
runAs tool

Nikolay Pianikov edited this page Jul 6, 2018 · 3 revisions

The runAs tool provides the ability to run a Windows process under a specified Windows user account.

Command line arguments

| Argument | Description | Mandatory | Default value |
|---|---|---|---|
| -u: | "user" or "domain\user" or "user@domain" | | |
| -p: | user's password | | empty |
| -w: | working directory | | empty |
| -b: | base number for exit code | | -100000 |
| -e: | set an environment variable in the format "name=value" | | |
| -l: | logging level (debug\|normal\|errors\|off) | | normal |
| -il: | integrity level (auto\|untrusted\|low\|medium\|medium_plus\|high) | | auto |
| -s: | show mode for the created process: hide or normal or show | | hide |
| -t | self-testing, returns exit codes: 32 - ready to work in the 32-bit mode; 64 - ready to work in the 64-bit mode; 1 - invoker has no administrative privileges when running under the Windows service; 2 - invoker has no SeAssignPrimaryTokenPrivilege privilege (replace a process-level token) when running under the Windows service; 3 - invoker has no SeTcbPrivilege privilege (act as part of the operating system) when running under the Windows service | | |
| -i: | off - when environment variables should not be inherited from the parent process; on - when the environment variables should be inherited from the parent process; auto - when some environment variables should be inherited from the parent process | | auto |
| -c: | text file, containing any configuration arguments | | |
| executable | executable file | | |
| command_line_args | command line arguments, the maximum total length of executable and command_line_args is 1024 characters | | empty |

For example:

JetBrains.runAs.exe -p:MyPassword -u:SomeDomain\SomeUserName WhoAmI.exe /ALL

Or another example that does the same thing:

JetBrains.runAs.exe -p:MyPassword -c:MyConfig.txt

where MyConfig.txt is a text file containing the following lines:

-u:SomeDomain\SomeUserName
WhoAmI.exe
/ALL

How it works

The runAs tool uses one of the three ways provided by the Windows API to create a process:

  1. The Windows API call CreateProcessAsUser to create a process as a specified user directly; the integrity level can be elevated.

  2. The Windows API call CreateProcessWithLogonW to create a process as a specified user via a dedicated logon service; the integrity level cannot be elevated.

  3. The Windows API call CreateProcessWithTokenW to create a process as a specified user via a dedicated logon service and try changing the integrity level.

To use (1), the caller needs the SE_ASSIGNPRIMARYTOKEN_NAME privilege to replace a filtered (by Windows core) security access token with a primary (not filtered) security access token with the full set of privileges (the "High" integrity level). The caller also needs the SE_TCB_NAME privilege to act as a part of the operating system. See this page. The runAs tool uses this approach when working under a Windows service.

To use (2), the caller needs a logon SID. See this page. CreateProcessWithLogonW cannot be called from a process that is running under the "LocalSystem" account, because the function uses the logon SID in the caller token, and the token for the "LocalSystem" account does not contain this SID. The runAs tool uses this approach when working in the user session.
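
As an added example (not code from the runAs project), the following PowerShell function checks the caller's token for the prerequisites of approaches (1) and (2) described above by parsing whoami output, then runs the tool's -t self-test for comparison. The function name, parameter names and sample CSV lines are constructed for illustration, and the path to JetBrains.runAs.exe is an assumption.

```powershell
# Added example: check the caller's token for the prerequisites of approaches (1) and (2).
# Function and parameter names are hypothetical, not part of the runAs tool.
function Test-RunAsPrerequisites {
    param(
        [string[]]$PrivCsv  = (whoami /priv /fo csv /nh),    # privileges in the caller token
        [string[]]$GroupCsv = (whoami /groups /fo csv /nh)   # group SIDs in the caller token
    )
    $privs  = $PrivCsv  | ConvertFrom-Csv -Header Name, Description, State
    $groups = $GroupCsv | ConvertFrom-Csv -Header Name, Type, Sid, Attributes

    # A privilege listed as Disabled is still held and can be enabled by the process;
    # a privilege that is not listed is absent from the token.
    $held        = @($privs | ForEach-Object { $_.Name })
    $hasAssign   = $held -contains 'SeAssignPrimaryTokenPrivilege'
    $hasTcb      = $held -contains 'SeTcbPrivilege'
    # Logon SIDs have the form S-1-5-5-X-Y.
    $hasLogonSid = [bool]($groups | Where-Object { $_.Sid -match '^S-1-5-5-\d+-\d+$' })

    [pscustomobject]@{
        CreateProcessAsUser     = $hasAssign -and $hasTcb   # approach (1)
        CreateProcessWithLogonW = $hasLogonSid              # approach (2)
        Missing = @(
            if (-not $hasAssign)   { 'SeAssignPrimaryTokenPrivilege' }
            if (-not $hasTcb)      { 'SeTcbPrivilege' }
            if (-not $hasLogonSid) { 'logon SID' }
        )
    }
}

# Constructed sample input: a token with only one of the two privileges and no logon SID.
$samplePriv = @(
    '"SeAssignPrimaryTokenPrivilege","Replace a process level token","Disabled"',
    '"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"'
)
$sampleGroups = @(
    '"BUILTIN\Administrators","Alias","S-1-5-32-544","Enabled by default, Enabled group"'
)
Test-RunAsPrerequisites -PrivCsv $samplePriv -GroupCsv $sampleGroups | Format-List

# Live check of the current token, then the tool's own self-test for comparison.
Test-RunAsPrerequisites | Format-List
$exe = '.\JetBrains.runAs.exe'   # assumed location of the tool
if (Test-Path $exe) { & $exe -t; "runAs self-test exit code: $LASTEXITCODE" }
```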

Flowchart
