MagicAndre1981

Unable to open an elevated Windows Explorer window

18 posts in this topic

When you right-click Explorer and select "Run as administrator", it doesn't start Windows Explorer with admin rights. The Windows Vista/7 Explorer includes a special function to block such requests.

To disable it, start regedit.exe and go to the following key:

HKEY_CLASSES_ROOT\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}

Make a right click on Permissions and set your user as owner of the key and give your current user write permissions.

Next, delete or rename the value RunAs. Now the Elevated-Unelevated Explorer Factory is disabled and you can start the Explorer with admin rights.


This helps you delete files for which you need admin rights.

Have fun :)

Edited by MagicAndre1981
Link to post

> When you right-click Explorer and select "Run as administrator", it doesn't start Windows Explorer with admin rights. The Windows Vista/7 Explorer includes a special function to block such requests.
>
> To disable it, start regedit.exe and go to the following key:
>
> HKEY_CLASSES_ROOT\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}
>
> Make a right click on Permissions and set your user as owner of the key and give your current user write permissions.
>
> Next, delete or rename the value RunAs. Now the Elevated-Unelevated Explorer Factory is disabled and you can start the Explorer with admin rights.
>
> This helps you delete files for which you need admin rights.
>
> Have fun :)

If you don't wanna mess with RegEdit, there is the proper way to modify that RunAs field.

From your Administrator user, open the Run... window, write dcomcnfg.exe and press Enter. The Component Services window will open (same as from Administrative Tools).

From Component Services -> Computer -> Local Computer -> Config DCOM, select Elevated-Unelevated Explorer Factory, right-click and select Properties.

Select the Identity pane; you will see the first option selected (Interactive User). Select the second option (I have Italian Windows 7, so I don't know what the English translation of the second option is).

Link to post

Thanks for pointing this out. The name is "the user who started the application":

The Launching User: the application will run using the security context of the user who started the application. The launching user and the interactive user may be the same.

INFO: Using DCOM Config (DCOMCNFG.EXE) on Windows NT

http://support.microsoft.com/kb/176799

Link to post

Thanks for the tip, I am running it with Set-ACL, seems to be working on W8. Not sure I will need Set-ACL once I try it from SetupComplete.cmd which runs as system already.

SetACL -on "HKEY_CLASSES_ROOT\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}" -ot reg -rec yes -actn setowner -ownr "n:S-1-5-32-544"
SetACL -on "HKEY_CLASSES_ROOT\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}" -ot reg -actn ace -ace "n:S-1-5-32-544;p:full"
Remove-ItemProperty -Path "registry::HKEY_CLASSES_ROOT\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}" -Name RunAs
# and to enable linked connections
New-ItemProperty -Path "registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "EnableLinkedConnections" -Value 1 -PropertyType "DWord"
Edited by MrJinje
Link to post

The same happens in Windows XP but without the Elevated-Unelevated Explorer Factory. A remedy for this?

Link to post

XP doesn't have this issue because it doesn't have the UAC. You have a different issue.

Link to post

Btw, the user "mlehmk" posted a tool on the Microsoft Technet forums, to start the Explorer with admin rights:

http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/1798a1a7-bd2e-4e42-8e98-0bc715e7f641/#d00925cc-905f-4640-8b6f-106930220e98

You can download it from his DropBox:

https://dl.dropbox.com/u/12462931/ExplorerLoader.zip

Expand the ZIP and run the tool ElevatedExplorer.exe and it will start at the view "Computer". You can also pass a folder as parameter and Explorer will start at the folder.

Link to post

> This helps you delete files for which you need admin rights.

It could also be possible to let you see drives mapped with elevated Command Prompts? I've noticed this sometimes where if you map with an elevated CMD, you can't see or can't use the mapped drive in Explorer.

Link to post

This happens because of the 2 tokens which users have with the UAC.

You can set the value EnableLinkedConnections to work around this issue:

To configure the EnableLinkedConnections registry value, follow these steps:

1. Click Start, type regedit in the Start Search box, and then press Enter.
2. Locate and then right-click the following registry subkey:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
3. Point to New, and then click DWORD Value.
4. Type EnableLinkedConnections, and then press Enter.
5. Right-click EnableLinkedConnections, and then click Modify.
6. In the Value data box, type 1, and then click OK.
7. Exit Registry Editor, and then restart the computer.

http://support.microsoft.com/kb/937624

Link to post
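A read-only check for the two registry changes made in this thread (the RunAs value of the Elevated-Unelevated Explorer Factory AppID, and EnableLinkedConnections), for confirming whether a machine is still at stock settings before or after trying them. This is an added example, not code posted by any participant in the thread; the helper name Get-RegValue and the finding texts are made up for illustration, and the stock RunAs text "Interactive User" is the one named in the Identity pane description above.

```powershell
# Added audit example (read-only): reports deviations from the stock values
# of the two registry settings changed in this thread.
$appIdKey  = 'Registry::HKEY_CLASSES_ROOT\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}'
$policyKey = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Hypothetical helper: returns $null when the key or the value does not exist.
function Get-RegValue {
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$findings = @()

if (Test-Path -LiteralPath $appIdKey) {
    # 1. RunAs deleted or changed: the factory is no longer pinned to the interactive user.
    $runAs = Get-RegValue -Key $appIdKey -Name 'RunAs'
    if ($runAs -ne 'Interactive User') {
        $shown = if ($null -eq $runAs) { '<missing>' } else { $runAs }
        $findings += "RunAs is '$shown' (stock value: 'Interactive User')"
    }

    # 2. RunAs renamed instead of deleted: look for other value names containing "RunAs".
    $renamed = @((Get-Item -LiteralPath $appIdKey).Property |
        Where-Object { $_ -like '*RunAs*' -and $_ -ne 'RunAs' })
    foreach ($name in $renamed) { $findings += "Renamed value present: '$name'" }

    # 3. Ownership taken by BUILTIN\Administrators, as the SetACL setowner command does.
    #    (Ownership taken by a single user account is not flagged by this check.)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $owner   = (Get-Acl -Path $appIdKey).GetOwner($sidType).Value
    if ($owner -eq 'S-1-5-32-544') {
        $findings += "AppID key owner is BUILTIN\Administrators ($owner)"
    }
} else {
    $findings += 'AppID key not present on this system'
}

# 4. EnableLinkedConnections does not exist by default; the thread sets it to 1.
if ((Get-RegValue -Key $policyKey -Name 'EnableLinkedConnections') -eq 1) {
    $findings += 'EnableLinkedConnections is set to 1'
}

if ($findings.Count -eq 0) { 'No deviations found.' } else { $findings }
```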

> XP doesn't have this issue because it doesn't have the UAC. You have a different issue.

On both my Windows XP computers (desktop and laptop) I can't open Windows Explorer with administrator's rights if I am in a restricted user account. Is it normal and if yes what can I do to change it? If no what can be causing it?

Link to post

Sorry, I have no idea. Ask this in the XP forum because I haven't used XP since Vista Beta 2.

Link to post

> > XP doesn't have this issue because it doesn't have the UAC. You have a different issue.
>
> On both my Windows XP computers (desktop and laptop) I can't open Windows Explorer with administrator's rights if I am in a restricted user account. Is it normal and if yes what can I do to change it? If no what can be causing it?

This is normal for XP. There is no user elevation for limited accounts. However, you can add a Run-As option (in Pro or Enterprise) to the context menu BUT it still requires you to know the credentials for an administrative login on the local machine or domain.

Link to post

I found the answer to my problem here:

> I know this is an old thread, but in case someone else like me comes along later via search engine...
>
> If you're running IE7 under WinXP, in order to run Windows Explorer with the runas command, it must be run as a separate process. A quick way to do this, without having to change your Folder Options settings, would be to run an instance of Explorer with the undocumented parameter /separate, like this:
>
> runas /user:domain\username "explorer /separate"
>
> ...where domain is the domain name or local computer name of which username is a member.
>
> Hope this helps.
>
> Michael

With IE6 I could do the job, then with IE7 I couldn't (but I didn't know why). Obviously the same things that apply to IE7 apply to IE8 that I have now too.

Link to post

 

> If you don't wanna mess with RegEdit, there is the proper way to modify that RunAs field.
>
> From your Administrator user, open the Run... window, write dcomcnfg.exe and press Enter. The Component Services window will open (same as from Administrative Tools).
>
> From Component Services -> Computer -> Local Computer -> Config DCOM, select Elevated-Unelevated Explorer Factory, right-click and select Properties.
>
> Select the Identity pane; you will see the first option selected (Interactive User). Select the second option (I have Italian Windows 7, so I don't know what the English translation of the second option is).

 

I tried this method on Windows 8.1 (from the activated Administrator account), but all the options are grayed out so I can't choose this second option. What am I doing wrong?

Link to post

> I tried this method on Windows 8.1 (from the activated Administrator account), but all the options are grayed out so I can't choose this second option. What am I doing wrong?

Running 8.1? :w00t::ph34r:

Seriously, maybe the approach that was suggested for Vista/7 simply is not appropriate anymore for Windows 8.1.

See if this fits:

http://winaero.com/blog/how-to-run-explorer-as-administrator-on-windows-8-1-windows-8-and-windows-7/

 

jaclaz

Link to post

Thanks very much! This solution seems to be working.

I realized the former solution being rather for Windows 7, but as everything is there in Windows 8.1, too, I thought it should work the same way. I only thought it's strange that I'm not able to make any modifications in the DCOM-configuration even using the administrator account.

Link to post

@HarryTri: «On both my Windows XP computers (desktop and laptop) I can't open Windows Explorer with administrator's rights if I am in a restricted user account. Is it normal and if yes what can I do to change it?»

This would need to be in the Windows XP section, but briefly -

Yes, it is expected behaviour: you are in effect launching "explorer.exe" as your administrative account, but explorer has special coding that it immediately relaunches itself as the owner of the shell explorer process (that which "owns" the desktop window, i.e. your "restricted user" self).

As you correctly noted, a workaround to this Windows Explorer "feature" had been to run "iexplore.exe" (IE6) instead of explorer, but the workaround does not work in IE7-IE8.

You guess there are several ways to double-smart Microsoft. Simplest method, imho:

runas /user:your_admin "explorer.exe /n,."

HTH

Edited by Czerno