The Windows runas command is a CLI utility in Microsoft Windows that runs programs under a different user account without elevation. It supports the /user, /savecred, /netonly, and /env flags but cannot produce an elevated token without UAC.
runas /user:administrator cmd
Tested on Windows Server 2022 (build 20348) and Windows 11 Pro (build 22621) with Secondary Logon service running.
What is runas and when to use it?
Runas is the built-in Windows command for executing a process under credentials other than the currently logged-on user. It relies on the Secondary Logon service (seclogon) and appears in all NT-based Windows releases from Windows 2000 through Windows Server 2025 and Windows 11. In enterprise environments it is commonly used to launch MMC consoles (dsa.msc, services.msc) as a domain admin while the desktop session runs under a standard user account. The command is comparable to sudo -u on Linux, though it lacks the ability to inherit a fully elevated token; a process launched via runas still respects UAC and runs at the same integrity level as the calling shell. An alternative for elevation is Start-Process with -Verb RunAs in PowerShell, which triggers a UAC prompt and can produce a high-integrity token when the user is a member of the local Administrators group.
Syntax
RUNAS [ [/noprofile | /profile] [/env] [/savecred | /netonly] ] /user:UserName program
RUNAS [ [/noprofile | /profile] [/env] [/savecred] ] /smartcard [/user:UserName] program
RUNAS /showtrustlevels
RUNAS /trustlevel:<TrustLevel> program
Runas Command Cheat Sheet
| Action | CLI Command | Key Flag | Description |
|---|---|---|---|
| Run cmd as local admin | runas /user:administrator cmd | /user | Opens a new command prompt under the local Administrator account. |
| Run MMC console as domain admin | runas /user:DOMAIN\admin "mmc dsa.msc" | /user | Launches Active Directory Users and Computers with domain credentials. |
| Run program without loading profile | runas /noprofile /user:user "notepad.exe" | /noprofile | Faster startup; user registry hive is not loaded. |
| Run with network-only credentials | runas /netonly /user:FABRIKAM\jdoe "outlook.exe" | /netonly | Outlook authenticates to Exchange; the local process runs as the current user. |
| Cache credentials for repeat use | runas /savecred /user:admin "cmd" | /savecred | First run prompts for password; subsequent runs use cached creds. |
| Use smart card for authentication | runas /smartcard /user:admin "cmd" | /smartcard | Requires inserted smart card and PIN entry. |
Options and Flags
| Flag | Type | Default | Description |
|---|---|---|---|
| /noprofile | Switch | Off | Do not load the target user’s profile; speeds launch but may break per-user settings. |
| /profile | Switch | On | Load the target user’s profile. Required for applications that read registry hive HKEY_CURRENT_USER. |
| /env | Switch | Off | Use the current user’s environment variables instead of the target user’s. |
| /savecred | Switch | Off | Cache the password in Windows Credential Manager so the user is not prompted again for that target. |
| /netonly | Switch | Off | Credentials are used for network access only; the process runs under the current local user identity. |
| /smartcard | Switch | Off | Supply credentials via a smart card reader. Cannot be combined with /netonly. |
| /user:UserName | Parameter | Required | Target user in formats: Administrator, DOMAIN\User, or user@domain.contoso.com. |
| /showtrustlevels | Command | N/A | Display available trust levels on the local machine. |
| /trustlevel:<TrustLevel> | Parameter | N/A | Launch with a specific trust level (e.g., 0x20000). Primarily used in legacy deployments. |
Usage Examples
Example 1: Launch a command prompt as local Administrator
runas /user:administrator cmd
Prompts for the local Administrator password. The resulting cmd.exe runs under the Administrator account but at the same UAC integrity level as the parent shell; it is not elevated. To confirm, run whoami inside the new prompt; it returns DESKTOP\Administrator, but net session will fail if UAC is enabled.
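The whoami check above only shows the account name. The following function is an added example, not part of the original page, that reports the account, the integrity level and whether the Administrators group is enabled in the token, so the result of a runas launch can be checked in one step. It assumes English column headers in the whoami CSV output.

```powershell
# Added example (not from the original page): report who the current process
# runs as and at which integrity level, to check what a runas launch produced.
# Assumption: English column headers in `whoami /groups /fo csv` output.

function Get-TokenSummary {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity

    # Mandatory-label SIDs are S-1-16-<RID>; the RID encodes the integrity level.
    $levels = @{
        'S-1-16-4096'  = 'Low'
        'S-1-16-8192'  = 'Medium'
        'S-1-16-12288' = 'High'
        'S-1-16-16384' = 'System'
    }
    $labelSid = whoami.exe /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.SID -like 'S-1-16-*' } |
        Select-Object -First 1 -ExpandProperty SID

    # Fall back to the raw SID for labels not listed in the table above.
    $level = if ($labelSid -and $levels.ContainsKey($labelSid)) {
        $levels[$labelSid]
    } else {
        "$labelSid"
    }

    [pscustomobject]@{
        User           = $identity.Name
        IntegrityLevel = $level
        # True only when the Administrators group is enabled in this token,
        # not merely present as a deny-only (filtered) group.
        AdminEnabled   = $principal.IsInRole(
            [Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

Get-TokenSummary | Format-List
```

Run it once in the parent shell and once in the process started by runas, then compare the two results.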
Example 2: Open an MMC console with domain admin credentials
runas /user:CONTOSO\jdoe "mmc %windir%\system32\dsa.msc"
Launches Active Directory Users and Computers under the domain account CONTOSO\jdoe. The console runs with the privileges of that user, enabling object creation and attribute modification. Requires the user to have the necessary AD permissions. The profile is loaded by default, so custom MMC console settings are applied.
Example 3: Run a browser with network-only authentication
runas /netonly /user:CONTOSO\webapp "C:\Program Files\Google\Chrome\Application\chrome.exe"
Chrome runs as the current local user, but all NTLM/Kerberos network authentication (e.g., internal SharePoint sites) uses the credentials CONTOSO\webapp. This is useful for testing per-user access without switching the entire desktop session. The password is prompted once; no profile is loaded because /netonly disables profile loading.
Example 4: Use saved credentials for automated script execution
runas /savecred /user:DOMAIN\batchuser "c:\scripts\backup.cmd"
First execution prompts for the password and caches it via /savecred. Subsequent runs of the same command skip the password prompt, making this useful for scheduled tasks that require a specific identity. Security risk: any process running under the same user context can reuse the cached credential without re-authentication.
Troubleshooting & Common Errors
| Error Message | Root Cause | Resolution Command |
|---|---|---|
| RUNAS ERROR: Unable to run - cmd | Secondary Logon service (seclogon) is stopped or disabled. | |
| Access is denied | The target user lacks the “Log on locally” right (SeInteractiveLogonRight) on the workstation. | Open Local Security Policy → User Rights Assignment → “Allow log on locally” and add the target user. |
| The password does not match | Incorrect credentials supplied for the target user. | Verify password with runas /user:DOMAIN\user cmd in a fresh console. If domain account, ensure domain controller is reachable (nltest /dsgetdc:DOMAIN). |
| The requested operation requires elevation | The target program requires a high-integrity token; runas cannot provide it. | Use PowerShell instead: |
| No credentials are available in the security package | /netonly used but the target application attempts local resource access using the supplied credentials. | Remove /netonly and supply actual credentials, or ensure the application only requires network access. |
Frequently Asked Questions
What is the difference between /profile and /noprofile flags in runas?
Answer: /profile loads the user’s registry and environment; /noprofile skips this.
The /profile flag (default) loads the target user’s profile, including registry hive (NTUSER.DAT), environment variables, and user-specific paths like AppData. /noprofile does not load the profile, reducing memory overhead and bypassing potential profile corruption issues. For sysadmin scripts that only need network access, /noprofile is faster and more reliable. Example:
runas /noprofile /user:DOMAIN\Admin "cmd /c whoami"
When should I use the /netonly flag in runas?
Answer: Use /netonly to authenticate to remote network resources with specified credentials while retaining the local user context.
The /netonly flag means credentials are used only for network authentication, not for local logon. The running process inherits the local user’s security context (token) but uses the supplied credentials when connecting to remote services (e.g., SMB, SQL Server via Windows Auth). This avoids the “access denied” error when the local token lacks domain rights. Example:
runas /netonly /user:DOMAIN\User "mmc compmgmt.msc"
How do I fix “RUNAS ERROR: Unable to run – logon failure: unknown user name or bad password” (error 1326)?
Answer: Verify credentials in correct format (DOMAIN\User), ensure user has “Log on as batch job” right, and test network connectivity.
Error 1326 (STATUS_LOGON_FAILURE) typically indicates wrong username/password or insufficient rights. The user must hold the “Log on as a batch job” privilege (default for administrators). Check with secedit or Group Policy. For local accounts, prefix with .\. For domain, use FQDN: DOMAIN\user or user@domain.com. Test credentials first:
net use \\target\share /user:DOMAIN\User *
If successful, verify runas syntax:
runas /user:DOMAIN\User "cmd"
Does the runas command work on Windows Server Core editions (non-GUI)?
Answer: Yes, runas works on Server Core; however, the /savecred flag is unsupported because the credential manager GUI is absent.
Server Core lacks the Credential Manager UI required to initially cache credentials via /savecred. Attempting it returns an error. For interactive sessions, /profile and /noprofile work. For automation, use Start-Process -Credential in PowerShell or scheduled tasks with stored credentials. Example on Server Core:
runas /user:DOMAIN\User "powershell.exe -Command Get-Service"
Password prompt works on console or via SSH.
What is the fastest way to run a command as a different user without being prompted for a password every time?
Answer: Use “/savecred” once to cache the password in Credential Manager, then subsequent runas calls skip prompts.
The /savecred flag stores the password securely in the current user’s Credential Manager vault. After first use with runas /savecred /user:DOMAIN\User "cmd", all future runas calls with the same user will not prompt. This is the fastest for repeated interactive use. For unattended scripts, prefer Start-Process -Credential (Get-Credential) or schtasks /create /ru DOMAIN\User /rp * /SC ONCE /tn TaskName /tr "command" which avoids password caching overhead. Example:
runas /savecred /user:DOMAIN\User "notepad.exe"
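Because a credential cached with /savecred can be reused by any process in the same user context (see Example 4 and the answer above), it is worth auditing what is cached. The script below is an added example, not part of the original page, that parses cmdkey /list output and prints the command to remove each runas entry. It assumes English cmdkey output and that /savecred entries are stored under a target beginning with "Domain:interactive="; the sample data is constructed.

```powershell
# Added example (not from the original page): find credentials cached by
# runas /savecred so they can be reviewed and removed.
# Assumptions: English-language cmdkey output, and that /savecred entries
# appear with a target starting "Domain:interactive=".

function Get-RunasSavedCredential {
    param(
        # Lines of `cmdkey /list`; by default, query the current user's vault.
        [string[]]$CmdkeyOutput = (cmdkey.exe /list)
    )
    $target = $null
    foreach ($line in $CmdkeyOutput) {
        if ($line -match '^\s*Target:\s*(\S.*?)\s*$') {
            $target = $Matches[1]
        }
        elseif ($target -and $line -match '^\s*User:\s*(\S.*?)\s*$') {
            if ($target -like 'Domain:interactive=*') {
                [pscustomobject]@{
                    User          = $Matches[1]
                    Target        = $target
                    RemoveCommand = "cmdkey.exe /delete:$target"
                }
            }
            $target = $null
        }
    }
}

# Constructed sample of `cmdkey /list` output, for running the parser offline.
$sample = @'
Currently stored credentials:

    Target: LegacyGeneric:target=git:https://example.invalid
    Type: Generic
    User: builduser

    Target: Domain:interactive=DOMAIN\batchuser
    Type: Domain Password
    User: DOMAIN\batchuser
'@ -split '\r?\n'

Get-RunasSavedCredential -CmdkeyOutput $sample | Format-List
# On a live system, call Get-RunasSavedCredential with no arguments, then run
# each RemoveCommand for entries that should not stay cached.
```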
