Using RunAs With a Password

Written: 07/24/13

Last Updated: 07/24/13

There are certain situations where it is desirable to launch programs under the Administrator account, through the use of a batch file or other similar means. This techtorial will show you how to do exactly that, using the built-in command “RunAs”. More specifically, I present a sort of trick to bypass the RunAs prompt for a password, thus allowing this step to be easily automated.

Before I go into an explanation of how to set this up, I must first discuss the dangers in this procedure. This process involves enabling the Administrator account and giving it a null password, which inherently opens up a security vulnerability. Additionally, it allows blank passwords to be used throughout the system. Lastly, the password is passed to RunAs as plain text.

If you are still reading, I assume you understand the risks. This is a process geared towards individuals wishing to automate certain tasks on test computers. I would not recommend using this on your home computer. If you wish to still launch tasks using the Administrator account, but more securely, you will need to use a third-party program.

The first step involves changing the security policy to allow blank passwords. I have techtorial on this already. In the efforts of not duplicating material, you may find that article here.

The second step requires enabling the Administrator account and assigning it a null password. Follow this article to enable the account. That techtorial will by default create the Administrator account with a null password. If the account was already enabled and has a password, then you will need to change it. If you are all set, click here to skip those directions.

To change the Administrator account password start by opening the run dialog, by pressing the windows key and “R” at the same time. Type “compmgmt.msc”, as shown below, and then press enter.

run-computer-management

Click on “Local Users and Groups” -> “Users”. Right click on “Administrator” and click on “Set Password…”.

set-Administrator-password

Read the warning (You may not want to change the password this way. If not, log in as Administrator, press CTRL+ALT+DELETE and click “Change Password”.). When you are ready press “Proceed”.

set-password-warning

In the below dialog press OK.

set-password

You should get the below dialog. If so press OK.

set-password-confirmation

The last step will seem a little silly. It involves creating a null text document. This can be done anywhere that you have write permissions, by right-click in that directory and clicking on “New” -> “Text Document”. For simplicity, create the file on the desktop and give it the name “pass.txt”.

create-null-text-document

Now open up command prompt, by pressing the windows key and “R” and then typing in “CMD”.

run-cmd

Since I have UAC disabled, CMD will default open as Administrator. You can tell what type of command prompt you have by reading the window title. If it says “Administrator: …” then you have an Administrator prompt, otherwise you are running it under de-elevated permissions.

All that is left is to run whatever program you want as Administrator. Let us assume you want to open up CMD as Administrator. Execute the below command, making sure to replace the path names with the appropriate ones. Make sure to specify the full path name, as local paths may induce errors.

runas /user:Administrator “cmd” < “C:\Users\TechTorials\Desktop\pass.txt”

The first parameter of RunAs specifies that you wish to launch the program as Administrator. The next parameter is the program you wish to run. This program can even have arguments. Just make sure to include the full path to the program and any desired arguments. Next, we are passing the contents of our text file to the command. This will bypass the normal prompt of when it asks for the password. Once again, make sure you specify the full path to the text file and include it in double quotes (not necessarily required, but it will ensure that it will always work).

Unfortunately, the password must be blank. I believe a workaround would be to create a single line file with no line ending characters; however, I have not yet tested this. If anyone knows of a better solution, please let me know in the comments. I do know that creating a single line text file, through normal means, with the password in it will not be successful.

Below is an example of what a working solution should look like. You will notice that the prompt to enter the password is still given, but that we did not have to manually type in the password.

runas-final

Discussion (4)

There are 4 responses to “Using RunAs With a Password”.

  1. you can confirm the blank password with <nul redirection

  2. Lakpriya responded:

    · Reply

    Is there any way to execute a batch script with supplied domain username & password to run a vbs script shared on another machine?any help would be highly appreciated.Can i get a sample script.Basically the batch file will execute as a domain admin privillege account.So that it can execute the vbs script as an admin user.

    • Remote script execution is possible, but it is messy. PsExec is probably what you will want to look at using. This can be a dangerous tool. Use this at your own risk.

Leave a Reply