No matter how I open it, cmd.exe always opens with admin privileges. How can I open it without? Is there some registry setting missing? Even if I open it directly from the run dialog or by double clicking in the system32 folder it still opens with admin privs.
Thanks.
Found out I was missing a registry key. In HKEY_CLASSES_ROOT\Directory\shell\cmd I was missing the String Value "Extended". Added this back in and restarted the machine got rid of the defaulting to admin privileges.
EDIT: I had UAC turned off for my profile (to stop incessant "are you sure you want to open this .exe" warnings), and turning that back on has stopped cmd always running with greater privileges.
After some unclear actions (switch UAC on/off ?) I ended up in the same situation as described above:
Cmd.exe always starts in Adminstration mode.
Linking in VS failed with the message:
Project : error PRJ0003 : Error spawning 'C:\windows\system32\cmd.exe'.
The Properties | Compatibility tab is greyed out, so switching this off seems impossible (Compatibility modes cannot be set on this program because it is part of this version of Windows).
To recover from this situation you have to edit the registry to remove the RUNASADMIN preferences that is associated with cmd.exe.
The 'RUNASADMIN' preference is stored in these registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Delete the values named c:\windows\system32\cmd.exe and you are back in business !
Kees
Right click on the cmd.exe, select properties and check the compatibility tab. Is the Run this program as an administrator checkbox checked?
This is only happening because you're logged in as a user with administrative privileges.
Since doing so defeats the entire Windows security model, you shouldn't be doing that in the first place. Create a standard user account and log in with that, instead. The command prompt should then not open with administrative privileges since you don't have administrative privileges.
If, as a standard user, you need to open a command prompt with administrative privileges, you'll need to right-click on the shortcut and select the "Run as Administrator" option (just look for the UAC shield). You'll need to provide sufficient credentials to authenticate yourself as an administrator, and then you'll have the authority to wreak whatever havoc you wish.
Found a way to run as a specific user even when UAC is turned off from http://www.sevenforums.com/general-discussion/235987-run-cmd-exe-given-user-administrator-command-line.html
This is the way to start cmd.exe as any user. Replace "username" with the correct one:
cmd.exe> runas /user:username "cmd.exe"
Right click on the cmd shortcut, navigate to properties, select advanced options and uncheck the 'Run as admin' option.
Check this video for better understanding - https://www.youtube.com/watch?v=3Mxh5TNSIl8&list=PLg8CURsOKswrzPs9fMhnmdy9TP7AkOOX1&index=1
Related
I have VS2015 set up so that it always runs as administrator (a la something like this https://superuser.com/a/468056/48346).
Now I want to create an AHK script to launch Visual Studio and run a few UI / Keyboard commands to get it ready for me - I want this script to run at login but that's a later problem.
The Null solution is obviously to turn UAC off, but I don't want to do that.
So far I'm stuck on the way the UAC prompt always grabs the whole screen and I can't use AHK to click the "yes" button or send any keyboard commands to press enter or something like that. I guess this is the whole point of the UAC prompt, not to allow anything to do it for me.
Is there no way to open VS without the UAC prompt showing? I'd need to open a specific solution file, so if it's possible from the command line, the solution file would need to be included in the command so that it opens.
So far I've tried the AHK command RunAs, but I couldn't get that to work - my personal user is a domain user that's a member of the admin group on my local machine. I tried creating a specific runner account with admin privileges and use the RunAs command with that, but that didn't work. I get an access is denied when I run this AHK code:
RunAs, runner, password, LocalComputer-Name
Run, %comspec% /k "start c:\Users\myacc\Documents\path\solution.sln"
The runner account is in the Administrators group on my local machine, which has full access to the folder where the solution file is stored including the file itself - so I don't understand why access is denied.
Is this not possible?
Ps. I'd ask this question on the AHK forum, but registering there seems to not send any confirmation email at all (no, it's not in my spam folder), so I can't post it there.
The answer is to schedule a task that runs with the highest privileges to run the script at logon. The problem I was really having was to construct and debug the script - running a task each time was cumbersome. So to debug the script, just right-click the script and select "Run as administrator". Then the UAC prompt will pop up before the script starts running but not during the script. Then when the script is ready, just schedule a task to run at logon and check the "Run with highest privileges" option for the task. Then you can try the task by right-clicking the newly created task and selecting run, then you will see it run without the UAC prompt.
My final version of the script just opens the solution file using Run, no RunAs required - the scheduled task is set to run as my user, with the highest privileges.
Run, %comspec% /c "start c:\Users\myacc\path\solution.sln"
I'm having a mystery.
I have a Windows 7 PC, I am an administrator on it. But, I have a software tool that still requires me to run it with "Run as Administrator" to work properly. Why isn't it enough just to be the admin and just run it with double-click?
The thing gets complicated - I have another PC with a user that is an administrator also, and the tool runs there just with double-click properly.
What could be the difference between the PCs? In both of them, the user is an administrator!
Thanks for any help,
This is the impact of the User Account control (UAC), which assigned 2 tokens to admin accounts and runs the shell (explorer) and all started programs by default with the filtered token which represents standard user rights. To request admin rights, you have to right click and select “Run as administrator”.
Suppose I have a script that needs to read information from places that normal user is not permitted to read (e.g. other users' folders).
Currently all I can do is complain about not being run as a "superuser" and quit, but I would rather like the script to ask for elevation itself.
According to MSDN and PerlMonks, you can try:
Win32::FileOp::ShellExecute( runas => 'yourprogram.exe' )
or
Win32::FileOp::ShellExecute( runasuser => 'yourprogram.exe' )
These should (not tested) ask you for elevation when it is needed. (Works on Windows 7 only).
Related: Requesting Administrator privileges during runtime
If you're ok with launching through a shortcut, you can use the following:
Create a shortcut to perl.exe
Edit the shortcut.
On the Shortcut tab, change "Target" to
"c:...\bin\perl.exe" "c:...\script.pl"
[Optional] On the Shortcut tab, change "Start in" to the path of the directory in which your script resides.
On the Shortcut tab, click "Advanced", then check "Run as Administrator".
There's a tool called "runas", but I can't seem to get it to work without asking you for Administrator's password.
Tired of having no good answer to this question in my own work, I wrote Win32::RunAsAdmin. All it does is call the Windows Shell via OLE with "runas" as the verb, but it packages it conveniently so all you have to do is stick the following at the beginning of your code:
use Win32::RunAsAdmin qw(force);
During the import step, it will check for elevated privileges, and return silently if you're already running in elevated mode. Otherwise, it restarts the script in elevated mode with a UAC popup.
Running the very nice BGInfo tool to uniquely identify various computers. However, in trying to run on Windows 2008 Server R2, I am getting following error:
"An error occured opening the Default Desktop registry key. Please ensure the current user has rights to change the Logon Desktop settings: Access is denied."
The program is started via a shortcut placed in "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup", and that shortcut is specifying a .BGI configuration file (versus reading settings from the Registry). Thoughts on why the error happens for user other than the Administrator?
On a more in-depth level, I am curious if anyone knows why BGInfo must open the "default desktop registry key" and what it is updating in the "logon desktop settings" (phrase in quotes taken from the original error message)?
BGInfo needs to update the registry to set a default login desktop for all RDP users.
You need to run BGInfo with elevated privileges initially. That can be done as described by creed929 or by right-clicking on bginfo.exe and running as administrator. Once the settings are saved, subsequent user logins will not need the elevated privilege to see the BGInfo background.
From an administrator account. I was able to right click on bginfo.exe. Go to Compatibility tab and check the Run this program as an administrator. This seemed to then allow me to apply the settings without the Default Desktop registry key error.
I'm trying to document a work flow with a series of screen shots. At one point in the flow, a UAC prompt appears, and I'd like to grab a bitmap of it to make my storyboard complete. Because UAC prompts are on a virtual desktop (or something like that), the usual Alt+PrintScreen doesn't work. Any suggestions?
This method using the group policy editor should do the job:
1) Run gpedit.msc 2) Under Computer
Configuration\Windows
Settings\Security Settings\Local
Policies\SecurityOptions:
Change “User Account Control: Switch
to the secure desktop when prompting
for elevation” to disabled
Undo this change after the screenshot, because it makes the system less secure!
Change your UAC settings to disable the secure desktop, and then you can take the screenshot. In Windows 7, this is one of the options on the UAC slider, in Vista, I believe you need to configure the Security Policy.
Alternatively, run Windows in a VM and take a screenshot of that.
You can also remote desktop to the Windows 7 machine and run the screenshotter (or video capture) on the other machine. I've used this very successfully.
A step by step Guide
Step 1. Right click on the Program that you want to install and choose 'Run as administrator'.
Step 2. Now when the UAC Prompt appears, click on 'Change when these notifications appear'.
Step 3. Take the security Bar one-step down. Be sure to find that 'do not dim my desktop' is in the description. Now click on 'OK'.
Click on 'yes' when the UAC ask for permission.
Step 4. Now close all UAC Prompt dialog box. Again start from the beginning. You are now able to take a screenshot of the UAC Prompt dialog box with keyboard's print screen button or ms snipping tool.
Note that it will make your system less secure. So, make the security level as previous after the completion of your need.
Alternative to Michael Goldshteyns answer
You can more quickly achieve the same by copying the first registry command below and pasting it into an elevated command prompt, then hit enter.
To turn off PromptOnSecureDesktop:
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /V "PromptOnSecureDesktop" /T "REG_DWORD" /D "0x00000000" /F 1>NUL
This will turn off SecureDesktop, leaving the computer vulnerable, but you will be able to screenshot the UAC prompts.
All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.
To turn on PromptOnSecureDesktop:
This will turn on SecureDesktop.
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /V "PromptOnSecureDesktop" /T "REG_DWORD" /D "0x00000001" /F 1>NUL
All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
⚠ Important: After you are done, make sure you revert the command by turning PromptOnSecureDesktop off.
Simple method: Use windows accessory SnippingTool from MS. It just works!