runas is a command used to run applications under a different user account and with different permissions. The application runs as the specified user instead of the current, logged-in user. Runas was first provided with the Windows Vista operating system and later adopted by all modern Windows operating systems like Windows XP, Windows 7, Windows 8, Windows 10, Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows Server 2016, Windows Server 2019.
When using runas, prefer less privileged accounts in order to restrict permissions and prevent security vulnerabilities. One of the most popular use cases for the runas command is running commands and tools with Administrator privileges as a regular user.
runas Command Syntax
The runas command has the following syntax, where OPTION, USER and APPLICATION are used.
runas OPTION USER APPLICATION
- OPTIONS are used to provide different behavior for the runas command. The OPTION is explained in detail below.
- USER is the user account and privilege where the APPLICATION will be executed. USER parameter is provided as
- APPLICATION is the application that will be executed with the provided USER privileges and given OPTIONS. This application can be a binary, executable, command, or script.
runas Command Options
The runas command provides the following options or parameters to change its behavior.
| Option | Description |
|---|---|
| /profile | Load user profile. This parameter cannot be used with the /netonly parameter. |
| /noprofile | Do not load the user profile. Makes execution faster. |
| /env | Specify the network environment differently than the user. |
| /netonly | Indicates that the user information specified is for remote access only. This parameter cannot be used with the /profile parameter. |
| /savecred | Save provided user credentials. This parameter cannot be used with the /smartcard parameter. |
| /smartcard | Provide credentials from a smartcard. This parameter cannot be used with the /savecred parameter. |
| /showtrustlevels | Displays the trust levels that can be used as arguments to /trustlevel. |
| /trustlevel | Set the trust level for the application. Use /showtrustlevels to see the trust levels available. |
| /user:<UserAccountName> "<ProgramName> <PathToProgramFile>" | Specify the user name |
| /? | Displays help information |
Display runas Help Information
Help information about the runas command can be displayed with the /? option like below. This help information also provides some usage examples.
C:\Users\ismail>runas /?
RUNAS USAGE:

RUNAS [ [/noprofile | /profile] [/env] [/savecred | /netonly] ]
        /user:<UserName> program

RUNAS [ [/noprofile | /profile] [/env] [/savecred] ]
        /smartcard [/user:<UserName>] program

RUNAS /trustlevel:<TrustLevel> program

   /noprofile        specifies that the user's profile should not be loaded.
                     This causes the application to load more quickly, but
                     can cause some applications to malfunction.
   /profile          specifies that the user's profile should be loaded.
                     This is the default.
   /env              to use current environment instead of user's.
   /netonly          use if the credentials specified are for remote
                     access only.
   /savecred         to use credentials previously saved by the user.
   /smartcard        use if the credentials are to be supplied from a
                     smartcard.
   /user             <UserName> should be in form USER@DOMAIN or DOMAIN\USER
   /showtrustlevels  displays the trust levels that can be used as arguments
                     to /trustlevel.
   /trustlevel       <Level> should be one of levels enumerated
                     in /showtrustlevels.
   program           command line for EXE. See below for examples

Examples:
> runas /noprofile /user:mymachine\administrator cmd
> runas /profile /env /user:mydomain\admin "mmc %windir%\system32\dsa.msc"
> runas /env /user:user@domain.microsoft.com "notepad \"my file.txt\""

NOTE: Enter user's password only when prompted.
NOTE: /profile is not compatible with /netonly.
NOTE: /savecred is not compatible with /smartcard.
Run Application with Different User Account
We will start with a simple example where we run an application as a different user. We will provide the /user option for the user ismail. We will also specify the application or executable we want to run. Scripts can be executed in the same way.
> runas /user:ismail cmd.exe
When we execute this command we are asked for the password of the specified user, which is ismail in this example. Everything happens on the command line, and the typed password is not displayed, which is a security measure. Complete information about the user is also shown, such as the user domain, which here is a local account.
C:\>runas /user:ismail cmd.exe
Enter the password for ismail:
Attempting to start cmd.exe as user "DESKTOP-HQVAMA3\ismail" ...
Below you can find different examples of the runas command. Using double quotes is very useful for commands that contain spaces and extra parameters.
> runas /user:ahmet cmd.exe
> runas /user:ismail C:\Users\ismail\Downloads\python-3.8.5-amd64
> runas /user:ismail "C:\Users\ismail\Downloads\python-3.8.5-amd64"
> runas /user:ismail "C:\Windows\System32\cmd.exe"
> runas /user:ismail "notepad.exe C:\Users\ismail\Desktop\file.txt"
If you use the runas command frequently for the same users, typing the credentials or passwords again and again is a tedious task. You can save the credentials or passwords once and use them multiple times without typing them again. To do so, provide the /savecred option, which saves the credentials or passwords for the current user so that later runs do not request the password for this user.
> runas /user:ahmet /savecred cmd.exe
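Credentials saved with /savecred are kept in Windows Credential Manager, and any program running as the current user can reuse them through runas /savecred to start any other program as that account without a prompt. The PowerShell below is an added example, not part of the original article: it parses cmdkey /list output and reports the entries that runas created. The function name Get-RunasSavedCredential, the sample text and the "interactive=" target pattern it matches are assumptions of this example.

```powershell
# Added example: list credentials that "runas /savecred" stored for the
# current user. Function name and sample text are constructed for this page.
function Get-RunasSavedCredential {
    param(
        # Lines of "cmdkey /list" output; defaults to running the live command.
        [string[]]$CmdkeyOutput = (cmdkey.exe /list)
    )
    $entry = $null
    foreach ($line in $CmdkeyOutput) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            # Every "Target:" line starts a new stored credential entry.
            $entry = [ordered]@{ Target = $Matches[1]; Type = ''; User = '' }
        }
        elseif ($entry -and $line -match '^\s*Type:\s*(.+?)\s*$') {
            $entry.Type = $Matches[1]
        }
        elseif ($entry -and $line -match '^\s*User:\s*(.+?)\s*$') {
            $entry.User = $Matches[1]
            # Assumption: entries written by runas /savecred carry an
            # "interactive=" target, as in the constructed sample below.
            if ($entry.Target -match 'interactive=') {
                [pscustomobject]$entry
            }
            $entry = $null
        }
    }
}

# Constructed sample of "cmdkey /list" output so the parser runs offline.
$sample = @'
Currently stored credentials:

    Target: Domain:interactive=DESKTOP-HQVAMA3\ahmet
    Type: Domain Password
    User: DESKTOP-HQVAMA3\ahmet

    Target: LegacyGeneric:target=git:https://example.invalid
    Type: Generic
    User: someone
'@ -split '\r?\n'

# Only the first entry is reported; the generic one is not a runas credential.
Get-RunasSavedCredential -CmdkeyOutput $sample | Format-Table -AutoSize

# On a live system, call Get-RunasSavedCredential with no arguments, review
# the result, and remove an entry that is no longer needed with:
#   cmdkey /delete:<Target>
```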
Runas Without User Profile
By default, the profile of the user specified for runas is loaded to execute the provided command. The user profile is simply the user configuration, environment variables, etc. Loading it creates some workload, which makes the runas command a bit slower. With the /noprofile option this can be disabled: the user profile will not be loaded and the current user profile will be used.
> runas /user:ahmet /noprofile cmd.exe
Use Current User Environment
The /env option can be used to keep the current user environment even though the command is executed with the specified user's privileges.
> runas /user:ahmet /env cmd.exe
Run Application with Domain Account
We can also use the runas command in a domain or Active Directory environment. We can run an executable or application with a different domain account. We will just add the domain name and domain account name. In the following example, we will run the cmd.exe with the windowstect domain and user
C:\>runas /user:windowstect\ismail cmd.exe
Enter the password for ismail:
Attempting to start cmd.exe as user "windowstect\ismail" ...
It can also be used to run applications with the privileges of users from other domains without logging out and logging in again as a different domain user. Just provide the other domain and the user name, as with the current domain account information.
Run Application Local Administrator Account
The administrator account is the highest level account with all privileges in the current system. A local administrator account is the administrator account of the local system which is not related to a domain. A local administrator account can be used to install applications and change configuration by using the runas command.
C:\>runas /user:Administrator Chrome.exe
Enter the password for Administrator:
Attempting to start Chrome.exe as user "Administrator" ...
Run Application Domain Administrator Account
The Domain Administrator account is used to administer and manage the domain with the highest level of privileges. The domain administrator account can be used to install applications and change the local and domain-wide configuration. The domain administrator account consists of a domain name and
C:\>runas /user:windowstect\Administrator Chrome.exe
Enter the password for Administrator:
Attempting to start Chrome.exe as user "windowstect\Administrator" ...
RunAs From File Explorer or GUI
The runas mechanism can also be used from the graphical user interface in File Explorer. We can run different applications and executables with different user privileges and accounts. This can be especially useful to install applications with an administrator account without logging in to the administrator user account. To do this, right-click the executable while pressing the SHIFT key, which will open the menu like below. Click Run as different user to specify the user account we want to execute in.
We will see the following screen where it requests the user privileges like username and password to run the specified executable.
Popular Run As Command Examples
In this part, we will provide some useful and popular commands which can be used with the runas.
# Start the cmd.exe or MS-DOS with administrator privileges
> runas /noprofile /user:mypc\administrator cmd.exe
# Open the MMC without logging in as Administrator
> runas /profile /env /user:mydomain\admin "mmc %windir%\system32\dsa.msc"
# Open the myfile.txt as different user with notepad.exe
> runas /user:[email protected] "notepad C:\myfile.txt"
# Open Registry or regedit
> runas /user:administrator regedit
# Shutdown the system
> runas /user:administrator /savecred "shutdown /i"
Runas Command Errors
While using the runas command, some errors can occur. For example, if the provided password is wrong or the provided user account does not exist, the "1326: The user name or password is incorrect." error is returned.
C:\>runas /user:Administrator cmd.exe
Enter the password for Administrator:
Attempting to start cmd.exe as user "DESKTOP-HQVAMA3\Administrator" ...
RUNAS ERROR: Unable to run - cmd.exe
1326: The user name or password is incorrect.
Also, the runas command does not work with empty passwords, so the user should have a password that is not empty. If the user has an empty password you will get the "1327: Logon failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced" error. As the message shows, this error can also occur because of logon hour restrictions, policy restrictions, etc.
C:\>runas /user:ismail cmd .exe
Enter the password for ismail:
Attempting to start cmd as user "ABC\ismail" ...
RUNAS ERROR: Unable to run - cmd
1327: Logon failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced.