19, 2007

Dear All,

When a non-administrator wants to run an executable, Vista asks for an
adminstrator password.

If I want to allow an executable to run under a user without having to
provide an administrator password, is it possible/allowed in Vista?

Guest · Sep 19, 2007

Not if you want the executable to run as an administrator. There is no setuid
equivalent on Windows.

If you control the executable, the proper way to do that is to refactor the
executable into a service portion, which runs elevated and performs the
administrative tasks, and a user-mode portion that runs as the user.

Steve Easton · Sep 21, 2007

Have you tried embedding a manifest file as a resource in your application?
That will do it.

Info here:
http://www.devx.com/VistaSpecialReport/Article/33856/0/page/2
specifically in the middle of the page.

Guest · Sep 21, 2007

The manifest governs how elevation is invoked (automatica, only for members
of the admins group, or not at all). It does not permit automatic,
password-less elevation of only certain apps.

Alex K. Angelopoulos \(MVP\) · Sep 23, 2007

A minor caveat - there actually _is_ a setuid included in the free SUA
add-on from Microsoft:

http://www.microsoft.com/downloads/details.aspx?FamilyID=93ff2201-325e-487f-a398-efde5758c47f

Security implications of enabling setuid aside (you're warned in setup),
from a practical standpoint you're still right. Using setuid isn't something
that most users will want to get into.

Guest · Sep 23, 2007

Good point Alex. I didn't think of that. Does it actually do what setuid does
on Unix though? Does it let limited Windows users run administrative
applications?

Robert Firth · Sep 23, 2007

The clear answer is that yes, it is possible. Make the program not require
administrative privileges. If it does require admin privileges, then it must
prompt the user.

Alex K. Angelopoulos \(MVP\) · Sep 23, 2007

Sorry about the response lag.

I had originally just noted that it was possible to do this while installing
SUA on Vista; it has options for allowing setuid (and also sutoroot) during
install phase. I went back this morning and tried allowing setuid to work,
even reinstalling SUA, but I can't even find the binary - just the man page.

I think this is going to take someone who knows more about SUA to answer,
which kind of drives home the point that it isn't a practical solution for
most people.

Adding Links to the Links field in IE7	1	Mar 6, 2007
Running a batch file	4	Sep 25, 2009
Problem in executing my application in Vista Home edition	1	Feb 21, 2008
Adminstrator Rights	1	Jan 16, 2010
Vista: "Run as..." while UAC disabled	5	Nov 29, 2008
Admin rights on Vista	6	Apr 21, 2007
runas explorer /separate	2	Mar 5, 2008
Security Prompt Issue	9	May 12, 2009

Bypass RunAs

Guest

Guest

Steve Easton

Guest

Alex K. Angelopoulos \(MVP\)

Guest

Robert Firth

Alex K. Angelopoulos \(MVP\)

Ask a Question

Similar Threads