
Su.exe


Default Assumptions

If no command line is specified, the command line specified by the %comspec% environment variable is executed.

Syntax Listing

su user ["cmdline"] [domain] [[winstation\]desktop] [options] [{-b | -i | -n | -s}]

user
specifies the user name for the new process. Must be the first non-switch argument. This is the only required argument.
"cmdline"
specifies the command line to execute as user. Must be the second non-switch argument. This argument is optional. If it contains spaces, it must be surrounded by quotation marks.
If "cmdline" is not specified, the default command processor specified in the environment variable %comspec% is executed.
domain
specifies the domain name for the target user. Must be the third non-switch argument. This argument is optional.
If it is not specified, default domain lookup will occur. In this case the domain lookup is executed in the following order, until the domain for the target user is found:
Well-known, built-in, local accounts, primary domain, trusted domains.
Specifying "." as the domain limits the search for the user account to the local computer.
[winstation\]desktop
specifies the target windowstation and desktop for the new process. Must be the fourth non-switch argument. This argument is optional.
Winsta0\Default is the user default interactive windowstation and desktop. This argument can be specified with only the desktop name. Not specifying a windowstation name causes the process to run on the current windowstation in the supplied desktop. When specifying a windowstation, the windowstation and desktop pair must be ordered as follows: windowstationname\desktopname. Not specifying any desktop for the new process causes the process to run on the same windowstation and desktop from which SU was launched, launching a child on the current winstation\desktop.
options
are one or more option switches, also called flags, that can be specified in any order anywhere on the command line. All switches are optional.
-cb
does not create a new console.
If the new process is a console process, it inherits the console of the caller.
This option should not be combined with -w when starting console applications.
This switch should also not be used with redirected passwords.
-dn
does not switch to a new desktop, if one was specified.
If the new process is set to run on a desktop which differs from the current desktop, the default behavior is to switch to the new desktop, making the new desktop active and bringing it to the foreground. This option overrides the default and prevents switching to the new desktop.
Note that SU does not return until the new process exits, unless the -w switch is specified.
-e
disables environment preparation. The parent environment is inherited.
This option prevents preparation of the user environment for the new process, instead causing the environment to be inherited from SU.
-g
forces GUI option prompting with supplied command-line arguments.
-l
disables loading of the user registry hive. Default is used instead.
This option prevents loading of the user registry hive for the target user. If the hive happens to be loaded for the target user, the new process behaves the same way with HKEY_CURRENT_USER that it would if -l were not specified. If -l is specified without -e, a user-default environment is created for the new process, as opposed to creating a user-specific environment for the new process.
-v
displays verbose output to STDOUT (standard output).
This option displays details related to the creation of the new process.
-w
does not wait on the child process. The registry hive remains loaded.
When this option is specified, SU does not wait for the new process to exit before returning to the caller. This means that SU cannot unload the user registry hive for the target user if a hive was loaded on behalf of that user. This flag should not be combined with the -cb flag when starting a console-based application; if it is, console output is intermixed.
{-b | -i | -n | -s}
One of the following logon types may also be specified as an option. The default type is interactive.
-b
batch
The target user must possess the SeBatchLogonRight logon right. This logon type is not used by Microsoft, but is available for use in custom applications.
-i
interactive
The target user must possess the SeInteractiveLogonRight logon right. Interactive is the default logon type for SU.
This is the same logon type that occurs when a user physically logs onto a computer running Windows 2000.
-n
network
The target user must possess the SeNetworkLogonRight logon right.
-s
service
The target user must possess the SeServiceLogonRight logon right.
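
The following is an added example, not part of the original SU documentation or the tool itself: a small Python checker that reads an su command line as the syntax listing above describes it, reports which logon right the target account needs, and flags the switch combinations the listing warns about. The function name audit_su and the sample account, domain and script names are assumptions made for illustration; switches are matched exactly as spelled in the listing.

```python
import shlex

# Logon-type switches and the right each requires, as given in the syntax listing.
LOGON_RIGHTS = {"-b": "SeBatchLogonRight", "-i": "SeInteractiveLogonRight",
                "-n": "SeNetworkLogonRight", "-s": "SeServiceLogonRight"}
OPTIONS = {"-cb", "-dn", "-e", "-g", "-l", "-v", "-w"}
POSITIONAL = ("user", "cmdline", "domain", "desktop")  # fixed order of non-switch arguments

def audit_su(line):
    """Return (parsed fields, findings) for one su command line (hypothetical helper)."""
    # posix=False keeps the backslash in winstation\desktop and a quoted cmdline as one token.
    tokens = shlex.split(line, posix=False)
    if tokens and tokens[0].lower() in ("su", "su.exe"):
        tokens = tokens[1:]
    switches = [t for t in tokens if t.startswith("-")]
    args = [t.strip('"') for t in tokens if not t.startswith("-")]
    parsed = dict(zip(POSITIONAL, args))
    findings = []
    if not args:
        findings.append("user is required and must be the first non-switch argument")
    if len(args) > len(POSITIONAL):
        findings.append("more than four non-switch arguments")
    for s in switches:
        if s not in OPTIONS and s not in LOGON_RIGHTS:
            findings.append("switch not in the syntax listing: " + s)
    logon = [s for s in switches if s in LOGON_RIGHTS]
    if len(logon) > 1:
        findings.append("more than one logon type: " + " ".join(logon))
    parsed["logon"] = logon[0] if logon else "-i"  # interactive is the default
    parsed["required_right"] = LOGON_RIGHTS[parsed["logon"]]
    if "-cb" in switches and "-w" in switches:
        findings.append("-cb with -w: console output is intermixed for console applications")
    if "-w" in switches:
        findings.append("-w: su does not wait, so a loaded user registry hive is not unloaded")
    if "-e" in switches:
        findings.append("-e: the new process inherits the caller's environment")
    return parsed, findings

# Constructed sample invocations (account, domain and script names are made up).
SAMPLES = [r'su backupsvc "cmd /c backup.cmd" . -b -v',
           r'su admin "cmd /k" CORP Winsta0\Default -w -cb']

if __name__ == "__main__":
    for sample in SAMPLES:
        fields, notes = audit_su(sample)
        print(sample, fields, notes, sep="\n  ")
```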