Application launching using administrator account

Principles

Some applications or different tasks need to be performed with administrator account privileges. However if the current user does not belong to this group, this is impossible. To work around this problem, Microsoft has provided three tools:
The major problem posed by these tools is that the administrator must be present physically close to the computer of the user, in order to interactively enter its name and password (and if the administrator communicates this information, it is not suitable for the system security).

In particular, neither SU nor RUNAS do allow to integrate into a command administrator password, that must be entered dynamically (with the exception of RUNAS in Windows XP PRO, with the /savecred switch, which allows to remember this password for later execution).

The xrunas.vbs script I wrote overcomes this difficulty, but security is considerably compromised, since the administrator account password will appear clearly in the script.

This is why I developped SUPEREXEC, utility software (written in Delphi 7, then Delphi 2006), which avoids to enter password in real time, while improving the system security.

SUPEREXEC is running within following operating systems  :
  • Windows 2000 (Professional and Server)
  • Windows XP (Professional and Home Edition)
  • Windows 2003
  • Windows Vista
  • Windows 2008
  • Windows 7

It does not run within Windows NT4 because some functions (cryptography, process management, network management) are not available.

SUPEREXEC frees this constraint, preparing application launching.
It records in XML file (.XSE extent) following informations (fully encrypted) :

Application launching will be refused if:

On the other hand, SUPEREXEC works remotely, and can manage in the same manner as local any computers members of accessible domain or workgroup.
In this case, all necessary files (XSE files, softwares, certificate, shortcuts on the desktop, …) can be copied on remote computers with a single click .
It has even provided the case of disconnected from the network computers (eg "nomads" users).
All necessary files are automatically sent by email in the form of unique compressed and enclosed file.

Comments :

SUPEREXEC software contains following files :

SuperExec.exe main program, for administrators only, intended to plan applications.
RunSE.exe run time program, for any users, intended to launch applications.
InstSE.exe setup program for asynchronous mode (sent by email)
SuperExec.cer  authentication certificate.
CAPICOM.dll Microsoft redistribuable library, used by digital signatures (V 2.1.0.2)
<language code>\SuperExec.lib localized file. It contains all messages, texts ... in several languages.
<language code>\SuperExec.chm this help file.
SuperExec.rtf this document in RTF format
Licence.rtf license of this software

In order to guarantee their origin, all SuperExec executables (SuperExec.exe, RunSE.exe, InstSE.exe) are certified by a self-signed by the author certificate.
The first time that one of these programms is launched, this opens the following dialog box:

Numeric fingerprint (SHA1) of this certificate must be necessarily equal to :

 1494 3A78 05A3 1D30 2AD4 9635 01E0 79D9 826E 3421

This information can be found in the "Digital Signatures"  tab of properties of executable files.

Applications preparation (administrator mode)

SUPEREXEC works together locally and remotly, so it is possible to manage in the same way local computer  and any workgroup or domain computer. 

SuperExec main window is a dialog box, with a menu and buttons toolbar, and 3 areas (network, applications, log) :

See help compiled file SuperExec.chm
(this file is supplied with software)

Pay special attention  to applications choice!
As far as possible You must avoid authorize applications that launch other applications, because they will be launched too with administrator privileges.
For example if we authorize commands processor (%systemroot%\system32\CMD.EXE), user will be able to launch any software, script, snappin component, ..., with administrator power.

Applications launching (user mode)

The SuperExec client application (runtime) of SuperExec consists of a main dialogbox  :
 

Each icon represents an application will be run under an administrator account , and in case of Vista and beyond with active UAC (user account control), as an administrator (with elevated privileges).

Right click on one of the icons displays a popup menu with 3 items:

It is also possible to create a shortcut on the desktop by "drag and drop" on the icon.

Download and setup

SUPEREXEC is completely free.

It is installed (under an administrator account) from an auto extractable file : installSE.exe
(itself included in a compressed file : installSE43.zip)
All programs, including the Setup program, are currently bilingual french and english.

installSE43.zip 1938 kB

History

Call for translators

All SuperExec executables have been designed to be translated into any language.

All menu items, dialogbox, information or error messageboxes, ..., are stored in a single text file (superexec.lib) located in a subdirectory of one containing executables.

The name of this subdirectory is the corresponding language code in hexadecimal.
E.g. 0409 for English, 040C for French,...
There exists a list of these codes and their meaning in the key:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts

The SuperExec.lib file has the following structure:

The content may contain one or more formal parameters that will be filled by the appropriate values.
These parameters are represented by %s (string) or %u (unsigned integer)

The SuperExec.lib file contains approximately 500 lines.

Currently there are only english and french versions..
I would therefore call for volunteers translators in other languages in order to improve SuperExec deployment.
Thanks in advance... (please contact me)