Windows Client OS

Disable the RunAs Command

Can I disable the RunAs command?

You sure can!

The RunAs command was first introduced in Windows 2000 (in NT 4.0 you could use a tool called SU.EXE from the Resource Kit), and enables administrators to use alternate logons, also known as secondary logons.

Sponsored Content

Passwords Haven’t Disappeared Yet

123456. Qwerty. Iloveyou. No, these are not exercises for people who are brand new to typing. Shockingly, they are among the most common passwords that end users choose in 2021. Research has found that the average business user must manually type out, or copy/paste, the credentials to 154 websites per month. We repeatedly got one question that surprised us: “Why would I ever trust a third party with control of my network?

As a security best practice, it is recommended that you do not log on to your computer with administrative credentials. Running your computer as a member of the Administrators group makes the system vulnerable to Trojan horses attacks and other security risks.

It is recommended that you use a regular, non-administrative user account to perform routine tasks, including running programs and visiting Internet sites. When it becomes necessary to perform administrative tasks on the local computer or in Active Directory, use RunAs to start a program using administrative credentials.

RunAs allows you to accomplish administrative tasks without exposing your computer or data stored in Active Directory to unnecessary risk. While the RunAs feature can help administrators do their jobs more securely, you may not want ordinary users to have access to this feature.

To invoke RunAs, the user can use one of two methods:

Graphic User Interface – Right-click and shortcut and select "Runas" (In W2K and XP you sometimes might need to hold down the SHIFT key while right-clicking):

This article deals with disabling the GUI RunAs interface.

Command Line – use the RunAs command from the CMD or Run commands. For example, to run Active Directory Users and Computers you’d enter:

​runas /user: dpetri'administrator "mmc dsa.msc"

and then enter the correct password.

To disable the RunAs GUI interface follow these steps:

  1. Open Registry Editor.

  2. In Registry Editor, navigate to the following registry key:

  1. Create the following value (DWORD):


and give it a value of 1

Note: As always, before making changes to your registry you should always make sure you have a valid backup. In cases where you’re supposed to delete or modify keys or values from the registry it is possible to first export that key or value(s) to a .REG file before performing the changes.

  1. Close Registry Editor and reboot the computer.

Note: If you have Active Directory in your network you could use GPO to prevent users from using RunAs, by either stopping the Secondary Logon service at a GPO level, or by using Software Restrictions at the GPO level and blocking the RunAs.exe file.

Related articles

You might also want to read the following related articles:


Rename or Delete Special Folders

Related Topics:

Live Webinar - Thursday, December 2nd! Active Directory Masterclass: AD Configuration Strategies for Stronger SecurityREGISTER NOW - Thursday, December 2, 2021 @ 1 pm ET

Active Directory (AD) is leveraged by over 90% of enterprises worldwide as the authentication and authorization hub of their IT infrastructure—but its inherent complexity leaves it prone to misconfigurations that can allow attackers to slip into your network and wreak havoc. 

Join this session with Microsoft MVP and MCT Sander Berkouwer, who will explore:

  • Whether you should upgrade your domain controllers to Windows Server
    2019 and beyond
  • Achieving mission impossible: updating DCs within 48 hours
  • How to disable legacy protocols and outdated compatibility options in
    Active Directory

Sponsored by: