Hello Kay,

Maybe I don't fully understand the purpose of SuRun or it isn't working for my test machines. My main goal is to give the ability to a selected non-admin user to change the BitLocker PIN code on the computer (manage-bde.exe -changepin c:). But it looks like I can't run any program with Administrator privileges with a non-admin user.

I tested on 2 different computers with the same results. I joined my domain user to the SuRunners local group. It appears in the SuRun setup panel as well (the install new hardware option is greyed out). This user is not a member of the local Administrators group (standard, non-admin user). I logged in with this non-admin domain user and I tried the "Start as Administrator" option on notepad.exe. SuRun asked for the user password, then notepad started. But I cannot manage to save text files to any location where this user does not have the rights to write.
Then I tried to run Process Explorer with the "Start as Administrator" option (I ticked the option to not ask me for pwd for this app) and as you can see in the linked image, SuRun tells me that the program is started with elevated rights, but as you can see it is not.



I tried 1.2.0.9 and 1.2.1.0 beta as well.
Is there a problem on my computers, or do I misunderstand the concept of SuRun (I can give the ability to non-admin users to run apps with admin rights through the SYSTEM local user)?

Thanks!

Usually ProcExp should be started with real Administrator rights.
I just tested that on my laptop and it works in Win7 x32 with a UAC Admin account and a limited account.

I guess a HIPS/Antivir (McAfee?) is blocking SuRun from using CreateProcessAsUser.

I tried it on a clean Win7 x32 install (no McAfee), without joining it to our domain, and it works just fine. After joining it to the domain it only works with user accounts joined to the administrators local group. With a non-admin user it is still not working. There is no error or warning in the event viewer, only 7 info entries (attached the full log file):
- A member was added to a security-enabled local group.
- A logon was attempted using explicit credentials.
- An account was successfully logged on.
- An account was successfully logged on. (Logon GUID 0000... - zero characters)
- Special privileges assigned to new logon.
- An account was logged off.
- A member was removed from a security-enabled local group.

This info revealed the method that SuRun uses to give admin rights to a user, but I have no idea what could be the problem. Maybe SuRun doesn't reset the Kerberos ticket for the user: http://www.petri.co.il/forums/showthread.php?t=35112
But SuRun logged in with a new session id, so it should be reset.

Do you have any idea how I can debug this problem?
I will try to deactivate the group policies we have on this machine for further testing.

Thanks!

I just tried SuRun with a Win7 x32 with Win2003 server as PDC in a VM Domain and that works here.

I have no idea what could be the problem.
If you use a SuRun Beta, DebugView would show SuRun's error log.
Maybe this shows something more.
If you could get me to a point where I could reproduce your scenario, I could fix that behavior.

I figured it out!

I don't know why our administrator configured this policy like this... but if a user (or user's sec.group) is added to the "Act as part of the operating system" group policy (Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment) then SuRun fails to run programs for this user with administrator rights.

Thanks for the support!
This program is just great! =)
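
The check below is an added example, not part of the thread and not SuRun code: it lists which accounts the effective local policy grants "Act as part of the operating system" (constant name SeTcbPrivilege), the setting identified in the last post. It assumes an elevated PowerShell prompt; the scratch file name under %TEMP% is an arbitrary choice.

```powershell
# Export only the User Rights Assignment area of the effective local policy.
$cfg = Join-Path $env:TEMP 'user_rights_export.inf'   # scratch file (assumed name)
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# The export contains a line "SeTcbPrivilege = ..." only if at least one
# account holds the right; the line is absent when nobody is assigned.
$entry = Select-String -Path $cfg -Pattern '^\s*SeTcbPrivilege\s*=' |
         Select-Object -First 1
Remove-Item $cfg -Force

if (-not $entry) {
    'SeTcbPrivilege: no accounts assigned'
}
else {
    # Right-hand side is a comma-separated list of holders.
    $holders = ($entry.Line -split '=', 2)[1] -split ',' |
               ForEach-Object { $_.Trim() } |
               Where-Object { $_ }

    foreach ($h in $holders) {
        if ($h.StartsWith('*')) {
            # secedit writes SIDs with a leading '*'; resolve them to names.
            $sid = New-Object System.Security.Principal.SecurityIdentifier($h.TrimStart('*'))
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = '(unresolved SID)' }
            [pscustomobject]@{ Right = 'SeTcbPrivilege'; Sid = $sid.Value; Account = $name }
        }
        else {
            # Some entries are exported as plain account names.
            [pscustomobject]@{ Right = 'SeTcbPrivilege'; Sid = ''; Account = $h }
        }
    }
}
```

On a domain-joined machine the exported value reflects Group Policy as applied, so any user or security group listed here has to be changed in the GPO that sets it rather than in the local policy editor.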