Use RunAs to run Explorer window with elevated privileges in IE7


Tim Fenner, Contributor
04.17.2007
Rating: -4.25- (out of 5)




Do you utilize the secondary logon (RunAs) when logged on as a user who has limited rights? Have you ever used RunAs with Internet Explorer 6, then typed C: in the address bar to run an Explorer window with elevated privileges? Have you tried this with Internet Explorer 7 (IE7)? If so, you may have noticed that Microsoft broke this feature in IE7.

Some programs, including Control Panel, the Printers folder and Microsoft Management Console utilities like Disk Manager, are started either directly or indirectly using the Windows Explorer Shell. The problem is that some of these programs require elevated privileges to run (aka admin rights) and the logged-on user is not an admin.

Admins using Windows XP had a quick workaround: launching the program via the RUNAS command. But sometimes you need to run several admin utilities at once, and using RUNAS for each of them individually is a pain in the neck.

An alternate method was to use Internet Explorer 6 with the RunAs command. After doing so, you'd type C: in the address bar, hit Enter and then Internet Explorer would convert itself into a Windows Explorer window running under admin privileges.

From there, everything you launched would be started using admin privileges. The command line for this is:

    runas /user:administrator "\"c:\program files\internet explorer\iexplore\" c:\\"

(Note: This method has worked for me, but some applications are just too picky for this workaround. So you may encounter scenarios where you still cannot get enough privileges to complete your work.)

Unfortunately, Microsoft has removed this wonderfully simple functionality from IE7. If you're an admin who needs this ability, but cannot log off the current user, there is only one default workaround I know of. Short of running all your desired windows and tools individually using the RunAs command, you can instead run the whole Explorer.exe shell under administrative rights to get your work done.

The basic concept is to use RunAs to start Task Manager, kill the explorer.exe task and restart the explorer.exe process (which would now be started with admin privileges), do the work needed, then kill and restart the explorer process using the original logged-on user.

Here's how to do it. While logged on as a normal user:

  1. Start Task Manager using RunAs. You must do this first, because if you just start Task Manager and perform the steps below, you will not be able to quit the Explorer.exe running with Admin privileges later. Start>Run>Type: runas /user:machine or domain name\administrator taskmgr.exe.

  2. Click the Processes tab. Select explorer.exe. Click End Process. Click Yes on the warning pop-up message. The entire desktop will disappear. You will still have any programs that you started including Task Manager.

  3. Click the Programs tab. Click New Task. Type: explorer.exe. Click OK.

  4. A Console window will appear and prompt you for the password. Minimize Task Manager, type the password and press Enter. The desktop will return, including the task bar, shortcuts, Startup folder items, etc. Perform necessary administrative tasks. For example: clicking Start, Settings and Control Panel will bring up control panel in administrative context.

  5. When you're finished, expand the Task Manager window and kill the explorer.exe process. Then restart by choosing the Programs tab. Click New Task. Type: runas /user:machine or domain name\user taskmgr.exe. (Note: You should use the original logged-on user's account to restart the Explorer shell under their own privileges. Do this so the user does not retain the elevated privileges of the admin account from step 3.)

  6. Close Task Manager.

It's a lot of steps, but it's the only way I've found to get an Explorer window open with administrative privileges while allowing the user to stay logged on. If anyone has another workaround, let me know.
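
A check for the end of the procedure above, added here as an example and not part of the original tip: it lists every explorer.exe with its owning account and flags any shell that is not running as the logged-on user, which is the condition step 5 is meant to prevent. It assumes PowerShell 3.0 or later (not a default component of Windows XP); the -ExpectedUser parameter is a name chosen for this example.

```powershell
# Added example (not from the original tip): report who owns each explorer.exe
# and flag any shell that is not running as the expected logged-on user.
param(
    # Assumption: defaults to the interactive console user reported by WMI.
    [string]$ExpectedUser = (Get-CimInstance Win32_ComputerSystem).UserName
)

if (-not $ExpectedUser) {
    # Win32_ComputerSystem.UserName is empty when nobody is on the console (e.g. RDP).
    throw 'No console user detected; pass -ExpectedUser DOMAIN\user.'
}

$shells = Get-CimInstance Win32_Process -Filter "Name = 'explorer.exe'"
if (-not $shells) {
    Write-Warning 'No explorer.exe is running; the desktop shell has not been restarted.'
    return
}

$report = foreach ($p in $shells) {
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    # GetOwner sets ReturnValue to 0 on success; non-zero usually means access denied.
    $account = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '<unknown>' }
    [pscustomobject]@{
        ProcessId = $p.ProcessId
        SessionId = $p.SessionId
        Owner     = $account
        Started   = $p.CreationDate
        Expected  = ($account -ieq $ExpectedUser)
    }
}

$report | Format-Table -AutoSize

# Any shell owned by another account (or whose owner cannot be read) is reported.
$unexpected = @($report | Where-Object { -not $_.Expected })
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) explorer.exe process(es) not owned by $ExpectedUser. End them and restart the shell as the user."
    exit 1
}
```

Run it from the RunAs administrator context before closing Task Manager in step 6; a limited user may not be able to read the owner of another account's process, in which case the owner shows as <unknown> and is flagged.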

There's a nice script from Aaron Margosis that temporarily elevates a user's privileges, but relying on scripts is not a perfect solution. Unless you carry that script with you at all times, you'll more than likely hit a scenario (especially if you're a contractor) where you don't have the script handy. As such, it's better to know how to use the default options in Windows (tools, commands, etc.) that are available (in my humble opinion).

Note: You cannot just use RunAs against explorer.exe by default, because it will check to see if a version of Explorer is running and will exit if it detects one. You can work around this by setting the folder option to "Launch folder windows in a separate process." This is a per-user option, off by default, that needs to be set for the target user account.

That is, if you want to use RunAs to start explorer.exe as MyAdminAccount, then MyAdminAccount needs to have the "separate process" option set. Once this flag has been set, you can start explorer.exe with RunAs, or from your admin cmd shell. (I'm sure you can set this via Group Policy, but I've yet to go down that road.)

Note 2: If you're trying to perform a network-related task and still get the same credentials failure message, even when you perform the above steps, you may need to connect to that resource using a mapped network drive that was created using the RUNAS command. See the Microsoft knowledge base article.

Other RunAs references

Aaron Margosis covers the subject of RunAs extensively on his "Non-Admin" blog site, providing useful RunAs shortcuts and tips, advice on getting RunAs to run with Explorer and describing the MakeMeAdmin command, which provides temporary admin capability for your Limited User account.

In addition, there's a Microsoft KnowledgeBase site.

About the author: Tim Fenner (MCSE, MCSA: Messaging, Network+ and A+) is a senior systems administrator who oversees a Microsoft Windows, Exchange and Office environment, as well as an independent consultant who specializes in the design, implementation and management of Windows networks.
