
background:

In my org there is an application that we use for some critical functions, but it only works best when run as a particular user.

The reason for this is that the application stores lots of its configuration as the local user session, and so it becomes a multiuser nightmare, meaning we had to duplicate lots of work.

We have assigned a user to run the application, and found a solution by setting a runas desktop shortcut. The issue is that we have discovered that the application is not able to be run more than once concurrently. It only allows 1 running instance per concurrent user.

The shortcut code I use for the application:

C:\Windows\System32\runas.exe /user:mydomain\runas_user /savecreds "C:\Program Files\MyApp\MyApp.exe"

As such, I've been trying to determine how I can see who is currently using the "runas" application, so I can get them to close it gracefully. Task Manager only shows the "runas_user" in User Name, but I figure there must be some way to determine who ran it or which user's session is looking at it.

Question:

Is there some way I can find out (preferably using powershell or some other script) who is currently running the application?

Kareem
  • Maybe save the username (with a batch script) before running the runas command (in a common location where anybody can write a file)? `echo %username% > c:\runas_user.txt` – fedterzi May 26 '16 at 15:07
  • I feel like that's a good idea, apart from the fact that most people will not know that the application is already running, and will just open the runas icon anyway. This would mean that the common file would be updated by the new person trying to run the app, and may see its running and bail. Enter a 3rd person, who now wants to know, opens the common file to see names of user 1 and 2 in there. If multiple people do this it would get tedious quickly. – Kareem May 26 '16 at 15:12
  • There is a way to check if a certain process is running, with a batch script. See: http://stackoverflow.com/questions/162291/how-to-check-if-a-process-is-running-via-a-batch-script – fedterzi May 26 '16 at 15:15
  • Thanks @fedterzi I managed to determine which Session name is running it as `RDP-Tcp#2`, by running `tasklist /FI "USERNAME eq runas_user" /FI "IMAGENAME eq myapp.exe"`. I can see in Task Manager which Username corresponds to `RDP-Tcp#2`. Next I just need to find a useful way to resolve `"RDP-Tcp#2 is user X"` – Kareem May 26 '16 at 15:37
  • @Kareem `quser.exe` – beatcracker May 26 '16 at 16:41
  • Thanks all for your help, @fedterzi, I think I managed to figure out the conversion. – Kareem May 30 '16 at 11:46
  • Thanks all for your help, @beatcracker, I found another tool called qwinsta and I worked it into a PowerShell file. I'll come back and update an answer with it. – Kareem May 30 '16 at 11:49
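The process-to-session-to-user lookup worked out in the comments (tasklist to find the session, then quser/qwinsta to resolve it), as an added PowerShell example that is not the poster's own script. It assumes the image name MyApp.exe and the account name runas_user from the question, and must run on the host where the application executes; quser output columns and the Win32_Process GetOwner method are used as they exist on Windows Server 2008+.

```powershell
# Added example (not the poster's script): find which interactive session, and
# therefore which logged-on user, started a process running as the shared
# runas account. Parameters assume the names given in the question.
param(
    [string]$ImageName = 'MyApp.exe',
    [string]$RunAsUser = 'runas_user'
)

# Map session IDs to the interactive users that own them by parsing quser.
# Columns: USERNAME SESSIONNAME ID STATE IDLE LOGON TIME. The session name is
# blank for disconnected sessions and the caller's own row is prefixed with '>'.
function Get-SessionOwnerMap {
    $map = @{}
    (quser 2>$null) | Select-Object -Skip 1 | ForEach-Object {
        if ($_ -match '^\s*>?(?<user>\S+)\s+(?:(?<session>\S+)\s+)?(?<id>\d+)\s+(?<state>\S+)') {
            $map[[int]$Matches.id] = [pscustomobject]@{
                User        = $Matches.user
                SessionName = $Matches.session
                State       = $Matches.state
            }
        }
    }
    return $map
}

# List every instance of the application that runs under the shared account,
# together with the session (and its interactive user) it was launched from.
function Get-RunAsInstances {
    $sessions = Get-SessionOwnerMap
    Get-CimInstance Win32_Process -Filter "Name = '$ImageName'" | ForEach-Object {
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        # Skip instances that somebody started under their own account.
        if ($owner.User -ne $RunAsUser) { return }
        $s = $sessions[[int]$_.SessionId]
        [pscustomobject]@{
            ProcessId    = $_.ProcessId
            RunsAs       = "$($owner.Domain)\$($owner.User)"
            SessionId    = $_.SessionId
            SessionName  = if ($s) { $s.SessionName } else { '(unknown)' }
            SessionUser  = if ($s) { $s.User } else { '(no interactive session)' }
            SessionState = if ($s) { $s.State } else { '' }
            StartedAt    = $_.CreationDate
        }
    }
}

Get-RunAsInstances | Format-Table -AutoSize
```

The SessionUser column is the person to ask to close the application; GetOwner needs rights to query the process, so run the script elevated on a multi-user host.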

1 Answer


The Windows security event log should show this. All Windows 2008+ authentication events are Event ID 4624 (pass) or 4625 (fail). Combining that with the Logon Type should get you what you want.

Lots of details about Logon Types from this PDF on sans.org (starting on about page 10). I think the section you would be most interested in is "3.7 NewCredentials":

Using RunAs command to start a program under a different user account with the /netonly switch, Windows records a logon/logoff event with logon type 9. When starting a program with RunAs using /netonly, the program executes on the local computer as the user currently logged on as but for any connections to other computers on the network, Windows connects to those computers using the account specified on the RunAs command. Without /netonly Windows runs the program on the local computer and on the network as the specified user and records the logon event with logon type 2.

Quick and dirty way to get the Event ID and Logon Type with PowerShell:

# Pull the newest 1000 Security events and keep logon successes and failures (4624/4625)
$recentSecLog = Get-EventLog -LogName Security -Newest 1000 |
    Where-Object { $_.EventID -match "4624|4625" }

# Narrow to logon type 9 (NewCredentials, i.e. runas /netonly); use 2 for runas without /netonly
$recentSecLog | Where-Object { $_.Message -match "Logon\sType:\s+9" }
Local Needs