I'm having a mystery.
I have a Windows 7 PC, I am an administrator on it. But, I have a software tool that still requires me to run it with "Run as Administrator" to work properly. Why isn't it enough just to be the admin and just run it with double-click?
The thing gets complicated - I have another PC with a user that is an administrator also, and the tool runs there just with double-click properly.
What could be the difference between the PCs? In both of them, the user is an administrator!
Thanks for any help,
This is the impact of the User Account control (UAC), which assigned 2 tokens to admin accounts and runs the shell (explorer) and all started programs by default with the filtered token which represents standard user rights. To request admin rights, you have to right click and select “Run as administrator”.
Related
i am developing a desktop application.
how can i make it to always run as admin for non-admin user without UAC and admin password by making change in windows registry.
windows change registry option would be preferred but if there is any other option please tell.
any help will be appreciated
thanks
There is no such feature. The point of UAC is to ensure the user is aware that the program being started will have access to admin privileges. If there were a way to turn that off, then malware would do it.
The user can disable the UAC prompts via a control panel setting, but not for a particular program.
If your program always requires admin privileges to do what it needs to do, you should have an entry in its manifest. Modern versions of Visual Studio have options in the project settings for the executable for setting common items like this in the manifest automatically.
My school has blocked literally everything on my windows laptop, I can't access cmd, gpedit.msc, regedit, setting/control panel and pretty much anything else you could think of that could disable admin restrictions. So how would i disable admin restrictions, i'm uses windows 10 (can find edition as info is blocked).i just need to be able to access one of the above mentioned things
You can not disable "admin restrictions" if you are not part of the admins group.
The Administrator is the account who can change any configuration in your computer.
There is a group called "Administrators" those accounts can change any configuration in your computer too if they have the administrator role asigned to that group.
By default the first account in your PC is the administrator.
Check this link for a better explanation.
try opening cmd using powershell by typing
"start cmd"
I would like to run an executable as a different user in ant on Windows. I was thinking of invoking PsExec to run on the same machine and passing in a username and password. Is there a better way to do this? The answers I have found so far are for running ant on Linux/Unix.
Thanks.
You can use the runas utility to run an executable as a different user.
Allows a user to run specific tools and programs with different permissions than the user's current logon provides.
In windows versions previous to Windows 7, you should be able to simply right click on the executable and select "Run As". You can then select the user from a drop down list of available users.. In Windows 7, this option has been replaced with the "Run as Administrator" option.
From the windows pages at Microsoft:
http://windows.microsoft.com/en-us/windows-vista/What-happened-to-the-Run-as-command
If you are logged on as a standard user, you can also use the Run as administrator command to run a program as another user, even if the user does not have an administrator account. To do this, click Run as administrator, and then select the user account. If you are logged on as an administrator, you will need to type runas.exe /user name in the Command Prompt window if you want to run a program as another user.
I have a Windows 7 development machine and I am constantly encountering the "you do not have enough permissions" when running certain programs or trying to access log files. I am the only user on the machine and my account is part of the administrators group. Is this part of Microsoft's UAC "protection"? If so, is there a way to remove it so that an administrator account has full admin rights.
Usually, you can right click and select "Run as Administrator" to elevate the privilege. I believe, You can also turn it off from control panel (search for "User access control" in control panel). I would not recommend it though. If you have applications to start up with that privilege, you might want to modify the shortcut to have "Run as Administrator" set so that it will challenge you as soon as it starts.
I've read several questions regarding UAC and privilege elevation but I've not found a satisfactory/comprehensive answer.
I have this scenario: on Windows 6 or above, when the user opens a configuration window I have to show the shield (BCM_SETSHIELD) on the OK button only if privilege elevation will be required to complete the task. -- I do know that in the Windows UI the shield is always visualized for "administrative tasks", even if UAC is disabled, but the customer had this specific request.
I have draft this condition in order to show the icon:
The user has not administrative rightsOR
The current process has TOKEN_ELEVATION_TYPE == TokenElevationTypeLimited
The condition #1 is simple: if the user hasn't administrative rights elevation is always required regardless of UAC. The #2 implies that the user has administrative rights, and any other value of TOKEN_ELEVATION_TYPE means that elevation is not needed.
Is really that simple? I am missing something? And - there's a documented or well-known pattern regarding this topic?
You are right. Most people just put the shield on if the button will be running elevated, but the right thing to do is to put the shield on if the button will cause elevation (ie suppress it if you are already elevated, since everything you launch will remain elevated unless you go to some trouble to launch a non elevated process, and suppress it if UAC is off.)
The good news is that if someone in the Administrators group runs (under UAC) an application non-elevated, you'll get back false when you ask if they are an admin or not. So I think you might be ok with just that one test.
I see that there is a lot of confusion about this topic and the answer from Kate here is not correct and incomplete.
Since Vista an Admin may be logged in but his processes do not run elevated automatically. An Admin has a so called "Split Token". This means that there may be processes running for the SAME admin user, and some of them run elevated and other do NOT run elevated. When an Admin runs a not elevated process, some of the privileges of his token have been removed. It is not anymore as in XP where ALL processes run either elevated or not elevated.
Install Process Explorer from www.sysinternals.com and enable the column "Integrity Level". If you see there "Medium" this process does not run elevated. If you see there "High" the process runs elevated. If the process runs with Integrity level "High" no UAC prompt is required to start another process elevated.
When UAC is completely turned off, ALL processes run "High", so no elevation is required never. UAC can be turned off under
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
setting the key "EnableLUA". Changing this setting requires reboot.
But there is another point that was not yet mentioned here.
In Control panel it is possible to configure "Elevate without prompting". And in this case an Admin user can start an elevated process from another not elevated process and NO UAC prompt will show up.
This setting is stored under the same registry path in the key "ConsentPromptBehaviorAdmin" for admin users.
For all non-admin users there is the key "ConsentPromptBehaviorUser" but this changes only the bahavior, but elevation cannot be turned off. Non-admins will always get an UAC prompt. (if UAC is not completely off)
How do you know if your process runs elevated:
Call OpenProcess(), then OpenProcessToken(), then GetTokenInformation(TokenElevation).
And to get the Integrity Level call GetTokenInformation(TokenIntegrityLevel) and then GetSidSubAuthority()
So if you want to show your icon only if elevation is really required you must check if your process runs elevated and additionally check these registry keys and you must know if the user is an admin or not. This involes several lines of code and I would consider to show this icon always when elevation may be required to keep it simple.
Please note that the API IsUserAnAdmin() is deprecated. It must not be used anymore since Vista. Checking if a user belongs to the administrators group is much more code now.