Runas in another Windows terminal session

Solution 1

Like Harry Johnston suggested in a comment you can do this using the psexec tool available on TechNet. I've tried it using a Windows 2008 Server running Terminal Services and managed to start various applications in another users session (although not calc.exe - it started but minimized and the window refused to restore), among them cmd.exe.

The command I used was psexec.exe -i 3 cmd.exe where 3 is the session number (that you can get from qwinsta.exe).

Example: Remote session, logged on as Administrator; using qwinsta to enumerate sessions and psexec to start cmd.exe on another session.

Another session: logged on as Patrick, with the cmd.exe window on the desktop opened by Administrator (which the window title reveals too).

Solution 2

There is a commandline tool and it’s called RunInSession. You need to specify at least the SessionId in which you want to launch the process and which process you want to launch. Optional is servername if you want to launch on a remote server. If you run it without parameters a dialog with possible parameters is shown:

Currently supported OS versions are Windows XP, 2003, Vista and 2008.

The program needs to run in the context of the Localsystem user, therefore it temporarily installs itself as service and start itself. With the WTSQueryUserToken it obtains the Primary User token of the requested Terminal Session. Finally the process is launched with CreateProcessAsUser and the service deletes itself.

More details:

• How to launch a process in a Terminal Session
• Launching an interactive process from Windows Service in Windows Vista and later

Solution 3

Its kind of an hack, but its very useful to me. Way more faster than psexec.exe in my environment.

Just create a temporary task in a remote computer, for a specific user or group, run it, than delete the task.

I created a powershell script for it:

param (
    [string]$Computer = ($env:computername),
    [string]$User = "",    
    [string]$Command,
    [string]$Args
 )

$script_task = 
{

    param (
        [string]$User = "",
        [string]$Command,
        [string]$Args
     )

    #Action
    $Action = New-ScheduledTaskAction –Execute $Command
    if($Args.Length > 0) { $Action = New-ScheduledTaskAction –Execute $Command -Argument $Args}

    #Principal
    $P = New-ScheduledTaskPrincipal -UserId $User -LogonType Interactive -ErrorAction Ignore

    #Settings
    $S = New-ScheduledTaskSettingsSet -MultipleInstances Parallel -Hidden

    #Create TEMPTASK
    $TASK = New-ScheduledTask -Action $Action -Settings $S -Principal $P

    #Unregister old TEMPTASK
    Unregister-ScheduledTask -TaskName 'TEMPTASK' -ErrorAction Ignore -Confirm:$false

    #Register TEMPTASK
    Register-ScheduledTask -InputObject $TASK -TaskPath '\KD\' -TaskName 'TEMPTASK'

    #Execute TEMPTASK
    Get-ScheduledTask -TaskName 'TEMPTASK' -TaskPath '\KD\' | Start-ScheduledTask

    #Unregister TEMPTASK
    Unregister-ScheduledTask -TaskName 'TEMPTASK' -ErrorAction Ignore -Confirm:$false

}

#The scriptblock get the same parameters of the .ps1
Invoke-Command -ComputerName $Computer -ScriptBlock $script_task -ArgumentList $User, $Command, $Args

Usage example:

file.ps1 -User USER_NAME -Command notepad.exe -Computer REMOTE_COMPUTER

#To run a command on single computer remotly
psexec \\RemoteComputerName Path_Of_Executable_On_Remote_Computer Argument_list

#To run a command on list of computers remotely.
psexec @Remote_Computer_list Path_Of_Executable_On_Remote_Computer Argument_list /AcceptEULA

#To run list of commands on list of remote computer. make sure you copy batch file before you run command below.
psexec @Remote_Computer_List Path_Of_Batch_On_Remote_Computer Argument_list

Author by

bodacydo

My name is Boda Cydo. I am from Africa but now live in Washington DC.

Updated on July 22, 2022