Solved

Security change in XP sp3 and windows 7

Posted on 2010-09-15
14
257 Views
Last Modified: 2012-05-10
This was brought to my attention today by one of our helpdesk staff. In the past using windows xp sp2 we used to be able to select the internet explorer icon from the quick launch bar right click and select run as. This would allow you to enter alternate credentials, say those of an administrator. '

At this point you would be running internet explorer as the admin user account. I have confirmed that this part still works. Using the run as on internet explorer you can still open an ie window as admin user.

Now here is the tricky part. In service pack 2 what you used to be able to do was type C:\ in the admin internet explorer session and you would then get an explorer window that appeared that was also running in an admin context. From this explorer window you could do pretty much anything you wanted add/delete files, add printers, etc.

It appears that in xp sp3 and windows 7 there was some kind of security modification made that no longer allows you to do this. You can launch the admin IE session but when you type C:\ and hit enter you are present with an explorer window using the currently logged on username. Tested this by running the echo %username% command.

Furthermore even directly right clicking and selecting run as on a cmd.exe in windows/system32 will allow it to open as the user you enter credentials for but when you attempt to run explorer.exe nothing will happen.

Its almost as if MS disabled the running of explorer.exe as anyone but the logged on user account. Does anyone know if this is true and if so is there a way around this? Is there any documentation as to why this might have been done?
0
Comment
Question by:Joseph Daly
  • 7
  • 5
  • 2
14 Comments
 
LVL 35

Author Comment

by:Joseph Daly
ID: 33684674
An example of the steps I am referring to can be seem here as option 1
http://blogs.msdn.com/b/aaron_margosis/archive/0001/01/01/175488.aspx

This is an MS page so at some point this had to be an accepted method of doing this. Not sure when or why this changed.
0
 
LVL 22

Expert Comment

by:Adam Leinss
ID: 33685019
You can do 95% of admin like "stuff" by doing a Run-As on cmd.exe in XP.  Anything launched from this command shell will be ran with admin credentials (doesn't work with explorer.exe: that's the exception).  This works great for MMC snap-ins like COMPMGMT.MSC  If you right-click in the white space of the printers folder and hold down the left-shift key, you should get a "Run-as" option.  
File security can be set use cacls...is it a GUI?  No.  Does it do the same thing?  Yes.
You will need to know command line pretty good.  The only thing I've found that is impossible to Run-As administator are the settings for networking components.
0
 
LVL 35

Author Comment

by:Joseph Daly
ID: 33685048
I know all of this and have used some of this in the past. But I know for certain and the MS article confirms it that at one point you could do a run as internet explorer and then switch to explorer.exe to do pretty much any administrative actions.

It looks like this feature is now gone.
0
 
LVL 22

Assisted Solution

by:Adam Leinss
Adam Leinss earned 250 total points
ID: 33685252
This part at least works (I tried it on Windows XP SP3):
runas.exe /u:administrator "explorer.exe /separate"
From: http://www.krunk4ever.com/blog/2006/12/01/how-to-run-explorerexe-as-another-user/
But I don't know how that really helps you, unless you are trying to copy files to protected folders or want a GUI for setting security permissions.  How would you add a printer from this explorer window?
0
 
LVL 35

Author Comment

by:Joseph Daly
ID: 33685358
Once you open switch from internet explorer to explorer by entering c:\ in the address bar you get a new explorer window. From here you can type control panel and you will be taken to the control panel as an administrative user. From here you can change anything you like.
0
 
LVL 22

Expert Comment

by:Adam Leinss
ID: 33685448
Ah, OK.  So this trick above does work (at least on XP) and I just learned something new today.  You can pick off the Control Panel in this new admin explorer.  You can just create a batch file on a network drive up the above command and that will let them do the run-as trick on explorer without typing it out each time.
0
 
LVL 22

Expert Comment

by:Adam Leinss
ID: 33685593
Seems work on Windows 7 x86 as well, although I had to type out "Control Panel" and since the account I logged into was not an admin, I got presented with an UAC box each time.
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 
LVL 35

Author Comment

by:Joseph Daly
ID: 33686036
Yes but the original steps I posted in my question and the ones in the MS article no longer work. Have you tested those and confirmed?
0
 
LVL 22

Expert Comment

by:Adam Leinss
ID: 33686216
I didn't test all the functions listed on the MSDN blog: just networking, printers and file permissions from the Control Panel from the elevated explorer window.
I logged in as a normal user and used the command line above to launch another explorer.exe.  When I look at taskmgr, 1 explorer is under the normal user and other is under administrator.
 
0
 
LVL 22

Expert Comment

by:Adam Leinss
ID: 33686255
The original steps you listed in your question do not work anymore on XP/Windows 7. The command line Runas version seems to have the same functionality you listed as having in Internet Explorer 6 and doing a right-click runas on iexplore.exe.
0
 
LVL 35

Author Comment

by:Joseph Daly
ID: 33686293
I understand they do not work any longer the original question was when/how/why ms decided to remove this functionality. Im sure there has to be something out there on their reasoning.
0
 
LVL 22

Expert Comment

by:Adam Leinss
ID: 33686383
Yes, you asked two questions and I only answered one:
Does anyone know if this is true and if so is there a way around this? - True: use the runas command line to spawn explorer.exe as a separate process
Is there any documentation as to why this might have been done?
I'm not even going to pretend to guess why Microsoft did this, however, if you search "internet explorer 7 run-as" in Google, it appears that the functionality of being able to run-as explorer changed between Internet Explorer 6 and Internet Explorer 7, and it really is not a difference between SP2 and SP3 for Windows XP.  In fact, when I run explorer.exe using /separate, I get the Internet Explorer banner: Local Disk (C:) - Windows Internet Explorer provided by ... in the title bar of the newly spawned explorer process.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 33688579
SP2 and SP3 work fine using runas, it was the change to IE7/8 that removed the "feature" you are referring to. Steps above using cmd.exe work great for MOST things, but if you want a GUI, you would need to.....

Launch cmd.exe as an alternate user (RunAs)
taskkill /f /im explorer.exe
then start explorer.exe from the command shell...

Takes a few more steps, but still gets you the same functionality of the GUI/Explorer......I have tested this many times on XP SP2/3, regardless of browser version....
0
 
LVL 66

Accepted Solution

by:
johnb6767 earned 250 total points
ID: 33688588
ALso, to get more to your original Q, I remember reading an article that the RunAs of IExplore.exe, the way you could navigate the filesystem/control panel etc..., was not intended. It was determined to be a security risk, but at the same time, it was a welcomed side effect from the userbase point of view. Wasnt until IE7 came out where they decided to close the risk for good.....

Im sorry, I dont have any documentation, but just going off memory....
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

The use of stolen credentials is a hot commodity this year allowing threat actors to move laterally within the network in order to avoid breach detection.
In this article, I will show you HOW TO: Install VMware Tools for Windows on a VMware Windows virtual machine on a VMware vSphere Hypervisor 6.5 (ESXi 6.5) Host Server, using the VMware Host Client. The virtual machine has Windows Server 2016 instal…
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
The viewer will learn how to successfully download and install the SARDU utility on Windows 7, without downloading adware.

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now