What you should do, is block the following executables from running in a hardened (shared with multiple users) system by creating a New Hash Rule….

* cmd.exe
* regedit.exe AND regedt32.exe
* runas.exe

There's one thing I change in the Registry. So use the Registry Editior…
=> Go to this: HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer
=> Add this DWORD: HideRunAsVerb
=> Set it to the value of 1

This disables Run as… when you right-click or Shift + Right-click on an executable or application file.

By doing the above, we have removed the ability to use runas.

I also recommend with SRP to set all users except local administrators. Then create Limited User Accounts for each person who is going to use the system. This will instill a new habit of not being randomly running things without consideration.

It also means Didier Stevens's bpmtk.exe isn't able to run; as you have cut off the ability to run foreign executables.

Now all you need to do is develop computer security aware policies or rules as to how new programs need to be checked and verified, so they can trusted to be installed onto your system.

This bypasses it

Disallowing runas.exe is necessary to limited account control. I'm not aware of what, if any, conscequence would occur in an environment where the Secondary Logon service were running and runas.exe disallowed. Secondary Logon is disabled in my environment. I do know the trustlevel switch functions without Secondary Logon and the user switch does not.

Thank you for confirming it for your readers. It is good information to have.

The conclusion: there are many ways to circumvent SRP (including the manipulation of the process memory), but using Microsoft's own tools seems the most elegant 🙂

Thank you again for bringing this to my attention.

Unrestricted, disallowed, basic user, restriced, or untrusted.

The sintax is precisely:

runas /trustlevel:"Unrestricted" c:example.exe
(Include quotation marks)

And, unfortunately, the switch does not require admin priviligde.

– the /trustlevel switch seems to be new in Vista/7 and the article talks about XP (even though many of the things can be applied to newer/older versions of Windows)

– the given command doesn't seem to work (tested it under Windows 7). BTW, I didn't really find any documentation about what the given switch does.

While I realize you offer runas.exe as a convenient means of adjusting SRP settings, leaving runas.exe unrestricted leaves everything unrestricted.