# Runas

## Windows Credential Manager

**Windows Credential Manager** is a Windows built-in password manager that holds all the stored credentials. It can be access by visiting "Control Panel -> User Accounts -> Credential Manager". In command line, it can be accessed by the `cmdkey` command:

```powershell
cmdkey /list
```

If Administrator's stored credential is found, we can call `runas.exe` to get a SYSTEM shell.

## Runas

Call `runas.exe` to get a SYSTEM shell if Administrator's stored credential is found in Windows Credential Manager:

```powershell
C:\Windows\System32\runas.exe /savecred  /user:<username> /profile "C:\Windows\System32\cmd.exe"
```