And so this is Vista…

re: And so this is Vista…

abqbill (Bill Stewart) — Thu, 08 Apr 2010 15:47:55 GMT

It is not currently possible to run Windows Explorer elevated in Windows 7. See:

http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/1798a1a7-bd2e-4e42-8e98-0bc715e7f641/

My answer is to use Explorer++ (http://www.explorerplusplus.com/) -- it even has a privilege level display option.

HTH, Bill

re: And so this is Vista…

Bob L — Sat, 05 Sep 2009 17:29:41 GMT

Unfortunately Windows 7 seems to have changed the rules a bit. Nothing I have found and tried so far seems to get Windows Explorer to run with administrator rights turned on.

Has anyone figured out a way to get Windows Explorer in Windows 7 to run with admin rights?

Thanks!

re: And so this is Vista…

Patrick Rynhart — Wed, 24 Dec 2008 13:00:49 GMT

Hi Aaron,

I think that Vista actually encourages people to add their account to the "Administrators" group - albeit constrained by UAC - because (AFAIK) it is not possible to obtain an elevated instance of Windows explorer from a Standard user account.

I am aware that OTS authentication is built in to Windows explorer, when logged on as a Standard user, but for users such as myself this is not practical (as it results in entering the credentials of an administrator repeatedly with every system-wide change). What is needed is an administrative instance of explorer that "sticks" (when required) for a Standard user.

I am aware that an elevated instance of a Command prompt can be started from a Standard user account but an elevated instance of explorer cannot be started from this prompt (because it is running under the credentials of a different user which is not supported under Vista).

From this point of view, therefore, true Limited User accounts are actually "better" under Windows XP than in Windows Vista because, with Windows XP, a Limited User can use runas or MakeMeAdmin to invoke an Administrative instance of explorer.

I'm not convinced that the approach taken with UAC was the best, i.e. "constraining administrators" as opposed to getting people to be members of only the Users group (i.e. a true Standard User).

I note that your post above includes the statement:

"If you are a member of the Administrators group on Vista, it's effectively the same as being a standard user...."

This reinforces my point. Windows Vista *encourages* people into the Administrators group. This should be turned around, i.e. "If you're a Standard User you can escalate to an Administrative context when required by..."

I thought that the point of "least privilege" was to get users out of the Administrators group. In this sense, IMHO, UAC has become an enormous "tangent" on the road of least privilege for Windows users.

Regards,

Patrick

re: And so this is Vista…

Vince Mancini — Sat, 13 Sep 2008 18:54:02 GMT

OK thank you again.

Since there is no security boundary between a low process and an elevated one on the same desktop, it’s clear that the safest way to run is to not elevate the standard user account, but instead to use Fast User Switching to open an admin account to do admin tasks when they come up. But sometimes the user has gone through 3 or 4 steps in a process and then is presented with the elevation prompt. If the user then switches to the admin account he must go through all those steps again to reach the same point where admin rights were necessary. Or is there a way to switch to the admin account and have it continue from the point where the standard account left off?

Thanks

re: And so this is Vista…

Vince Mancini — Fri, 12 Sep 2008 18:49:00 GMT

OK thanks for the info.

In my reading I've come across references to file system and registry virtualization in the standard user accounts. Does this do anything to increase security/block malware for the standard user?

Thanks

[Aaron Margosis] No -- file/registry virtualization is an application compatibility technology. What file/registry virtualization do is that when a "legacy" app tries to write to protected areas (e.g., %ProgramFiles%, %windir%, HKLM\Software), Windows silently redirects that access to a "virtual store" in the user's profile, where the user has permission to write. The modifications are then visible to that user but not to others on the same machine.

re: And so this is Vista…

Vince Mancini — Thu, 11 Sep 2008 18:01:53 GMT

I’ve been running Vista Home Premium as a Standard User, and it seems to be perfectly usable. My initial thought was that the only difference between a standard user account and an administrator account (the regular admin account, not the hidden admin account) is that when it is necessary to elevate the rights for the task at hand, the standard account needs to input an admin username and password, while the regular admin account only needs to click Continue in the UAC dialog. But then I started to notice a few other subtle differences, so I decided to run a few limited tests of my own. I've found that an unelevated standard user account is definitely NOT the same as an unelevated (regular) administrator account.

This can be seen if you open either regedit or services.msc. The admin is presented with the UAC elevation prompt, and can then make changes. On the other hand, the standard user is NOT presented with a UAC prompt, and the standard user is only able to view the settings, and is unable to change them. If the standard user instead right clicks and selects Run As Administrator, then he is able to make changes.

So since it is clear that this difference exists, I am wondering what other differences there are between an unelevated standard user and an unelevated administrator. Of particular interest is whether malware that gets installed on a standard account (whether when elevated or not) is limited in the harm it can do.

Are there any pages from Microsoft that detail the differences, or can you share what you know?

Thanks

[Aaron Margosis] Great observations and questions. So, first of all... there are various mechanisms that determine whether an app prompts for elevation when it starts. The vast majority of apps will be either "runAsInvoker" (app run in the same context as the app that started it), or "requireAdministrator" (prompt for elevation if the app that started it wasn't already elevated). There is one more marking, "highestAvailable", which acts like "runAsInvoker" for standard user and "requireAdministrator" for admin accounts. Both regedit.exe and mmc.exe are marked "highestAvailable". It's not ideal, and it's a rare app where such a marking can even be considered appropriate. Note that they aren't strictly read-only for std user -- anything that the std user is allowed to change can still be changed. For regedit that would mostly be HKCU; for services.msc (which is actually run by mmc.exe) the user would be able to start/stop any services that granted the user those rights. (Off the top of my head I don't remember any.)

Other main differences between Vista std user and admin, particularly as pertains to security and defense against malware... As long as you never run anything elevated, risk of unauthorized elevation of privilege through your user session is about the same. The risk is probably higher for admin than for std user, because the admin's profile information (preferences etc) is generally writable before elevation and may be consumed by apps that are elevated. When using a std user account, the elevated app is looking at a different user profile.

That said, as Mark Russinovich has pointed out, UAC/elevation is not a watertight security boundary, so there is always some risk regardless of whether you're using a std user or admin account.

re: And so this is Vista…

Kyle Hamilton — Fri, 21 Mar 2008 12:53:40 GMT

Okay. I'm on Vista Home Premium. I need to run chkdsk on my drive, and I'm most comfortable doing that from the command prompt.

How can I do this? runas /showtrustlevels shows me that:

0x20000 (Basic User)

is the only trust level that is available on my system.

I'm the computer owner account, I can set things to run with high integrity, I can run things with high integrity, I can get the UAC prompt and just click 'accept'.

So what do I do? How do I do this?

And what can I do so that I don't need to upgrade to Business just to be able to do my machine maintenance the way I'm used to?

[Aaron Margosis] RunAs.exe will let you run things at the same integrity level, but not higher. Can't you just elevate a command prompt and run it from there?

re: And so this is Vista…

Jack — Thu, 03 Jan 2008 07:58:03 GMT

"This can be addressed by changing the elevation behavior for administrators from "prompt for consent" to "prompt for credentials". "

How do I do this?

[Aaron Margosis] Administrative Tools, Local Security Policy (secpol.msc): Local Policies, Security Options, "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode."

re: And so this is Vista…

Gordon — Sat, 20 Oct 2007 00:37:28 GMT

Great post Aaron,

I've been doing a lot of work trying to design a Vista environment that is useable for our users while still trying to keep UAC enabled. I have to say that it has been a challenge. I'm not certain that it will be possible to keep it enabled in the end.

For our administrative type users, the inability for Explorer.exe to run with the elevated token has caused a lot of heart-ache. It's been fun teaching some of the younger chaps how to work in an elevated DOS CMD prompt since that is about the only place they can actually get any of their work done when UAC is doing its thing. Forcing our admin scripts to launch HTML and VBS files by first opening an elevated CMD window instead of an elevated Explorer window has made things very ugly indeed.

Currently my answer for everything is "run it from an elevated CMD window". I wish I had a better answer. I was hoping to use your tricks published above to get an Explorer window to elevate, but to no avail. I guess those loopholes have been closed. Since a few months have passed, I was wondering if you have found any other ways of getting Explorer to go?

At the moment I'm thinking it might be time to go back to those old 3rd party explorer tools we used in the Win NT days since I should be able to spawn them in their own process. They should let me copy files and open html type extensions.

re: And so this is Vista…

TheJag — Tue, 02 Oct 2007 02:49:56 GMT

Sorry jumped the gun in posting a reply... I missed that bit about IE and explorer entertaining multiple accounts on the same desktop. switch user helps but you gotta open up everything once again...