Author Topic: Windows CMD line admin escalation  (Read 10082 times)

Base10

    Windows CMD line admin escalation
    « on: August 22, 2017, 06:40:40 AM »

    Hi there,

    Firstly I hope this question is in the right section.  Sorry if it's not.  It's in regards to the cmd line in cmd prompt, not PowerShell.  When I type
    Quote
    runas /user:<localmachinename>\administrator cmd
      I get the password prompt and input my password and it comes up
    Quote
    RUNAS ERROR: Unable to run - cmd
    1326: The user name or password is incorrect.

    I locked the screen and tried my password just to make sure and it works but the above won't for some reason.  I'm doing this at home on my own machine.  I don't know why this is.  When I go to cmd prompt and right click on it and select run as admin it works fine. 

    Just to say I am putting the name as my own machine name in the above section <localmachinename>

    Any ideas????

    Thanks in advance :)

    DaveLembke



    Re: Windows CMD line admin escalation
    « Reply #1 on: August 22, 2017, 06:51:44 AM »
    Thinking your issue isn't that it's the wrong password but that you're invoking it with incorrect syntax. Here is the help for runas, and between what you have and what is in help you can see some differences. If you conform to proper syntax I think your issue will go away and it will work. The message about incorrect password I believe is because your syntax is incorrect and it's the default message for that syntax problem.

    This is from example in help. Help is below to show all as quoted from my Windows 7 64-bit system:
    runas /noprofile /user:mymachine\administrator cmd



    Quote
    C:\Users\AX4>runas /?
    RUNAS USAGE:

    RUNAS [ [/noprofile | /profile] [/env] [/savecred | /netonly] ]
            /user:<UserName> program

    RUNAS [ [/noprofile | /profile] [/env] [/savecred] ]
            /smartcard [/user:<UserName>] program

    RUNAS /trustlevel:<TrustLevel> program

       /noprofile        specifies that the user's profile should not be loaded.
                         This causes the application to load more quickly, but
                         can cause some applications to malfunction.
       /profile          specifies that the user's profile should be loaded.
                         This is the default.
       /env              to use current environment instead of user's.
       /netonly          use if the credentials specified are for remote
                         access only.
       /savecred         to use credentials previously saved by the user.
                         This option is not available on Windows 7 Home or Windows 7
     Starter Editions
                         and will be ignored.
       /smartcard        use if the credentials are to be supplied from a
                         smartcard.
       /user             <UserName> should be in form USER@DOMAIN or DOMAIN\USER
       /showtrustlevels  displays the trust levels that can be used as arguments
                         to /trustlevel.
       /trustlevel       <Level> should be one of levels enumerated
                         in /showtrustlevels.
       program         command line for EXE.  See below for examples

    Examples:
    > runas /noprofile /user:mymachine\administrator cmd
    > runas /profile /env /user:mydomain\admin "mmc %windir%\system32\dsa.msc"
    > runas /env /user:user@domain.microsoft.com "notepad \"my file.txt\""

    NOTE:  Enter user's password only when prompted.
    NOTE:  /profile is not compatible with /netonly.
    NOTE:  /savecred is not compatible with /smartcard.

    Base10

      Re: Windows CMD line admin escalation
      « Reply #2 on: August 22, 2017, 07:53:09 AM »
      Thanks for getting back to me Dave. 

      When I run
      Quote
      runas /noprofile /user:mymachine\administrator cmd

      I still get

      Quote
      RUNAS ERROR: Unable to run - cmd
      1326: The user name or password is incorrect.

      I know the password is 100% correct, so I think your idea about the syntax must be the way forward.  Just trying to get it to work.

      I'm just using it in a batch file for running ipconfig /flushdns and netsh commands but need admin priv for the latter of the two.  I know it sounds a bit lazy but it's just so that I can double click it without having to right click and run as admin.  It also means without right clicking I can give the batch file to run as extra privacy/security to someone else not as computer literate.  Just so they can just double click it like a normal file.

      Anyhoo any other ideas?  I'm going to keep trying anyway.  If I get it working before I hear from yourself or anyone else I'll post here the correct working syntax.

      Cheers :)

      Thanks Dave!!

      patio

      Re: Windows CMD line admin escalation
      « Reply #3 on: August 22, 2017, 07:57:13 AM »
      Quote
      NOTE:  Enter user's password only when prompted.
      " Anyone who goes to a psychiatrist should have his head examined. "

      BC_Programmer


      Re: Windows CMD line admin escalation
      « Reply #4 on: August 22, 2017, 11:32:42 AM »
      The administrator account is locked by default.

      Aside from that, runas cannot be used to run software with an elevated access token anyway.
      I was trying to dereference Null Pointers before it was cool.

      Base10

        Re: Windows CMD line admin escalation
        « Reply #5 on: August 22, 2017, 06:42:53 PM »
        Hey BC,

        It's a Win7 machine that was upgraded to Win10 Pro when I bought it.

        When trying to run the malicious software removal tool it says that it has been disabled by the administrator.  I right click on it to run as admin and it still won't let me despite me being admin.

        Can you explain why it can be used for elevated access.  Why is the syntax there for access to admin through cli if it won't work?  I'm just trying to use it to open up a cmd prompt with admin for a batch file I'm creating (as earlier post).

        I was going to reset the admin password in computer management and just reset it to mine.  Would this be a bad idea??  If that worked BC, are you still saying that I can't use it in cmd prompt syntax to make it open a cmd window with admin rights?

        Thanks

        Thanks

        BC_Programmer


        Re: Windows CMD line admin escalation
        « Reply #6 on: August 22, 2017, 07:10:48 PM »
        Quote
        When trying to run the malicious software removal tool it says that it has been disabled by the administrator.  I right click on it to run as admin and it still won't let me despite me being admin.

        Disabled by an administrator means that a group policy is in effect or some other domain restriction. It doesn't mean that it will work if you run as admin. This is a separate issue and could mean the system is infected.

        Quote
        Can you explain why it can be used for elevated access.  Why is the syntax there for access to admin through cli if it won't work?

        runas is from Windows 2000; it was not updated to handle token elevation via UAC. The best case scenario, if all the passwords are correct and the accounts are set to be able to be logged in, would be an error that the requested operation requires elevation.

        While the older runas command prompt utility doesn't work for this, PowerShell does have this capability.

        Running:
        Code:
        powershell Start-Process cmd.exe -Verb runAs
        in a non-elevated command prompt will show the UAC elevation prompt and then run cmd with full permissions.

        Slightly worthwhile sidebar: "Run As Administrator" implies that it is running under the "Administrator" account, which can cause some confusion (e.g. but my user is an admin account!) but if your user is already an administrator, it actually means "Run with my full security token". For example, if I run a program normally, it is being run by the user BC_Programming. If I run it as administrator, it's still being run by the user BC_Programming. The difference is that when running normally, the process isn't given full permissions; it cannot write to the Program Files or Windows directories, for example. And when running as admin it doesn't strip the security token and gets all the same permissions as my full user account, which is a local admin.
        I was trying to dereference Null Pointers before it was cool.
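
A self-elevating batch file for the double-click use case discussed in this thread, as an added example that is not part of any poster's reply: it checks whether its token is elevated and, if not, relaunches itself through the `Start-Process -Verb RunAs` call shown in Reply #6. The `whoami`-based check and the sample `netsh` command are assumptions chosen for illustration.

```batch
@echo off
rem Added example, not from the thread: a batch file that elevates itself via UAC.
setlocal

rem An elevated process carries the High Mandatory Level SID (S-1-16-12288)
rem in its token; a filtered (non-elevated) administrator token does not.
whoami /groups | findstr /c:"S-1-16-12288" >nul
if errorlevel 1 (
    echo Not elevated as %USERNAME%; requesting elevation through UAC...
    rem Relaunch this same file with the full token. Assumes the script path
    rem contains no single quote, which would end the PowerShell string early.
    powershell -NoProfile -Command "Start-Process -FilePath '%~f0' -Verb RunAs"
    rem If the UAC prompt is declined nothing is relaunched; exit either way.
    exit /b 1
)

rem The elevated copy starts in the System32 folder; return to the script folder.
cd /d "%~dp0"

rem For an administrator account this is the same user name as before,
rem now running with the unfiltered token.
echo Running elevated as %USERNAME%

ipconfig /flushdns

rem Assumed sample of a netsh command that needs elevation; substitute your own.
netsh interface ip delete arpcache

pause
endlocal
```

The person double-clicking still has to approve the UAC prompt, and a standard user is asked for an administrator's credentials; the script does not store or bypass them.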

        Base10

          Re: Windows CMD line admin escalation
          « Reply #7 on: August 24, 2017, 04:11:13 AM »
          Thanks Guys!

          I see what you mean BC. I can see the difference in profiles.  (Don't know where my head was at with this one lol)  However, I still can't access the MRT.  I've run scans and I'm not infected.

          Is there any other way that I can get this to work?  I know my profile password won't work as the real admin password.  But I don't know what the administrator profile password is.

          As I was saying I bought this from a site that sells ex work machines that have been refurbished. 

          Have you ever reset the password for the actual administrator profile through computer management console?

          OFF TOPIC - In Win10 if you create a folder on your desktop called Everything.{ED7BA470-8E54-465E-825C-99712043E01C}  It creates an icon on the desktop that has all of the menus for everything in one place.  Not sure if it works on other win versions but just wanted to quickly mention it in case anyone reading doesn't know about it.

          Cheers!

          DaveLembke



          Re: Windows CMD line admin escalation
          « Reply #8 on: August 24, 2017, 06:28:16 AM »
          Quote
          I bought this from a site that sells ex work machines that have been refurbished.

          Looks like your option at this point might be to clean build that system yourself possibly and ditch whatever group policy and other junk came along with the refurb image that they likely built this from before they sold it. Use the key that the system has which should have come with the system; if not known, you can use magical jelly bean to find it. Then install the OS clean and use the key that you see with www.magicaljellybean.com. I had to assist a client with a refurb clean build where the key was unknown and magical jellybean showed it to write it down before wiping the drive.

          You would need a Windows 10 installation media to install the OS clean to the drive and then use your key, and hopefully it's a legit version of Windows 10 and not a cracked version. If it's cracked then it won't work and you will need to buy a new key.

          Base10

            Re: Windows CMD line admin escalation
            « Reply #9 on: August 24, 2017, 03:35:22 PM »
            Hey there,

            Thanks guys for all the help on this one, that turned out to be me going off on one and becoming more than one.  Cheers Dave, BC!

            I think you might be right on this one Dave.  I stripped off the admin pwrd then booted in and reset, restarted and accessed the actual Administrators account.  Even the actual admin account, not my own user profile with admin rights, could not even open the MRT. 

            I've been looking at the group policy and the entries between my profile and admin profile seem different.  I checked online and there was a forum on link https://www.tenforums.com/antivirus-firewalls-system-security/89924-malicious-removal-tool-mrt-blocked-system-administrator.html

            It was going on about the same MRT probs and it was group policy.  I think it may possibly have to be rebuilt to fix the errors.  Might be that it would have to be attached to whatever domain controller passed through gpupdates or something.

            Is there any way that it could be that an update to Win10 Pro over 7 could mess with the group profiles?  Like if it was disconnected and changed from domain to workgroup then Win 10 updated over the 7 installation, and possibly a corruption has happened.

            We could go on lol.  Anyway thanks guys for all the input. 

            Oh Dave I downloaded that link to the magical jelly bean, thanks!

            I can live with it just now though.  This all started after trying to write a simple batch file that would open with elevated privileges haha.  How to open a can of worms eh.  I've got another two laptops sitting here, so if any issues I can use them, if I have to do a rebuild on this one.

            Thanks again!! :)