Tuesday, March 3, 2009

Add RunAs Functionality to Windows Server 2008 for All Users

You may be aware that Windows Server 2008 does not allow you to "Run As a Different User", only "Run As Administrator."

You may also be aware of ShellRunAs, by Sysinternals. ShellRunAs adds command-line RunAs functionality to the context menu of executable programs. Once installed using the command "ShellRunAs /reg", you can right-click any program, select "Run as a different user," and enter the credentials of the user you want to run the program as.

This RunAs functionality allows you to log on to a server with low-level permissions and still run programs that require higher permissions, thereby keeping your server safe and happy.

The only problem with ShellRunAs is that it is a per-user installation. That means that it needs to be "installed" for each user on the server. This is because "ShellRunAs /reg" actually updates the current user's registry hive (HKCU). This can be a real problem for servers where a lot of different people log on, such as a Terminal Server.

So how do you provide this functionality for all users on the server? Read on to find out how.

  • Download ShellRunAs from Sysinternals and extract ShellRunAs.exe to %SystemRoot%\System32

  • Use Notepad to create a reg file called ShellRunAs.reg with the following content:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Classes\lnkfile\Shell\Run as different user...\Command]
@="\"C:\\Windows\\System32\\ShellRunas.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Classes\SystemFileAssociations\.exe\Shell\Run as different user...\Command]
@="\"C:\\Windows\\System32\\ShellRunas.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Classes\SystemFileAssociations\.msc\Shell\Run as different user...\Command]
@="\"C:\\Windows\\System32\\ShellRunas.exe\" \"%1\" %*"

  • Finally, double-click the ShellRunAs.reg file to import it into the registry.

Now right-click an application or program and you will see the new "Run as a different user" menu option. Best of all, it will work for all users on the server without having to register it for each user.
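
To confirm the import on a server, the following PowerShell check (an added example, not part of the original post) reads the three HKLM keys from ShellRunAs.reg, compares each command with the expected string, and reports the Authenticode signature of the ShellRunAs.exe copy in System32. It assumes Windows is installed at C:\Windows, as the reg file does.

```powershell
# Added verification example. Key names and the command string are copied
# from ShellRunAs.reg above; C:\Windows is assumed, as in that file.
$expected = '"C:\Windows\System32\ShellRunas.exe" "%1" %*'
$classes  = 'lnkfile', 'SystemFileAssociations\.exe', 'SystemFileAssociations\.msc'

$report = foreach ($class in $classes) {
    $key    = "HKLM:\Software\Classes\$class\Shell\Run as different user...\Command"
    $actual = $null
    if (Test-Path -LiteralPath $key) {
        # An empty value name reads the key's (Default) value.
        $actual = (Get-Item -LiteralPath $key).GetValue('')
    }
    New-Object PSObject -Property @{
        Class   = $class
        Present = ($null -ne $actual)
        Matches = ($actual -eq $expected)   # case-insensitive string compare
        Command = $actual
    }
}
$report | Format-Table Class, Present, Matches, Command -AutoSize

# The handler is launched from every user's context menu, so confirm the
# binary in System32 still carries a valid signature.
$exe = Join-Path $env:SystemRoot 'System32\ShellRunAs.exe'
if (Test-Path -LiteralPath $exe) {
    $sig = Get-AuthenticodeSignature -FilePath $exe
    "{0}: signature {1}, signer {2}" -f $exe, $sig.Status, $sig.SignerCertificate.Subject
} else {
    "$exe not found"
}

if ($report | Where-Object { -not $_.Matches }) {
    Write-Warning 'At least one context-menu command is missing or differs from ShellRunAs.reg.'
}
```

A row with Present set to True and Matches set to False usually means the reg file was imported with a quoting mistake in its command line.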

Note: When a user selects Run as a different user for the first time, they will have to accept the end user license agreement. This only happens once because the EULA acceptance is written to the HKCU hive for each user.

By the way, this Run as a different user and Run as Administrator functionality is native in Windows Server 2008 R2.

8:51 PM