Application launching using administrator account

• Principles
• Administrator mode
• User mode
• Download and setup
• History
• Call for translators

Principles

• SU.EXE in the Resource Kit NT
• RUNAS.EXE (integrated in Windows since Windows 2000).
• The contextual command "Run as Administrator"

The major problem posed by these tools is that the administrator must be present physically close to the computer of the user, in order to interactively enter its name and password (and if the administrator communicates this information, it is not suitable for the system security).

In particular, neither SU nor RUNAS do allow to integrate into a command administrator password, that must be entered dynamically (with the exception of RUNAS in Windows XP PRO, with the /savecred switch, which allows to remember this password for later execution).

The xrunas.vbs script I wrote overcomes this difficulty, but security is considerably compromised, since the administrator account password will appear clearly in the script.

This is why I developped SUPEREXEC, utility software (written in Delphi 7, then Delphi 2006), which avoids to enter password in real time, while improving the system security.

SUPEREXEC frees this constraint, preparing application launching.
It records in XML file (.XSE extent) following informations (fully encrypted) :

• User account (or users group) – local or global (domain)
• Application name
• Parameters passed to application
• Working folder
• Administrator account and password
• Extra optional parameters :
  • Launching deadline
  • Launching counter

Application launching will be refused if:

• Application is not authorized to user or a group where user is a member.
• A deadline has been defined, and the current date is no longer valid.
• A counter has been defined, and the count is exceeded.

It has even provided the case of disconnected from the network computers (eg "nomads" users). All necessary files are automatically sent by email in the form of unique compressed and enclosed file.

Comments :

• Because of intrinsic network restrictions within Window XP Home Edition, SUPEREXEC is able to work locally only and not remotely within a computer using this system.
• Another workgroup or domain browsing needs some time.
  So it is possible to define network area :
  • local computer only
  • network manual building
  • automatic network building (domain or group local) from a given IP address range.
• • It is possible to select users group account instead of single user account. So allowed applications to this group will be authorized to any account member of this group.
• Selected applications must be located on current computer.
• SUPEREXEC is fully compatible with UAC (User Account Control) in Windows Vista, Windows 7 (and beyond).
• In case of console application (ipconfig, nbtstat, net xxxx, ...), it will be launched using a dynamically created script in order to keep opened window until user closes it.
• With regard to remote computers, SUPEREXEC enables remotely:
  • registry access service
  • administrative shares

SUPEREXEC software contains following files :

SuperExec.exe	main program, for administrators only, intended to plan applications.
RunSE.exe	run time program, for any users, intended to launch applications.
InstSE.exe	setup program for asynchronous mode (sent by email)
SuperExec.cer	authentication certificate.
CAPICOM.dll	Microsoft redistribuable library, used by digital signatures (V 2.1.0.2)
<language code>\SuperExec.lib	localized file. It contains all messages, texts ... in several languages.
<language code>\SuperExec.chm	this help file.
SuperExec.rtf	this document in RTF format
Licence.rtf	license of this software

In order to guarantee their origin, all SuperExec executables (SuperExec.exe, RunSE.exe, InstSE.exe) are certified by a self-signed by the author certificate.
The first time that one of these programms is launched, this opens the following dialog box:

This information can be found in the "Digital Signatures"  tab of properties of executable files.

Applications preparation (administrator mode)

SUPEREXEC works together locally and remotly, so it is possible to manage in the same way local computer  and any workgroup or domain computer. 

SuperExec main window is a dialog box, with a menu and buttons toolbar, and 3 areas (network, applications, log) :

See help compiled file SuperExec.chm
(this file is supplied with software)

Pay special attention  to applications choice! As far as possible You must avoid authorize applications that launch other applications, because they will be launched too with administrator privileges. For example if we authorize commands processor (%systemroot%\system32\CMD.EXE), user will be able to launch any software, script, snappin component, ..., with administrator power.

Applications launching (user mode)

The SuperExec client application (runtime) of SuperExec consists of a main dialogbox  :
 

Each icon represents an application will be run under an administrator account , and in case of Vista and beyond with active UAC (user account control), as an administrator (with elevated privileges).

Right click on one of the icons displays a popup menu with 3 items:

• run
  its action is identical to double-clicking the icon.
  • the application is running as an administrator
• create a shortcut
  • an application shortcut is created:
    • on the current user desktop if user account concerned by SuperExec is an individual account
    • on all users common desktop if account concerned by SuperExec is a users group.
• properties
  Displays a list of the application properties :
  • file path
  • associated executable name (optionally)
  • optional parameters
  • application type (console or windowed application)
  • description
  • working folder
  • optional limitations (deadline and/or launching executions number)
  • administrator account name
  • optional comments

It is also possible to create a shortcut on the desktop by "drag and drop" on the icon.