Run program with different credentials?

R00k
Posts: 15188
Joined: Mon Dec 18, 2000 8:00 am

Run program with different credentials?

Post by R00k »

Okay, I know all about runas.exe and running applications with a different set of credentials.

Here's my quandary... Application needs to run on one of my Windows 2000 PCs; Application needs at least Power User privileges to start necessary hardware drivers.

This PC controls a print-head, and is constantly being used by different people. Any of those people needs to be able to step up to the PC, run the application (needs to have 2 network drives mapped when they login, so needs to be a domain account). All these people have their own domain logins, but none of them are power users on any PCs.

The problem is, if I create a generic network login for this PC, then everyone who knows it will be able to login to the PC as a power user and do what they want (uninstall virus software if they chose).

The Application is kicked off with a bat file, btw. Bat file just does a 'net start' for each of the drivers it needs to run, and 'net stop' to close them.

Is there a way (besides writing a Windows Service) to either have the app components run under the local system account, or to specify a local/network username and password that it will run under, without the user having to know the password?

To add an extra twist, the software is written in such a (non-compliant, crappy) way that it will only run under the username it's installed under. If you install it under one account, it will not run under any other.

So I need to find a way for this app to run as (at least) a power user, but without the PC being logged in as an account with power user privileges all the time. If it sits logged in as a power user, then anyone who walks up to it will be able to do whatever they want.


Sorry if I'm rambling a little - I'm fucking exhausted, or I probably would have found a way to do this already.
Underpants?
Posts: 4755
Joined: Mon Oct 22, 2001 7:00 am

Post by Underpants? »

local policy can be different than domain policy, that way you can allow these users to be power users of this one machine only.
Tormentius
Posts: 4108
Joined: Sat Dec 14, 2002 8:00 am

Re: Run program with different credentials?

Post by Tormentius »

R00k wrote:
Sorry if I'm rambling a little - I'm fucking exhausted, or I probably would have found a way to do this already.
T&T :icon10:

I'd recommend creating an OU, placing this computer in it, and creating a GPO which will add Everyone to the Power Users group. You can use the Restricted Users section of the Computer Configuration/Security Policy to do this. As long as the kiosk machine is the only one in the OU then it's the only station that this policy will apply to.
Tormentius
Posts: 4108
Joined: Sat Dec 14, 2002 8:00 am

Post by Tormentius »

Underpants? wrote:local policy can be different than domain policy, that way you can allow these users to be power users of this one machine only.

That would work easier than what I first suggested actually. You could manually add Domain Users to the local Power Users group on that machine. How can you tell that I've been fucking about with GPOs all day.... :paranoid:
Last edited by Tormentius on Thu Jan 19, 2006 10:53 pm, edited 1 time in total.
Underpants?
Posts: 4755
Joined: Mon Oct 22, 2001 7:00 am

Post by Underpants? »

is this an old dos application? How about just always running the services as system with automatic startup type?
Tormentius
Posts: 4108
Joined: Sat Dec 14, 2002 8:00 am

Post by Tormentius »

riddla wrote:this page could possibly set you in the right direction or give you some ideas for a bat file that will 'run as' with a power user account:

http://www.petri.co.il/run_ad_tools_as_another_user.htm
RunAs can't save the password of the alternate user. I really hope they'll add that feature in a future version though.
Underpants?
Posts: 4755
Joined: Mon Oct 22, 2001 7:00 am

Post by Underpants? »

Tormentius wrote:
Underpants? wrote:local policy can be different than domain policy, that way you can allow these users to be power users of this one machine only.

That would work easier than what I first suggested actually. You could manually add Domain Users to the local Power Users group on that machine. How can you tell that I've been fucking about with GPOs all day.... :paranoid:
GPO was the first thing I thought of too, then I remembered how goddamned lazy I am
Tormentius
Posts: 4108
Joined: Sat Dec 14, 2002 8:00 am

Post by Tormentius »

Underpants? wrote:
GPO was the first thing I thought of too, then I remembered how goddamned lazy I am
:olo::olo: Same here. I try to automate everything including defrags through GPOs and scripts.
Dave
Posts: 6986
Joined: Sat Jan 15, 2000 8:00 am

Post by Dave »

Deny internet access via local policy on the machine by setting firewall proxies to 0.0.0.0... domain shit will still work, but you can't get email and web virii that way. software will have to be installed by people who bring the CD. So make your people power users on the box and cut off the web access
Tormentius
Posts: 4108
Joined: Sat Dec 14, 2002 8:00 am

Post by Tormentius »

riddla wrote: too bad he's not on XP.
Thanks Riddla, I had no idea they'd finally gotten around to adding the option.
R00k
Posts: 15188
Joined: Mon Dec 18, 2000 8:00 am

Post by R00k »

Okay, sorry guys, the entire situation has changed. Yes, I know, I should have posted this in T&T. :icon32:

Anyway, here's the new deal...

It is an XP box, not 2000 as I thought - I just went down and worked on it a little.

The application has 3 components that make it run:

1) The application files, which are in a directory right on the root of the C: drive (C:\Prism).
2) Two hardware devices that are started right before the application is started. These are listed in device manager, but are listed in the registry as services (HKLM\Software\MS\Windows\CurrentVersion\CurrentControlSet\Services).
3) The software only runs under the user it was installed for. However, this can be overcome by running a .reg file - it enters a key with 5 values under the HKEY_CURRENT_USER hive (HKCU\Software\Prism\WebController).

I am shooting to get this to run under any normal network login, if possible.

Setting permissions on the C:\Prism folder is easy, obviously. That's done.

I know there is a way to set permissions on the two services, so they can be run by a normal user, but haven't had any luck doing it yet. I tried using regedt32, and setting the Permissions on the two services listed under [HKLM\Software\MS\Windows\CurrentVersion\CurrentControlSet\Services] so that all authenticated users have Modify access, but for some reason that still won't allow a normal user to start the device drivers.

I also know there is a way to enter information into a user's registry hive the first time they login. But the HKCU hive is different from the others, because it is different depending on who is logged in. How can I make it so that Windows adds a certain key to the HKCU hive, only the first time a user logs in?
I tried adding the key to the HKCU\.DEFAULT tree, but that didn't do anything.

Any ideas? :smirk:
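The least-privilege route to the three components listed in the post above, as an added example that is not part of the thread: grant ordinary users start and stop rights on just the two driver services through each service's own security descriptor (that is what the Service Control Manager checks; ACLs on the registry key under Services do not confer control rights), and import the vendor .reg at logon only when the per-user key is missing. The service names PrismHead1 and PrismHead2, the path C:\Prism\WebController.reg and the use of a GPO logon script are assumptions; everything else is stock sc.exe and reg.exe behaviour.

```powershell
# Added example, not code from the thread. Part 1 grants Authenticated Users
# start/stop on two driver services; part 2 seeds the per-user Prism key.
# Assumed names: PrismHead1/PrismHead2 (services), C:\Prism\WebController.reg.

# ---- Part 1: run once, as a local administrator ------------------------------
$Services = @('PrismHead1', 'PrismHead2')   # placeholder service names
# SDDL service rights: CC=QueryConfig LC=QueryStatus SW=EnumDependents RP=Start
# WP=Stop LO=Interrogate RC=ReadControl. Deliberately no DC (ChangeConfig),
# no WD/WO (change permissions/owner) and no SD (delete).
$Ace = '(A;;CCLCSWRPWPLORC;;;AU)'            # AU = Authenticated Users

function Grant-ServiceStartStop {
    param([string]$Name)
    # Start/stop is checked against the service's security descriptor in the
    # SCM, not against the ACL of HKLM\SYSTEM\CurrentControlSet\Services\<Name>.
    $sddl = (sc.exe sdshow $Name | Where-Object { $_ -match '^D:' }) -join ''
    if (-not $sddl) { throw "sc sdshow returned no descriptor for '$Name'" }
    if ($sddl.Contains($Ace)) {
        Write-Host "$Name already grants start/stop to Authenticated Users"
        return
    }
    # sdset replaces the whole descriptor: keep every existing ACE and the SACL
    # (the S: part) and only prepend the new ACE to the DACL.
    $new = $sddl -replace '^D:', "D:$Ace"
    sc.exe sdset $Name $new | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc sdset failed for '$Name' (exit $LASTEXITCODE)" }
    Write-Host "$Name now has: $new"
}

foreach ($s in $Services) { Grant-ServiceStartStop -Name $s }

# ---- Part 2: run as each user at logon (e.g. GPO user logon script) ----------
# HKEY_USERS\.DEFAULT backs the logon desktop, not new user profiles, so writing
# there does nothing for a user's HKCU. Importing only when the key is absent
# gives the "once per user" behaviour without touching existing settings.
function Ensure-PrismUserKey {
    $KeyPath = 'HKCU:\Software\Prism\WebController'
    $RegFile = 'C:\Prism\WebController.reg'  # assumed location of the vendor .reg
    if (Test-Path $KeyPath) { return }
    reg.exe import $RegFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import of $RegFile failed (exit $LASTEXITCODE)" }
}

Ensure-PrismUserKey
```

Run `sc.exe sdshow PrismHead1` afterwards to confirm the new ACE sits first in the DACL and the original SY/BA/IU/SU entries are untouched; if the vendor's five values are known and stable, the alternative to the logon script is to load the Default User profile's NTUSER.DAT with `reg load` and write them there so every newly created profile inherits them.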
R00k
Posts: 15188
Joined: Mon Dec 18, 2000 8:00 am

Post by R00k »

BTW the runas option won't work even if you save the password, because all of our passwords expire every 60 days.
raw
Posts: 2742
Joined: Tue Nov 16, 1999 8:00 am

Post by raw »

I used this page ages ago to create a hidden Quake 3 server @ work which worked well.

Basically, the link below tells you how to make a Windows Service out of anything you want. I've done it with batch scripts several times as well with standard applications. Once it is a service, you can set the account you want it to run as and if you want it to be shown on the desktop (as a running application) you can check the "Allow service to interact with desktop." box. Hope this helps.


http://www.raw-one.com/q3w/exe_as_service.mht
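Registering the start-up batch file as a service in the way the post above describes, as an added example that is taken neither from the thread nor from the linked page: srvany.exe from the Windows Resource Kit becomes the service binary and the real program is named under the service's Parameters key. The service name PrismController, the srvany path, the batch file name and the local account svc_prism are assumptions. A dedicated account is used rather than LocalSystem because "Allow service to interact with desktop" only works for LocalSystem and puts a window running as SYSTEM on the shared kiosk's desktop, where any file dialog or shell it can spawn inherits that account.

```powershell
# Added example, not code from the thread or the linked page. Wraps the Prism
# start-up batch file as a service via srvany.exe (Windows Resource Kit).
# Assumed names: PrismController, C:\Prism\start_prism.bat, local user svc_prism.

$SvcName = 'PrismController'
$Display = 'Prism print-head controller'
$Srvany  = 'C:\Program Files\Windows Resource Kits\Tools\srvany.exe'  # assumed path
$AppCmd  = 'C:\WINDOWS\system32\cmd.exe'
$AppArgs = '/c C:\Prism\start_prism.bat'  # assumed batch file that does the net start/stop
$AppDir  = 'C:\Prism'
# Dedicated local account. Give it only what the batch needs (start/stop on the
# two driver services, read/execute on C:\Prism) plus 'Log on as a service'.
# Not LocalSystem: with the interactive flag, everything the service's window
# could spawn would run as SYSTEM for whoever walks up to the kiosk.
$SvcUser = '.\svc_prism'
$SvcPass = Read-Host "Password for $SvcUser"

if (-not (Test-Path $Srvany)) { throw "srvany.exe not found at $Srvany" }

# Create the service. sc.exe requires the space after each 'option='.
sc.exe create $SvcName binPath= $Srvany start= auto obj= $SvcUser password= $SvcPass DisplayName= $Display | Out-Null
if ($LASTEXITCODE -ne 0) { throw "sc create failed (exit $LASTEXITCODE)" }

# srvany reads what to launch from the service's Parameters key.
$ParamKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$SvcName\Parameters"
New-Item -Path $ParamKey -Force | Out-Null
New-ItemProperty -Path $ParamKey -Name Application   -Value $AppCmd  -PropertyType String -Force | Out-Null
New-ItemProperty -Path $ParamKey -Name AppParameters -Value $AppArgs -PropertyType String -Force | Out-Null
New-ItemProperty -Path $ParamKey -Name AppDirectory  -Value $AppDir  -PropertyType String -Force | Out-Null

# Whoever can write 'Application' here chooses what runs under the service
# account at next start, so verify the key's ACL rather than assuming it.
Get-Acl $ParamKey | Select-Object -ExpandProperty Access |
    Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize

sc.exe start $SvcName
```

`sc create ... obj=` does not grant the account the "Log on as a service" right; add it in Local Security Policy (or with ntrights.exe from the same Resource Kit) before the first start, and remember the password is briefly visible on the command line to anyone who can list processes while `sc create` runs. If the operators must see the application's own window, the service has to be LocalSystem with the interactive flag, and the C:\Prism permissions and the batch file contents then become the only thing standing between a kiosk user and SYSTEM.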
Underpants?
Posts: 4755
Joined: Mon Oct 22, 2001 7:00 am

Post by Underpants? »

winnar!
once it's a service, you can allow it to run with system credentials.
raw
Posts: 2742
Joined: Tue Nov 16, 1999 8:00 am

Post by raw »

I'm the man.
R00k
Posts: 15188
Joined: Mon Dec 18, 2000 8:00 am

Post by R00k »

You are the man, thanks. :icon14:

On a side note, I might be around West Palm in March or April. Haven't solidified the plan yet, but I've got a friend who moved down there I've been wanting to go see. No work, all pleasure. :)
raw
Posts: 2742
Joined: Tue Nov 16, 1999 8:00 am

Post by raw »

I have no idea what I'm going to be doing in April. I started this new job recently and we just started our big project which entails re-designing an existing WAN from the ground up which includes a Disaster Recovery (DR) solution.
MKJ
Posts: 32582
Joined: Fri Nov 24, 2000 8:00 am

Post by MKJ »

this is where Kracus' miracle website would come in handy innit! :gasp
R00k
Posts: 15188
Joined: Mon Dec 18, 2000 8:00 am

Post by R00k »

raw wrote:I have no idea what I'm going to be doing in April. I started this new job recently and we just started our big project which entails re-designing an existing WAN from the ground up which includes a Disaster Recovery (DR) solution.
Sound like a nice job there man, I wish I still got to play with all that stuff. Are they hiring? :p

Anyway I'll let you know a little closer to April if/when we're coming and all that and see if you're busy.
R00k
Posts: 15188
Joined: Mon Dec 18, 2000 8:00 am

Post by R00k »

raw wrote:I used this page ages ago to create a hidden Quake 3 server @ work which worked well.

Basically, the link below tells you how to make a Windows Service out of anything you want. I've done it with batch scripts several times as well with standard applications. Once it is a service, you can set the account you want it to run as and if you want it to be shown on the desktop (as a running application) you can check the "Allow service to interact with desktop." box. Hope this helps.


http://www.raw-one.com/q3w/exe_as_service.mht
May be a silly question, but have you had any problems running this on XP?
R00k
Posts: 15188
Joined: Mon Dec 18, 2000 8:00 am

Post by R00k »

riddla wrote:If you need the srvany files I have them handy. I also run hidden services from work machines muahaha.
Would you mind sharing those?

I d/l'ed the ResKit programs from MS's ftp, but they're useless when I extract them. I don't have the ResKit CD handy anywhere, so I can't use the installer to extract them properly.

Do you have the files already extracted and useable?

Thanks.
R00k
Posts: 15188
Joined: Mon Dec 18, 2000 8:00 am

Post by R00k »

I found it, and this is working like a champ, with only a few minor adjustments.

Thanks for your help guys, especially that fish-loving homo from Florida. :icon14:
raw
Posts: 2742
Joined: Tue Nov 16, 1999 8:00 am

Post by raw »

I crush the competition like I crush the hashish.
Underpants?
Posts: 4755
Joined: Mon Oct 22, 2001 7:00 am

Post by Underpants? »

R00k wrote:I found it, and this is working like a champ, with only a few minor adjustments.

Thanks for your help guys, especially that fish-loving homo from Florida. :icon14:
well done, now stop fucking around on the internet and get back to work, faggot.