An “Encrypted RunAs” implementation solves a critical Windows security flaw: the built-in runas /savecred command stores passwords insecurely in the Windows Credential Manager, allowing standard users to hijack those credentials for unauthorized tools. An Encrypted RunAs tool seals target credentials and the authorized application into a secure, encrypted shortcut or data file, ensuring users can execute a specific program with elevated rights without ever knowing or abusing the password.
This guide details how to implement Encrypted RunAs natively via PowerShell or using dedicated administrative utilities like Robotronic RunAsSpc.

Option 1: Native Windows Implementation via PowerShell

You can natively create an encrypted password file that is bound to the designated computer, so the launcher script can rebuild the credential without the password ever appearing in clear text.

Step 1: Generate the Encrypted Password File
Log into the target machine as an Administrator, open PowerShell, and run the following commands to export the password securely:

```powershell
# Prompt for the target execution account credentials
$Credential = Get-Credential
# Export the password as a DPAPI-protected string (no -Key is given, so the
# protection is bound to this machine and to the account running the command)
$Credential.Password | ConvertFrom-SecureString | Out-File "C:\ProgramData\AppLauncher\encrypted_pass.txt"
```
Note: Without a -Key parameter, ConvertFrom-SecureString protects the string with the Windows Data Protection API (DPAPI), so the file cannot be decrypted if copied to a different computer. DPAPI also scopes the protection to the user account that created the file, so the launcher script must run under that same account for ConvertTo-SecureString to succeed.

Step 2: Build the Secure Launch Script
Create a launcher script (e.g., LaunchApp.ps1). It reads the encrypted string, rebuilds the credential object, and opens the program:

```powershell
# Define the runtime parameters
$Username = ".\AdminAccount"   # Local account; use "DOMAIN\AdminAccount" for a domain account
$EncryptedPassPath = "C:\ProgramData\AppLauncher\encrypted_pass.txt"
$TargetProgram = "C:\Path\To\YourApplication.exe"
# Reconstruct the secure credential object from the DPAPI-protected string
$EncryptedPass = Get-Content $EncryptedPassPath | ConvertTo-SecureString
$BespokeCred = New-Object System.Management.Automation.PSCredential($Username, $EncryptedPass)
# Spawn the process under the elevated account, loading that account's profile
Start-Process -FilePath $TargetProgram -Credential $BespokeCred -LoadUserProfile
```

Step 3: Package into an Executable (Optional)
Standard users can still read the LaunchApp.ps1 script to see what application it points to. To make tampering with the file path harder, convert the .ps1 file into a compiled .exe using tools like the native IExpress utility or the PS2EXE module. Note that this is obfuscation rather than protection: the compiled wrapper still embeds the script text, so the NTFS permissions described in the checklist remain the real control.

Option 2: Third-Party Utility Implementation (RunAsSpc)
If you require advanced security safeguards—such as CRC/Checksum checking to ensure a user hasn’t replaced your authorized program with a malicious file—using a professional utility like RunAsSpc is recommended.
[Admin Interface] ──(Encrypts Creds + App Path)──> [.spc Cryptfile] ──> [Standard User Clicks Shortcut] ──> [App Runs Elevated]

Step 1: Configure the Cryptfile
Download and open RunAsSpcAdmin.exe on your administrative machine.
In the Application field, specify the absolute path of the executable the user needs to run.
Input the Username, Domain, and Password of the elevated account.
Enable Check Checksum / CRC to prevent binary swapping attacks.
Click Save Crypt File to generate an encrypted .spc data file (e.g., launch.spc).

Step 2: Deploy to Client Machines

Copy both the client runtime engine (runasspc.exe) and your encrypted configuration file (launch.spc) onto the user’s computer.

Step 3: Create the User Shortcut
Create a standard Windows shortcut on the user’s desktop pointing to the engine and the cryptfile:
```
C:\Path\To\runasspc.exe /cryptfile:"C:\Path\To\launch.spc" /quiet
```

The /quiet switch hides the console window, giving the standard user a seamless startup experience.

Critical Security Checklist
Lock Down File Permissions: Restrict write access to your encrypted password text or .spc configuration files. Standard users must only have Read & Execute permissions to prevent them from deleting or corrupting the configuration.
Avoid Network Shares: Always run the encrypted file locally. Network connections are vulnerable to Man-in-the-Middle (MitM) alterations.
Audit Target Applications: Never use an Encrypted RunAs tool to launch programs that feature built-in “Open” or “Save As” file dialogs (such as Notepad) or an interactive shell (such as Command Prompt). Standard users can easily abuse those elevated dialog windows to browse the file system with full administrative privileges.
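As an added example (not code from the original post or from Wingnut Software), here is the Option 1 launcher hardened with the two controls the checklist and RunAsSpc call for: a pinned SHA256 of the authorized program, and a refusal to run if the password file or the program is writable by anyone other than SYSTEM and Administrators. The account name, paths and pinned hash are placeholders.

```powershell
# Added example (not from the original post): a hardened variant of the native launcher that
# refuses to run if the config or target binary is writable by non-admins, or if the binary's
# hash no longer matches. Placeholders (not from the page): account name, paths, pinned SHA256.
$Username          = '.\AdminAccount'                          # or 'DOMAIN\AdminAccount'
$EncryptedPassPath = 'C:\ProgramData\AppLauncher\encrypted_pass.txt'
$TargetProgram     = 'C:\Path\To\YourApplication.exe'
$ExpectedSha256    = '<PINNED-SHA256-OF-AUTHORIZED-EXE>'       # record this at deployment time

function Test-AuthorizedBinary {
    # Mirrors the RunAsSpc checksum option: a swapped binary will not match the pinned hash.
    param([string]$Path, [string]$Expected)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    return ($actual -eq $Expected.ToUpperInvariant())
}

function Test-NotWritableByNonAdmins {
    # Fails if any Allow ACE grants write, delete or permission-change rights to a principal
    # other than SYSTEM or the local Administrators group.
    param([string]$Path)
    $trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    $r = [System.Security.AccessControl.FileSystemRights]
    $writeMask = [int]($r::Write -bor $r::Delete -bor $r::ChangePermissions -bor $r::TakeOwnership)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $hasWrite = ([int]$ace.FileSystemRights -band $writeMask) -ne 0
        if ($hasWrite -and ($trusted -notcontains $ace.IdentityReference.Value)) { return $false }
    }
    return $true
}

# Order matters: confirm neither file is writable by non-admins before trusting the hash check,
# otherwise a writable target could be swapped right after it was hashed.
foreach ($f in @($EncryptedPassPath, $TargetProgram)) {
    if (-not (Test-NotWritableByNonAdmins $f)) { Write-Error "Writable by non-admins: $f"; exit 1 }
}
if (-not (Test-AuthorizedBinary $TargetProgram $ExpectedSha256)) {
    Write-Error "SHA256 mismatch for $TargetProgram; refusing to launch"; exit 1
}
# DPAPI-protected string: decrypts only on this machine, for the account that created it.
$EncryptedPass = Get-Content -LiteralPath $EncryptedPassPath | ConvertTo-SecureString
$Cred = New-Object System.Management.Automation.PSCredential($Username, $EncryptedPass)
Start-Process -FilePath $TargetProgram -Credential $Cred -LoadUserProfile
```

The permission check covers only the two files, so lock down the containing directories as well. Pin the hash by running Get-FileHash on the authorized binary at deployment time and pasting the result into the placeholder.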
Wingnut Software – Useful tools for administrators