RunAsRob command line arguments, registry values, Group Policy options and the differences to RunAsSpc

RunAsSpc is on the market since 2005 and RunAsRob is a further development, on the market since 2012.
RunAsSpc is very popular with its option to run an application as different user. Application and user login information can pass in plain text or encrypted. RunAsSpc is portable including the file with encrypted credentials.

RunAsRob can do much more with its 4 program parts and different possibilities to run a specific program with special rights. Depend on the solution you need, each option has its advantages.

1. The part RunAsAdmin login as administrator run an application as administrator from a standard user account with own profile of the user.
   Because the user will be a temporary member with its own account of the group administrators for the start of the authorized program, he keeps his setting in the application.
2. The possibility RunAsAdmin login as system run an application under system account. This specific local system account with no user profile has more privileges than an administrator.
   By this option you can also bypass the UAC and you have got access to system resources you don't have with an administrator account.
3. The part RunAsService run a program as service automatically with the highest privileges without a user must be logged on and without any user interaction.
4. RunAsRob the part for encrypted files can call a specific application under another user account from an encrypted file and is portable.

Comparison table with characteristics of RunAsSpc and the four parts RunAsRob

---

RunAsSpc

• run program as different user
• portable
• can directly use on command line like the command runas, but with credentials as an argument
• encrypted credentials can used. AES 256
• encrypted file can created by command line or graphical user interface

Recommended use:
Sending an encrypted file with credential of an administrator and the task you must delegate to a user which has no administrator rights
or you need a second login session for a program as administrator or any other user account on the same desktop, without entering credentials.

---

RunAsRob the part with encrypted file

• run program as another user
• portable
• encrypted credentials are used. AES 256
• encrypted file is created by graphical user interface
• can also run a program under system account (not portable option because the service of RunAsRob must be installed)
• can also run a program with own account of a standard user as a member of the group administrators (not portable option because the service of RunAsRob must be installed)

Recommended use:
Sending an encrypted file with credential of an administrator and the task you must delegate to a user which has no administrator rights
or you need a second login session for a program as administrator or any other user account on the same desktop, without entering credentials.

---

RunAsRob part RunAsService

• run program as service under system account with highest privileges, even more rights than an administrator
• application start with each system boot without a user is logged in
• application running in background as service, so interaction of the program with the user isn't possible.
• no saved credentials needed because system account is used and authorization is managed by registry
• Bypass the UAC
• Not portable option because RunAsRob Service must be installed
• System account is not a full user account, it has no password, no profile and no user registry for application settings

Recommended use:
Regularly background jobs like monitoring, backup, file scans, copy jobs, computer and software checks.

---

RunAsRob part RunAsAdmin logon as system

• start a program from user under system account with highest privileges, even more rights than an administrator
• complete folders and files with wildcard asterisk * can be authorized if necessary
• no saved credentials needed because system account is used and authorization is managed by registry
• Bypass the UAC dialog
• Not portable option because RunAsRob Service must be installed
• System account is not a full user account, it has no password, no profile and no user registry for application settings

Recommended use:
Installation of applications, patches, drivers, updates from a standard user account with no administrator rights.
Allow a limited user to do settings on the system for network, hardware, software,... normally you must be an administrator.

---

RunAsRob part RunAsAdmin logon as administrator

• run program as administrator with own account and its environment of the standard user. The user will be a temporarily member of the group administrators, only for this authorized application
• complete folders and files with wildcard asterisk * can be authorized if necessary
• no saved credentials needed own user account is used and authorization is managed by registry
• Not portable option because RunAsRob Service must be installed

Recommended use:
If own settings of the user are needed in the program. In the launched application the user keeps his enviromnent of his printers, mapped drives, application settings, NTFS and network rights.

---

Command line arguments of RunasRob:

• Installation commands
  >> runasrob.exe /install <<
  >> runasrob.exe /uninstall <<
  
• To create an encrypted file.
  Open the configuration window of RunAsRob for encrypted files by double click to runasrob.exe or call it with option /configure
  >> runasrob.exe /configure <<
• To run a encrypted file over runasrob.exe use the option /cryptfile
  >> runasrob.exe /cryptfile: “c:\path\yourcryptfile.xus”<<
  or drag and drop the encrypted file over runasrob.exe.
• For a call without status messages use the switch /quiet
  >> runasrob.exe /install /quiet <<
  >> runasrob.exe /cryptfile: “c:\path\yourcryptfile.xus” /quiet <<
• To set folders, its applications can be launch with administrator rights or allow only a specific application.
  Install runasrob with option /allowedpath, followed by the allowed folders or applications. Semicolon separated to allow more than one folder or application.
  >> runasrob.exe /install /allowedpath:c:\program files\folder1\;\\server\share\folder2\;c:\windows\system32\regedt32.exe <<
• To run applications from this allowed folder
  drag and drop the application.exe over runasrob.exe
  or use the following call >> runasrob.exe c:\allowedFolder\applicaton.exe <<
  This can be done by command line, batch file, shortcut or any other way.
• An advanced optional switch are /assystem or /asadmin.
  /assystem -> The allowed application is running under service account with elevated admin rights.
  /asadmin -> After the user enter his credentials he will be member of the local administrator group for this application which is running under his own account.
  >> runasrob.exe /install /allowedpath:"\\server\share1\setup.exe;\\server\share2\;C:\windows\system32\regedt32.exe /asadmin;C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe /assystem" <<
• To configure an application or script to start it permanently as service use the option /servicemode: followed by the application
  >> runasrob.exe /install /servicemode:c:\test\yourScript.cmd <<
• You can combine the arguments of RunasRob like the following example
  >> runasrob.exe /install /quiet /servicemode:"c:\system\monitoring.exe" /allowedpath:"\\server\share\folder2\;c:\windows\system32\regedt32.exe /asadmin" <<
• Create encrypted files by command line are possible with RunAsSpc.exe. This files are also readable with RunAsRob.exe
  runasspc.exe /cryptfile:"crypt.spc" /program:"C:\WINDOWS\system32\calc.exe" /domain:"localhost" /user:"administrator" /password:"password"

---

Registry values and Group Policy options:

Edit the Registry Key of RunAsRob:
HKEY_LOCAL_MACHINE\SOFTWARE\RunasRob

Here you configure the values AllowedPath, ServiceMode, LogonFlag directly or over central group policy in a domain.
Changes will take effect after restart of service RunasRob
Warning, serious problems might occur if you change the registry incorrectly.

By Group Policy in a domain you can manage this settings central.
runasadminen.html#Bygrouppolicy > > >

---

FAQ:

• Tools running from Windows XP to Windows 11, Windows Server 2012 to 2022.
• 64 Bit and 32 Bit Version included.
• The restriction of the free version for private use is the start-up window with the license information,
  which appears at random intervals, even if you set the switch /quiet.
• Bypass the UAC dialog is possible by the logon option as system in RunAsAdmin
  or via the default built in account >> administrator << in an encrypted file and the logon option as another user.
• Program is not run as administrator.
  Your application, command, batch file or script doesn't request elevated privileges on an UAC activated system.
  The solution is to request elevated privileges for a non-privileged application
  like an older program, any command, a batch file or any other script
  is possible
  - by using the logon option as system in RunAsAdmin,
  - using my free tool RunElevated,
  - using the built in account >> administrator <<
  - or by changing the settings of the UAC.
• Open File security warning for files from network disappear after you accept RunAsSpc as known application by uncheck the box:
  >> Always ask before opening this file <<
  or go to file properties and set Unblock in security area
  >> this file came from another computer... <<
• Environment variables are supported. Example windir >> %windir%\system32\regedt32.exe\CompMgmtLauncher.exe <<
• Wildcards can set as authorized path. Example: >> *\updates\powershellversion*.exe <<.
• Authorize only a specific user or group to run a an application.
  This can be achieved over folder permissions to the program file, encrypted file or the folder.
• Program arguments are working. If passing arguments are not working, because quotation marks or complex arguments are not accepted in RunasRob.
  Workaround of this problem is a one line batch file with your call of the application.exe include all arguments.
  Run this one line batch file over RunasRob.
  
• Errors Codes.
  The most errors are system errors forwarded and returned from RunAsRob to user.
  This system error codes are explained by Microsoft on
  https://msdn.microsoft.com/en-us/library/ms681381.aspx

---

Contact:

For any suggestions, errors, questions, specific requirements or adjustments please contact:
runas@robotronic.net

---

License:

RunAsRob is only free for private use.
For companies and other organisations we deliver a licensed version, registered to the organisation name.
Order RunasRob >>>

Download RunasRob >>>

---

Date: 2023-02-09

Data protection

Imprint