Another option for elevating privileges is a program that I wrote called MakeMeAdmin. MakeMeAdmin gives you a command shell running as you, but with admin privileges. It does this by calling RunAs twice. The first time, it invokes MakeMeAdmin running as local admin, which takes your normal account and adds it to the administrators group. Then it calls RunAs again to invoke your regular account, and when you supply credentials you get a new logon session. That logon checks to see what groups you're in and builds a brand new token with admin privileges. So you'll be running as a regular user, but with admin privileges.
The trick is that it does not keep you as admin. The rest of the desktop stays at normal privileges; only the MakeMeAdmin shell and anything run from it have admin privileges. Also, once it starts that MakeMeAdmin command shell, it immediately removes you from the admin group so that any subsequent logon will not give you admin privileges. It is a simple command shell script, so you can customize it. It is downloadable from my blog.
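The two-stage sequence described above, written out as an added batch sketch; it is not the author's MakeMeAdmin script. It assumes the local admin account is named Administrator, the group is named Administrators, and account names contain no spaces; the labels and variable names are illustrative.

```batch
@echo off
rem Added illustration of the flow described in the text.
rem NOT the author's MakeMeAdmin script.
rem Assumptions: local admin account "Administrator", group "Administrators",
rem account names without spaces.
setlocal
set "ADMIN=%COMPUTERNAME%\Administrator"
set "GROUP=Administrators"

rem No argument: first invocation, running as the normal user.
if "%~1"=="" goto stage1
goto stage2

:stage1
rem Stage 1 (runs as you): first RunAs call. Re-launch this same script as the
rem local admin and pass your own account name. RunAs prompts for the admin
rem password. %~s0 is this script's short path, which avoids nested quotes.
runas /user:%ADMIN% "%~s0 %USERDOMAIN%\%USERNAME%"
goto done

:stage2
rem Stage 2 (runs as local admin): %1 is the normal account from stage 1.
echo Adding %~1 to %GROUP% ...
net localgroup %GROUP% "%~1" /add
if errorlevel 1 goto done

rem Second RunAs call: a new logon session for the normal account. Its token
rem is built while the account is a group member, so this shell (and anything
rem started from it) carries admin privileges. RunAs prompts for YOUR password.
runas /user:%~1 "cmd.exe /k title Admin shell for %~1"

rem RunAs returns as soon as the shell has started (or has failed to start).
rem Remove the membership in both cases so that later logons get a normal
rem token; the shell that is already running keeps the token it was given.
echo Removing %~1 from %GROUP% ...
net localgroup %GROUP% "%~1" /delete

:done
endlocal
```

Running `whoami /groups` inside the new shell and again in a shell started from the desktop shows the difference between the two tokens. If the script is interrupted between the `/add` and `/delete` steps, the account stays in the group until it is removed by hand.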
Elevating privileges for administrators
Step 1: RunAs dialog
Step 2: RunAs command line
Step 3: Differentiating security levels
Step 4: MakeMeAdmin
Step 5: Caveats
Step 6: Resources
ABOUT THE AUTHOR:
Aaron Margosis is a Senior Consultant with Microsoft Consulting Services, focusing on US Federal government customers. He specializes in application development on Microsoft platforms and products with an emphasis on application and platform security. Aaron has blogged extensively about how to run Windows as a non-admin, and created the popular MakeMeAdmin and PrivBar utilities. Aaron holds Bachelors and Masters Degrees from the University of Virginia, and calls Arlington, VA, home.
Copyright 2005 TechTarget
This was first published in April 2006