4

Is it possible to detect if an application is opened with the runas command?

And how can I detect which user is used?

runas /netonly /user:DOM\usr "C:\App.exe"
Jason Aller
  • 3,475
  • 28
  • 40
  • 37
Tim
  • 131
  • 1
  • 1
  • 4
  • Check if this work for you [Run AS](http://stackoverflow.com/questions/11660184/c-sharp-check-if-run-as-administrator) – Nitesh Shaw Jul 15 '16 at 07:57

1 Answers1

3

You can check for the user that is running the application, using

System.Security.Principal.WindowsIdentity.GetCurrent()

Note that using /netonly, there is no way to get the supplied credentials on a local process. The LSA takes care of that, and as far as I know, you just can't do it from your local process.

There are some good explanations on why on this link , but the why basically comes down to: while the credentials you supply are stored, they are not even checked until you do any kind of remote authentication (using SSPI), and those are checked only on the actual remote computer.

You can even do:

runas /netonly /user:FAKE\fake something.exe

And the credentials will not even be checked... so you basically don't get an auth token till you do the remote auth

Only solution I can see is trying to run a remote process which will return the user credentials.

Jcl
  • 26,466
  • 5
  • 58
  • 85
  • No, this gives not the user DOM\usr. – Tim Jul 15 '16 at 08:04
  • @Tim yep, i missed the `/netonly`, see my update... I don't think there's a way to do it – Jcl Jul 15 '16 at 08:05
  • Still this must be possible. In my application i tested it with ServerManager.OpenRemote(ServerName). This method is capable to detect the user. – Tim Jul 15 '16 at 08:27
  • Yes, if it uses SSPI it'll request a token on the remote computer using the credentials you supplied: you could then figure out the user on the remote computer and return it back to the local, but this needs to be done on the remote computer, not on the local process (again, as far as I know) – Jcl Jul 15 '16 at 08:30