  • Status: Solved

Security change in XP SP3 and Windows 7

This was brought to my attention today by one of our helpdesk staff. In the past, using Windows XP SP2, we used to be able to select the Internet Explorer icon from the Quick Launch bar, right-click and select Run as. This would allow you to enter alternate credentials, say those of an administrator.

At this point you would be running Internet Explorer as the admin user account. I have confirmed that this part still works. Using Run as on Internet Explorer you can still open an IE window as the admin user.

Now here is the tricky part. In Service Pack 2 what you used to be able to do was type C:\ in the admin Internet Explorer session and you would then get an Explorer window that appeared that was also running in an admin context. From this Explorer window you could do pretty much anything you wanted: add/delete files, add printers, etc.

It appears that in XP SP3 and Windows 7 there was some kind of security modification made that no longer allows you to do this. You can launch the admin IE session, but when you type C:\ and hit enter you are presented with an Explorer window using the currently logged on username. Tested this by running the echo %username% command.

Furthermore, even directly right-clicking and selecting Run as on cmd.exe in windows/system32 will allow it to open as the user you enter credentials for, but when you attempt to run explorer.exe nothing will happen.

It's almost as if MS disabled the running of explorer.exe as anyone but the logged on user account. Does anyone know if this is true and if so is there a way around this? Is there any documentation as to why this might have been done?
Asked: Joseph Daly
 
Joseph Daly (Author) commented:
An example of the steps I am referring to can be seen here as option 1:
http://blogs.msdn.com/b/aaron_margosis/archive/0001/01/01/175488.aspx

This is an MS page so at some point this had to be an accepted method of doing this. Not sure when or why this changed.
 
Adam Leinss commented:
You can do 95% of admin-like "stuff" by doing a Run-As on cmd.exe in XP. Anything launched from this command shell will be run with admin credentials (doesn't work with explorer.exe: that's the exception). This works great for MMC snap-ins like COMPMGMT.MSC. If you right-click in the white space of the printers folder and hold down the left-shift key, you should get a "Run-as" option.
File security can be set using cacls... is it a GUI? No. Does it do the same thing? Yes.
You will need to know the command line pretty well. The only thing I've found that is impossible to Run-As administrator are the settings for networking components.
 
Joseph Daly (Author) commented:
I know all of this and have used some of this in the past. But I know for certain, and the MS article confirms it, that at one point you could do a Run as on Internet Explorer and then switch to explorer.exe to do pretty much any administrative actions.

It looks like this feature is now gone.
 
Adam Leinss commented:
This part at least works (I tried it on Windows XP SP3):
runas.exe /u:administrator "explorer.exe /separate"
From: http://www.krunk4ever.com/blog/2006/12/01/how-to-run-explorerexe-as-another-user/
But I don't know how that really helps you, unless you are trying to copy files to protected folders or want a GUI for setting security permissions. How would you add a printer from this explorer window?
 
Joseph Daly (Author) commented:
Once you switch from Internet Explorer to Explorer by entering c:\ in the address bar, you get a new Explorer window. From here you can type control panel and you will be taken to the Control Panel as an administrative user. From here you can change anything you like.
 
Adam Leinss commented:
Ah, OK. So this trick above does work (at least on XP) and I just learned something new today. You can pick off the Control Panel in this new admin explorer. You can just create a batch file on a network drive with the above command and that will let them do the run-as trick on explorer without typing it out each time.
 
Adam Leinss commented:
Seems to work on Windows 7 x86 as well, although I had to type out "Control Panel" and since the account I logged into was not an admin, I got presented with a UAC box each time.
 
Joseph Daly (Author) commented:
Yes, but the original steps I posted in my question and the ones in the MS article no longer work. Have you tested those and confirmed?
 
Adam Leinss commented:
I didn't test all the functions listed on the MSDN blog: just networking, printers and file permissions from the Control Panel from the elevated explorer window.
I logged in as a normal user and used the command line above to launch another explorer.exe. When I look at taskmgr, 1 explorer is under the normal user and the other is under administrator.

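A scripted version of the Task Manager check described in the comment above, added here as an example and not part of the original thread: it lists every explorer.exe with its owning account and flags any instance whose owner differs from the first explorer.exe started in the same session. Treating that first instance as the logon shell is an assumption, and the account names in the sample are constructed.

```powershell
# Added example (Windows PowerShell 2.0+): who owns each explorer.exe?
function Get-ExplorerOwner {
    Get-WmiObject -Class Win32_Process -Filter "Name = 'explorer.exe'" |
        ForEach-Object {
            $owner = $_.GetOwner()
            # A non-zero ReturnValue means the caller may not query this process
            if ($owner.ReturnValue -eq 0) {
                $account = "$($owner.Domain)\$($owner.User)"
            } else {
                $account = '<access denied>'
            }
            New-Object PSObject -Property @{
                ProcessId   = $_.ProcessId
                SessionId   = $_.SessionId
                Owner       = $account
                Started     = $_.ConvertToDateTime($_.CreationDate)
                CommandLine = $_.CommandLine
            }
        }
}

function Find-AlternateUserExplorer {
    param([object[]]$Processes = @(Get-ExplorerOwner))
    foreach ($session in ($Processes | Group-Object SessionId)) {
        # Assumption: the earliest explorer.exe in a session is the logon shell
        $ordered    = @($session.Group | Sort-Object Started)
        $shellOwner = $ordered[0].Owner
        $ordered | Where-Object { $_.Owner -ne $shellOwner } | ForEach-Object {
            $_ | Add-Member -MemberType NoteProperty -Name ShellOwner `
                            -Value $shellOwner -Force -PassThru
        }
    }
}

# Constructed sample mirroring the thread: a user shell plus a runas-spawned window
$sample = @(
    New-Object PSObject -Property @{ ProcessId = 1200; SessionId = 1; Owner = 'PC01\jdoe'
        Started = [datetime]'2010-01-01 08:00'; CommandLine = 'C:\Windows\Explorer.EXE' }
    New-Object PSObject -Property @{ ProcessId = 3344; SessionId = 1; Owner = 'PC01\Administrator'
        Started = [datetime]'2010-01-01 09:30'; CommandLine = 'explorer.exe /separate' }
)
Find-AlternateUserExplorer -Processes $sample |
    Format-List ProcessId, SessionId, Owner, ShellOwner, CommandLine

# Live system: uncomment to inspect the machine you are on
# Find-AlternateUserExplorer | Format-List ProcessId, SessionId, Owner, ShellOwner, CommandLine
```

Run from a non-admin session, processes owned by another account can show as `<access denied>`; they are still flagged because the owner does not match the shell's.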
 
Adam Leinss commented:
The original steps you listed in your question do not work anymore on XP/Windows 7. The command line Runas version seems to have the same functionality you listed as having in Internet Explorer 6 and doing a right-click runas on iexplore.exe.
 
Joseph Daly (Author) commented:
I understand they do not work any longer; the original question was when/how/why MS decided to remove this functionality. I'm sure there has to be something out there on their reasoning.
 
Adam Leinss commented:
Yes, you asked two questions and I only answered one:
Does anyone know if this is true and if so is there a way around this? - True: use the runas command line to spawn explorer.exe as a separate process
Is there any documentation as to why this might have been done?
I'm not even going to pretend to guess why Microsoft did this, however, if you search "internet explorer 7 run-as" in Google, it appears that the functionality of being able to run-as explorer changed between Internet Explorer 6 and Internet Explorer 7, and it really is not a difference between SP2 and SP3 for Windows XP. In fact, when I run explorer.exe using /separate, I get the Internet Explorer banner: Local Disk (C:) - Windows Internet Explorer provided by ... in the title bar of the newly spawned explorer process.
 
johnb6767 commented:
SP2 and SP3 work fine using runas, it was the change to IE7/8 that removed the "feature" you are referring to. Steps above using cmd.exe work great for MOST things, but if you want a GUI, you would need to.....

Launch cmd.exe as an alternate user (RunAs)
taskkill /f /im explorer.exe
then start explorer.exe from the command shell...

Takes a few more steps, but still gets you the same functionality of the GUI/Explorer......I have tested this many times on XP SP2/3, regardless of browser version....
 
johnb6767 commented:
Also, to get more to your original Q, I remember reading an article that the RunAs of IExplore.exe, the way you could navigate the filesystem/control panel etc..., was not intended. It was determined to be a security risk, but at the same time, it was a welcomed side effect from the userbase point of view. Wasn't until IE7 came out where they decided to close the risk for good.....

I'm sorry, I don't have any documentation, but just going off memory....
