Microsoft KB Archive/225035

= Secondary Logon (Run As): Starting Programs and Tools in Local Administrative Context =

Article ID: 225035

Article Last Modified on 2/27/2007


APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Datacenter Server




This article was previously published under Q225035





SUMMARY
Windows secondary logon allows administrators to log on with a non-administrative account and still be able to perform administrative tasks (without logging off) by running trusted administrative programs in administrative contexts. In this scenario, system administrators require two user accounts: a regular account with basic privileges, and an administrative account (this can be a different administrative account for each administrator or a single administrative account shared among administrators).

Secondary logons address the security problems presented by administrators running programs that may be susceptible to "Trojan Horse" attacks (such as running Microsoft Internet Explorer in the administrative context while accessing a non-trusted Web site).

Even though secondary logon is primarily intended for system administrators, it can be used by any user with multiple accounts to start programs under different account contexts without the need to log off.

The Secondary Logon service is started automatically after a "clean" installation of Windows. A "clean" installation of Windows means either installing Windows on a blank hard disk, or installing Windows in a folder other than the folder in which an existing version of Windows is installed.



Starting a Command Shell in Local Computer Administrative Context
While logged on as a normal user:
 * 1) Click Start, click Run, type runas /user:computername\administrator cmd, where computername is the name of your computer, and then click OK.
 * 2) A console window will appear, prompting for a password for the computername\administrator account. Type the password for the administrator account and press ENTER.
 * 3) A new console will appear running in the administrative context (the title of the console will clearly state running as computername\administrator).

Any command-based administrative programs can now be started from this console window.

Starting a Control Panel Tool in Administrative Context While Logged on as a Normal User
While logged on as a normal user:
 * 1) In Windows 2000, click Start, select Settings, Control Panel.
 * 2) Select the particular tool you want to run in administrative context (for example: Add/Remove Hardware).
 * 3) Highlight the selected tool by using a single left-click on the icon.
 * 4) Hold down the Shift key and right-click on the icon. You will notice the Run as... command that appears in the command list.
 * 5) Select the Run as... command. You will be prompted with a dialog box titled, "Run program as other user".
 * 6) Type the administrator account name and password in the appropriate fields. Note: the domain name can also be changed.
 * 7) After entering the credentials for the administrator account, click OK and the program associated with the tool will start in the administrative context.

Starting a Shortcut in Administrative Context
The following example uses a shortcut to the Computer Management program, but this method will work on shortcuts of .EXE files and shortcuts of registered file types like .TXT, .DOC and .MSC files.

While logged on as a normal user:
 * 1) Use Windows Explorer to create a shortcut on your desktop for the file COMPMGMT.MSC. COMPMGMT.MSC can be found in the \%WINDIR%\SYSTEM32 directory. By default, this is the \WINNT\SYSTEM32 directory, located on the boot partition.
 * 2) Highlight the Shortcut to compmgmt icon on your desktop using a single left-click.
 * 3) Hold down the Shift key while right-clicking on the Shortcut to compmgmt icon on the desktop.
 * 4) Select the Run as... command. You will be prompted with the "Run program as other user" dialog box.
 * 5) Type the name and password for the administrator account in the appropriate fields. Click OK.

This will start an MMC console with the Computer Management snap-in loaded. This snap-in is now running in administrative context.

You can also configure a shortcut to always run using alternate credentials when opened by configuring the Properties for the shortcut as follows:
 * 1) Close any open MMC consoles and highlight the Shortcut to compmgmt icon on your desktop using a single left-click. Right-click on the icon and select Properties.
 * 2) In the center area of the Properties dialog box find the checkbox labeled, "Run as different user". Select the checkbox and click OK to close the Properties dialog box.
 * 3) Double-click on the Shortcut to compmgmt icon to start the console.
 * 4) You will be prompted with the "Run program as other user" dialog box. Enter the credentials in the appropriate fields and click OK.

This technique may be used for any shortcuts that you desire to create and always run under a different security context.

Starting a Program in Administrative Context While Logged on as a Normal User
This example uses the Notepad program, but you can start any Windows program in an alternate security context using this same method.

While logged on as a normal user:
 * 1) Using Windows Explorer, copy the file NOTEPAD.EXE to your desktop. NOTEPAD.EXE can be found in the \%WINDIR%\ directory. By default, this is the \WINNT\ directory located on the boot partition.
 * 2) Highlight the Notepad icon on the desktop by left clicking on it.
 * 3) Hold down the Shift key while right-clicking on the Notepad icon.
 * 4) Select the Run as... command. You will be prompted with the "Run program as other user" dialog box.
 * 5) Type the name and password for the administrator account. Click OK.

Notepad will now start up in the administrative context.

NOTE: There is no indication of which security context the program is running under. This is because Windows programs define their own title text, which cannot be manipulated by the caller. This can cause confusion if you start up multiple processes under different contexts.

Starting an MMC in Administrative Context Using a Saved .msc File
The example below uses an existing .MSC file, COMPMGMT.MSC. However, any MSC file can be started in a different security context using the method illustrated below.

While logged on as a normal user:
 * 1) Use Windows Explorer to copy the file COMPMGMT.MSC to your desktop. COMPMGMT.MSC can be found in the \%WINDIR%\SYSTEM32 directory. By default, this is the \WINNT\SYSTEM32 directory, located on the boot partition.
 * 2) Highlight the compmgmt icon on your desktop by using a single left-click.
 * 3) Hold down the Shift key and right-click on the compmgmt icon on the desktop.
 * 4) Select the Run as... command. You will be prompted with the "Run program as other user" dialog box.
 * 5) Type the name and password for the administrator account in the appropriate fields. Click OK.

A new MMC console will now appear with the Computer Management snap-in loaded. This snap-in is now running in the administrative context. In a similar fashion, a system administrator can create custom Microsoft Management Consoles containing frequently used administrative snap-ins and run them in administrative context using secondary logon.

Running the Windows Explorer Shell in Administrative Security Context
While logged on as a normal user:
 * 1) Start Task Manager. Right-click the Task bar and select Task Manager.
 * 2) Click the Processes tab.
 * 3) Select explorer.exe. Click End Process. Click YES on the warning pop-up message. The entire desktop will disappear. You will still have any programs that you started including Task Manager.
 * 4) Click the Programs tab.
 * 5) Click New Task.
 * 6) Type runas /user:machine/domain name\administrator explorer.exe. Click OK.
 * 7) A Console window will appear and prompt for the password. Minimize Task Manager, type the password and press Enter. The desktop will return including the task bar, shortcuts, Startup folder items, etc.
 * 8) Perform necessary administrative tasks. For example: clicking Start, Settings and Control Panel will bring up control panel in administrative context.
 * 9) When finished, log off Administrator. A new shell will automatically start, running in the originating user context.

Running in Other Security Contexts
The above examples show the use of secondary logon running in administrative context. However, this does not preclude the ability to utilize this feature to run in other security contexts. Generally, this feature will allow running any program or tool in any security context provided:
 * You can provide valid account credentials for the alternate context.
 * The alternate context is able to log on locally to the system.
 * The program or tool is available on the system and is accessible to the alternate context.

Limitations and Troubleshooting

 * Secondary Logon Service is not started on the Windows 2000 system. Right-click My Computer, and then click Manage. In Computer Management, select System Tools, click Services, and then determine if Secondary Logon Service is started.
 * Credentials supplied are incorrect. Verify credentials by logging on to the system from the initial Windows Logon screen.
 * You may be attempting to start an EXE from a network path and the credentials used to connect to that path are not the same as the ones being used to start the EXE. The credentials used to start the EXE may not have access to the network path. Start Windows Command prompt using runas, reconnect to the network path with net use, and then start the EXE.
 * Certain programs are started indirectly by the Windows Explorer Shell. These include Control Panel, the Printers folder, etc. Since the shell is started in the primary security context during initial logon, any process started from the shell remains in that security context. You can work around this by starting a tool using Run as... or killing the existing shell and restarting Explorer Shell in the administrative context.
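
The checks in the list above can also be scripted. The batch file below is an added example, not part of the original article: it confirms that the service is running, then opens one console in the alternate context that shows which account it runs as, reconnects to the network path, and starts the EXE. It assumes sc.exe is available (built into Windows XP and later, a Resource Kit tool on Windows 2000) and that the service short name is seclogon; \\fileserver\tools and admintool.exe are hypothetical placeholders.

```bat
@echo off
rem Added example, not from the original article.
rem Assumptions: sc.exe is available and the service short name is seclogon.
rem \\fileserver\tools and admintool.exe are hypothetical placeholders.
setlocal
set "ADMIN=%COMPUTERNAME%\administrator"
set "SHARE=\\fileserver\tools"
set "TOOL=admintool.exe"

rem runas cannot start anything unless the Secondary Logon service is running.
sc query seclogon | find "RUNNING" >nul
if errorlevel 1 goto :noservice

rem Start one console in the alternate context. Inside that console:
rem   1. print the account in use (the doubled percent signs defer expansion
rem      to the new console, so the values are those of the alternate account),
rem   2. reconnect to the share as that account,
rem   3. start the EXE from the share.
rem runas prompts for the password here; wrong credentials fail at this step.
runas /user:%ADMIN% "cmd /k echo Running as %%USERDOMAIN%%\%%USERNAME%% & net use %SHARE% & %SHARE%\%TOOL%"
if errorlevel 1 goto :runasfailed
goto :eof

:noservice
echo The Secondary Logon service is not running. Start it in Computer Management, Services.
exit /b 1

:runasfailed
echo runas could not start the console. Check the account name and password.
exit /b 1
```

Because the console stays open (cmd /k), further administrative programs started from it also run in the alternate context, and the echoed account name gives the indication that GUI programs started with Run as... do not.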

Keywords: kbenv kbhowto KB225035

© Microsoft Corporation. All rights reserved.