Julian said:
Hi Jimmy,
In my case the access denied occurs on the Net Share command.
I appreciate the protection from things running things without my permission
but
1. I have runas in the batchfile and I must give it my password - that
should be enough
2. Even though it clearly isn't enough, when it gets to the Net Share, why
don't I get a UAC prompt? why does it just go ahead - and fail?
[I run with Admin rights all the time now as it makes no difference to UAC
for the reasons you outline but at least I can click to continue rather than
having to enter a password each time]
[Incidentally, when I accidentally "ranas" with the wrong user account
("Admin" instead of my username, but obviously an account with Admin rights)
I also got an access denied on running SyncToy (the next line in the batch
file) because it was Julian's app - I think - it doesn't make any sense to me
to block things like this]
I hope someone can answer mikeyhsd's Q about an appropriate switch for COMMAND
Thanks
I am confused - are you or are you not starting the batch file from task
scheduler?
There's no need to use runas when you're using task scheduler - you can
specify using task scheduler what user to run the batch file under - and
by checking the highest privilege box, it will allow the file to use the
admin power.
The reason entering a password into runas isn't good enough for
elevation is because other programs can run this command on your behalf
without your knowledge. The UAC prompt ensures that you are actually the
one performing the action, in such a way that programs can't fake.
The reason task scheduler can do this but runas cant is because task
scheduler is only accessible to administrator programs that have already
prompted, while runas can be used by any program.
Unfortunately, command-line programs don't prompt for admin power
on-demand when they are run (which would make this scenario possible).
They must be ran from a command prompt that you have started with admin
power by right-clicking it and clicking run as administrator. But even
in that case, runas wont work like you want it to (and I don't have a
good reason why this happens, either; one would think it would).
I'm not exactly sure why it was designed that way.
Using runas to run a program under a different account does not elevate
the program to administrator status, even if the user is an
administrator, nor is there any way to cause it to prompt for elevation
that I am aware of.
I highly recommend not using runas for this purpose and instead use the
task scheduler to run the batch file in the context of the account you want.
However, if you must have runas work as you expect it to, you can enable
the built-in administrator account from an elevated command prompt (net
user administrator /active:yes) and then set its password to something.
If you use the runas command to run something in the context of the
built-in administrator account, that program *will* have admin power and
it *will not prompt for permission*.
While this makes things easier, it is less secure than using the task
scheduler, because 1) the admin password is stored in plaintext and 2)
the access permissions on your batch files are less strict than the ones
on the task scheduler, unless you manually modify them.