Forums
New posts
Search forums
News
Security News
Technology News
Giveaways
Giveaways, Promotions and Contests
Discounts & Deals
Reviews
Users Reviews
Video Reviews
Support
Windows Malware Removal Help & Support
Inactive Support Threads
Mac Malware Removal Help & Support
Mobile Malware Removal Help & Support
Blog
Log in
Register
What's new
Search
Search titles only
By:
Search titles only
By:
Reply to thread
Menu
Install the app
Install
JavaScript is disabled. For a better experience, please enable JavaScript in your browser before proceeding.
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an
alternative browser
.
Forums
Security
Guides - Privacy & Security Tips
"Run as Administrator": What Does It Mean?
Message
<blockquote data-quote="BoraMurdar" data-source="post: 773432" data-attributes="member: 2291"><p>Those of you who made the transition from XP to Vista will probably remember the introduction of "User Access Control" (UAC) or "Mandatory Integrity Control" (MIC). The security feature, which remains part of Microsoft's OS, prompts you when software tries making changes to your system and rests at the crux of why applications sometimes require "elevated" access.</p><p></p><p><img src="https://i.imgur.com/4RcWI6y.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p>When you log in to Windows, your account is assigned a token that contains identifying information including your user groups and privileges such as read, write, and execute permissions.</p><p></p><p>Among the information in that token is an integrity level which is used by the operating system determine the trustworthiness of objects like files, registry keys for the purpose of informing users when installations are being launched as well as isolating processes from having unnecessary access to system files.</p><p></p><p><img src="https://i.imgur.com/06Af5LZ.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p>The Windows Mandatory Integrity Control (MIC) mechanism has at least six different integrity levels: untrusted, low, medium, high, system and trusted installer.</p><p></p><p>By default, a standard user account has a medium integrity, which is the maximum level available for a process to be created when you open an executable file without providing elevated access via admin credentials.</p><p></p><p>When you right-click on a file or program and choose "Run as administrator," that process (and only that process) is started with an administrator token, thus providing high integrity clearance for features that may require the additional access to your Windows files etc.</p><p></p><p><strong>The different Windows integrity levels:</strong></p><ul> <li data-xf-list-type="ul">Untrusted Integrity: Given to anonymous processes.</li> <li data-xf-list-type="ul">Low Integrity: Commonly used for Web-facing software such as browsers.</li> <li data-xf-list-type="ul">Medium Integrity: Applied to standard users and used for most objects.</li> <li data-xf-list-type="ul">High Integrity: Administrator-level access, generally requires elevation.</li> <li data-xf-list-type="ul">System Integrity: Reserved for the Windows kernel and core services.</li> <li data-xf-list-type="ul">Trusted Installer: Used for Windows Updates and system components.</li> </ul><p>Processes started by opening an exe from a Windows account with medium clearance will have that integrity level unless the executable file is set to low, and developers are encouraged to use the lowest access possible, ideally avoiding instances where software will require high integrity to thwart unauthorized code (malware) from taking root.</p><p></p><p><img src="https://i.imgur.com/iKWwukQ.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p>The practice of "least-privilege" design is applied to Windows' own administrator accounts, which receive both standard and admin-level tokens upon logging in, using standard/medium integrity access when possible instead of high.</p><p></p><p>Although Microsoft recommends against running programs as an administrator and giving them high integrity access without a good reason, new data must be written to Program Files for an application to be installed which will always require admin access with UAC enabled, while software such as AutoHotkey scripts will often need elevated status to function properly.</p><p></p><p>Here are all the ways we could find to open executable files with administrator access (high integrity) on Windows 10, including some methods that will configure the software to always open with elevated access:</p><p></p><p><span style="font-size: 22px"><strong>Ways to run a program as an administrator on Windows</strong></span></p><p>Starting with the most obvious: you can launch a program as an administrator by right-clicking on the executable file and choosing "Run as administrator."</p><p></p><p><img src="https://i.imgur.com/JrkHEd7.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p>As a shortcut, <strong>holding Shift + Ctrl</strong> while double-clicking the file will also start the program as an admin.</p><p></p><p>Separately, holding only <strong>Shift while you right-click</strong> on the file will add "Run as a different user..." to the context menu, which opens a screen where you can enter another user's credentials, including the administrator account (the username is Administrator and may not have a password if you haven't applied one).</p><p></p><p><strong>These locations also have shortcuts to admin access...</strong></p><p><strong>Start Menu: </strong>Right-click an executable like anywhere else for the option to launch a program as an administrator.</p><p></p><p><strong>Taskbar: </strong>Click a program on your taskbar to open the jump list, then right-click the exe from that menu for the admin option.</p><p></p><p><strong>File Explorer: </strong>Select the file in File Explorer > Click <em>Manage</em> in the Ribbon menu up top > Choose "Run as administrator."</p><p></p><p><strong>Run prompt: </strong>Enter this line into Run (Windows key + R): <em>RunAs.exe /user:Administrator "<strong>cmd.exe</strong>"</em></p><p></p><p><strong>Command Prompt: </strong>From the command line, enter this with your file location: <em>runas /user:administrator "C:\Users\<strong>TechSpot</strong>\Desktop\<strong>file.exe</strong>"</em></p><p></p><p><img src="https://i.imgur.com/fzWddxb.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p><strong>Task Manager: </strong>Click <em>File </em>><em> Run new task </em>> Check the box next to <em>"Create this task with administrative privileges"</em> > Enter the location of your file (example: <em>C:\Users\<strong>TechSpot</strong>\Desktop\<strong>file.exe</strong></em>)</p><p></p><p><strong>Task Scheduler: </strong>When creating a new task (Action > Create Task), enable these settings in the "General" tab:<em> "Run whether user is logged on or not"</em> and <em>"Run with highest privileges"</em></p><p></p><p>Note that the Command Prompt method didn't work until we enabled the Administrator account and changed another setting that would allow the command to be entered without a password:</p><p></p><ul> <li data-xf-list-type="ul">Search Start or Run for <strong><em>compmgmt.msc</em></strong> > Go to Local Users and Groups > Users > double-click on Administrator and uncheck <em>"Account is disabled"</em></li> <li data-xf-list-type="ul">Search Start or Run for <strong><em>gpedit.msc</em></strong> > Go to Computer Configuration > Windows Settings > Local Policies > Security Options > Double-click the option <em>Accounts: Limit local account use of blank passwords to console logon online</em> and choose Disable</li> </ul><p>Also, in the same section of the Group Policy Editor (gpedit.msc) that we just mentioned are a range of options to fine-tune Windows' User Account Control settings (scroll all the way down).</p><p></p><p><span style="font-size: 22px"><strong>How to set programs so they always start as an admin</strong></span></p><p>Given Microsoft's philosophy of providing programs with the least amount of access possible, configuring an application to always run as an administrator is generally not recommended but sometimes convenient when the software always requires elevation so you don't have to jump through those hoops every time. Here are a few ways to accomplish that:</p><p></p><p><img src="https://i.imgur.com/4y3nbAI.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p><strong>Always run as admin from a shortcut: </strong>Right-click on a shortcut file > Shortcut tab > Advanced > Check the box to "Run as administrator"</p><p></p><p>Note that you can create a shortcut file by right-clicking the main exe, and that if you copy the shortcut into <em>C:\Users\<strong>TechSpot</strong>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup </em>the program will automatically start with Windows as you sign in.</p><p></p><p><strong>Always run as admin via Compatibility Properties: </strong>Right-click on an exe > Properties > Compatibility tab > Check the box to "Run this program as an administrator."</p><p></p><p></p><p><strong>Always run as admin via the Registry Editor</strong>:</p><p></p><ul> <li data-xf-list-type="ul">Navigate to: <em>HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers</em></li> <li data-xf-list-type="ul">If "Layers" is missing, right-click <em>AppCompatFlags </em>and add a new key named <em>Layers</em></li> <li data-xf-list-type="ul">Right-click Layers (either the folder or in the right pane) and create a new String Value</li> <li data-xf-list-type="ul">Set the <strong>value name</strong> as the <em><strong>full path of the exe</strong></em> file</li> <li data-xf-list-type="ul">Set <strong>value data</strong> as <strong><em>~ RUNASADMIN</em></strong></li> </ul><p><img src="https://i.imgur.com/4DKcfIn.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p><span style="font-size: 22px"><strong>Bonus</strong></span></p><p><strong>#1</strong> Third-party software including MicEnum will generate a list of Windows files/folders and their integrity levels, including the ability to set a new integrity level as well as browse in both folder and registry views.</p><p></p><p>Process Explorer (pictured in the intro of this article) also has the ability to display integrity levels if you right-click the horizontal bar with CPU, Private Bytes etc. and open the properties (check the box next to Integrity Levels).</p><p></p><p><img src="https://i.imgur.com/F9M9fLn.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p><strong>#2</strong> On a new Windows installation, the first user account created is a local administrator account while subsequent accounts are standard users. By default, the built-in administrator account is disabled. You can enable the account so it's available when you log in to Windows by entering this line into Command Prompt (use "no" to disable it again): <em>net user administrator /active:yes</em></p><p></p><p><strong>#3</strong> Microsoft has different utilities such as Elevation PowerToys and PsExec which can also be used to gain administrator access but span beyond the scope of this guide.</p><p></p><p></p><p>Original Article via TechSpot</p><p><a href="https://www.techspot.com/guides/1718-run-as-administrator-explained/" target="_blank">"Run as Administrator": What Does It Mean?</a></p></blockquote><p></p>
[QUOTE="BoraMurdar, post: 773432, member: 2291"] Those of you who made the transition from XP to Vista will probably remember the introduction of "User Access Control" (UAC) or "Mandatory Integrity Control" (MIC). The security feature, which remains part of Microsoft's OS, prompts you when software tries making changes to your system and rests at the crux of why applications sometimes require "elevated" access. [IMG]https://i.imgur.com/4RcWI6y.jpg[/IMG] When you log in to Windows, your account is assigned a token that contains identifying information including your user groups and privileges such as read, write, and execute permissions. Among the information in that token is an integrity level which is used by the operating system determine the trustworthiness of objects like files, registry keys for the purpose of informing users when installations are being launched as well as isolating processes from having unnecessary access to system files. [IMG]https://i.imgur.com/06Af5LZ.png[/IMG] The Windows Mandatory Integrity Control (MIC) mechanism has at least six different integrity levels: untrusted, low, medium, high, system and trusted installer. By default, a standard user account has a medium integrity, which is the maximum level available for a process to be created when you open an executable file without providing elevated access via admin credentials. When you right-click on a file or program and choose "Run as administrator," that process (and only that process) is started with an administrator token, thus providing high integrity clearance for features that may require the additional access to your Windows files etc. [B]The different Windows integrity levels:[/B] [LIST] [*]Untrusted Integrity: Given to anonymous processes. [*]Low Integrity: Commonly used for Web-facing software such as browsers. [*]Medium Integrity: Applied to standard users and used for most objects. [*]High Integrity: Administrator-level access, generally requires elevation. [*]System Integrity: Reserved for the Windows kernel and core services. [*]Trusted Installer: Used for Windows Updates and system components. [/LIST] Processes started by opening an exe from a Windows account with medium clearance will have that integrity level unless the executable file is set to low, and developers are encouraged to use the lowest access possible, ideally avoiding instances where software will require high integrity to thwart unauthorized code (malware) from taking root. [IMG]https://i.imgur.com/iKWwukQ.png[/IMG] The practice of "least-privilege" design is applied to Windows' own administrator accounts, which receive both standard and admin-level tokens upon logging in, using standard/medium integrity access when possible instead of high. Although Microsoft recommends against running programs as an administrator and giving them high integrity access without a good reason, new data must be written to Program Files for an application to be installed which will always require admin access with UAC enabled, while software such as AutoHotkey scripts will often need elevated status to function properly. Here are all the ways we could find to open executable files with administrator access (high integrity) on Windows 10, including some methods that will configure the software to always open with elevated access: [SIZE=22px][B]Ways to run a program as an administrator on Windows[/B][/SIZE] Starting with the most obvious: you can launch a program as an administrator by right-clicking on the executable file and choosing "Run as administrator." [IMG]https://i.imgur.com/JrkHEd7.jpg[/IMG] As a shortcut, [B]holding Shift + Ctrl[/B] while double-clicking the file will also start the program as an admin. Separately, holding only [B]Shift while you right-click[/B] on the file will add "Run as a different user..." to the context menu, which opens a screen where you can enter another user's credentials, including the administrator account (the username is Administrator and may not have a password if you haven't applied one). [B]These locations also have shortcuts to admin access... Start Menu: [/B]Right-click an executable like anywhere else for the option to launch a program as an administrator. [B]Taskbar: [/B]Click a program on your taskbar to open the jump list, then right-click the exe from that menu for the admin option. [B]File Explorer: [/B]Select the file in File Explorer > Click [I]Manage[/I] in the Ribbon menu up top > Choose "Run as administrator." [B]Run prompt: [/B]Enter this line into Run (Windows key + R): [I]RunAs.exe /user:Administrator "[B]cmd.exe[/B]"[/I] [B]Command Prompt: [/B]From the command line, enter this with your file location: [I]runas /user:administrator "C:\Users\[B]TechSpot[/B]\Desktop\[B]file.exe[/B]"[/I] [IMG]https://i.imgur.com/fzWddxb.png[/IMG] [B]Task Manager: [/B]Click [I]File [/I]>[I] Run new task [/I]> Check the box next to [I]"Create this task with administrative privileges"[/I] > Enter the location of your file (example: [I]C:\Users\[B]TechSpot[/B]\Desktop\[B]file.exe[/B][/I]) [B]Task Scheduler: [/B]When creating a new task (Action > Create Task), enable these settings in the "General" tab:[I] "Run whether user is logged on or not"[/I] and [I]"Run with highest privileges"[/I] Note that the Command Prompt method didn't work until we enabled the Administrator account and changed another setting that would allow the command to be entered without a password: [LIST] [*]Search Start or Run for [B][I]compmgmt.msc[/I][/B] > Go to Local Users and Groups > Users > double-click on Administrator and uncheck [I]"Account is disabled"[/I] [*]Search Start or Run for [B][I]gpedit.msc[/I][/B] > Go to Computer Configuration > Windows Settings > Local Policies > Security Options > Double-click the option [I]Accounts: Limit local account use of blank passwords to console logon online[/I] and choose Disable [/LIST] Also, in the same section of the Group Policy Editor (gpedit.msc) that we just mentioned are a range of options to fine-tune Windows' User Account Control settings (scroll all the way down). [SIZE=22px][B]How to set programs so they always start as an admin[/B][/SIZE] Given Microsoft's philosophy of providing programs with the least amount of access possible, configuring an application to always run as an administrator is generally not recommended but sometimes convenient when the software always requires elevation so you don't have to jump through those hoops every time. Here are a few ways to accomplish that: [IMG]https://i.imgur.com/4y3nbAI.png[/IMG] [B]Always run as admin from a shortcut: [/B]Right-click on a shortcut file > Shortcut tab > Advanced > Check the box to "Run as administrator" Note that you can create a shortcut file by right-clicking the main exe, and that if you copy the shortcut into [I]C:\Users\[B]TechSpot[/B]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup [/I]the program will automatically start with Windows as you sign in. [B]Always run as admin via Compatibility Properties: [/B]Right-click on an exe > Properties > Compatibility tab > Check the box to "Run this program as an administrator." [B]Always run as admin via the Registry Editor[/B]: [LIST] [*]Navigate to: [I]HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers[/I] [*]If "Layers" is missing, right-click [I]AppCompatFlags [/I]and add a new key named [I]Layers[/I] [*]Right-click Layers (either the folder or in the right pane) and create a new String Value [*]Set the [B]value name[/B] as the [I][B]full path of the exe[/B][/I] file [*]Set [B]value data[/B] as [B][I]~ RUNASADMIN[/I][/B] [/LIST] [IMG]https://i.imgur.com/4DKcfIn.png[/IMG] [SIZE=22px][B]Bonus[/B][/SIZE] [B]#1[/B] Third-party software including MicEnum will generate a list of Windows files/folders and their integrity levels, including the ability to set a new integrity level as well as browse in both folder and registry views. Process Explorer (pictured in the intro of this article) also has the ability to display integrity levels if you right-click the horizontal bar with CPU, Private Bytes etc. and open the properties (check the box next to Integrity Levels). [IMG]https://i.imgur.com/F9M9fLn.png[/IMG] [B]#2[/B] On a new Windows installation, the first user account created is a local administrator account while subsequent accounts are standard users. By default, the built-in administrator account is disabled. You can enable the account so it's available when you log in to Windows by entering this line into Command Prompt (use "no" to disable it again): [I]net user administrator /active:yes[/I] [B]#3[/B] Microsoft has different utilities such as Elevation PowerToys and PsExec which can also be used to gain administrator access but span beyond the scope of this guide. Original Article via TechSpot [URL="https://www.techspot.com/guides/1718-run-as-administrator-explained/"]"Run as Administrator": What Does It Mean?[/URL] [/QUOTE]
Insert quotes…
Verification
Post reply
Top
