JSI Tip 7258. CPAU freeware is a RunAs replacement that lets you specify the password on the command-line.

NOTE: CPAU defaults to network logon, just like runas /netonly, so it won't verify the password until you connect.

When you type cpau /?, you receive:

CPAU V01.06.00cpp Joe Richards ([email protected]) May 2004

 CPAU -u user \[-p password\] -ex "WhatToRun" \[switches\]

   user       User to log on as. Ex: user or domain\user
   password   User's password
   WhatToRun  What to execute

  Switches: (designated by - or /)
   -profile   Do local logon with profile instead of net logon
   -k         Prefix command with cmd /k to leave window open
   -pipepwd   Special method allows you to pipe password in
   -enc       Encrypt a job file for later user
   -dec       Use an ecrypted job file
   -file      Specify job file to execute or create
   -wait      Wait for process completion before returning.
   -cwd x     Start at working directory x.
   -crc file\[,file,file\]   This option allows you to encode
              CRC info for files in the job file. When decoded
              the CRC have to match or the program bombs. Note that
              it will not chase paths looking for the file, you must
              specify the exact path.

    cpau -u joehome\joe -p logon -ex "perl cleanup.pl"
      Runs perl script cleanup.pl as joehomejoe

    cpau -u joehome\joe -p logon -ex "perl cleanup.pl" -enc -file cleanup.job
      Creates job file called cleanup.job to run perl script cleanup.pl as joehomejoe

    cpau -dec -file cleanup.job
      Execute job file cleanup.job

    cpau -u joehome\joe -p logon -ex "perl cleanup.pl" -wait
      Runs perl script cleanup.pl as joehomejoe and waits for process to end

    cpau -u joe -p logon -ex notepad.exe
      Runs notepad as user joe

    cpau -u joehome\joe -p logon -ex logonscript.cmd -profile
      Runs logon script in current directory as user joe (see note below)

    cpau -u joehome\joe -p logon -ex logonscript.cmd -profile -cwd c:\temp
      Runs logon script in/from c:\temp as user joe (see note below)

    cpau -u joe -p logon -ex logonscript.cmd -enc -file logon.job -crc logonscript.cmd
      Encodes logon.job file and CRC protects the batch file

  I had to add some protection to this. It seems people were running this with
  a networked drive for the current working directory. Microsoft prevents cross-
  security context access of network drives on purpose, this causes CPAU
  to not be able to fire the process up. To correct for that, if CPAU realizes
  your current working directory is a network drive it will change the CWD to the
  default local path (usually c:\windows\system32). To override this functionality
  you must specify the CWD option, note that if you set it to a network
  drive you most likely will not function properly. Also note that this is
  not a bug in CPAU, this is purposeful functionality from MS. You can see this
  out of anything that changes your local security context.

  Also note that if you are using this for a logon script or something else where
  you need the permissions to take affect locally, you need to specify the
  -profile switch. By default the process spawned has the current user's security
  context locally and the new security context remotely. Also keep in mind
  the note above concerning network drives, logon scripts run from network
  drives, you will need to set the CWD to a local machine (c:\temp maybe) and
  copy whatever files are necessary locally and then run cpau.

 This software is Freeware. Use it as you wish at your own risk.
 If you have improvement ideas, bugs, or just wish to say Hi, I
 receive email 24x7 and read it in a semi-regular timeframe.
 You can usually find me at [email protected]

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.