Board index » Visual Studio » runas sending a pwd using a file

Visual Studio134
Hi

i need to use a bat file to run a program as administrator but i dont want

to let know the administrator password. i'd likw to create a .bat file:



echo off

runas /profile /user:administrator\peterpan cmd



i did that but it ask me the password, how can i send it by the .bat file???

thanks

...... any other suggestion are appreciate

carlo


-

It can't be done with the "runas" command. It is never a good idea to put

passwords in a file.

Perhaps if you explain what you are trying to accomplish we can suggest a

method that works without a password.



--

Jim Vierra

msdn.microsoft.com/theshow/Episode048/default.asp">msdn.microsoft.com/theshow/Episode048/default.asp

"Carlo" <carletto.mNOSPAM@gmail.com>wrote in message



-

i send a previous message: this is the old message

********************************************************

hi, yesterday i posted this mail, no answer for now.

i see that the problem disappear if i login as administrator with no

limitation, because i'm not the administrator of the server i'd like to ear

any suggest to the source of the problem

any idea???

thanks again

carlo



i wrote code in VB to connect and use a MSSQL db, it runs well on my develop

machine (winXP sp2) when i use it on a Win2003 server i have got a

problem....

i wrote:



On Error GoTo ErrorHandler

...

open and close recordset on the same connection

....

connectio.Execute strQuery



and it stops the program and doesnt get the error exception , just open a

msgBox with:



error overflow, 6



WHere is the problem???

why on my machine there isnt any problems???

thanks a lot

carlo



********************************************************



this is my problem...

i try to solve it launcing my application using runas ... administrator

in this way everything runs fine

i hope you can help me to solve the real problem or just tell me how to

solve the second one

thanks a lot

carlo







"Jim Vierra" <jvierra@msn.com>ha scritto nel messaggio



-

This is a multi-part message in MIME format.



------=_NextPart_000_00E0_01C54517.DCF38B80

Content-Type: text/plain;

charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable



Carlo=20



Not correct in scripting. On Error GoTo ErrorHandler



Only use "On Error Resume Next"



and



Set rs =3D connectio.Execute( strQuery )



And more but you didn't send the whole script.

--=20

Jim Vierra

msdn.microsoft.com/theshow/Episode048/default.asp">msdn.microsoft.com/theshow/Episode048/default.asp

"Carlo" <carletto.mNOSPAM@gmail.com>wrote in message =

Content-Type: text/html;

charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<HTML><HEAD>

<META http-equiv=3DContent-Type content=3D"text/html; =

charset=3Diso-8859-1">

<META content=3D"MSHTML 6.00.2900.2627" name=3DGENERATOR>

<STYLE></STYLE>

</HEAD>

<BODY>

<DIV><FONT face=3DArial size=3D2>Carlo </FONT></DIV>

<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>

<DIV><FONT face=3DArial size=3D2>Not correct in scripting. </FONT><FONT =

face=3DArial=20

size=3D2><STRONG>On Error GoTo ErrorHandler</STRONG></FONT></DIV>

<DIV><FONT face=3DArial size=3D2><STRONG></STRONG></FONT>&nbsp;</DIV>

<DIV><FONT face=3DArial size=3D2>Only use "On Error Resume Next"</DIV>

<DIV><BR>and</DIV>

<DIV>&nbsp;</DIV>

<DIV>Set rs =3D&nbsp; connectio.Execute( strQuery )</DIV>

<DIV>&nbsp;</DIV>

<DIV>And more but you didn't send the whole script.<BR>-- <BR>Jim=20

Vierra<BR></FONT><A=20

href=3D"msdn.microsoft.com/theshow/Episode048/default.asp"><FONT">msdn.microsoft.com/theshow/Episode048/default.asp"><FONT =

face=3DArial=20

size=3D2>msdn.microsoft.com/theshow/Episode048/default.asp</FONT><=">msdn.microsoft.com/theshow/Episode048/default.asp</FONT><=

/A></DIV>

<DIV><FONT face=3DArial size=3D2>"Carlo" &lt;</FONT><A=20

href=3D"mailto:carletto.mNOSPAM@gmail.com"><FONT face=3DArial=20

size=3D2>carletto.mNOSPAM@gmail.com</FONT></A><FONT face=3DArial =

size=3D2>&gt; wrote=20

in message </FONT><A =

href=3D"news:uaG2cQTRFHA.2680@TK2MSFTNGP09.phx.gbl"><FONT=20

face=3DArial =

size=3D2>news:uaG2cQTRFHA.2680@TK2MSFTNGP09.phx.gbl</FONT></A><FONT=20

face=3DArial size=3D2>...</FONT></DIV><FONT face=3DArial size=3D2>&gt;i =

send a previous=20

message: this is the old message<BR>&gt;=20

********************************************************<BR>&gt; hi, =

yesterday i=20

posted this mail, no answer for now.<BR>&gt; i see that the problem =

disappear if=20

i login as administrator with no<BR>&gt; limitation, because i'm not the =



administrator of the server i'd like to ear<BR>&gt; any suggest to the =

source of=20

the problem<BR>&gt; any idea???<BR>&gt; thanks again<BR>&gt; =

carlo<BR>&gt;=20

<BR>&gt; i wrote code in VB to connect and use a MSSQL db, it runs well =

on my=20

develop<BR>&gt; machine (winXP sp2) when i use it on a Win2003 server i =

have got=20

a<BR>&gt; problem....<BR>&gt; i wrote:<BR>&gt; <BR>&gt; On Error GoTo=20

ErrorHandler<BR>&gt; ...<BR>&gt; open and close recordset on the same=20

connection<BR>&gt; ....<BR>&gt; connectio.Execute strQuery<BR>&gt; =

<BR>&gt; and=20

it stops the program and doesnt get the error exception , just open =

a<BR>&gt;=20

msgBox with:<BR>&gt; <BR>&gt; error overflow, 6<BR>&gt; <BR>&gt; WHere =

is the=20

problem???<BR>&gt; why on my machine there isnt any problems???<BR>&gt; =

thanks a=20

lot<BR>&gt; carlo<BR>&gt; <BR>&gt;=20

********************************************************<BR>&gt; =

<BR>&gt; this=20

is my problem...<BR>&gt; i try to solve it launcing my application using =

runas=20

... administrator<BR>&gt; in this way everything runs fine<BR>&gt; i =

hope you=20

can help me to solve the real problem or just tell me how to <BR>&gt; =

solve the=20

second one<BR>&gt; thanks a lot<BR>&gt; carlo<BR>&gt; <BR>&gt; <BR>&gt; =

<BR>&gt;=20

"Jim Vierra" &lt;</FONT><A href=3D"mailto:jvierra@msn.com"><FONT =

face=3DArial=20

size=3D2>jvierra@msn.com</FONT></A><FONT face=3DArial size=3D2>&gt; ha =

scritto nel=20

messaggio <BR>&gt; </FONT><A=20

href=3D"news:%23wbVw$SRFHA.508@TK2MSFTNGP12.phx.gbl"><FONT face=3DArial=20

size=3D2>news:%23wbVw$SRFHA.508@TK2MSFTNGP12.phx.gbl</FONT></A><FONT =

face=3DArial=20

size=3D2>...<BR>&gt;&gt; It can't be done with the "runas" command. It =

is never a=20

good idea to put <BR>&gt;&gt; passwords in a file.<BR>&gt;&gt; Perhaps =

if you=20

explain what you are trying to accomplish we can suggest a <BR>&gt;&gt; =

method=20

that works without a password.<BR>&gt;&gt;<BR>&gt;&gt; -- <BR>&gt;&gt; =

Jim=20

Vierra<BR>&gt;&gt; </FONT><A=20

href=3D"msdn.microsoft.com/theshow/Episode048/default.asp"><FONT">msdn.microsoft.com/theshow/Episode048/default.asp"><FONT =

face=3DArial=20

size=3D2>msdn.microsoft.com/theshow/Episode048/default.asp</FONT><=">msdn.microsoft.com/theshow/Episode048/default.asp</FONT><=

/A><BR><FONT=20

face=3DArial size=3D2>&gt;&gt; "Carlo" &lt;</FONT><A=20

href=3D"mailto:carletto.mNOSPAM@gmail.com"><FONT face=3DArial=20

size=3D2>carletto.mNOSPAM@gmail.com</FONT></A><FONT face=3DArial =

size=3D2>&gt; wrote=20

in message <BR>&gt;&gt; </FONT><A=20

href=3D"news:uDQWJ4SRFHA.688@TK2MSFTNGP10.phx.gbl"><FONT face=3DArial=20

size=3D2>news:uDQWJ4SRFHA.688@TK2MSFTNGP10.phx.gbl</FONT></A><FONT =

face=3DArial=20

size=3D2>...<BR>&gt;&gt;&gt; Hi<BR>&gt;&gt;&gt; i need to use a bat file =

to run a=20

program as administrator but i dont <BR>&gt;&gt;&gt; want to let know =

the=20

administrator password. i'd likw to create a .bat <BR>&gt;&gt;&gt;=20

file:<BR>&gt;&gt;&gt;<BR>&gt;&gt;&gt; echo off<BR>&gt;&gt;&gt; runas =

/profile=20

/user:administrator\peterpan cmd<BR>&gt;&gt;&gt;<BR>&gt;&gt;&gt; i did =

that but=20

it ask me the password, how can i send it by the .bat <BR>&gt;&gt;&gt;=20

file???<BR>&gt;&gt;&gt; thanks<BR>&gt;&gt;&gt; ...... any other =

suggestion are=20

appreciate<BR>&gt;&gt;&gt; carlo<BR>&gt;&gt;&gt;<BR>&gt;&gt;<BR>&gt;&gt; =



<BR>&gt; <BR>&gt;</FONT></BODY></HTML>



------=_NextPart_000_00E0_01C54517.DCF38B80--



-

i tried but the problem is there the same just the application doesnt crash

the problem is that when i execute te query there is an error... this error

doesnt exist if i run the app as root

can you tell me how can i pass the password using a file???

if you want i can sent the code

carlo





-

Can't be done. Your syntax won't work in a script even if you run as an

admin. I don't know why you think it's working unless there are things you

are not showing.



Send code.



--

Jim Vierra

msdn.microsoft.com/theshow/Episode048/default.asp">msdn.microsoft.com/theshow/Episode048/default.asp

"Carlo" <carletto.mNOSPAM@gmail.com>wrote in message



-

The must-have for this particular scenario is cpau.exe form joeware

(www.joeware.net/win/free/tools/cpau.htm).">www.joeware.net/win/free/tools/cpau.htm).



This tool produces just what you're looking for.



The best way to hide the logon/password is to follow the instructions

for creating a job file (which will bundle the credentials in a text

file of scrambled alphanumeric soup).



When working this type of solution into a logon script there are two

approaches you can use as to where cpau.exe and the supporting text

file will reside.



1. An additional segment in your logon script

that creates a folder on the user's machine

and then copies the two files to each PC

before running your executable (works faster).



- or -



2. Storing the two files on a server share and

have the logon script point to this location

(works a little slower but ensures you only

have one job file to fool with in the event

you want to make changes).



I created a separate account for running the installation so if I

needed to disable it or change the password I wouldn't have to worry

about its impact on other dependencies.



Either way let me know of your outcome.



-

A far safer approach is to delegate the needed resource to the user needing

to run it. This doesn't require elevation of a process in the user session.



There is no documentation on the hash used for encrypting the file so be

careful.



In nearly every case I have seen where an admin has needed to do this it was

an issue of delegation. Delegation can be controlled at the resource level

so an elevated session is not required. Cute methods for bypassing security

are always good targets for hackers and Trojans.



--

Jim Vierra



"Alan" <Alan.Kincer@med.va.gov>wrote in message



-

How is the install delegated? By application name? Does the end user

perform the install or is it still left in the logon script?



-

If you are trying to install software you should use Group Policy. It will

install at the proper level and with or without the users interaction.



--

Jim Vierra



"Alan" <Alan.Kincer@med.va.gov>wrote in message



-

I've done this with Office 2003, Adobe Reader 7, and Java 1.5.1 which

all work well (especially since they come with good support for the

requisite .msi build). What I'm curious about is your earlier statement

regarding delegation. The logon script include I mentioned earlier is

useful for smaller applications or updates that will not take long to

install, can be installed in some sort of "silent" mode, and do not

come with low-headache .msi support (high-headache approach being the

"snapshot" method). If there is a delegation-based approach that does

not involve user interaction I would be very interested to learn how

this is done.



-

It all depends on what software you are distributing. Some software just

can't be automated. Almost all software based on MSI can be automated.

"Silent" is a function of the vendors installation design and out of our

control. GP can distribute to users and allow interaction yet still install

with admin level privileges.



--

Jim Vierra



"Alan" <Alan.Kincer@med.va.gov>wrote in message



-

"Carlo" <carletto.mNOSPAM@gmail.com>wrote in message news:<uDQWJ4SRFHA.688@TK2MSFTNGP10.phx.gbl>...

Hi



take a look to runasspc on

www.robotronic.de\runasspc.html



a standard user or guest can run a program with admin level privliges.

The admin write the information (adminaccount,passwort,programname) in

a crypt file.

And the user can run the program with the information in this file

without knowing the password.

The site is in german but the tool is english and very simple to use.

Try runasspc -h to see instructions or take a look on the start.bat to

see commandline sample to use runasspc



bye

-

"Marc Foster" <newsletter2@robotronic.de>wrote in message

Other options include:



CPAU from www.joeware.net/win/free/tools/cpau.htm">www.joeware.net/win/free/tools/cpau.htm



RunAs Pro from www.gold-software.com/download2346.html">www.gold-software.com/download2346.html





/Al





-

"Marc Foster" <newsletter2@robotronic.de>wrote in message

An interesting alternative. But, not speaking German (and not fully trusting

a google translation), I would like more information on the nature of the

encryption used, plus any other features that have been developed to prevent

the use of the stored credentials for any purposes other than running the

applications they were created for.



/Al





-

On 4/24/2005 12:37, Al Dunbar [MS-MVP] wrote:



Right at the top of the page I see "AES 256Bit".

<csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf>">csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf>



~Jason



--

-

Has anyone looked into the secure password extensions to WSH 5.6.



--

Jim Vierra



"Jason Gurtz" <jason@NOSPAMtommyk.com>wrote in message



-

"Jason Gurtz" <jason@NOSPAMtommyk.com>wrote in message

Let me rephrase... "I would like A *BIT* more information...", though

perhaps somewhat less than 45 pages of it ;-)



But how encryption is used is likely as important as the algorithm on which

it is based. I forget the details, but some time ago an implementation of a

fairly strong algorithm was found to be easily cracked. The fact that it was

128bit-based (or whatever) was outweighed by the way they seeded it such

that someone saw a pattern and deduced its source.



In this case, is there anything about the implementation that would tend to

arbitrarily limit the range of possible password values?



/Al





-

If the password was of great complexity and a 256 bit hash were used and the

password were changed every 14 days and security is monitored very closely

then that 256 encryption algorithm would be sufficient. Fail in any one of

the above and I guarantee it is crackable. In fact there are, doubtlessly,

web site that you can submit the encrypted password to and get a decrypted

version within a reasonable amount of time.



There has been a hacker attempt at build a super virtual computer just for

cracking passwords quickly. If you have anything to protect then be

careful.





--

Jim Vierra



"Al Dunbar [MS-MVP]" <alan-no-drub-spam@hotmail.com>wrote in message



-

On 4/26/2005 22:33, Jim Vierra wrote:

Yup, you are storing a password on disk in a file that is readable by a

plain user (anyone). It's just not going to be perfect, but it can be

pretty good. I guess the real question is how badly you think someone

would want to crack it and is AES-256 at least a little more than they'd

want to spend.



Cheers,



~Jason



--

-

Depends on what you are storing on your network. If it is a bank, insurance

company, gov office any of these and others then someone would want to have

it.





--

Jim Vierra



"Jason Gurtz" <jason@NOSPAMtommyk.com>wrote in message



-