runas — Run as Different User

What it is

runas is a built-in Windows command that launches a program in the security context of a different user account without logging off. It is the command-line equivalent of right-clicking → "Run as different user" in Explorer, and the ancestor of UAC elevation prompts. Use it to run an administrative tool under a privileged account when you are logged in as a standard user, to test application behavior under a restricted identity, or to automate a task that must run as a service account. For most interactive UAC elevation, the GUI prompt or PowerShell's Start-Process -Verb RunAs is more practical.

Availability

runas ships as C:\Windows\System32\runas.exe on Windows XP and later.

runas /?

Output:

RUNAS USAGE:

RUNAS [/noprofile | /profile] [/env] [/netonly] [/savecred | /smartcard]
      [/showtrustlevels] [/trustlevel] /user:<UserName> program

   /noprofile        specifies that the user's profile should not be loaded.
                     This causes the application to load more quickly, but
                     can cause some applications to malfunction.
   /profile          specifies that the user's profile should be loaded.
                     This is the default.
   /env              to use current environment instead of user's.
   /netonly          use if the credentials specified are for remote access only.
   /savecred         to use credentials previously saved by the user.
   /smartcard        use if the credentials are to be supplied from a smartcard.
   /showtrustlevels  displays the trust levels that can be used as arguments
                     to /trustlevel.
   /trustlevel       <Level>   specifies the level at which application is to run.
   /user             <UserName> should be in form USER@DOMAIN or DOMAIN\USER.
   program           command for the exe. See below for examples.

Syntax

runas [/noprofile | /profile] [/env] [/netonly] [/savecred] /user:<domain\user> "<program [args]>"

Output: (prompts for password, then launches program)

Essential options

Basic elevation to Administrator

runas /user:Administrator opens a new command prompt running under the built-in Administrator account. You are prompted for the password interactively — runas cannot receive a password non-interactively except via /savecred.

runas /user:Administrator cmd.exe

Output:

Enter the password for Administrator:
Attempting to start cmd.exe as user "MYHOST\Administrator" ...

Running as a domain admin

Use the DOMAIN\user format for domain accounts. The new process opens in a separate window with the domain admin's token.

runas /user:CORP\alicedev "mmc.exe compmgmt.msc"

Output:

Enter the password for CORP\alicedev:
Attempting to start mmc.exe compmgmt.msc as user "CORP\alicedev" ...

Using saved credentials (/savecred)

/savecred stores the password in Windows Credential Manager after the first successful use, so subsequent invocations with the same /user and /savecred do not prompt for a password. This is how IT support tools automate elevation without embedding passwords in scripts.

rem First run — prompts for password and caches it
runas /savecred /user:CORP\alicedev "C:\Tools\AdminConsole.exe"

Output:

Enter the password for CORP\alicedev:
Attempting to start C:\Tools\AdminConsole.exe as user "CORP\alicedev" ...

rem Subsequent runs — no password prompt
runas /savecred /user:CORP\alicedev "C:\Tools\AdminConsole.exe"

Output:

Attempting to start C:\Tools\AdminConsole.exe as user "CORP\alicedev" ...

Running without loading the profile (/noprofile)

/noprofile skips loading HKCU registry hive and the user's profile folder. The process starts faster and is safer for service-like invocations where the target account does not have a pre-created profile.

runas /noprofile /user:svcbackup "C:\Scripts\backup.bat"

Output:

Enter the password for svcbackup:
Attempting to start C:\Scripts\backup.bat as user "MYHOST\svcbackup" ...

Network-only credentials (/netonly)

/netonly uses the supplied credentials only for network resource access — the local process still runs under your current token. Useful when you need to map a drive or access a share as a different identity without losing your local session context.

runas /netonly /user:CORP\alicedev "explorer.exe"

Output:

Enter the password for CORP\alicedev:
Attempting to start explorer.exe as user "CORP\alicedev" ...

Common pitfalls

1. runas cannot receive a password from a script non-interactively — it always prompts unless /savecred was used previously; for fully automated elevation, use a scheduled task with /RU SYSTEM or a service account.
2. /savecred stores credentials machine-wide in Credential Manager — any user who can invoke runas /savecred /user:admin can reuse cached creds without knowing the password; restrict who can log on interactively.
3. The new process opens in a separate window — stdout and stderr of the launched program are not visible in the original shell; redirect to a log file if you need output capture.
4. UAC virtual store applies per-user — a program launched under a different account sees a different virtualized file system and registry; writes to HKCU go to the target user's hive, not yours.
5. Built-in Administrator is disabled by default — runas /user:Administrator fails on a fresh Windows install until the built-in Administrator is enabled via net user Administrator /ACTIVE:YES.

Real-world recipes

Open an elevated command prompt as a specific admin account

runas /user:MYHOST\localadmin "cmd.exe /K title Admin Shell"

Output:

Enter the password for MYHOST\localadmin:
Attempting to start cmd.exe /K title Admin Shell as user "MYHOST\localadmin" ...

Launch a management console as a domain admin

runas /user:CORP\alicedev /noprofile "mmc.exe C:\Windows\System32\dnsmgmt.msc"

Output:

Enter the password for CORP\alicedev:
Attempting to start mmc.exe C:\Windows\System32\dnsmgmt.msc as user "CORP\alicedev" ...

Test an application under a restricted user

runas /user:MYHOST\testuser "C:\MyApp\myapp.exe"

Output:

Enter the password for MYHOST\testuser:
Attempting to start C:\MyApp\myapp.exe as user "MYHOST\testuser" ...

Trust levels and AppLocker (/trustlevel)

The /trustlevel switch runs a program under a Software Restriction Policy (SRP) trust level — a sandbox-like mechanism that restricts which DLLs, registry keys, and files the process can touch. Use /showtrustlevels to list the available levels on the current machine; SRP-defined levels appear only when SRP is configured in Group Policy or secpol.msc. On modern Windows, AppLocker and Windows Defender Application Control (WDAC) have superseded SRP for most enforcement, but /trustlevel remains useful for testing legacy SRP rules.

runas /showtrustlevels

Output:

The following trust levels are available on your system:
       0x20000 (Basic User)
       0x40000 (Unrestricted)

rem Run a program at the Basic User trust level
runas /trustlevel:0x20000 "C:\MyApp\myapp.exe"

Output:

Attempting to start C:\MyApp\myapp.exe as user "MYHOST\alicedev" with trust level "Basic User" ...

Smart card authentication (/smartcard)

/smartcard causes runas to prompt for a smart card PIN instead of a password. Required in environments that enforce smart card logon for administrative accounts (Common Access Card, PIV). The user must be associated with a smart card certificate in Active Directory; otherwise the prompt fails.

runas /smartcard /user:CORP\alicedev "mmc.exe"

Output:

Please insert a smart card and enter the PIN:
Attempting to start mmc.exe as user "CORP\alicedev" ...

When /user is omitted with /smartcard, the prompt asks which certificate to use if multiple are present on the card.

PowerShell equivalents

PowerShell offers richer process-launch primitives than runas.exe. They support pipelining, structured credential objects, and (for local elevation) the same UAC prompt that the Explorer shell uses. Reach for them in any scripted workflow — runas.exe is mainly useful for interactive one-shots and the /savecred feature.

Start-Process -Verb RunAs — UAC elevation prompt

Start-Process -Verb RunAs launches a new process and asks the UAC consent prompt. The new process runs under the same user account but with the elevated administrative token. This is the canonical replacement for "right-click → Run as administrator".

Start-Process pwsh -Verb RunAs

Output: (UAC prompt appears, then a new elevated PowerShell window opens)

# Pass arguments to the elevated process
Start-Process notepad.exe -Verb RunAs -ArgumentList "C:\Windows\System32\drivers\etc\hosts"

Output: (UAC prompt, then notepad opens with hosts file)

# Wait for the elevated process to finish before continuing
Start-Process msiexec.exe -Verb RunAs -ArgumentList "/i C:\Pkg\agent.msi /qb" -Wait

Output: (UAC prompt, install runs synchronously)

Start-Process -Credential — run as a different user

-Credential accepts a PSCredential and launches the process under that identity. Unlike runas.exe, the credential can come from Get-Credential (interactive prompt), Import-Clixml (encrypted file on disk), or a secret store — without going through the /savecred mechanism.

$cred = Get-Credential CORP\alicedev
Start-Process cmd.exe -Credential $cred

Output: (credential prompt, then a new cmd window opens under CORP\alicedev)

# Build credentials from a secure password (e.g. from Azure Key Vault)
$user = 'svcbackup'
$pwd  = ConvertTo-SecureString 'S3cureP@ss' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ($user, $pwd)
Start-Process powershell.exe -Credential $cred -ArgumentList "-File C:\Scripts\backup.ps1"

Output: (no prompt — script runs under svcbackup)

-Credential cannot combine with -Verb RunAs in the same call. To run under a different user and elevate, log on first with the credential and elevate from inside that session, or use a scheduled task running as the target account.

Store credentials securely with Export-Clixml

Export-Clixml encrypts a PSCredential using DPAPI so only the same user on the same machine can decrypt it. Safer than embedding passwords in scripts; equivalent in spirit to /savecred but with explicit file paths and rotation.

# One-time: save the credential
Get-Credential CORP\svcbackup | Export-Clixml C:\Secure\svcbackup.xml

# In automation: load and use
$cred = Import-Clixml C:\Secure\svcbackup.xml
Start-Process powershell.exe -Credential $cred -ArgumentList "-File C:\Scripts\backup.ps1"

Output: (no prompt — runs under svcbackup)

For machine-wide secrets that any account on the box can read, use the SecretManagement PowerShell module with a vault backend (Windows Credential Manager, KeePass, Azure Key Vault).

Comparison with sudo and su

For developers coming from Linux, runas is the closest analogue to sudo and su, but the semantics differ in important ways. UAC elevation (Start-Process -Verb RunAs) is closer to sudo for the same user; runas /user:other is closer to su other -c.

Key distinction: sudo typically asks for your password to authorize an action; runas asks for the target user's password to log in as them. Windows has no built-in equivalent to passwordless sudo — the closest is a scheduled task running as SYSTEM or a service account, triggered on demand.

How runas actually works

Under the covers, runas.exe calls the CreateProcessWithLogonW Win32 API. This performs a Secondary Logon (seclogon service) — Windows authenticates the supplied credentials against the SAM (local) or domain controller (domain), creates a new logon session with a fresh access token, and starts the program under that token.

The new process is a separate logon session. It has its own:

• Access token (with the target user's SIDs and privileges)
• Environment block (unless /env is passed)
• User profile (loaded into HKCU of the target account, unless /noprofile)
• Desktop heap allocation (in the default interactive winsta0)

The Secondary Logon service (seclogon) must be running. On hardened machines where it is disabled, runas fails with error 1058 ("The service cannot be started"). Check with sc query seclogon.

sc query seclogon

Output:

SERVICE_NAME: seclogon
        TYPE               : 30  WIN32
        STATE              : 4  RUNNING
        ...

/savecred internals and security

/savecred stores the password in the Windows Credential Manager under the current user's profile, in the generic credential namespace. The cached entry is keyed by the target username and is encrypted with DPAPI tied to the invoking user's master key. Anyone else logging in under that account inherits access; root or anyone with the SYSTEM token can also decrypt it.

rem List cached credentials (including /savecred entries)
cmdkey /list

Output:

Currently stored credentials:

    Target: Domain:interactive=CORP\alicedev
    Type: Domain Password
    User: CORP\alicedev

rem Delete a cached credential
cmdkey /delete:Domain:interactive=CORP\alicedev

Output:

CRED: Credential deleted successfully.

Group Policy can disable /savecred entirely via Computer Configuration → Administrative Templates → System → Credentials Delegation → Allow Saved Credentials and the Network access: Do not allow storage of passwords and credentials for network authentication security option. Most security baselines (CIS, STIG, Microsoft Security Compliance Toolkit) enable this restriction by default — see gpresult & gpupdate for inspecting which baseline GPOs are applied.

Audit logging — Event 4648

Every runas invocation generates Security event 4648 ("A logon was attempted using explicit credentials") in the Windows Security event log. The event records the invoking subject, the target account, the source process, and the workstation. Useful for forensic timelines and for detecting credential abuse.

# Last 24 hours of explicit-credential logons
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4648
    StartTime = (Get-Date).AddHours(-24)
} | Format-List TimeCreated, @{Name='Subject';Expression={$_.Properties[1].Value}}, @{Name='Target';Expression={$_.Properties[5].Value}}, @{Name='Process';Expression={$_.Properties[11].Value}}

Output:

TimeCreated : 5/24/2026 10:14:22 AM
Subject     : alicedev
Target      : Administrator
Process     : C:\Windows\System32\runas.exe

TimeCreated : 5/24/2026 09:55:11 AM
Subject     : alicedev
Target      : svcbackup
Process     : C:\Windows\System32\runas.exe

For long-term retention, forward Event 4648 to a SIEM via wevtutil subscriptions or Windows Event Forwarding. Anomalous patterns (a help-desk account using runas /user:Administrator outside business hours, or a workstation issuing many failed runas attempts) are worth alerting on.

Exit codes and error messages

runas.exe returns the exit code of the launched program, not the success of the logon itself, when the logon succeeds. When the logon fails, the typical error codes are:

When troubleshooting, also inspect Security event 4625 (failed logon) for the specific failure reason (sub-status code) and Application event log for seclogon service errors.

Common pitfalls (extended)

In addition to the basics above, watch for these gotchas in scripted or hardened environments:

6. runas does not inherit the parent's working directory in all cases — the new process starts in the target user's profile directory (or system32) by default. Wrap the command in cmd /K cd /D <path> && program if the working directory matters.
7. Drive mappings are per-logon-session — drives mapped under your interactive session are NOT visible to a runas process. Either map them again inside the launched shell or use UNC paths.
8. UAC linked-token confusion — when you are logged on as a user in the local Administrators group, you actually have two tokens (filtered standard + full admin). runas /user:<self> does not give you the elevated token; use Start-Process -Verb RunAs for that.
9. /netonly does not validate credentials at launch time — Windows defers authentication to the moment a network resource is accessed. A typo in the password silently runs the program; the network call fails later with a misleading "Access denied".
10. Antivirus and EDR can block runas — Microsoft Defender ASR rule "Block credential stealing from the Windows local security authority subsystem" and many third-party agents flag runas.exe calling CreateProcessWithLogonW. Whitelist the legitimate caller in your EDR console.
11. Scheduled task is the cleaner pattern for unattended elevation — for any non-interactive elevation, a scheduled task with /RU SYSTEM or a service account avoids storing credentials at all. Use schtasks /Create /SC ONCE /ST <time> /RL HIGHEST /RU SYSTEM ....
12. runas /user:NT AUTHORITY\SYSTEM does not work — you cannot directly launch SYSTEM with runas because there is no password. Use PsExec psexec -i -s cmd.exe or schedule a task running as SYSTEM.

Real-world recipes (extended)

Elevate the current PowerShell to admin in-place

if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Start-Process pwsh -Verb RunAs -ArgumentList "-NoExit -File `"$PSCommandPath`""
    exit
}
# ... admin-required code here ...

Output: (relaunches under UAC if not already elevated)

Run a script as SYSTEM from an admin shell (PsExec)

When you need SYSTEM-level access (e.g. to read HKEY_LOCAL_MACHINE\SAM), runas cannot reach it. Sysinternals PsExec can.

psexec -i -s -d cmd.exe

Output:

PsExec v2.43 - Execute processes remotely
...
(new cmd window opens; type 'whoami' → nt authority\system)

Tagged shell window per privilege level

Make it visually obvious when you're elevated. The title command sets the console title for the running session.

runas /user:CORP\alicedev "cmd.exe /K title === ELEVATED: CORP\alicedev === && color 4F"

Output:

(new cmd window opens with red background and a clear title)

Run a single PowerShell one-liner as Administrator without a script file

Start-Process pwsh -Verb RunAs -ArgumentList '-NoProfile','-Command',"& {Restart-Service Spooler -Force; Read-Host 'Done — press Enter'}"

Output: (UAC prompt; new pwsh window restarts the print spooler)

Capture output from a runas-launched process

runas opens a new window — stdout/stderr are not visible to the parent. Redirect inside the new shell.

runas /user:CORP\alicedev "cmd /C C:\Scripts\report.bat > C:\Logs\report.log 2>&1"

Output:

Enter the password for CORP\alicedev:
Attempting to start cmd /C C:\Scripts\report.bat ... as user "CORP\alicedev" ...

Then inspect C:\Logs\report.log from the parent shell after the new window closes.

Find every cached /savecred entry and audit it

$creds = cmdkey /list | Select-String 'Target:|User:' | ForEach-Object { $_.Line.Trim() }
$creds

Output:

Target: Domain:interactive=CORP\alicedev
User: CORP\alicedev
Target: LegacyGeneric:target=svcbackup
User: svcbackup

Remove any that should no longer be cached:

cmdkey /delete:LegacyGeneric:target=svcbackup

Output:

CRED: Credential deleted successfully.

Quick check: am I running elevated right now?

([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

Output:

True

rem cmd equivalent — exits 0 if elevated
net session >NUL 2>&1 && echo Elevated || echo Standard

Output:

Elevated

See also

• takeown — Take File Ownership — common follow-up after elevation
• icacls — ACL Editor — modify permissions on files you've taken ownership of
• net user — Local User Account Manager — manage the accounts you elevate to
• net localgroup — Local Group Manager — control who is in the Administrators group
• gpresult & gpupdate — check which GPOs control runas/UAC behavior
• whoami — confirm the identity of the current shell after elevation
• permissions — chmod, chown, umask, ACLs — Linux counterpart for sudo/su semantics

Sources

• Runas | Microsoft Learn (Windows Server) — canonical command reference and switch list
• Runas: Logon and Authentication | Microsoft Learn — Secondary Logon service and credential flow
• Group Policy not applied to RunAs.exe | Microsoft Learn — common scripted-elevation pitfall
• Access denied when using runas | Microsoft Learn — error 5 / 1326 diagnostics