“RunAs” basic (and intermediate) topics

In this posting: 

  • What is RunAs? 

  • How to use RunAs from the GUI (even if you can’t see it)

  • Using RunAs from the command line

  • When RunAs won’t work

  • Useful RunAs shortcuts and related tips for the non-admin


Did you know that millions of people run as non-administrator every day?  It’s true!  What do they do when they come to a point where something requires administrator privileges?  Simple:  they call their helpdesk.  And if they ask really nice, a sysadmin makes a note to stop by sometime within the next month.  When he arrives, he logs in as administrator and performs some magical administrative tweak that renders the user’s computer unbootable.  “Oops!”  Of course, that’s not really true.  The sysadmin can now log in remotely to render the user’s computer unbootable, without even leaving his desk!  (I’m sure there’s research going on somewhere about how remote administration is contributing to increased sysadmin obesity.)


If you are your own helpdesk (i.e., you administer your own machine), how do you run something with admin privileges?  Fast User Switching is the best option (see previous blog entry), but it isn’t available in Windows XP if your computer is joined to a domain.  You can log out, shutting down all your apps, and log back in as administrator.  Sometimes that will be necessary (I needed to do that when installing the beta of Microsoft Office 2003), but most of the time logoff is more disruption than necessary.  At these times, the Secondary Logon service is your friend, typically exposed through RunAs.


The Secondary Logon service was first introduced in Windows 2000, and is in Windows XP and Server 2003.  When you start a new process through RunAs, you provide credentials for the account you want the process to run under – for example, the local Administrator account.  Assuming the credentials are valid, the Secondary Logon service then causes several things to happen:

  • creates a new logon session for the specified account, with a new token;

  • ensures that the new process’ token is granted appropriate access to the current window station and desktop (the specifics change somewhat for XP SP2, but aren’t important here);

  • creates a new job in which the new process and any child processes it starts will run, to ensure that the processes are terminated when the shell’s logon session ends (correcting a problem with the NT4 Resource Kit’s SU utility).

Is this description too nerdy?  The net is that it lets you run programs as a different user on the same desktop with your other running programs.  The new process and (generally) any programs it starts will run under this new account.


The “How to develop code as a non-admin” item in Keith Brown’s upcoming book, A .NET Developer's Guide to Windows Security, covers some of the same ground I’m covering here.  We cover the details differently and offer different tips, though, so you should read us both!


RunAs GUI, in Windows XP and Server 2003:


In Windows Explorer or the Start menu, right-click on any Application (.exe) or Microsoft Common Console Document (.msc) file or shortcut, and choose “Run As…” from the context menu.  In the “Run As” dialog, choose the 2nd radio button (“the following user”) enter the user name and password for the account, and click OK.  (I’ll discuss the first radio button and the “protect my computer and data…” option in a future post.)


I said “any”, but that’s not quite true.  If the shortcut is a “special Microsoft Windows Installer link”, you’ll need to hold down the Shift key while right-clicking to get Run As on the menu.  (Don’t ask me why.  It’s better than in Windows 2000, where you never saw Run As on the right-click menu unless you pressed Shift.)  On my Start menu, these “special” shortcuts include Adobe Reader 6.0, MSN and Windows Messenger, and MapPoint 2004. 


The “hold down Shift” trick is also needed to get Run As on the context menu for most Control Panel shortcuts – specifically those that link to a .cpl file.  RunAs doesn’t work for all Control Panel items, though.  Some of them, such as Folder Options, Fonts, Network Connections, and Scheduled Tasks, actually run within Windows Explorer, which by default doesn’t play well with Run As.  More on that in a future post.


There’s also a little problem with the Power Options applet.  According to Keith Brown’s analysis (no longer online? I can’t find it), when you click OK or Apply, it writes both per-machine and per-user settings.  If you are a normal User, it quietly fails when writing the per-machine settings and never writes the per-user settings.  (As of XP SP2 RC1, this is “fixed” in that it at least tells you that it failed to save the settings.)  If you use RunAs to run it as the local administrator, the per-user settings it writes are those of the administrator account, not your user account.  Sadly, to change your own power settings, you need to be an admin.  (This is addressed by my MakeMeAdmin script, which I’ll describe in an upcoming post.  Stay tuned!)


You can avoid the right-click context menu and make “Run as…” the default action for a particular .exe or .msc shortcut by opening its Properties dialog, clicking Advanced, and checking “Run with different credentials”.  When you invoke the shortcut, you’ll get the RunAs dialog, and the shortcut’s target will run under the account you specify.


RunAs from the command line:


RUNAS.EXE is a console (a.k.a., “text mode”) application that prompts for alternate account credentials and starts a new process under that account.  Console applications are often started from a cmd.exe command prompt, but they can also be started from the Start/Run dialog or from an Explorer shortcut.


RUNAS.EXE offers more flexibility than the GUI, including the ability to authenticate with a smart card, to use the account only for network authentication but continue to use your current account locally, and to control which profile and environment to use.  Type “RUNAS” without parameters at a command prompt to see its command line options.  Look up “runas” in Windows XP Help and Support for more info and examples.


When RunAs won’t work:


A common source of frustration and confusion is to start an application with RunAs, only to find that it is continuing to run in your original logon session.  (First, how do you tell?  My favorite tool here is Process Explorer from SysInternals.  Add “User name” to the displayed columns.  Starting with v8.30, ProcExp no longer requires admin privs – thanks, Mark!  Also look for my PrivBar utility in another upcoming post.)


The problem is that when started, many applications – such as MS Word and Windows Explorer – look on the current desktop for an already running instance of itself.  If found, the new process will send a message to the previous instance to handle the request and then exit.  That previous instance will often be running under the account you originally logged on with, not that of your alternate credentials.  A similar effect occurs when a new app is not started directly by the parent app, but is instead started through the shell, via ShellExecute[Ex] or through DDE.  The new process then inherits the security context of the shell, and not of your alternate account.  The cmd.exe start command will do this in certain circumstances.


I promise to discuss how to get Windows Explorer to play nicer with RunAs in a future post.  In the meantime, Keith Brown’s “How to develop code as a non-admin” describes how you can use Internet Explorer to achieve some of the same results (search the item for “But I hate the command prompt!”).


Some tips and tricks:


I really like Keith’s recommendation to change the background bitmap for your admin IE, but there’s an easier way to do it:  the TweakUI Power Toy.  Run it as admin and navigate to Internet Explorer \ Toolbar Background.  And here’s a bitmap I like to use.


Many people like to keep a cmd.exe shell running as local admin.  To reduce the possibility of mistakes, I strongly advise making it obviously different from your normal command shells.  The easiest, one-time setup is to click on the admin shell’s system menu, choose “Defaults” and change the colors.  This is a per-user setting, so all future console windows running as local admin will appear in the colors you choose.


Another way is to specify distinguishing characteristics in the cmd.exe command line.  For example:

cmd.exe /k cd c:\ && color fc && title ***** Admin console *****

The /k option says to run the commands that follow, and not exit after running them.  (FYI, /c runs the commands and then exits.)  The commands that are executed change the current directory to the root of C: (somewhat safer than being in the system32 folder), the color command changes the console’s color to light red on bright white (run “color /?” to see other choices), and the title command changes the window title to something distinctive.  I keep a shortcut in my Quick Launch bar that invokes runas with that command line.


Yet another way, suggested by MS employee John Lambert (NT), is to associate a custom icon with the shortcut.  The icon will appear in the Alt-Tab window, the taskbar, and of course the upper-left corner of the cmd window itself.  Note that this works only with a cmd.exe target, and you need to use the GUI RunAs option, not the runas.exe console app.  Here is an icon you can use.


The admin command shell is a popular way to start apps with elevated privileges.  You don’t have to be a total nerd to enjoy its power, though.  Examples:


Windows Installer Packages (.msi files) don’t offer a RunAs context menu option.  You might be able to get away with hacking the registry to add that option, or you can just run the .msi file directly on the command line of your admin shell. 


In general, the command shell recognizes file associations, so you can invoke a data file on the command line and it will start the associated application.


You can start Control Panel applets from the command line just by typing the name of the .cpl file.  Some examples:

Start “Date and Time Properties”:


Start “Add or Remove Programs”:


Start “System Properties”:



To start Internet Explorer from the command shell, you can type the full path ("C:\Program Files\Internet Explorer\iexplore.exe" – rather a PITA even with command completion).  I just keep an ie.cmd file in a folder in my path (posted here as a .txt – just rename it to .cmd).  It starts IE, and takes an optional URL parameter.  E.g.,

C:\>ie blogs.msdn.com


That will have to do for now.  Please continue to post comments, and I’ll try to get everything addressed.

Comments (149)
  1. Frank de Groot says:

    I’ve been doing this since I saw Keith’s article and it generally works well for me.

    The only trouble I had was when running a code from VS.NET with VS.NET running as admin. A debug run works ok, but running without debugging started the process but doesn’t show the window (and you can’t kill it either because it’s running as admin).

    I suppose the program was sent to the wrong desktop.

  2. Frank – was this ASP.NET? And the window you’re looking for IE?

  3. Dana Epp's ramblings at the Sanctuary says:

    Aaron Margosis pointed out to me today his weblog which contains some good references and information about running as a limited user on Windows. He had an interesting comment on my different credentials post I did almost a year ago in which he uses a shortcut directly to a cmd window with runas instead of using the explorer view. His suggestion is to do: C:WINDOWSsystem32runas.exe /u:Administrator "%windir%System32cmd.exe /k cd c: && color fc && title ***** Admin console *****" Makes total sense if you want to use an admin shell. Personally I prefer having the UI available through the explorer view… which has its own limits. This way I don’t have to try to remember where the CPL paths are, or what they are called. I just click ‘My Computer’ and then ‘Control Panel’ and have at ‘er. To each his own. Aaron has some good pointers on his blog about different ways of approaching this. Consider checking it out….

  4. Richard Cass says:

    I have tried to follow Aaron’s advice about running in Standard User mode, but continually hit the snag that folders don’t exist (they do).

    e.g. Run As cmd.exe produces error C:WINDOWSsystem32cmd.exe The directory name is invalid.

    This happens with others (windows update). I am running WXP SP1 on a domain.

    What step have I missed?

  5. Richard Cass – can you provide more details about how you’re getting to that error message? I’ve never seen that in this context.


  6. Richard Cass says:

    My XP Pro SP1 machine is on a domain. Normally I have my user account as part of the Domain Admins as well as a Local Administrator of my PC. No problems there.

    I wanted to test whether my users could run as a Standard User (currently they are also in the Local Admins group – most of them are software engineers and compiling & installing seems to require admin rights).

    So I removed myself from these admin groups (ie Users group), logged off/on and tried to test for restrictions. As an example I tried to use Run As on the Command Prompt icon, logged in as the domain admin and then had the error message given in my first feedback.

    I also tried Windows Update (as a Standard User) and the web page titled Administrators only came up, indicating to use the Run as option. Doing that then gave me the error: C:WINDOWSsystem32wupdmgr.exe. The directory name is invalid.

    I was also getting the usual restriction messages (cannot change some of the network settings etc), but I expected that.

  7. ch. says:

    well I want non-admins run certain applications as admins (otherwise they don’t work) – but it keeps forgetting that I set them to run as admin. Once I set the run as admin and then reboot, the setting is lost and normal users can’t use it.

  8. ch – RunAs-admin is not a permanent setting. You *can* specify on a shortcut that it should run with different credentials, but the user will be prompted for the admin credentials each time the shortcut is invoked.

  9. Richard Cass – I’ve asked around and everyone seems stumped by the symptoms you’ve described. One colleague suggested the possibility that the DA account does not have the "bypass traverse checking" privilege. Could you check that? Also, make sure that Domain Admins is a member of the local Administrators group.

  10. Jeff Sontag says:

    I like using a shortcut configured to offer the option of using alternate credentials.

    I noticed that the local administrator account was offered as the default username in the "the following user" section. I added my domain account (the one that is a memeber of Domain Admins) to the local machine’s Administrators group ("Domain Admins" was already in this group) and now I can pick my domain admin account from the drop-down list in the "the following user" section. I hoped that it would remember it even if I then removed my DA account from the local machine’s administrator’s group, but no good. Do you know a way to make the "the following user" drop-down list remember just domainusername entries, and not the password, without adding the accounts to the local machine’s admins or users group?

  11. How to get Windows Explorer to work with RunAs (and why you might want to).

  12. Jeff Sontag – Sorry, no, it’s not configurable and it doesn’t remember previously used names. It lists only usernames explicitly listed in the BUILTINAdministrators group, as well as Client Authentication certificates in the current user’s Personal cert store, including smart cards. (You can run certmgr.msc to see your certs).

  13. Chad Pankratz says:

    A possible explanation for the "The directory name is invalid" error: Many shortcuts in the Start Menu have "Start in" set to "%HOMEDRIVE%%HOMEPATH%". If this maps to a network drive on your domain, then if you attempt to Run As a user that cannot see the drive, you will receive the error.

  14. Richard Cass says:

    Aaron: Sorry I haven’t been back before (RSS is great for the initial Post but not for Comments), but setting the DA permission to have the "bypass traverse checking" privilege did not do anything.


    Chad: That was it! Removing the default "Start in" sorted the problem.

    Many thanks guys.

  15. A toolbar for Explorer and Internet Explorer that shows you broadly at what privilege level that particular instance is running

  16. Aaron Margosis is a Microsoft employee who is writing a weblog on running Windows with least privilege on the desktop. If you are having trouble running applications under an account with less privileges than administrator, there are many useful suggestions…

  17. The idea that the principle of least privilege requires that a user or process be given no more privilege than necessary to perform a job makes a lot of sense in this hostile digital divide we live in. Least privilege has become a passion of mine, and its reflected in everything that I design now adays. Which is why Carina works so well in the face of hostile and malicious code. In today’s show I talk about the security principle of least privilege, how we use it to protect our customer’s information… and how you can use it to protect your desktops. For more information about least privilege please check out some of these links: nonadmin.editme.com – This is a community web site (wiki) for Windows users who want to learn how to run without Administrator privileges, and why they should do this. "RunAs" basic (and intermediate) topics – Aaron Margosis’ introduction on how to use the runas command in Windows Secure Coding Practices: Running with Least Privileges in Windows – An older article I wrote for CodeProject on how to develop using least privilege on Windows Developing Software in Visual Studio .NET with Non-Administrative Privileges – Lars Bergstrom’s great article that explains how to productively develop software while logged on with non-administrative privileges. Using a Least-Privileged User Account – A small article on TechNet discussing LUA, and how it will affect LongHorn. After listening to customer feedback, we are going to try a new format with this podcast. We will keep these single topic recordings short (somewhere around 5 minutes) so that people with busy schedules can still get a chance to listen to it. We will leave longer shows for more in depth interviews etc. Please let me know if you like the new format. Think strategically. Protect your information. Enjoy! MP3: Scorpion Vault: Understanding Least Privilege (4:59s / ~4.7mb)…

  18. Complete list of Aaron Margosis’ non-admin / least privilege posts, for easy lookup.

  19. rduke15 at gmail.com says:

    Sorry, I meant "This is really UN-related…" in the previous post.

  20. rduke15 at gmail.com says:

    This is really related to runas and privileges, but is a question about cmd.exe and shells, in case someone knows.

    Can I find out if my console app. was started from an open cmd.exe console window, or from Start->Run?

    I have a Perl script which prints output that the user wants to read.

    If started from Start->Run, the window will close immediately. If I put a "press key" prompt in my app, it’s annoying in the other case, when the cmd window is staying open anyway and pressing a key would not be needed.

    Can I somehow differentiate how the app was called, and prompt for a keypress only if needed?

  21. tonyso says:

    Get your friends and family, all those folks that come to you for computer help once their machines have…

  22. Alex Mondale says:

    I am attempting to follow the shining LUA path, but the following is frustrating me:


    RUNAS ERROR: Unable to run – cmd.exe

    5: Access is denied.


    Could this be because the account I am attempting to runAs has a null pwd? Any other thoughts? Where would I find out what access is being denied to whom?

  23. Alex Mondale says:

    Interesting, when I (as local admin) runAs a nonpriv account I get

    RunAs ERROR: 1327: account policy restriction: nonblank password, …

    This is something we developers (unfortunately) try to do all the time: develop as local admin, runAs another less priv’ed account, and see what breaks.

  24. Alex Mondale says:

    Aha! I made the following discoveries:

    — when I removed my former Admin Account from Administrators, it had all kind of other rights (act as part of the OS, run as a Service, etc.). Just removing from Admins and adding to Users didn’t remove these policy-granted rights.

    — Having removed these "extra" privs, I still cannot runAs. Now, I get the same message as when I attempt to run as a nonpriv from a priv account:

    "RUNAS ERROR: Unable to run – cmd.exe

    1327: Logon failure: user account restriction. Possible reasons are blank passw

    ords not allowed, logon hour restrictions, or a policy restriction has been enfo


    — Gave the local admin a password, guess what happened? It worked, of course.

    So where do I go to adjust this ppolicy restriction? and, what process or app caused this policy restriction to be made? (Not ruling out Yours Truly, I have the attention span of a Gnat!).

  25. Alex Mondale says:

    http://tinyurl.com/6u739 has info on the use of blank passwords as a Local Sec Policy enforcement. But why should this clobber RunAS?

  26. Alex —

    As you found in that URL


    local accounts with blank passwords can be used to log on only at the console logon screen, not through any other manner. If you have a computer in a secure location (e.g., a home computer) where you can trust everyone who has physical access, this is very convenient. RUNAS was specifically and deliberately disallowed with blank passwords. The reason is because if it were allowed and a LUA user accidentally downloaded some malware, RUNAS would offer an easy elevation of privilege for the malware to run code as an admin. There is a security option that will allow blank password for all other logon types, but I would strongly advise against changing it.

  27. Alex Mondale says:


    I have discovered that if the user that is "becoming" admin doesn’t have read-only rights to the USER.DAT in the Admin’s documents and settings folder, the RUNAS will fail. I have also discovered that MAKEMEADMIN will fail for the same reason.

    Also, I have seen the MAKEMEADMIN batch file fail in "mid-stream" so that the user was made member of Administrators and then not "demoted" after running the program. Any one else reported this?


  28. jodah says:



    When I launch Explorer as Admin (RunAs)

    Explorer won’t refresh things automatically. For example, if I create a new file, it might not show up in my admin Explorer window. I know pressing [F5] would solve this problem.

    Isn’t there a possibility to let (admin)-Explorer refresh automatically???

    Thank you for your help

  29. Alex Mondale – 1. Under what (normal) circumstances would the admin not have full control over its own NTUSER.DAT file? 2. The error handling in MAKEMEADMIN should always remove the user from the admins group, unless you close the console window prematurely.

    Jodah – I know of no fix for that particular annoyance. Just F5 after every operation.

  30. Jason Mayer says:

    Just curious, but do you know of any method to change the default user name when you Run As another user?

  31. Jason Mayer says:

    I found the answer on another web site. Make a shortcut that runs the command line version of the run as program and use the switches to change the default login.

    An example would be:

    C:WINNTsystem32runas.exe /profile /user:somedomainjmayer sol.exe

  32. Derrell Rivers says:


    In your tips and tricks you mentioned the following, "Windows Installer Packages (.msi files) don’t offer a RunAs context menu option. You might be able to get away with hacking the registry to add that option, or you can just run the .msi file directly on the command line of your admin shell."

    Where I work, our developers started using .msi files which doesn’t allow desktop support to use Runas option for installs.

    What steps are needed to set a group policy for our entire environment permitting Runas on .msi?

  33. HairyMonster says:

    Instead of having ie.cmd or any other .cmd file for starting a registered application, simply type "start iexplore" from the command prompt. If you can use the Start/Run menu item to run the app, this will work from the command-line.

  34. Perro_Flaco says:

    Hi everybody!

    I hope someone can help me with this, because I’m getting really angry.

    I’m trying to execute the following command:

    "runas /user:user_name cmd.exe"

    When I hit return, it asks me for my password, and here is where the

    problem begin. I get this error:

    "Error 1326. Logon failure: unknown user name or bad password."

    I’ve tried with different combination of user_name and password with

    the same result. I’m sure about the user_name and password. I also have

    tried this:

    "runas /user:mymachineuser_name cmd.exe"

    But the problem remains.

    I’ve been looking for a solution in the google, but without any

    success. Please, if anybody knows how to fix this, let me know!

    Thank you very much for your help!

  35. Daveib says:

    When I use Runas with the following full command line

    %windir%system32runas.exe /profile /user:OFFICETestUser/savecred "C:Program FilesInternet Exploreriexplore.exe"

    it comes up with what looks like a command prompt, asking for a password, but the keyboard does not work. I am unable to type in the password, so the command line window closes without anything happening.

    Any ideas?

  36. Daveib – several things:

    1. It might just be a typo, but you need a space between TestUser and /savecred.

    2. The console doesn’t echo any characters when you type a password at the RunAs prompt.

    3. Are you invoking runas.exe from the Run dialog or from a command shell (cmd.exe)? If the former, runas.exe is probably telling you what the error is, but the console window is closing before you can see it. Try running it within a command shell instead of from the Run dialog.


  37. kcnpeppa says:

    Good article. I pretty much always use runas and have finally gotten the hang of the workarounds. However, the few times it does not work is frustrating. Currently, start menu shortcuts give a "directory name is invalid" error for cmd.exe. Navigating to the file or running from the run menu works fine. Mysterious ….. but not surprising.

    Perro – if this is a local account that should work but I’ve seen times where it just won’t. Use the GUI. Navigate to the file and right click. If it’s a valid username and the password has not expired, you should be ok.


  38. JB/kcnpeppa —

    The issue you raised was covered in an earlier comment: http://blogs.msdn.com/aaron_margosis/archive/2004/06/23/163229.aspx#183263


  39. RJT says:

    To provide access to local items requiring Administrator priveleges in our network environment, we created a Service Account with the appropriate authority. Then, we wrote a Visual Basic application where Windows EXE programs are launched via the "RUN AS" using the Service Account within the VB program. The problem we have is with command line (CMD) programs. We have yet to determine a programmatic method to launch the CMD including the credentials required to RUN AS as either VB lines or external BAT files. We need this to allow users access to items like "IPConfig /release"

  40. RJT – the best way to grant users the ability to do things like "ipconfig /release" is simply to add them to the "Network Configuration Operators" local group. Members of this group can manage a small set of network configuration features, such as the "ipconfig" operations. Note that it does not grant the ability to configure the firewall.

  41. jimmer says:


    Below is a vb script I wrote years ago to flush dns using ipconfig.  You could easily modify it to ipconfig /release ipconfig /renew.  Look out for line wraps in this post.

    On Error Resume Next

    strComputer = "ITLWWS02"

    Const ForReading = 1

    Const ForWriting = 2

    Const ForAppending = 8

    vBatPath = "C:temp"

    vBatFile = "flushdns.bat"

    vLocBatFile = vBatPath & vBatFile

    vRemBatFile = "\" & strComputer & "c$temp"

    set fs = CreateObject("Scripting.FileSystemObject")

    if fs.FileExists(vLocBatFile) Then


    End If

    if fs.FileExists(vRemBatFile) Then


    End If

    set vOutPutFile = fs.CreateTextFile(vLocBatFile, True)

    vOutputFile.writeLine "ipconfig /flushdns"

    vOutputFile.writeLine "echo flushdns Completed"

    vOutputFile.writeLine "echo flushdns Completed > c:tempflushdns.log"

    fs.CopyFile vLocBatFile, vRemBatFile

    CmdLine = vLocBatFile

    Path = "c:test"

    set objwbemLocator = CreateObject("WbemScripting.SWbemLocator")

    set objwbemServices = objwbemLocator.ConnectServer(strComputer, "", "", "", "", "", 0, null)

    set Process = objwbemServices.Get ("Win32_Process", 0, null)

    Process.Create CmdLine, Path, , ProcessID

    wscript.echo "Complete"

  42. Kaplaa says:

    Seems to me that 1) there is no good way to make a shortcut programatically with runas selected and 2) there is no way to set a runas shortcut to user the calling user’s environment, such as the /env command from the command line.  Am I missing something?

  43. Kaplaa:

    1) Search MSDN for SLDF_RUNAS_USER

    2) The RunAs dialog doesn’t offer as many options as the RunAs.exe console app.  How about something like a shortcut to:

    runas.exe /env /u:targetuser targetprogram.exe


  44. Kaplaa says:

    I am using Vbscript/VBA to create a new shortcut for a database.  It appears IShellLinkDataList is not accessible this way — it is not in the shell createshortcut action nor is it exposed by the WMI interface.  Using runas.exe forces me to hardcode the alternate user, which is too kludgy.  Currently I advise the users to manually set it in the advanced tab of the shortcut I create using the Shell object. Thanks.

  45. Kaplaa – as far as I can tell, that setting is not exposed to any of the scripting interfaces.  C++/COM appears to be required.

  46. Regina says:

    Hi to all, I just used the RunAs command using these parameters: %windir%system32runas.exe /profile /netonly /user:regieaadministrator "C:CPSSmallExeCPS.exe" (it’s a system that we used in the office and I am logged as a standard user) to run a program as administrator. I was able to do the usual things that we used to do without the RunAs but when I check for the network printer, it is not listed in the printer setup of the program. Running the program as a limited user doesn’t give me the right to access some modules so I tested to run it as administrator with the RunAs command. Any idea why?

  47. Regina – try using MakeMeAdmin instead (see http://blogs.msdn.com/aaron_margosis/archive/2004/07/24/193721.aspx).  If your standard user account is a domain account, the local admin account you’re using with runas will not have any authenticated access to network resources, nor to printers configured under your standard user account.  Also, if you use "/netonly" in the runas command, you’re not running with admin privileges locally – you are merely authenticating as the built-in local admin when making remote requests – which won’t be of value since your local accounts are not recognized on remote systems.

  48. In today’s Webcast we first started off with a continuation from last week.  Last week we explored…

  49. Ganesh says:

    How to provide password for Runas remote shutdowm command in the text file.

    This remote shutdowm will be triggered from an application with user account having appropriate remote shutdown privilege. But when I ran that in the command line, it is asking for password. I want to provide the password in the runas command itself.

    Any help please?

  50. Ganesh:  RunAs accepts passwords only from the keyboard.  It was designed this way to help people avoid the unsafe practice of putting passwords in script files.

  51. Rajesh says:

    Is there a away to supply password automatically? I want to make a batch file using "runas" that runs without asking for a password. I tried :

    echo mypassword >pass.txt

    runas /noprofile /env user:domainadministraor cmd <pass.txt

    I get an access  denied error.

    Any ideas?

    thanks in advance,


  52. Rajesh – RunAs accepts passwords only from the keyboard.  It was designed this way to help people avoid the unsafe practice of putting passwords in script files.

    (I need to put this in the post itself…)

  53. A systematic approach for working around LUA bugs that avoids unnecessary exposure – &quot;the rest of the story&quot;

  54. asdf says:

    I used a slipstreamed version of windows 2000 and changed the "Administrator" user to "admin" (if I do this post install, the folder becomes "Administrator" instead of the shorter version, which is why I didn’t opt to do that). Anyway, the RunAs GUI keeps defaulting to "Administrator" which is extremely annoying. Is there anyway to change this behavior (besides renaming the "admin" user to "Administrator" of course)?

  55. asdf – As far as I know, "Administrator" (or localized equivalent) is hardcoded in Windows 2000.  In Windows XP it defaults to the actual name of the builtin admin account (the account with the SID ending with -500).

  56. Stefan says:

    sometimes we need to let our limited user accounts run as admin accounts only for SPECIFIC applications. of course, mark detailed well the procedure on how to do this. It seems you have to give your limited user the admin name and pw for him/her to enter into the run as dialog. but what if you dont want to give your limited user the the admin password? the limited user could then just log on to the admin acct.

    how can i specify that information securely in a desktop shortcut in a way that the user cannot dig out? Does anyone here have a teenage child?-you know what i mean.

    i found this little utility called ‘encrypted runas’ from wingnut software. Mark, what do yo think of it?

  57. Stefan –

    Already answered.  See Fixing LUA Bugs, Parts I & II:



    Utilities such as the one you mentioned are dealt with after item #5.  Not highly recommended.

  58. mookie says:

    How would I trouble shoot windows crashing when trying to use the runas command.

  59. mookie — I don’t know.  What do you mean by "windows crashing"?  Blue screen?  Explorer has an access violation?  Monitor falls off the back of the desk?  The windows in your house falling out of their frames and smashing on the floor?

  60. Adam Curtis says:

    There’s another tidbit with windows.

    Microsoft ended remote concurrent logons with SP2. I have a fix for that so I can have users logged on remotely without kicking me (the admin) off of my login. Also I have had problems with fast user switching. For some reason my admin can have any password length. But my other users have to default to 13 chars.

    Try this, Setup a limited account. Make a password over 13 chars. Login to the user. It lets you good. Now switch user, to admin without logging off your new account. Set your screen saver time to 1 min. Make sure it goes to welcome screen on return of user. Now try to logon. For some reason it only lets me type 13 chars into the password box now. Or it just won’t logon.

  61. Adam Curtis – Sorry, but I get absolutely no repro.  First of all, XP never supported concurrent remote desktops – you could have one logon per user, and only one would ever run "connected" at a time, either at the console or via Remote Desktop.  If another user connected via RD, other sessions were disconnected.  If you connected via RD with an account that was already logged on, you connected to the session already running – you never got two separate interactive logon sessions for the same user.

    I tried the password scenario you described, and that didn’t repro at all.  The text box in which you enter the password might look the same if you type characters after the available space has been filled, but you still need to type the full >13 character password in order to log on.

  62. Jolly181 says:

    Hi Folks….

    I may have missed it in the context but… Iwant to be able to allow end users who do not have the Admin privilages required to be able to get WIndows Updates using the wupdmgr.exe, but I cannot seem to get it right where I can setup the shortcut to start when I double-click on it…??

    I have changed the START IN box to reflect %WINDIR% — Nod Good

    I have pressed SHIFT and then selected RUN AS option and selected "teh Following user" with user name admin and entered the admin’s password and clicked OK — No Good

    What amI doing wrong..???

    How can I get this to work.????



  63. Sachin says:


    Thanks a lot for this insightful post and I keep referring back to it every now and then :). Just for the records I’ve been running my Win XP under a non-admin a/c for past one year and "till date" there wasn’t any issue that I couldn’t deal with using RunAs.

    Now the problem is that ncpa.cpl (it’s the control applet for network connections) doesn’t want to run at all with RunAs, all it does is open the explorer (and that is being run under the current logged-on user priveleges). There were two ways I tried it out:

    1) Opened a admin cmd shell using RunAs first, then typed in ncpa.cpl at the prompt: it opens a explorer window running under logged-on user a/c.

    2) Specified ncpa.cpl as the parameter to the RunAs, something like:

    C:WINDOWSsystem32>runas /user:xxx "RunDLL32 shell32.dll,Control_RunDLL ncpa.cpl "

    Produces the same results as in 1.

    The funny thing is running ncpa.cpl from a normal command shell (i.e. cmd shell running under logged-on user) opens the network connections applet just fine (obviously the stuff like Repairing Wireless Network etc. commands are disabled).

    I also tried the above two steps for another control applet: timedate.cpl and it worked as expected.

    Is there something I am missing, I really need to get ncpa.cpl working due to my flaky wireless connexn :(.


  64. Sachin, the answers to your questions are in this follow-up post about RunAs and Explorer:  http://blogs.msdn.com/aaron_margosis/archive/2004/07/07/175488.aspx

    The full Table Of Contents for all my non-admin blog posts is here:  http://blogs.msdn.com/aaron_margosis/archive/2005/04/18/TableOfContents.aspx

  65. Sachin says:

    Never mind, just read your next post on the same thing and got it to work under explorer by checking the "Run in separate process" flag.

  66. Mike Freake says:


    I’m running a Java program (wrapped in an EXE) that can be launched through two shortcuts on my desktop.  The first has target:


    The second has a target:

    %windir%system32runas.exe /user:services /savecred C:vbmaxmaxpw.exe

    The EXE being launched runs a batch file that is launched using the command:

    C:WINDOWSsystem32runas.exe /user:services /savecred C:vbmaxregquery.bat

    This batch file needs to be launched on startup of my program to get a registry key value, otherwise my program throws an error and terminates. The first shortcut works everytime for launching the batch file, but I need to launch my program as services. The second shortcut does not always work (i.e. launch the batch file and get the result), only if I’ve previously logged into the services account.

    Any ideas?  It appears to me that unless I’ve previously logged in as services, my batch file when launched will not be able to run as services for some reason.

    Any help would be MUCH appreciated.


  67. Jbee says:

    I’ve a case where a program generates an access violation when run with the user as ‘administrator’ but not when run as ‘kathy'( for example). Even if ‘kathy’ and ‘administrator’ both have administrator privilages.

    Where should I look?

    Sounds like a profile issue — I’m guessing that “Administrator” installed the program, and that the app was designed/implemented with the implicit assumption that the account that installed the app would be the account that uses the app.  Contact the vendor.

    — Aaron

  68. Joe Smokie says:

    Great information. We are looking to lock down our users here but at the same time minimize their pain. Setting up the Admin CMD windows will  help out a lot.

  69. Leandro Oliveira says:


    I´m trying to execute the command interpreter as a domain user.

    My machine isn´t joined on a doimain.

    I always receive a same message when the following command is executed:

    Attempting to start cmd as user “MYDOMAINMYUSER_ON_THIS_DOMAIN” …
    RUNAS ERROR: Unable to run – cmd
    1326: Logon failure: unknown user name or bad password.

    I was pretty shure that I typed the rigth password.

    What am I doing wrong?

    [ ]s

    The reason you’re running into this problem is because your non-domain computer doesn’t know anything about the domain you’re trying to authenticate against.  I.e., it doesn’t know how to authenticate anything against the MYDOMAIN domain.  Because it’s not in the domain or in any trusting domain, it can’t know with any degree of assurance what server can authenticate that user.


    — Aaron

  70. Eric says:

    What do you think about sudo for windows…?

    Without referencing the security implications of any specific implementation of SUDO-like functionality for Windows, I wrote a bit about the issues around automatic elevation implementations in Option #5 in Fixing LUA Bugs, Part II.  On the whole, I would consider it something to be avoided if possible.

    — Aaron

  71. Henrik Jensen says:

    Hi Aaron

    Is there a specific security reason that the enviroment variable %APPDATA% is not defined under a RunAs shell ?

    Just experienced some programs ( well UltraEdit to be precise) using that enviroment variable to locate its ‘Application Data’ Folder and that obviously can give some problems when you start up a RunAs shell.


  72. Kunal Sharma says:

    I want to know by editing which registry key, I will be able to reset my admin password to blank.

    Thanks & waiting for the reply

    — kunal

  73. Nelson Ruest says:

    Hi Aaron,

    My partner and I have been running as normal users in XP for over three years with very few issues. We make extensive use of the command-line Runas command and built .cmd files to create shortcuts to our most common administrative tools. We also rely on the /savecred switch which makes life so much easier when running as a standard user. We are also beta testing Vista as we have several books and white papers to write on it (you’ll be seeing the first chapter of our Definitive Guide to Vista Migration coming out very soon from Realtime Publishers).

    We have a few bones to pick with UAC and Runas in Vista. The first is that none of our .cmd Runas commands work in Vista anymore. They all come up with error 740: “the process requires elevation”. So basically, there is no longer any way to create command files to easily launch administrative processes. It works in the UI, of course, but we find that that is also a problem. As you know the first job of any hacker is to find out the name of a high privileged account. Well, it will be a no-brainer in Vista because all anyone has to do is select Run as Administrator to view a complete list of all activated administrative accounts on the system. Then all they need is to figure out the password. Not sure this is very good for corporate organizations. At lesat in XP, the Run As GUI is hidden and users need to hold down the Shift key as they right-click a shortcut.

    We think Vista needs a new switch for the Runas command so that you can create .cmd files to launch your most common administrative tools. UAC is great, but when you need to manage systems, it won’t take long for system administrators to just turn it off if they have to use the GUI and type in their passwords each time they want elevated privileges.

    Just our opinion,

    Nelson Ruest

    Nelson, thanks for posting.

    Re /savecred — see my post Fixing LUA Bugs, Part II (item #5, last resort) for my opinion re the use of /savecred.

    RunAs.exe on Vista is no longer the same animal it was on XP.  Now, nothing runs elevated unless the user specifically goes through a confirmation step that is a lot hardier than what we had on XP.

    The names of accounts with admin privileges has never been secret, and protection of those names has never offered significant defense.  (E.g., from a non-admin command prompt, run “NET LOCALGROUP ADMINISTRATORS” on an English-language system.)  On systems with password-based logons (rather than smartcards, for example), strong passwords are absolutely required.  “All they need is to figure out the password” should be somewhere in the range from very difficult to infeasible.  (Search for Steve Riley and Jesper Johansson articles on password security.)

    One way to avoid going through the UAC prompt without giving up the security that UAC provides is to launch a command shell as admin (one UAC prompt) and then run admin apps from that command shell.

    Hope this helps – and sorry for the delayed response.

    — Aaron

  74. Andrew Jones says:

    I love this article — I’ve been dealing with all of these issues for over a year.  My solution was to refine an in-house admin console to include a "launch pad."  I run the admin console as an admin and then anything it launches inherits the privileges.

    The launch pad has "favorite" folders [network unc and local] which are opened via Internet Explorer.  They can also be opened with CMD.EXE (it automatically maps Z: and runs CMD there).  

    It also has "favorite" applications, including Internet Explorer, Word, etc, to get around the problem of doing a "RunAs" on a shortcut per se.

    It also has "favorite" connections, URI controlled FTP, telnet, etc, connections, which honestly don’t need to be run under a different context, but it’s just flippin’ easy to have everything I need in one place.

    This is all customizable.

    It’s an in-house app, of course, and is powerful beyond compare.  It has replaced EMCO Network Management, DameWare utilities, and SMS, all of which we’ve tried and disliked.

    What do you guys think it’s worth? 🙂

  75. Krangath says:

    To run an .msi as admin do a ‘Runas’ on the ‘Command Prompt’ under Accessories, and run the .msi from the command prompt.

  76. Henrik says:

    Hi Aaron

    In Xp, I have made a registry entry on the file type ‘*’ to give a "Run as Admin…" right click menu item in Explorer on all files. This calls the runas console as usual with the account you specify.

    Doing this, instead of using the GUI "Run as…" spares me some mouse clicks and selecting the right account in the "User name" Drop down edit box ( very annoying, as someone else also has commented on earlier, because, in my case the default Administrator is listed first). Further more I get the bonus that all registered and unregistered file extension gets a faster Run As path. (The GUI RunAs only seems to work on certain extensions)

    The .reg file looks like this and does only change the ‘*’ right click menu for the current user.


    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USERSoftwareClasses*shellRun as Admin…command]

    @="%SystemRoot%\system32\runas.exe /user:%COMPUTERNAME%\YourAdminAccount "%L""


    Now I just wondered if you can see any security implications with this approach ?


  77. Henrik says:


    ‘YourAdminAccount’ in the above registry file example must be replaced with the name of your Admin account e.g.:

    @="%SystemRoot%\system32\runas.exe /user:%COMPUTERNAME%\SuperMe "%L""


  78. Henrik says:

    Oh boy

    %SystemRoot% does not expand so one has to hard code

    @=”C:\Windows\system32\runas.exe /user:%COMPUTERNAME%\SuperMe “%L””

    and I just discovered that it only works on files registered as executable (of course stupid).

    I might better find some other way to spare me from all those mouse clicks when I want to run as admin.

    Sorry for the clutter


    Did you try creating an “Expandable String Value” (REG_EXPAND_SZ) instead of just a “String Value” (REG_SZ)?

    — Aaron

  79. Henrik says:

    Yeh the REG_EXPAND_SZ type had slipped my mind that was oc the problem. 🙂

    Anyway – I thought that I wouldn’t post it because the raw REG_EXPAND_SZ in a .reg file looks ugly but here it is: ( also changed the ‘*’ to ‘exefile’ to only show for exe and lnk files)


    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USERSoftwareClassesexefileshellRun as Admin…command]








    Do you know if it’s possible to use a human readable notation for REG_EXPAND_SZ in .reg files ? – e.g:

    @=ascii(2):%SystemRoot%\system32\runas.exe /user:%COMPUTERNAME%\SuperMe "%L"


  80. Henrik says:

    And now you cannot change ‘SuperMe’ to the your Admin Account name but has to manually go to the reg path

    [HKEY_CURRENT_USERSoftwareClassesexefileshellRun as Admin…command]

    and do the changes, ( unless you’ve got a "Absolute hex-pitch" http://en.wikipedia.org/wiki/Absolute_pitch 😉 )


  81. LUA Works says:

    Why the heck would you even bother with LUA if you try to run with blank admin passwords?!

    Starting with Windows XP, a blank password is actually more secure for certain scenarios than a weak password.  By default, an account with a blank password can be used only for logging on at the console.  It cannot be used for network access, and it cannot be used with RunAs.  The user experience of just clicking on your name to log on can’t be beat for simplicity.  If you can trust everyone who has physical access to the computer not to log on as someone else or abuse the admin account, this is a great way to go.  If not, you can always enable passwords.

    — Aaron

  82. Ewic says:

    With Vista, is it possible to perform a runas.exe /user:<specific user domainaccount> through the GUI like can be done with the CLI?

    I only have "run as administrator" in my menu option and i cannot specific different accounts, it just always opens up the programs without asking me who i want to run it as.

    Is this feature gone or am I missing something?



  83. Brian says:

    I have the same question as Ewic. A bit frustrating when I can’t run admin tools as a specific user.

  84. cannedsoda says:

    Same question as above.  I used the runas command to run selected apps and consoles as my domain admin account.  When trying to open up command prompt with privileges to run some vbscripts.  It returns back,

    "Cscript error: Loading your settings failed. (Access is denied.)"

  85. cannedsoda says:

    I guess the workaround is to change the local GPO to prompt for credentials instead of prompt for consent.  Found it over at Josh’s windowsconnected site, http://windowsconnected.com/blogs/joshs_blog/archive/2006/12/01/windows-vista-tip-run-as-administrator.aspx.

  86. William says:

    After installing a required application for some client’s, when they try to Right Click and select “RunAs” on an advertised shortcut, for example in the AdminToolPak, the GUI dialogbox that allows alternative credentials to be entered does not appear. If the application causing the issue is removed, “RunAs” functions properly again.

    Is there a registry key that controls the GUI interface for RunAs?

    William, it sounds to me like the required application is installing a shell extension of some kind that is modifying the shortcut menu and hijacking the effects of the RunAs verb, causing it to do nothing. Possible?

    — Aaron

    More info: a colleague informs me that a common cause of the behavior you’re seeing is a badly implemented context menu extension that implements ::InvokeCommand() without testing the verb that it was called with.


    — Aaron

  87. Dmitry says:

    Hello All,

    Is it possible to start runas and type password for user automaticaly on Windows Vista?

    I’m use command line:

    runas.exe /user:i_am some_program.exe


    Than password input has required.

    How to input password automatically via parameters or type it by another program?

    Thank you

    Dmitry, RunAs accepts passwords only from the keyboard.  It was designed this way to help people avoid the unsafe practice of putting passwords in script files.

    — Aaron

  88. IE is definitely the most insecure gateway to a PC. So I was thinking: why not run it in a guest account…

  89. mike says:

    im confused about something simple

    the only reason to use RunAs or MakeMeAdmin, is for convenience over the Fast User Switching?

    mike — Generally, Fast User Switching (FUS) is preferable.  However, on Windows XP, FUS is not available when the computer is joined to a domain.  (That limitation has been removed in Windows Vista.)  MakeMeAdmin can still be useful if you need to temporarily elevate your regular account.


     — Aaron

  90. Juls says:

    Interesting reading.  Is there a way to programmitically display the RUNAS GUI to install a setup.exe. I could simulate the front end but that seems excessive.

    Juls, if you try to start any program called setup.exe or install.exe from Explorer or the Run dialog, it will automatically display a RunAs prompt.

    Does this help?

    — Aaron

  91. Domingos Zamberlan says:

    I need to run the timedate.cpl passing parameters in the line command. It’s possible?

  92. Domingos Zamberlan says:

    Sorry…My english is not very well.. Do you know how parameters are accepted by timedeate.cpl? Is possible running with runas? TKS…

    Domingos:  I don’t know of a way.  timedate.cpl actually becomes an argument to rundll32.exe (as do all .cpl files).  What exactly are you trying to do with it?

    — Aaron

  93. Coder says:

    Whats the point of having a commad that cannot be used programaticaly, in fact why does windows even bother with tere commad shell at all, it like the guys at MS said those UNIX guys always seem to messing around at with “some kind of text window???” lets have one too it will make it look like we know what we’re doin!

    Coder:  I assume your point is about runas.exe not taking a password as a parameter.  Runas.exe is not a command — it’s a utility program.  It is designed specifically for interactive use, with a goal of not encouraging the unsafe practice of embedding passwords in plain-text script files.  The underlying APIs (e.g., CreateProcessWithLogonW) can be used programmatically.  And wrt the command shell, nothing in the UNIX world (that I’m aware of) can match what Windows PowerShell does.  Download it and try it out.

    — Aaron


                / ___|______/

           _n__/ =|]  |_____|

         ~{8-B )——|)____

            u    ____|_____|


  94. Coder says:

    Im not accessing it from a script im a accessing it from java’s runtime.exec with other exe i can run them and read from their stdOut and write to their stdIn, only RunAS doesn’t use stdIn like most command line apps, so i cannot pass in the password to it. The password is not stored in plain text anywhere so there is no chance of it being read. Besides I’M THE ADMINISTRATOR so if i want to write the password i ten foot high letters on the outside of the building then thats my look-out surley.

    Well, RunAs is not the right tool for you, then.  That’s not what it was designed for.

    Where does the password come from, then?  Is it embedded in your Java source?

    — Aaron

  95. Coder says:

    Its ok i fixed the problem apparently i needed to install Solaris, not windows. As windows isn’t very good at this type of interaction with none ms products.

    Where does the password come from, then?  Is it embedded in your Java source?

    – Over secure connection.

    Ha.  Very cute.  So if you’re writing custom code anyway, you want to use CreateProcessWithLogonW as I mentioned before, not RunAs.exe.  If you really need a command line utility, you can use PsExec, as deXter recently mentioned here.

    — Aaron

  96. I have groups of users that need to be given admin access to their workstation just to be able to update software on their PC as needed.

    In the ‘good old’ unix days – I could just set the sticky bit on the program – and the privilege would follow the application.

    Is there a Windows equivalent to ‘trusted’ applicaiton.

  97. Iggs says:

    I’m not a scripting guy, I’m a sysadmin. I would love to use this script for making administative changes on users’. By default Domain Admins are members of local Administrators group, but I never sure what is local administrator’s password is. I tried making changes to the script to prompt me for username and password of an account with admin rights, which is a domain admin account and it works, however for some reason it does it twice. I used SET /P for that, just for the reference, I would like to know how to populate _Admin_ variable with something I want.

    Thank you in advance.

    Iggs:  the only change you should need is to change the set _Admin_ line to
            set _Admin_=MYDOMAINMyAdminAccount
    where MYDOMAIN and MyAdminAccount are replaced with your domain and your domain admin account.  Is that not working?  When you say, “it does it twice”, what do you mean — it does what twice?  Note that with MakeMeAdmin, you get prompted for two passwords:  first the admin account password, then the password of the user you’re temporarily elevating.


    — Aaron

  98. Roger Sarlouis says:

    I just installed Vista on my computer.

    I went to winzip to download the latest version.

    I downloaded it to a ( Updates ) folder that I created within the new windows explorer.  On the top left section I Clicked on the Organize drop down and created the new folder.

    I can download winzip110.exe without issue.

    Every time I trywinzip110 in order to install winzip I get the following error:

    Directory name is invalid.


  99. Firefox says:

    "Its ok i fixed the problem apparently i needed to install Solaris, not windows. As windows isn’t very good at this type of interaction with none ms products."

    Windows isn’t too hot at interaction WITH ms products either!

    I have the problem whyby I am using runas from the command prompt in Vista and it goes away to call the app/program, I am then prompted with a password box (as expected) I type this in, then………………..NOTHING, yep nothing actually happens.

    I also got round the run as administrator option to be able to run explorer as my own admin account, all appears to function correctly with explorer opening, it’s only after trying to access something I realise it hasn’t actually raised my credentials at all! HELP  

  100. How to automatically set the color and title of *all* CMD shells based on admin/elevation status with a one-time, one-line configuration change to your system.

  101. Marvin says:

    Problems in vista with runas and similar tools like cpau, runasprofessional, emco runas…

    The tools can pipe a password to run applications with anohter useraccount. Now the tools have got problems to run applications with an activated uac on vista. I only know the tool runasspc from robotronic who can work together with uac on vista.

    The only way i found to use the other tools is to deaktviate uac or use the built-in administrator account.

    Any other solution?

    On Vista, RunAs.exe will let you run an app as another user, but not elevated — you cannot get something running elevated without going through the UAC elevation UI.  That is a good thing.

    — Aaron

  102. Marvin says:

    you can not pipe a password in runas like cpau.

    On vista cpau is not working.

    Now i use the tool runasspc.


  103. Aikidojoe says:

    I am having a problem when I use Run As to start an application, with opens the app, but does not include any local/network printers.  Is there a solution to this problem?

  104. Aikidojoe says:

    It happens in both 2000 and XP, this used to work about one month ago.

  105. John Tonks says:

    Hi all, I have read through most of this to apologies if this is a repeat.

    I was having problems using the RUNAS command from a XP/SP1 worksation, logged on as a normal users account. I was trying to run a command box as a admin user from another domain, based on windows 2000.

    First I Mapped a network drive to the \windows2000serverc$ as (Z:) in the other domain & selected the connect using a different user name, input my admin name and password so <otherdomainadmin><password> in the relevant box’s. Then brought up a command box, switched to z: then typed <runas /user:otherdomainadmin "cmd"> but got 1326: Logon failure. So tried <runas /netonly /user:otherdomainadmin "cmd"> but got 3: The system cannot find the path specified. So it was authenticating at some level? So it got me thinking where is it checking for the user credentials…

    RESOLUTION: On my local workstation I added in the <otherdomainadmin> account into the local administrators group (rebooted). Then typed runas /netonly /user:otherdomainadmin "cmd">. SUCCESS! A new cmd box appeared with cmd(running as otherdmainadmin) in the top box. I then loaded my excel spreadsheet with all my lovely macros in it from via the command prompt, and all functioned as it it was being run by an administrator in the other domain, except on this domain on a standard users workstation.

    So I think what that equates to is that runas wont work unless the user name your “running as” has the relevant permissions on the local machine your running it from

  106. John Tonks says:

    So yes no need to map network drives or what have you just sort the permissions out and run a cmd box and type runas /netonly /user:otherdomainadmin “cmd”

    @John Tonks:  For runas.exe (without /netonly) the account you specify after the /u option must be able to log on to the local machine.  You mentioned that this was an account from another domain — that could be a problem.  When you specify /netonly, the program runs as the same account on the local system, but whenever it uses SSPI to authenticate to a remote system, it does so using the account credentials you specified.  The account is not authenticated locally, only when you attempt remote access.


    — Aaron

  107. André says:

    How can I execute applications with RUNAS in MS ACCESS 2003 VBA?


    I want to execute applications via a database. The user must login, and when logged-in, the user can execute applications.

    For the moment I use de SHELL command in VBA.

    Works very nice but when I need to us RUNAS it is not working.

    SHELL ("RUNAS x") does not work because it is closing each time the CMD window. When I place the string RUNAS x after starting CMD manually, it works fine.

    Regards, André

  108. Paul says:

    Password sending and runas.  The short answer is that with out a real bodge you can not use runas.  A defferent exe that I found runas102.exe http://www.anbsoftware.co.uk/netadmin/runas/

    Will let you pass the password

    copy it to your %windir$%

    open us a cmd prompt and type runas102.exe /?

    Works a treat

    Paul:  Looks highly risky to me — it doesn’t even pretend to protect the password, so you’re going to keep it in a plain text file?  Bad idea.

    BTW, what is a “bodge”?

    — Aaron

  109. Paul says:

    Hi Aaron:

    Yes in plain txt it is risky.

    This is the runas102.exe that will let people pass a password.  

    From there once you have the context of using runas102.exe you can move it in to a VBS (encoded) script.  As a strong suggestion, do not use domain admin credentials.

    Is a vbs encoded script decyptable, Yes found the tool on good old google.

    They wanted to use runas with a password from the comand line, with runas102.exe you can.  

    Obviously in each case security would need to be looked at.

    On a funnier note you can only use the application in the context of the user you are running as.  If you runas a local power or admin user, from the application you will not be able to directly save to the network.

    “bodge”= Australian for some times work sometimes does not.




    Paul:  Encoding is not the same as encryption.  And even then:  anything that can be automatically decrypted by authorized software running as the user can be decrypted by malware running as the user.

    — Aaron

  110. MikeH says:

    You can activate UAC UI through VB-Script and then start your batch file with elevated rights: http://newyear2006.wordpress.com/2007/02/04/datum-unter-vista-per-vbscript-setzen-mit-uac-unterstutzung/

  111. Rose says:

    I am currently building applications on Longhorn and need to run as a different service account.  At the command prompt, I’ve entered ‘>runas /user:domainserviceaccount cmd’.

    I enter in the password when prompted. and then get this error:

    RUNAS ERROR: Unable to run – cmd

    1327: Logon failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced.

    The password is correct so I’m at a loss as to what to do next.


    Rose:  Is the service account granted the ability to log on interactively?

    — Aaron

  112. Maria says:

    How do you get the runas to authenticate on the domain along with the local computer?  I am trying to run an install which requires access to network shares.  Without domain authentication, I cannot make this happen!




    — Aaron

  113. What becomes of all my earlier non-admin tips, tricks and recommendations vis-à-vis RunAs, MakeMeAdmin, PrivBar and their interactions with IE and Explorer? The short answer is that Vista changes just about everything with respect to running with least

  114. Hank says:

    Great post!

    I’ve read through much of this and haven’t seen anything that addresses my issue.

    I’m trying to connect to another network via VPN and use resources there (https: and sharepoint websites in particular). My local PC is not known to the domains I reach through the VPN, so I can’t log onto my local PC with a remote Windows account. I start the VPN client, enter my remote credentials and I get in. But once there, I can not get remote websites to honor my remote credentials. I’ve tried starting IE via runas with the remote credentials, but it doesn’t make any difference. IE just hangs, showing "opening page …" on the bottom left. Any ideas? Thanks

  115. David Shawn says:

    There is a tool "admintoolslauncher" which centralizes most of the adminstrative tasks under one application. One single log-in with administrative rights and you can launch all tools from one pool. It is limited to all windwos os before Vista. It can be found in this blog: http://www.stackenbloggen.de/PermaLink,guid,3406fa39-d95e-4ee3-bd64-7f55870b26ff.aspx

  116. Tom Newby says:

    I needed to cause a domain replication to happen from a script:

    Here is how I did it….

    Set WshShell = CreateObject(“WScript.Shell”)

    WshShell.run “runas /user:domainusername /noprofile “”repadmin /syncall ldap.domain.com”””

    Wscript.sleep 2000

    WshShell.SendKeys “password{ENTER}”

    [Aaron Margosis] Risks:

    • Malicious person or software gets your script — password exposed.
    • Try to run this on someone else’s system (e.g., via startup/logon script) — password easily exposed
    • Assumes that the “runas” window gets focus and keeps focus for at least two seconds.  (See previous bullet — if I switch to Notepad, the password will be entered into Notepad.)

    If you’re launching it interactively (i.e., you’re present at the time) you’re a lot safer just entering the password at the console.

  117. Tom Newby says:

    Yes Aaron, all those things are true, but after encrypting the file to a .vbe, The password is no longer exposed. As far as losing focus shorten the time, and be aware it could happen.

    [Aaron Margosis] But it will be decrypted in the user’s context, and then be available to the user in the clear.  (Perhaps not as easy for most users to get to, but it’s still there for them.)

  118. Redearl says:

    I use Runas allot, with various usernames, and domains.

    There is a limit on the number of domainusernames that can be stored in the list.

    How do i flush the domainusername cache?

  119. Frank Denman says:

    On an XP SP2 box, logged in as LUA, when I try to launch the Windows Defender ui using runas administrator, I get  the error:

    "Application failed to initialize. 0x80070005. Access is denied."

    Any thoughts for a work-around?



  120. Happy user says:

    All this effort to try an impersonate a tool that linux has always had and just works.  Why don´t you all start making the switch to linux.  Eventually you will all be much happier people.

  121. Lahens says:

    Hi friends,

    I have one problem, my system is on network and I can access internet if I run firefox or IE as different user. I do that with “runas”,

    It runs fine for couple of minutes but after that it starts running as login user… please help



  122. I improved Hendrik’s work on a RunAs Shell Explorer extension by adding an option for MSI files and making the dialog pause if you enter the password incorrectly.

    Note: You need to change the user to match your user.

    Thanks for this page Aaron!

    Windows Registry Editor Version 5.00

    ; %SystemRoot%system32cmd.exe /C "%SystemRoot%system32runas.exe /user:PCPOOLadm_oezbek "%L" | pause"

    [HKEY_LOCAL_MACHINESOFTWAREClasseslnkfileshellRun as Admin…command]










     ; %SystemRoot%system32cmd.exe /C "%SystemRoot%system32runas.exe /user:PCPOOLadm_oezbek "%L" | pause"

    [HKEY_LOCAL_MACHINESOFTWAREClassesexefileshellRun as Admin…command]










    ; %SystemRoot%system32cmd.exe /C "%SystemRoot%system32runas.exe /user:PCPOOLadm_oezbek "%SystemRoot%system32msiexec.exe /i "%L"" | pause"

    [HKEY_LOCAL_MACHINESOFTWAREClassesMsi.PackageshellRun as Admin…command]













  123. Marvin says:

    For all who search a runas solution on vista.

    runasspc on robotronic.de/runasspcEn.html

    can use it on vista like runas on xp.

    [Aaron Margosis]  … or see Sysinternals’ new ShellRunAs utility:  http://technet.microsoft.com/en-us/sysinternals/cc300361.aspx

  124. Jason says:

    Is there a way to bring up the GUI runas prompt from the command line?  I know this sound strange but hear me out… We have a program that has an inventory of our servers and I can make a right-click item for each server to run a command.  However there are multiple domain/workgroup for different servers.  Instead of having to create a separate item for each possible login we could use (based on what server we select), is there anyway to just make the command (exe or dll) bring up the runas gui for any given executable?  The command line version of runas will prompt for a password, but not for user name and password.

  125. Docfxit says:


    I’m trying to start a bat file from the network. I’m getting an error saying:

    Enter the password for ATUUSER4Administrator:

    Attempting to start C:BatchMAKEME~1.CMD ” as user “ATUUSER4Administrator” …

    RUNAS ERROR: Unable to run – C:BatchMAKEME~1.CMD “

    5: Access is denied.

    Any ideas what could be wrong?

    XP Pro Sp2

    [Aaron Margosis] Did you modify MakeMeAdmin.cmd to have it try to run something else other than CMD.EXE?  You say you’re trying to start a bat file from the network, but you’re indicating MakeMeAdmin.cmd on the C: drive.  Where does the network come into play?  Also:  is ATUUSER4 the name of the computer, or is it a user name?  Do both the non-admin user and the administrator have permissions to read the files in the C:Batch folder?

  126. Vaclav says:

    How to run Control Panel as Administrator in Windows XP:

    runas.exe /u:Administrator "explorer /separate,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}::{21EC2020-3AEA-1069-A2DD-08002B30309D}"

  127. Alexander says:


    There is a really nice app called Advanced Run (http://www.ilyns.com/advanced-run.asp). This is a great alternative for a standard Windows Run dialog box. You are able to specify user credentials to run whatever command you need. You are able to open documents with ‘Advanced Run…’ context menu item. You are able to specify Shell Verbs to perform advanced actions over the document you work with. Command templates and shortcuts are really great features that allow user to increase his performance by automating frequently actions. Furthermore, there is a possibility to share settings over a local network. Personally I believe people need such a great program because it’s not convenient and not flexible to use RUNAS command and other alternates such as Sudo for Windows are not such user friendly and powerful. Check it out!

  128. Vimal says:

    use the utility in the above link to run explorer with different user account in ur machine

  129. vimal says:

    use the utility in the below link to run explorer with different user account in ur machine


  130. feralber says:

    Very useful information. Thanks a lot

  131. Karl says:


    ******** Temp Solution ********


    Thank you for above discussion and brief summariztion to run id/pwd in cmd:

    1. cmd “runas” CANNOT do this

    2. need VB or C

    3. need install 3-party software

    Luckily found PsTools v2.44 By Mark Russinovich (thanks!!) and tested whole day – pretty good and easy to use!!

    1. Accept ID/Pwd in script. No more keyboard.

    2. No need install in other client PC(s)

    3. Suitable to W2K, XP, 2003

    4. Slient to users. Run at backend.


    Happy Sharing and enjoy. 🙂


    [Aaron Margosis]  Yes, but remember that if you put this in a script, in order for your users to run it, they need to be able to read the script.  Putting admin passwords in plain text script files is generally considered not so great from a security perspective.

  132. jack says:

    Please, post the ie.cmd lines here on blog also. Old link is not working.

  133. Keith says:

    Okay.  I am not sure if this would be considered basic OR intermediate for that matter but here is my problem and I hope someone can help.

    First things first I !cannot! run any third party programs NOR can I do any reg hacks as the guidelines of my position strictly prohibit them.

    I am working with Windows Vista and have the dissappearing Control Panel issue which requires the Software Licensing and SL UI Notification Service to be restarted.  I wanted to make this easy objectivly that has not happened.

    All computers are Local only there is no domain.

    All computers have had a user added that is an Admin, as part of the trial process, whether or not this is needed I do not know.

    The problem I am running into is when I am trying to elevate inside of CMD.EXE the account is still not granted the right to run the required NET STOP/START to disable and reenable the services.

    I was looking at the /trustlevel switch but the only level I can find is 0x20000 which is the basic user.  I need to run CMD.EXE at the administrative level to enable the ability to run the NET STOP/START that is required.

    I cannot Turn off UAC either by the way, lucky me right?

  134. Bob Bosco says:

    As with post #631638 above, I am also having trouble running the ncpa.cpl network applet as Administrator.

    I have the "Launch folder windows in a separate process" flag set for both the target Administrator account as well as my Limited User account, but it still won’t work.

    The ncpa.cpl is the only applet that won’t run as Admin… everything else works fine.

    Any ideas?

  135. Bob Bosco says:

    Wow, I posted that 4 months ago and still no answer… does anyone actually read these?

  136. Scott Radden says:

    I’m experiencing the Directory name is invalid error from the explorer shortcut. If i delete the start in %HOMEDRIVE%HOMEPATH% from the shortcut then the error goes away but explorer doesn’t start.

    Any suggestions because i would really like to get this working.

  137. Von Stein says:

    The tips are non-sense since they don’t work with IE 7 and older.

  138. Phil Somerset says:

    I have a user who suddenly, for some reason, has this problem: Double-clicking on any program on the desktop causes a RunAs dialog box to come up. He is the only user defined to the system and he has Administrator access.

    What could cause this, and how can it be corrected.

    [Aaron Margosis]  From others who have experienced this, it sounds like registry corruption.  Contact me through the email link on this page if you want to pursue figuring out what’s causing it.

  139. Grant Jason says:

    The tool admintoolslauncher has moved to wurstkoffer.wordpress.com/…/admintoolslauncher.

  140. Kevin Shannon says:

    Links to the file are not working.



  141. LoWang says:

    Aaron could you please answer Henrik's question?

    "Is there a specific security reason that the enviroment variable %APPDATA% is not defined under a RunAs shell ?"

    I stumbled upon this strange windows Xp behavior too and I would really like to know WTH is this. It can cause trouble installing applications via runas. Thank you

    [Aaron Margosis] I don't know.  I did verify that it happens on XP but doesn't on Vista and Win7.  It may have been oversight or a bug, or it may have been by design.  But in any case, at this late date with Windows XP well into its extended support phase, it will not be changed.

Comments are closed.

Skip to main content