In an earlier tip I wrote about the RUNAS command, which allows a user to run a program in the context of another user.
RUNAS has several limitations, not the least of which is that there is no really elegant way to pass a username and password to the program without actually typing them in. This makes it almost worthless for applications that need to run in a protected context without the user knowing the password. I mentioned some possible workarounds, but since then I've discovered that a few people have come up with different solutions to the problem.
One answer is a third-party utility named Sanur (RUNAS spelled backwards!). Sanur is a console program that pipes a password either from the command line or from a file. One technique described in the Sanur FAQ shows how a password can be obfuscated by storing the password in an alternate data stream (on an NTFS volume). This is not exactly an orthodox way to hide data, but it's not dangerous and it has the benefit of not being obvious! The program and its documentation can be found at Commandline.co.uk.
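An alternate data stream does not appear in a normal directory listing, but any account that can read the file can list and read it. The following PowerShell audit is an added example, not part of the original tip or of Sanur; it assumes Windows PowerShell 3.0 or later on an NTFS volume, and the function name, scratch directory and stored value are constructed for illustration.

```powershell
# Added example: list named (alternate) data streams under a directory.
# Find-AlternateStream is a hypothetical helper name, not a built-in cmdlet.
function Find-AlternateStream {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Streams Windows creates itself (download marker) are skipped by default.
        [string[]] $IgnoreStream = @('Zone.Identifier')
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -Force -ErrorAction SilentlyContinue
        } |
        # ':$DATA' is the unnamed default stream, i.e. the ordinary file content.
        Where-Object { $_.Stream -ne ':$DATA' -and $IgnoreStream -notcontains $_.Stream } |
        Select-Object FileName, Stream, Length
}

# Constructed demonstration in a scratch directory (must be on NTFS).
$demo = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$file = Join-Path $demo 'readme.txt'
Set-Content -LiteralPath $file -Value 'nothing to see here'
Set-Content -LiteralPath $file -Stream 'pw' -Value 'CONSTRUCTED-PLACEHOLDER'

# A directory listing reports only the size of the unnamed stream...
Get-ChildItem -LiteralPath $demo | Select-Object Name, Length

# ...while the audit finds the named stream and shows that it is readable.
Find-AlternateStream -Path $demo | ForEach-Object {
    [pscustomobject]@{
        File    = $_.FileName
        Stream  = $_.Stream
        Bytes   = $_.Length
        Content = Get-Content -LiteralPath $_.FileName -Stream $_.Stream -TotalCount 1
    }
}

# Clean up the scratch directory.
Remove-Item -LiteralPath $demo -Recurse -Force
```

Run `Find-AlternateStream` against script and batch-file directories to find credentials stored this way; file ACLs, not the stream, are what restrict who can read them.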
Another variant is JoeWare.Net's free CPAU (Create Process As User) utility. CPAU has provisions for reasonably secure scripting that should prevent casual tampering—a script file can be fed into the program and can also be scrambled to prevent a user from opening it and reverse-engineering the password. Those who want a fairly secure way to do RUNAS can consider this as a starting point. The program can be found at JoeWare.Net.
Programmer Jesús de la Vega has created an interesting adjunct to RUNAS, called runserv. runserv creates a system service on a Windows 2000 / 2003 computer which can then be remotely addressed through a command-line program named RUNASv. RUNASv's command-line parameters consist of a program to run, a computer name or IP address, a username in the format \\domain\user, and a password. runserv can be handy for running tasks remotely without needing to create a separate login with administrative permissions, since it works directly with existing user credentials.
The original source code for the project is available, so a knowledgeable user could add their own extensions to it. See CodeGuru to download the program and see more notes on it.
Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check out his Windows 2000 blog for his latest advice and musings on the world of Windows network administrators – please share your thoughts as well!
This was first published in April 2004