Tag Archives: Windows Vista

Adventures in Least User Privilege: Explorer and Control Panel

Have you noticed that “RunAs” doesn’t work for Windows Explorer or Control Panel items? That’s because the shell (the program you use to communicate with the operating system itself) is Windows Explorer. Windows Explorer is (normally) running all the time, and while it’s running, it doesn’t allow you to start other instances in other security contexts (a very long way of saying that “RunAs” doesn’t work for Windows Explorer). Control Panel items don’t work either because they’re not actually programs; they are applets that run within the context of Windows Explorer. So, you can’t connect to a user’s station and use RunAs to, say, change TCP/IP settings.

