I have a problem with runas /savecred ... and cmdkey /add....
I have a batch file contains this line:
runas /profile /savecred /user:MyDomain\MyUserName "MyProgram.exe"
I'm logging to my computer as Administrator and I want to execute MyProgram.exe with another user: MyUserName.
When I launch my batch file the firt time, it prompts for password for MyUserName, I type the password and it works nice !!!
For second time, it don't ask for password because /savecred has saved MyUserName and password in Windows Credential. cool !!
The information in Credential Manager
Internet or network adress: MyDomain\MyUserName (Interactive logon)
User name: MyDomain\MyUserName
Password: ............
Persistence: Logon Session
Now, I would like to avoid to type the password asked for the first time. For this I have used cmdkey.exe to add credential myself without /savecred by this line
cmdkey /add:domain:interactive=MyDomain\MyUserName /user:MyDomain\MyUserName /pass:***********
and i have removed /savecred from line runas
The information in Credential Manager
Internet or network adress: MyDomain\MyUserName
User name: MyDomain\MyUserName
Password: ............
Persistence: Logon Session
Look there is no (Interactive logon) in the first line. The poblem is when I launch the batch file, it prompt always to type password, it seems like the runas disacard the informaion saved by cmdkey !
So What I have missed? Or what other things that /savecred save in the Windows Credentials?
Under windows 7, the runas/savecred (interactive logon) credential is saved in a HIDDEN file in the directory c:\users\username\appdata\roaming\microsoft\credentials.
If you move this file out of this directory, the credential is not displayed in the Windows credential manager. Move the file back into the referenced directory, and the credential reappears. No other manipulation or tweaking is necessary.
You should save the interactive logon by running the runas /savecred command once and then moving the hidden encrypted file in and out as needed.
You probably do not want to use the /savecred option, anyhow, as this saves your password (encrypted) to the profile globally and unconditionally, for the user to run any time, with any command that they can start with "runas", not just the command you intended. Saving your password in a CMDKey alias is not a good idea, either. If you need to be able to run a command using alternate or elevated credentials, the preferred (and more secure) method is creating a Scheduled Task to run the command with alternate/elevated credentials. See my answer here https://superuser.com/a/903881/229612 for the details on how to do this, and other information.
来源:https://stackoverflow.com/questions/21172761/runas-savecred-dont-accept-cmdkey-add-credentials