none
"Run as Administrator" not Elevating/Asking for Password properly RRS feed

  • Question

  • I've got a weird issue on a Windows 7 x64 Professional that was installed and distributed (17 times) by someone else. All request to run with Elevated Rights are completely ignored.

    When I try to run Programm Elevated with Rightclick->"Run as Administrator" they are instead started as the User I am currently logged in as. I have to manually relog (logout, login) as Administrator in order to do stuff I normally would do with "Run as Admin".
    There is no UAC question, no Dialog to input the Admins Password/Select the user, no automatic elevation - it just executes as the current user, even if that is a Standart User.
    If any process would normally ask for elevated rights (anything marked with the Admin Right Shield thingy in Windows Explorer) it instead runs as normal user and (of course) runs into lack of rights down the road, sooner or later.
    Haven't checked how Programms with a Manifest that requires Elevation behave yet, but I guess it is the same.

    Parts that might be relevant:
    The UAC is disabeled (set to not ask anything/lowest setting)
    Two accounts: Admin Type account named "sheriff" (instead of default name) and Standart User Type account "User". The Guest account is disabeled.


    While UAC is off, unless I am very mistaken "Run as Administrator" should still work while logged in as a limited Standart User type. After all it has been around a lot longer then the UAC.

    Let's talk about MVVM: http://social.msdn.microsoft.com/Forums/en-US/wpf/thread/b1a8bf14-4acd-4d77-9df8-bdb95b02dbe2 Please mark post as helpfull and answers respectively.

    Wednesday, February 12, 2014 10:39 AM

Answers

  • Was a while since I posted here and I think I understand the problem a lot better now. Couldn't actually solve my problem (this would require setting the UAC back online wich is explicitly not wanted), but it still might be helpfull for others:

    Elevating as Adminsitrator (under Vista and later) needs two Components:

    runas - a Commandline Command that has been around since XP and whose sole purpose is to start Programms under other rights then the current user.
    In order for it to work the "Secundary Login" Windows Service must be running during Login of the current user. Enabling it or disabling it after a login will have no effect.
    And it will fail silently (not telling you it failed).

    UAC - normally you need it to surpress the Admin aspect. In my case it was not neded for that from a Security Standpoint. What I have here was a suiteable set of Credentials for Windows XP style Security: limited normal User, Administrator with non-standart name and password.
    What I would have needed from the UAC (and get on all the other Computers where it is online but we still have limited users) was it's ability to detect wich User to elevate too. The UAC is needed to "Find the Admin". And it cannot do that if set to "not inform".

    Under XP the "Run as"-Explorer Option was designed to let you select the user. Always.
    Under Vista, 7 and 8 it's renamed "Run as Adminsitrator" and the UAC autodetects wich user to Elevate towards. If the UAC is not running the menu Explorer Context Menu Option, the Runas Modifier for .NET Process and Manifests have no idea wich Usercontext they should run under. And never even try to elevate.
    The only way to elevate on such Computers is to relog as Administrator or use Runas on Command Line with explicit naming of the User you want to use.


    Let's talk about MVVM: http://social.msdn.microsoft.com/Forums/en-US/wpf/thread/b1a8bf14-4acd-4d77-9df8-bdb95b02dbe2 Please mark post as helpfull and answers respectively.

    • Marked as answer by Christopher84 Monday, February 24, 2014 9:53 AM
    Monday, February 24, 2014 9:53 AM

All replies

  • Hi,

    Hvae you read this article?

    What are User Account Control settings? 

    When you set the UAC settings to the lowest(Never Notify),

    You won't be notified before any changes are made to your computer. If you're logged on as an administrator, programs can make changes to your computer without you knowing about it.

    If you're logged on as a standard user, any changes that require the permissions of an administrator will automatically be denied.

    If you select this setting, you'll need to restart the computer to complete the process of turning off UAC. Once UAC is off, people that log on as administrator will always have the permissions of an administrator.

    More details, please take a look into the link above.

    Best regards

    Michael


    If you have any feedback on our support, please click here.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    • Edited by Michael Yan Thursday, February 13, 2014 6:20 AM repair
    Thursday, February 13, 2014 5:15 AM
    Moderator
  • I figured as much about the UAC not talking to me.

    But I was running under the asumption that "Run as Adminsitrator" would run the Programm as well, Administrator ccount (or at least ask me what account/password to run the Process in).

    The "Run as..." dialog/function is not mentioned anywhere in the UAC. And it has been around a bit longer then the UAC (I can rememebr having it as far back as XP):
    http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/runas.mspx?mfr=true

    Looking at that documentation gave me some new stuff to check.


    Let's talk about MVVM: http://social.msdn.microsoft.com/Forums/en-US/wpf/thread/b1a8bf14-4acd-4d77-9df8-bdb95b02dbe2 Please mark post as helpfull and answers respectively.

    Thursday, February 13, 2014 9:26 AM
  • Looks like the real problem is that runas is not working:
    Even if I manually order it from command line to start a programm as Adminsitrator - it asks for the password, but then goes and starts it as user anyway.
    And it isn't that the password or username are faulty. If I intentionally use wrong credential gives me an error message. Better re-post this as a new question.


    Let's talk about MVVM: http://social.msdn.microsoft.com/Forums/en-US/wpf/thread/b1a8bf14-4acd-4d77-9df8-bdb95b02dbe2 Please mark post as helpfull and answers respectively.

    • Marked as answer by Christopher84 Thursday, February 13, 2014 9:35 AM
    • Unmarked as answer by Christopher84 Thursday, February 13, 2014 10:10 AM
    Thursday, February 13, 2014 9:35 AM
  • Hi,

    For the information about Run as:

    Runas

    http://technet.microsoft.com/en-us/library/cc771525.aspx

    Best regards

    Michael


    If you have any feedback on our support, please click here.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Thursday, February 13, 2014 9:51 AM
    Moderator
  • Was a while since I posted here and I think I understand the problem a lot better now. Couldn't actually solve my problem (this would require setting the UAC back online wich is explicitly not wanted), but it still might be helpfull for others:

    Elevating as Adminsitrator (under Vista and later) needs two Components:

    runas - a Commandline Command that has been around since XP and whose sole purpose is to start Programms under other rights then the current user.
    In order for it to work the "Secundary Login" Windows Service must be running during Login of the current user. Enabling it or disabling it after a login will have no effect.
    And it will fail silently (not telling you it failed).

    UAC - normally you need it to surpress the Admin aspect. In my case it was not neded for that from a Security Standpoint. What I have here was a suiteable set of Credentials for Windows XP style Security: limited normal User, Administrator with non-standart name and password.
    What I would have needed from the UAC (and get on all the other Computers where it is online but we still have limited users) was it's ability to detect wich User to elevate too. The UAC is needed to "Find the Admin". And it cannot do that if set to "not inform".

    Under XP the "Run as"-Explorer Option was designed to let you select the user. Always.
    Under Vista, 7 and 8 it's renamed "Run as Adminsitrator" and the UAC autodetects wich user to Elevate towards. If the UAC is not running the menu Explorer Context Menu Option, the Runas Modifier for .NET Process and Manifests have no idea wich Usercontext they should run under. And never even try to elevate.
    The only way to elevate on such Computers is to relog as Administrator or use Runas on Command Line with explicit naming of the User you want to use.


    Let's talk about MVVM: http://social.msdn.microsoft.com/Forums/en-US/wpf/thread/b1a8bf14-4acd-4d77-9df8-bdb95b02dbe2 Please mark post as helpfull and answers respectively.

    • Marked as answer by Christopher84 Monday, February 24, 2014 9:53 AM
    Monday, February 24, 2014 9:53 AM