Configure and troubleshoot Secondary Logon service

Secondary Logon can be hidden from the GUI, so one doesn't see the option "Run as different user" when starting a program with this DWORD value:

[HKEY_LOCAL_MACHINE \SOFTWARE \Microsoft \Windows \CurrentVersion \Policies \Explorer]
HideRunAsVerb = 1

More Info MS KB830568

Note with Win2k SP4 a new policy was created making it possible to configure what accounts(Default:Administrators and SYSTEM), which are allowed to impersonate other accounts:
  1. Open Control Panel and open Administrative Tools and double click Local Security Policy
  2. Expand Local Policies and click User Rights Assignment
  3. In the right pane double click Impersonate a client after authentication
  4. Press Add... to enable other users to impersonate other accounts
More Info MS KB821546

Note one can also run applications as another user from the command line using "RUNAS", though in Win2k it will prompt for password unless using Sanur, CPUA, LSrunas or Steel Run-As. WinXP Professional (Not Home) extends "RUNAS" with the /savecred option where one is only prompted for the password once. To see all options available:

runas /?

More Info MS KB294676
More Info MS KB893677

Note in WinNT4 one can use the Super User Service Starter SUSS.EXE and the tool SU.EXE (Found in the NT reskit):

SUSS.EXE -install

ECHO Password | SU.EXE Username UserMgr.exe

SU_USERNAME - Environment variable for default user name to SU.
SU_PASSWORD - Environment variable for password to SU. Avoids password prompting.
SU_DOMAIN - Environment variable for domain name referenced by SU.
SU_COMMANDLINE - Environment variable for command line run by SU.
SU_DESKTOP - Environment variable for windowstation and desktop targeted by SU.

More Info MS KB829640

Note another way of running an application as another user is to create a scheduled task where it is possible to specify username and password.

Updated: 2 October 2008

Leave a Reply

Your email address will not be published. Required fields are marked *