Introduction
Many times in the past I have had to use my domain machine on the client’s domain. Usually the client domain credentials can just be cached by Windows when you access a server via remote desktop or use a UNC share path. However sometimes you need to run a local application using the non-local domain credentials. A possbile example would be the client has a proxy that authenticates against the domain, and you need to run your Slack desktop client with authentication for the domain.
RunAs
Enter RunAs which is a CMD application to do just that. Using the /netonly switch you can run a local exe in the context of the non-local domain credentials.
The batch file could look something like this:
runas /netonly /user:domain\jonathan.counihan "C:\Users\jonathan.counihan\AppData\Local\slack\Update.exe --processStart slack.exe"Using the /netonly switch indicates we wish to only authenticate for remote access only, and this switch cannot be used with /savecred.
Therefore the only downside of RunAs (which is actually a security feature) is that you cannot cache your credentials, nor can you pipe them from a batch file or similar.
PowerShell to the rescue!
RunAsHelper
Since PowerShell is effectively just a shell wrapper for .NET classes, we have full access to all C# namespaces and functions. We can use this ability to write our own wrapper of CreateProcessWithLogonW Windows API function. This class can then be embedded in our PowerShell script and compiled on the fly using the Add-Type cmdlet.
The full PowerShell script (named startSlack.ps1) looks like this:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
<#
Script to run Slack using the RunAs Win API
#>
$Command = "C:\Users\jonathan.counihan\AppData\Local\slack\slack.exe"
$Domain = "domain"
$Username = "jonathan.counihan"
$password = "mypassword"
$source = @"
using System;
using System.Runtime.InteropServices;
namespace RunAsUtils
{
[Flags]
public enum LogonFlags
{
LOGON = 0,
LOGON_WITH_PROFILE = 1,
LOGON_NETCREDENTIALS_ONLY = 2
}
public class Utils
{
public const UInt32 Infinite = 0xffffffff;
public const Int32 Startf_UseStdHandles = 0x00000100;
public const Int32 StdOutputHandle = -11;
public const Int32 StdErrorHandle = -12;
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)]
public struct StartupInfo
{
public int cb;
public String reserved;
public String desktop;
public String title;
public int x;
public int y;
public int xSize;
public int ySize;
public int xCountChars;
public int yCountChars;
public int fillAttribute;
public int flags;
public UInt16 showWindow;
public UInt16 reserved2;
public byte reserved3;
public IntPtr stdInput;
public IntPtr stdOutput;
public IntPtr stdError;
}
public struct ProcessInformation
{
public IntPtr process;
public IntPtr thread;
public int processId;
public int threadId;
}
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool CreateProcessWithLogonW(
String userName,
String domain,
String password,
UInt32 logonFlags,
String applicationName,
String commandLine,
UInt32 creationFlags,
UInt32 environment,
String currentDirectory,
ref StartupInfo startupInfo,
out ProcessInformation processInformation);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetExitCodeProcess(IntPtr process, ref UInt32 exitCode);
[DllImport("Kernel32.dll", SetLastError = true)]
public static extern UInt32 WaitForSingleObject(IntPtr handle, UInt32 milliseconds);
[DllImport("Kernel32.dll", SetLastError = true)]
public static extern IntPtr GetStdHandle(IntPtr handle);
[DllImport("Kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
}
public static class RunAsHelper
{
private static bool logToConsole = false;
public static bool LogToConsole
{
get
{
return logToConsole;
}
set
{
logToConsole = value;
}
}
public static void RunApplication(string command, string domain, string user, string password,
LogonFlags logonFlag = LogonFlags.LOGON, string currentDirectory = "")
{
Utils.StartupInfo startupInfo = new Utils.StartupInfo();
startupInfo.reserved = null;
startupInfo.flags &= Utils.Startf_UseStdHandles;
startupInfo.stdOutput = (IntPtr)Utils.StdOutputHandle;
startupInfo.stdError = (IntPtr)Utils.StdErrorHandle;
UInt32 exitCode = 1000;
Utils.ProcessInformation ProcessInfo = new Utils.ProcessInformation();
if (string.IsNullOrEmpty(currentDirectory))
{
currentDirectory = System.IO.Directory.GetCurrentDirectory();
}
try
{
Utils.CreateProcessWithLogonW(
user,
domain,
password,
(UInt32)logonFlag,
command,
command,
(UInt32)0,
(UInt32)0,
currentDirectory,
ref startupInfo,
out ProcessInfo);
}
catch (Exception e)
{
if (LogToConsole)
{
Console.WriteLine(e.ToString());
}
}
if (LogToConsole)
{
Console.WriteLine("Running {0} as {1}\\{2} in {3}...", command, domain, user, currentDirectory);
}
Utils.WaitForSingleObject(ProcessInfo.process, Utils.Infinite);
Utils.GetExitCodeProcess(ProcessInfo.process, ref exitCode);
if (LogToConsole)
{
Console.WriteLine("Exit code: {0}", exitCode);
}
Utils.CloseHandle(ProcessInfo.process);
Utils.CloseHandle(ProcessInfo.thread);
}
}
}
"@;
$Assem = ("System.Runtime.InteropServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a?)
Add-Type -ReferencedAssemblies $Assem -TypeDefinition $Source -Language CSharp
[RunAsUtils.RunAsHelper]::RunApplication($Command, $Domain, $Username, $Password, [RunAsUtils.LogonFlags]::LOGON_NETCREDENTIALS_ONLY)
The important bit is the use of the LOGON_NETCREDENTIALS_ONLY value for the LogonFlags parameter which mimics the /netonly switch of RunAs.
As explained in the documentation, the key point is:
This value can be used to create a process that uses a different set of credentials locally than it does remotely. This is useful in inter-domain scenarios where there is no trust relationship.
If you find that you need this class frequently you can add this definition to your PowerShell profile, and it will be added each time you start the ISE or a shell. Note that due to the way .Net loads assemblies it will not be unloaded until you restart the shell or ISE session, which can make re-compilation tricky.
Making it easy
In Windows, double clicking a shortcut or an exe is much easier than firing up a shell each time you need to access an application. And the batch file for RunAs was just as easy.
Therefore we need to make our PowerShell solution just as easy. Fortunately the PowerShell.exe supports a number of command line parameters:
@ECHO OFF
PowerShell.exe -NoProfile -ExecutionPolicy Bypass -NonInteractive -WindowStyle Hidden -File "startSlack.ps1"Double clicking the batch file now pop-ups a CMD window which disappears as the application is launched.
For the eagle eyed (and more security conscious) reader, you will have noticed that the password is stored in clear text in the script. PowerShell also offers the ability to cache encrypted credentials in a text file or similar, allowing the benefit of using RunAs without compromising security.
As an exercise to the reader, you can try to implement this feature.
Happy Scripting!
References
- RunAs
- CreateProcessWithLogonW function
- How to call CreateProcessWithLogonW & CreateProcessAsUser in .NET
- Add-Type
- PowerShell.exe Command-Line Help
- How to Use a Batch File to Make PowerShell Scripts Easier to Run
This post was originally published on Entelect’s internal Tech Blog, Yoda.
