Back to list
Defense in depth -- the Microsoft way (part 35): Windows Explorer ignores "Run as administrator" ...
Sep 19 2015 08:13PM
Stefan Kanthak (stefan kanthak nexgo de)
since Microsoft introduced the security theatre named "user account
control" with Windows Vista users cant start (another instance of)
the Windows Explorer with elevated rights any more: the "Run as
administrator" and the "Run as different user" context menu entries
only start another instance of Windows Explorer with but the
credentials of the logged on (interactive) user.
No, neither starting Windows Explorer per "Explorer.Exe /Separate"
nor setting the following registry entries overcomes this limitation:
Microsoft is well aware of this, but still doesnt remove or disable
these dysfunctional context menu entries for Explorer.exe, although
their own user experience interface guidelines request that (context)
menu entries which are not applicable must not be shown or have to be
| Disable menu items that don't apply to the current context
| Remove rather than disable context menu items that don't
| apply to the current context.
If you want to get rid of "Run as administrator" and "Run as
different user" for Explorer.exe to save yourself, your users and
your support/helpdesk from confusion or frustration add the following
to understand how and why this registry entry works.
JFTR: the context menu entry "Run as administrator" doesnt work at
all in standard user accounts when UAC is set to "never elevate".
This is another clear violation of Microsofts own UX guidelines!
PS: the script <http://home.arcor.de/skanthak/download/UAC.INF> adds
this and several other missing registry entries which enable
"Run as administrator" and "Run as different user" for quite some
[ reply ]
Copyright 2010, SecurityFocus