Adventures in Least User Privilege: Explorer and Control Panel
October 26, 2011
Have you noticed that “RunAs” doesn’t work for Windows Explorer or Control Panel items? That’s because the shell (the program you use to communicate with the operating system itself) is Windows Explorer. Windows Explorer is (normally) running all the time, and while it’s running, it doesn’t allow you to start other instances in other security contexts (a very long way of saying that “RunAs” doesn’t work for Windows Explorer). Control Panel items don’t work either because they’re not actually programs; they are applets that run within the context of Windows Explorer. So, you can’t connect to a user’s station and use RunAs to, say, change TCP/IP settings.
Read all the directions first before starting this, as there are some things to be aware of. In case it isn’t obvious, all these steps assume a standard user account is logged in initially and you have somehow connected to that session. To gain elevated access in Windows Explorer (tested on XP and 7, should work in Vista as well):
- Open a command prompt window and minimize it or somehow move it out of the way.
- Bring up Task Manager (this will vary based on how you’re connected and what sorts of Group Policies are in place; right-clicking on the taskbar and choosing it should almost always work).
- On the Processes tab, make sure “Show processes from all users” is checked, find explorer.exe, right-click it, and choose “End Process”. Accept the warning. The taskbar and all icons will disappear, but Task Manager will remain.
- Go to File->New Task (Run…). Type in “RUNAS /USER:<<domain\adminuser>> EXPLORER.EXE” and click OK. A command-line window will appear asking for that account’s password (it will probably be behind the Task Manager window, since Task Manager runs “Always on Top” by default). Nothing you type at that prompt is echoed back, not even as asterisks. Enter the password and press Enter.
- The shell will fire back up. If the account you used in RUNAS has never been logged on before, it will set up its local profile. Close Task Manager.
- Explorer is now running under that user context. Warning! Every program you start is also running under that user context.
- When you have completed your work, go back into Task Manager. Switch to the Processes tab and End Process on “explorer.exe” again. As before, all the icons and the taskbar will disappear. If you get an Access Denied error, it’s because you left Task Manager open; it’s a regular user trying to shut down a process owned by an administrator. Close Task Manager and start it again, then retry.
- Still in Task Manager, switch to the “Applications” tab. You should (at least) see the command prompt window you opened in step 1. Highlight that and click “Switch To”.
- In the command prompt window, type “EXPLORER.EXE” and press Enter. The shell will fire back up as the end user (because that command window was initially opened as the end user).
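A quick way to confirm that the last step actually handed the shell back to the end user is to compare the owner of every running explorer.exe with the interactively logged-on account. The PowerShell check below is an added example, not part of the original post; it assumes PowerShell 3.0 or later for Get-CimInstance, and it relies on Win32_ComputerSystem.UserName, which is populated for a console logon but may be empty in some remote-desktop sessions.

```powershell
# Added check, not part of the original post: report which account owns each
# explorer.exe and whether it matches the interactively logged-on user.
# Assumes PowerShell 3.0 or later (Get-CimInstance/Invoke-CimMethod).
function Get-ExplorerOwnerReport {
    # Account Windows reports as the interactive (console) user, e.g. DOMAIN\jdoe.
    # May be empty in some remote-desktop sessions; treated as 'unknown' then.
    $consoleUser = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
    if ([string]::IsNullOrEmpty($consoleUser)) { $consoleUser = 'unknown' }

    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'explorer.exe'" |
        ForEach-Object {
            # GetOwner returns Domain, User and a ReturnValue of 0 on success
            $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
            $account = if ($owner.ReturnValue -eq 0) {
                "$($owner.Domain)\$($owner.User)"
            } else {
                'unknown'
            }
            [pscustomobject]@{
                ProcessId          = $_.ProcessId
                SessionId          = $_.SessionId
                Owner              = $account
                ConsoleUser        = $consoleUser
                # True only when this shell belongs to the logged-on end user
                MatchesConsoleUser = ($account -ieq $consoleUser)
            }
        }
}

# Any row with MatchesConsoleUser = False means an explorer.exe (and every
# program launched from it) is still running under some other account.
$report = Get-ExplorerOwnerReport
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.MatchesConsoleUser }) {
    Write-Warning 'explorer.exe is running under an account other than the logged-on user.'
}
```

Run it from the end user’s own command window after restarting Explorer; if the administrator account still shows up as an owner, the shell was not handed back and the logoff problem described next will apply.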
If, for whatever reason, you don’t get Explorer running under the user’s context again, there are two problems: besides the horrible fact that s/he will be running as an administrator until s/he logs off or shuts down, the Log Off command will just close Explorer and leave the user at an empty screen. Use CTRL-ALT-DEL to access the Log Off or Shut Down commands from there.
Instead of using the command window trick, you can repeat step 3 in place of step 8 and just supply the user’s credentials, although, for some reason I can’t quite explain, that also leaves you with a blank screen when you log off. My assumption is that Windows knows that anything kicked off under “RunAs” is impersonation while the command window method is not.