Programming Field

Runas - DOS/Command Prompt Reference

[Windows 2000 or later] Launches a program as a different user.

Syntax

runas[.exe] [[/noprofile | /profile] [/env] [/savecred | /netonly]]
    /user:<user-name> <program>
runas[.exe] [[/noprofile | /profile] [/env] [/savecred]]
    /smartcard [/user:<user-name>] <program>
runas[.exe] /trustlevel:<level> <program>
runas[.exe] /showtrustlevels

Options

/noprofile [Windows Vista or later] Prevents the loading of the specified user's profile. If the profile is not loaded, the startup time may be shortened, but not loading the profile means that, for example, the HKEY_CURRENT_USER registry defaults will be used. As a result, programs dependent on user settings may exhibit unintended behavior.
/profile

Launches the program by loading the profile of the specified user.

[Windows Vista or later] If /noprofile is not specified, the user's profile is loaded (default behavior), so specifying /profile is not necessary.

[Windows XP or earlier] If /profile is not specified, the user's profile is not loaded. See also the notes in the /noprofile section.

/env Executes by inheriting the execution environment (environment variables) from the current environment. By default, a new environment corresponding to the user is created and launched. This is useful when you want to inherit environment variables set in the current environment. However, caution is needed when launching programs that depend on variables such as USERPROFILE, as user-specific settings in those variables will also be inherited.
/savecred [Windows Vista or later] Attempts to log the user in with credentials stored on the system (the information necessary for login, such as passwords). If no credentials are saved, the password prompt appears just as when /savecred is not specified. If authentication then succeeds, the credentials are saved, and the password input can be omitted the next time /savecred is used.
/netonly

Uses the credentials of the specified user for network access (remote access) rather than for the program itself. When using /netonly, it does not perform a login with the specified user locally, so you can launch the program with a username that cannot log in locally. However, since the credentials are used when performing operations on network files, it is necessary to use a user whose credentials are valid for network access.

Note that /netonly cannot be used in conjunction with /profile or /savecred.

/user:<user-name> Specifies the username. <user-name> takes the form ‘Domain\Username’ or ‘Username@Domain’. If ‘Domain’ is omitted in the first format, a user on the local system is used.
/smartcard [Windows Vista or later] Specify this option to read the user's credentials from a smart card. If this option is specified, the /user option can be omitted.
<program>

Specifies the name of the program to be executed or the command line. When specifying a command line, it must be enclosed in double quotation marks (" ") (if you want to include double quotation marks in the command line, use ‘\"’).

* Unlike the Start command, the command line must begin with the executable file.

/trustlevel:<level> <program>

[Windows Vista or later] Launches the program at the specified trust level. The <level> can be the following values (numeric values starting with 0x).

Value     Name           Meaning
0x10000   CONSTRAINED    Restrictions stricter than 0x20000 are applied; for example, the program loses the ability to access specific resources.
0x20000   NORMALUSER     The program is executed as a ‘standard user’ without administrator privileges.
0x40000   FULLYTRUSTED   The program is executed with the user's permissions as they are (without restricting the user's permissions).

* The above values correspond to the Level IDs that can be specified for the Safer API. Therefore, specifying values like ‘0’ (DISALLOWED) or ‘0x1000’ (UNTRUSTED) is possible, but the restrictions may be too severe, making it impossible for the program to run.
* During normal program execution without using /trustlevel, the default value set in the ‘Security Level’ of the Software Restriction Policies (SRP) is used.

/showtrustlevels [Windows Vista or later] Outputs a list of values that can be specified with /trustlevel. However, in practice, the values mentioned above can be used.
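
The following Python check is an added example, not part of the original reference. It applies the option rules above (the /netonly restriction, /savecred, /env, the /trustlevel table and the quoting rule for <program>) to runas command lines collected from scripts or process-creation logs. The function names, finding labels and sample lines are assumptions made for this example.

```python
# Level IDs and names copied from the /trustlevel table on this page.
TRUST_LEVELS = {0x10000: "CONSTRAINED", 0x20000: "NORMALUSER", 0x40000: "FULLYTRUSTED"}

def parse_runas(cmdline):
    """Return (options, program) or None; option values with spaces are not handled."""
    exe, _, rest = cmdline.strip().partition(" ")
    if exe.lower() not in ("runas", "runas.exe"):
        return None
    opts, rest = {}, rest.lstrip()
    while rest.startswith("/"):          # options come before <program>
        token, _, rest = rest.partition(" ")
        name, _, value = token[1:].partition(":")
        opts[name.lower()] = value
        rest = rest.lstrip()
    return opts, rest

def audit_runas(cmdline):
    """Return a list of review findings for one runas command line."""
    parsed = parse_runas(cmdline)
    if parsed is None:
        return []
    opts, program = parsed
    findings = []
    if "netonly" in opts and ("profile" in opts or "savecred" in opts):
        findings.append("INVALID: /netonly combined with /profile or /savecred")
    if "savecred" in opts:
        findings.append("REVIEW: /savecred logs in with stored credentials")
    if "env" in opts:
        findings.append("REVIEW: /env inherits caller variables such as USERPROFILE")
    if "trustlevel" in opts:
        try:
            name = TRUST_LEVELS.get(int(opts["trustlevel"], 16))
        except ValueError:
            name = None
        findings.append(f"INFO: trust level {name}" if name
                        else "REVIEW: trust level outside the documented table")
    quoted = program.startswith('"') and program.endswith('"') and len(program) > 1
    if " " in program and not quoted:
        findings.append("INVALID: command line with arguments is not double-quoted")
    return findings

if __name__ == "__main__":
    # Constructed sample command lines, not taken from real logs.
    for line in ('runas /user:myoperator "myprog.exe C:\\Users\\myoperator\\Documents\\note.txt"',
                 "runas /netonly /savecred /user:CORP\\svc app.exe",
                 "runas /trustlevel:0x1000 UnsafeApp.exe"):
        print(line, "->", audit_runas(line))
```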

Details

Usage of Runas

By using Runas, you can run a program as a user different from the login user. In most cases, it is used to launch a program as a user with higher privileges than the login user, such as an administrator.

When specifying a user, you cannot provide the password from the command line. Using redirection or pipes will not allow you to provide input, and if input is required, you must enter it interactively on the prompt.

[Windows Vista or later] While Runas allows you to run a program with a different user, it does not perform elevation of privileges through UAC. Therefore, specifying a user with administrator privileges in Runas may not work correctly due to insufficient permissions (See Sample 2 for reference).

Samples

Sample 1

runas /user:myoperator "myprog.exe C:\Users\myoperator\Documents\note.txt"

Executes ‘myprog.exe’ with the user ‘myoperator’ and the parameter ‘C:\Users\myoperator\Documents\note.txt’.

Sample 2

runas /user:Administrator "powershell Start-Process cmd.exe -Verb runas"

[Windows Vista or later] Launch the Command Prompt as the ‘Administrator’ user (equivalent to the command-line version of ‘Run as Administrator’), ensuring elevation of privileges through UAC during this process. (In PowerShell, ‘Start-Process’ allows specifying a Verb, and by executing the ‘runas’ Verb for an EXE file, you can perform privilege elevation.) Since Runas alone cannot elevate privileges, elevation is achieved by combining Runas with a PowerShell command.

Sample 3

runas /trustlevel:0x20000 UnsafeApp.exe

[Windows Vista or later] Run ‘UnsafeApp.exe’ with the current user's permissions set to the standard user level. This is useful when the current user has administrator privileges, but you want to run a program without utilizing administrator privileges for that specific program.