  1. #1

    Bypass administrator rights with "Runasinvoker"

    Heya lads,

    I installed Windows 10 on my wee cousin's new computer and forgot to make an administrator account for him. So he asked me to change it for him and when I was about to do that, I saw he had already installed Steam, Game Maker Studio 2, Photoshop and a whole bunch of other applications.

    I asked him how he had done that with a regular user account and he showed me this .bat file he made with the following string inside:
    Code:
    cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" "%1""
    He drags onto it whatever .exe requires admin rights, and this basically circumvents authentication.

    I had no idea it was so easy to bypass security. How does one impede others from installing unwanted software on e.g. public computers or whatever? Not that I will ever make use of such functions, but I'm just curious.

    My cousin is 10 by the way. That little rascal is getting smarter by the day.

  2. #2
    AFAIK COMPAT_LAYER=RUNASINVOKER does not give admin rights; it just prevents the UAC prompt. It will not let you install drivers, for instance.

    My guess: Steam etc. is installed in the user directory or another place (not in "Program Files") that does not need admin rights to write to. Not much can be done about that, unless you want to restrict the user to only running certain apps; that can be done with policies or registry edits.

    https://www.howtogeek.com/howto/8739...-in-windows-7/
    Last edited by Amorac; 2017-03-21 at 01:10 PM.
    ~Living is easy with eyes closed, misunderstanding all you see.~
    ~Every damn thing you do in this life, you have to pay for.~

  3. #3
    Quote Originally Posted by Amorac:
    AFAIK COMPAT_LAYER=RUNASINVOKER does not give admin rights; it just prevents the UAC prompt. It will not let you install drivers, for instance.

    My guess: Steam etc. is installed in the user directory or another place (not in "Program Files") that does not need admin rights to write to. Not much can be done about that, unless you want to restrict the user to only running certain apps; that can be done with policies or registry edits.

    https://www.howtogeek.com/howto/8739...-in-windows-7/
    You can install anything anywhere with this .bat file. Seems pretty sloppy to me; there's no way you can do that on a secured Mac, for instance.

  4. #4
    Runas the Invoker sounds like it would make a great WoW NPC

  5. #5
    Quote Originally Posted by nocturnus:
    You can install anything anywhere with this .bat file. Seems pretty sloppy to me; there's no way you can do that on a secured Mac, for instance.
    You don't need the .bat file for that, nor can you install drivers or AV programs, for instance, nor uninstall them (or anything installed in c:\program files\ or similar).

    Run the installer for Chrome, for instance, as a normal user. It asks for admin rights; cancel that and it then asks to install in the user directory.

    Pretty much, only programs that don't need access to Windows files/kernel space/drivers/etc. can be installed.

    Look at it this way: now you don't have to go over to your family just to install whatever program they want. They can do it without causing damage to the OS. At worst they damage the user profile.

    How is it different from, say, anything from http://portableapps.com?
    Last edited by Amorac; 2017-03-21 at 01:23 PM.

  6. #6
    Quote Originally Posted by Amorac:
    You don't need the .bat file for that, nor can you install drivers or AV programs, for instance, nor uninstall them (or anything installed in c:\program files\ or similar).

    Run the installer for Chrome, for instance, as a normal user. It asks for admin rights; cancel that and it then asks to install in the user directory.

    Pretty much, only programs that don't need access to Windows files/kernel space/drivers/etc. can be installed.

    Look at it this way: now you don't have to go over to your family just to install whatever program they want. They can do it without causing damage to the OS. At worst they damage the user profile.

    How is it different from, say, anything from http://portableapps.com?
    Oh, I was just curious. The kid's perfectly capable of installing anything he needs. I just bought the Windows 10 licence.

    I just tried it though and you can install apps on the C: drive. How do companies keep their Windows PCs clean? What if you don't want users to install things? There surely is a way to impede this, right?

  7. #7
    Quote Originally Posted by nocturnus:
    Oh, I was just curious. The kid's perfectly capable of installing anything he needs. I just bought the Windows 10 licence.

    I just tried it though and you can install apps on the C: drive.
    Now try uninstalling a program that is installed by an admin.

    Quote Originally Posted by nocturnus:
    How do companies keep their Windows PCs clean? What if you don't want users to install things? There surely is a way to impede this, right?
    Yes, by setting policies, mostly. We used to set it so that only apps we approved could run. Took a lot of effort though, especially if new programs were needed that were a bit more complex. What harm does it really do if they install Chrome or Notepad++?

    A lot of paranoia, really. We used to restrict access to the internet as well. For what purpose? So people don't surf the web on the boss's time? Good luck with that these days with everybody having a smartphone. For preventing viruses? Non-admin users are pretty safe from that, and blocking access doesn't prevent infection either (found that out the "hard" way).

    These days we just don't bother. As long as users are not admins they cannot harm the machine. Installing software is not allowed, of course, so if needed we can point that out to users and, in the worst case, to their manager.

    As said, they can't install stuff that is harmful to the PC, nor remove programs or disable services for that matter.

    And really, if they want to do something illegal (or something that can harm the company), restricting them is not going to stop them, especially with the "bring your own device" mantra slowly becoming a bigger thing.

  8. #8
    Quote Originally Posted by nocturnus:

    I asked him how he had done that with a regular user account and he showed me this .bat file he made with the following string inside:
    Code:
    cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" "%1""
    He drags onto it whatever .exe requires admin rights, and this basically circumvents authentication.

    I had no idea it was so easy to bypass security. How does one impede others from installing unwanted software on e.g. public computers or whatever? Not that I will ever make use of such functions, but I'm just curious.
    Here's what Microsoft has to say about that:
    https://blogs.msdn.microsoft.com/old...17-00/?p=94735


    Actually, RunAsInvoker is a secret, even lower UAC setting.

    What RunAsInvoker does is to ignore any elevation request in the application's manifest and treat the manifest as if it had said

    <requestedExecutionLevel level="asInvoker" uiAccess="false" />
    which is the default behavior. The program simply runs with the same privileges as the code that launched it. There is no attempt to elevate.

    This means that if you run the program from an elevated command prompt, then the program stays elevated. If you run the program from a non-elevated command prompt, then the program stays non-elevated.

    Try it. Make sure RegEdit is not already running, then open a non-elevated command prompt and set __COMPAT_LAYER=RunAsInvoker, and then run regedit from that command prompt. The resulting copy of RegEdit is running without administrator privileges. You can see this by trying to edit something in HKLM.

    While it's true that RunAsInvoker suppresses UAC prompts, that's true because RunAsInvoker doesn't perform any elevation. If you aren't performing any elevation, then naturally you don't need an elevation prompt. If the resulting process is elevated, then it means that the calling process was already elevated. You were already on the other side of the airtight hatchway.


    So no elevation done here, although it's hard to restrict someone with physical access to the machine from getting there.
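    To check the quoted explanation on your own machine, here is an added PowerShell probe (not from the thread or the blog post; it assumes Windows PowerShell 5.1 and a constructed registry key name). It launches a child PowerShell with __COMPAT_LAYER set to RunAsInvoker, has the child report whether its token is elevated and whether it can create a key under HKLM, and prints the parent's elevation next to it. From a standard prompt both report not elevated and the HKLM write is denied; from an elevated prompt both are elevated, which is exactly the "you were already on the other side" point.

```powershell
# Added example (not from the thread): __COMPAT_LAYER=RunAsInvoker elevates nothing.
# A child launched with it inherits the launcher's token, so it is elevated only if
# the launching shell already was.
function Test-Elevated {
    # True only when the current token carries an enabled Administrators group,
    # i.e. the process was actually elevated through UAC.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal($id)).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Script the child runs: report its own elevation and try to create a key under
# HKLM, which only an elevated token may write. The key name is constructed.
$childScript = @'
$id   = [Security.Principal.WindowsIdentity]::GetCurrent()
$elev = (New-Object Security.Principal.WindowsPrincipal($id)).IsInRole(
            [Security.Principal.WindowsBuiltInRole]::Administrator)
$probe = 'HKLM:\SOFTWARE\RunAsInvokerProbe'
try   { New-Item -Path $probe -ErrorAction Stop | Out-Null
        Remove-Item -Path $probe -ErrorAction SilentlyContinue
        $hklm = 'writable' }
catch { $hklm = 'denied' }
"child:  user=$($id.Name) compat=$env:__COMPAT_LAYER elevated=$elev hklm=$hklm"
'@

function Invoke-RunAsInvokerProbe {
    # Set the compat layer only for processes spawned from this session.
    $saved = $env:__COMPAT_LAYER
    $env:__COMPAT_LAYER = 'RunAsInvoker'
    try {
        # -EncodedCommand avoids quoting differences between PowerShell versions.
        $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($childScript))
        "parent: elevated=$(Test-Elevated)"
        & powershell.exe -NoProfile -NonInteractive -EncodedCommand $encoded
    }
    finally { $env:__COMPAT_LAYER = $saved }
}

Invoke-RunAsInvokerProbe
```

    The child's elevated flag always matches the parent's; the environment variable changes only whether a manifest's elevation request is honoured, never what token the new process gets.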

  9. #9
    Quote Originally Posted by StarGazer91:
    We already had a Runas ;_; Don't you 'member?
    We have two Hakars!

  10. #10
    Quote Originally Posted by StarGazer91:
    We already had a Runas ;_; Don't you 'member?
    Never forget Runas.

    2016-2016

    Good night, Sweet Prince
    You were taken too soon.

  11. #11
    Quote Originally Posted by Amorac:
    Now try uninstalling a program that is installed by an admin.

    Yes, by setting policies, mostly. We used to set it so that only apps we approved could run. Took a lot of effort though, especially if new programs were needed that were a bit more complex. What harm does it really do if they install Chrome or Notepad++?

    A lot of paranoia, really. We used to restrict access to the internet as well. For what purpose? So people don't surf the web on the boss's time? Good luck with that these days with everybody having a smartphone. For preventing viruses? Non-admin users are pretty safe from that, and blocking access doesn't prevent infection either (found that out the "hard" way).

    These days we just don't bother. As long as users are not admins they cannot harm the machine. Installing software is not allowed, of course, so if needed we can point that out to users and, in the worst case, to their manager.

    As said, they can't install stuff that is harmful to the PC, nor remove programs or disable services for that matter.

    And really, if they want to do something illegal (or something that can harm the company), restricting them is not going to stop them, especially with the "bring your own device" mantra slowly becoming a bigger thing.
    You make very good points. It just doesn't make any sense that you can't easily impede regular users from doing stuff like installing applications without spending a week on setting up policies.

  12. #12
    Well, it could be "easily" done by blocking programs named install or setup, etc. However, if it is only name-based, renaming them circumvents it. Best would be hash-based, but you would need every installer hash to be known, and to update it for every new version. Good luck with that.

    And sometimes you want users to be able to run (a) setup program(s). Some installed programs run a setup when the user starts them for the first time, or at logon.

    To be honest, it has been a "problem" since developers noticed you can install in c:\documents and settings\ or c:\users (mostly AppData, I guess) and portable apps became a thing. Setting up rights on those directories could be a way to prevent it, and/or setting registry rights, even for HKCU. But then you run into things like Virtual Appliances as well.

    But if you look at it, most programs don't even need to be installed anyway. (Look at WoW: just copy the game folder from one PC to another and it works.)

    Blocking installers is just not going to stop people from running programs. Programs that don't work like that either copy DLL files to places they shouldn't in the first place or set up registry keys (WoW does as well but does not rely on those).

    The biggest problem, really, though, is programs with big license costs, but those, AFAIK, only allow themselves to be installed in c:\program files.
    Last edited by Amorac; 2017-03-22 at 09:08 AM.
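    The "only approved apps can run" policy from #7 and the name-versus-hash tradeoff discussed just above, as an added PowerShell example that is not from the thread. It assumes the AppLocker module (Enterprise/Education or Server SKUs), an elevated prompt, the Application Identity service running, and constructed file paths: publisher rules cover future versions of signed software without re-hashing, unsigned files fall back to hash rules, the policy starts in audit mode so first-run setups and per-user apps show up in the event log before anything is blocked, and the last step shows what the policy would decide for an installer sitting in the user profile.

```powershell
# Added example (not from the thread): build an AppLocker allow-list from what is
# already installed in admin-only locations, audit first, then test a candidate file.
Import-Module AppLocker

$trustedDirs = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'
$policyPath  = Join-Path $env:TEMP 'applocker-audit.xml'     # constructed output path

# Collect signature and hash information for executables, MSIs and scripts.
$files = foreach ($dir in $trustedDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, WindowsInstaller, Script
}

# Publisher rules where a signature exists, hash rules otherwise. -Optimize merges
# files that share a publisher/product into one rule, which is what keeps the
# rule set maintainable compared with a per-installer hash list.
[xml]$policy = $files |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# AuditOnly: rule collections log what they would have blocked instead of blocking,
# so gaps surface in the AppLocker event log before enforcement is switched on.
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save($policyPath)

# Apply to the local machine; -Merge keeps any rules that already exist.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# What would the policy decide for an installer dropped in the user profile?
# Anything not under the trusted directories matches no rule and is denied,
# whatever the file is called. The candidate path is a constructed example.
$candidate = Join-Path $env:LOCALAPPDATA 'Temp\setup.exe'
if (Test-Path $candidate) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $candidate -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}
```

    Renaming the installer does not change the outcome, since the decision is made on the file's signature or hash rather than its name; switch the collections to Enabled once the audit log stops showing legitimate software.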

  13. #13
    Quote Originally Posted by Amorac:
    The biggest problem, really, though, is programs with big license costs, but those, AFAIK, only allow themselves to be installed in c:\program files.
    You can install anything (except drivers and apps that actually require admin rights) in c:\program files with invoker rights though.

    I would probably just set everyone up with admin rights and have the PC load up a fresh image every time it's turned on. This is what they used to do at the VU. It's funny that Mac manages to do things so easily where Windows struggles.
    Last edited by nocturnus; 2017-03-22 at 09:06 AM.

  14. #14
    I'm more confused that your cousin can make that sort of batch file but can't set up a Windows account?

  15. #15
    Quote Originally Posted by nocturnus:
    You can install anything (except drivers and apps that actually require admin rights) in c:\program files with invoker rights though.
    That's something new then, users should not have write/modify rights on c:\program files. Or something is wrong with the setup.

    Anyway, I don't think OS X is safe here either. There is no difference between installing an app and then running it, as opposed to running portable apps or a Virtual Appliance. So being able to install something is pretty much a non-issue these days.

  16. #16
    Quote Originally Posted by nitr0x11:
    I'm more confused that your cousin can make that sort of batch file but can't set up a Windows account?
    Who said he can't?

    Quote Originally Posted by Amorac:
    That's something new then, users should not have write/modify rights on c:\program files. Or something is wrong with the setup.

    Anyway, I don't think OS X is safe here either. There is no difference between installing an app and then running it, as opposed to running portable apps or a Virtual Appliance. So being able to install something is pretty much a non-issue these days.
    Well, I'm not an expert. I'm just the physician that calls IT whenever he can't get into his mail.

    On a more serious note; I like to fiddle around as a hobby, but have very shallow OS knowledge especially when it boils down to security or advanced administration. I don't get past gpedit.msc

    Thanks for your insight mate!
    Last edited by nocturnus; 2017-03-22 at 09:28 AM.

  17. #17
    wait wait wait...


    if only one account was created during the installation process, then that account technically becomes the admin account and there is no way around that.


    Or am I incorrect? It has been ages since I installed an OS.

  18. #18
    Quote Originally Posted by wowaccounttom:
    wait wait wait...

    if only one account was created during the installation process, then that account technically becomes the admin account and there is no way around that.

    Or am I incorrect? It has been ages since I installed an OS.
    You're correct.

  19. #19
    Quote Originally Posted by nocturnus:
    You're correct.
    So your cousin's account is the admin one and he is not bypassing anything.

  20. #20
    Quote Originally Posted by wowaccounttom:
    So your cousin's account is the admin one and he is not bypassing anything.
    Or, the first user account is admin (for himself) and Nocturnus made a second non-admin user account and forgot to make a third account for his cousin with admin rights. Like he said, "and forgot to make an administrator account for him".

    (Never log on to a computer with a full admin account for day to day tasks is the basis for better security)
