What precisely does Run as administrator do

Question

On Windows nbsp 7  I have a command-line program that fails due to file write permission errors  and popping up annoying UAC dialogs every time I run command-line programs that are from an  unknown publisher    However  if I start my console by right clicking and choosing  run as administrator   then the install works fine  even if the UAC dialogs are still present   My user is already a member of the  administrators  group  so what precisely does  run as administrator  do that makes my install work   My specific question is precisely  What does  run as administrator  do  Neither of the answers thus far address this   for example  does it run the new process as the  Administrator  user  Or does it run the process as the current user  but with elevated privileges  If so  what privileges  How does that differ from the privileges I get from my user being in the  Administrators  group    Specifically  I m using the  Console  from SourceForge  not a regular CMD window  but I don t think that s important  This is all while installing the Python  distribute  package by running  python distribute setup py  on a newly installed Python3 MSI from python org  It s a 32-bit Python on 64-bit Windows  See Installing Python and distribute on Windows 7 gives  quot Writing failed     permission denied quot

User · Accepted Answer

When you log on Windows creates an access token. This identifies you, the groups you are a member of and your privileges. And note that whether a user is an administrator or not is determined by whether the user is a member of the Administrators group.

Without UAC, when you run a program it gets a copy of the access token, and this controls what the program can access.

With UAC, when you run a program it gets a restricted access token. This is the original access token with "Administrators" removed from the list of groups (and some other changes). Even though your user is a member of the Administrators group, the program can't use Administrator privileges.

When you select "Run as Administrator" and your user is an administrator the program is launched with the original unrestricted access token. If your user is not an administrator you are prompted for an administrator account, and the program is run under that account.

User · Answer

Windows 7 requires that you intentionally ask for certain privileges so that a malicious program can t do bad things to you  If the free calculator you downloaded needed to be run as an administrator  you would know something is up  There are OS commands to elevate the privilege of your application  which will request confirmation from the user    A good description can be found at   http   msdn microsoft com en-us magazine cc163486 aspx S4

User · Answer

A little clearer    A software program that has kernel mode access has total access to all of the computer s data and its hardware   Since Windows Vista Microsoft has stopped any and all I O processes from accessing the kernel  ring 0  directly ever again  The closest we get is a folder created as a virtual kernel access partition  but technically no access to kernel itself  the kernel meets halfway   This is because the software itself dictates which token to use  so if it asks for an administrator access token  instead of just allowing communications with the kernel like on Windows nbsp XP you are prompted to allow access to the kernel  each and every time  Changing UAC could reduce prompts  but never the kernel prompts   Even when you login as an Administrator  you are running processes as a standard user until prompted to elevate the rights you have  I believe logged in as the administrator saves you from entering the credentials  But it also writes to the administrator users folder structure   Kernel access is similar to root access in Linux  When you elevate your permissions you are isolating yourself from the root of C   and whatever lovely environment variables are contained within   If you remember BSODs this was the OS shutting down when it believed a bad I O reached the kernel

User · Answer

So     more digging  with the result  It seems that although I ran one process normal and one  As Administrator   I had UAC off  Turning UAC to medium allowed me to see different results  Basically  it all boils down to integrity levels  which are 5   Browsers  for example  run at Low Level  1   while services  System user  run at System Level  4   Everything is very well explained in Windows Integrity Mechanism Design   When UAC is enabled  processes are created with Medium level  SID S-1-16-8192 AKA 0x2000 is added  while when  Run as Administrator   the process is created with High Level  SID S-1-16-12288 aka 0x3000    So the correct ACCESS TOKEN for a normal user  Medium Integrity level  is   0 000 x86 gt   token Thread is not impersonating  Using process token    TS Session ID  0x1 User  S-1-5-21-1542574918-171588570-488469355-1000 Groups   00 S-1-5-21-1542574918-171588570-488469355-513     Attributes - Mandatory Default Enabled  01 S-1-1-0     Attributes - Mandatory Default Enabled  02 S-1-5-32-544     Attributes - DenyOnly  03 S-1-5-32-545     Attributes - Mandatory Default Enabled  04 S-1-5-4     Attributes - Mandatory Default Enabled  05 S-1-2-1     Attributes - Mandatory Default Enabled  06 S-1-5-11     Attributes - Mandatory Default Enabled  07 S-1-5-15     Attributes - Mandatory Default Enabled  08 S-1-5-5-0-1908477     Attributes - Mandatory Default Enabled LogonId  09 S-1-2-0     Attributes - Mandatory Default Enabled  10 S-1-5-64-10     Attributes - Mandatory Default Enabled  11 S-1-16-8192     Attributes - GroupIntegrity GroupIntegrityEnabled Primary Group    LocadDumpSid failed to dump Sid at addr 000000000266b458  0xC0000078  try own SID dump  s-1-0x515000000 Privs   00 0x000000013 SeShutdownPrivilege               Attributes -  01 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled Default  02 0x000000019 SeUndockPrivilege                 Attributes -  03 0x000000021 SeIncreaseWorkingSetPrivilege     Attributes -  04 0x000000022 SeTimeZonePrivilege               Attributes - Auth ID  0 1d1f65 Impersonation Level  Anonymous TokenType  Primary Is restricted token  no    Now  the differences are as follows   S-1-5-32-544 Attributes - Mandatory Default Enabled Owner   for  As Admin   while  S-1-5-32-544 Attributes - DenyOnly   for non-admin   Note that S-1-5-32-544 is BUILTIN Administrators  Also  there are fewer privileges  and the most important thing to notice   admin   S-1-16-12288 Attributes - GroupIntegrity GroupIntegrityEnabled   while for non-admin   S-1-16-8192 Attributes - GroupIntegrity GroupIntegrityEnabled   I hope this helps   Further reading  http   www blackfishsoftware com blog don creating processes sessions integrity levels

User · Answer

UPDATE   Run as Aministrator  is just a command  enabling the program to continue some operations that require the Administrator privileges  without displaying the UAC alerts    Even if your user is a member of administrators group  some applications like yours need the Administrator privileges to continue running  because the application is considered not safe  if it is doing some special operation  like editing a system file or something else  This is the reason why Windows needs the Administrator privilege to execute the application and it notifies you with a UAC alert  Not all applications need an Amnistrator account to run  and some applications  like yours  need the Administrator privileges    If you execute the application with  run as administrator  command  you are notifying the system that your application is safe and doing something that requires the administrator privileges  with your confirm   If you want to avoid this  just disable the UAC on Control Panel   If you want to go further  read the question Difference between  Run as Administrator  and Windows 7 Administrators Group on Microsoft forum or this SuperUser question

User · Answer

Things like  elevates the privileges    restricted access token    Administrator privilege      what the heck is administrator privilege anyway  are nonsense   Here is an ACCESS TOKEN for a process normally run from a user belonging to Administrators group   0  kd gt   process 0 1 test exe PROCESS 87065030  SessionId  1  Cid  0d60    Peb  7ffdf000  ParentCid  0618     DirBase  2f22e1e0  ObjectTable  a0c8a088  HandleCount    6      Image  test exe     VadRoot 8720ef50 Vads 18 Clone 0 Private 83  Modified 0  Locked 0      DeviceMap 8936e560     Token                             935c98e0 0  kd gt   token -n 935c98e0  TOKEN 935c98e0 TS Session ID  0x1 User  S-1-5-21-2452432034-249115698-1235866470-1000  no name mapped  User Groups    00 S-1-5-21-2452432034-249115698-1235866470-513  no name mapped      Attributes - Mandatory Default Enabled   01 S-1-1-0  Well Known Group  localhost Everyone      Attributes - Mandatory Default Enabled   02 S-1-5-32-544  Alias  BUILTIN Administrators      Attributes - Mandatory Default Enabled Owner   03 S-1-5-32-545  Alias  BUILTIN Users      Attributes - Mandatory Default Enabled   04 S-1-5-4  Well Known Group  NT AUTHORITY INTERACTIVE      Attributes - Mandatory Default Enabled   05 S-1-2-1  Well Known Group  localhost CONSOLE LOGON      Attributes - Mandatory Default Enabled   06 S-1-5-11  Well Known Group  NT AUTHORITY Authenticated Users      Attributes - Mandatory Default Enabled   07 S-1-5-15  Well Known Group  NT AUTHORITY This Organization      Attributes - Mandatory Default Enabled   08 S-1-5-5-0-85516  no name mapped      Attributes - Mandatory Default Enabled LogonId   09 S-1-2-0  Well Known Group  localhost LOCAL      Attributes - Mandatory Default Enabled   10 S-1-5-64-10  Well Known Group  NT AUTHORITY NTLM Authentication      Attributes - Mandatory Default Enabled   11 S-1-16-12288  Label  Mandatory Label High Mandatory Level      Attributes - GroupIntegrity GroupIntegrityEnabled  Primary Group  S-1-5-21-2452432034-249115698-1235866470-513  no name mapped  Privs    05 0x000000005 SeIncreaseQuotaPrivilege          Attributes -   08 0x000000008 SeSecurityPrivilege               Attributes -   09 0x000000009 SeTakeOwnershipPrivilege          Attributes -   10 0x00000000a SeLoadDriverPrivilege             Attributes -   11 0x00000000b SeSystemProfilePrivilege          Attributes -   12 0x00000000c SeSystemtimePrivilege             Attributes -   13 0x00000000d SeProfileSingleProcessPrivilege   Attributes -   14 0x00000000e SeIncreaseBasePriorityPrivilege   Attributes -   15 0x00000000f SeCreatePagefilePrivilege         Attributes -   17 0x000000011 SeBackupPrivilege                 Attributes -   18 0x000000012 SeRestorePrivilege                Attributes -   19 0x000000013 SeShutdownPrivilege               Attributes -   20 0x000000014 SeDebugPrivilege                  Attributes -   22 0x000000016 SeSystemEnvironmentPrivilege      Attributes -   23 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled Default   24 0x000000018 SeRemoteShutdownPrivilege         Attributes -   25 0x000000019 SeUndockPrivilege                 Attributes -   28 0x00000001c SeManageVolumePrivilege           Attributes -   29 0x00000001d SeImpersonatePrivilege            Attributes - Enabled Default   30 0x00000001e SeCreateGlobalPrivilege           Attributes - Enabled Default   33 0x000000021 SeIncreaseWorkingSetPrivilege     Attributes -   34 0x000000022 SeTimeZonePrivilege               Attributes -   35 0x000000023 SeCreateSymbolicLinkPrivilege     Attributes -  Authentication ID           0 14e4c  Impersonation Level        Anonymous TokenType                  Primary Source  User32             TokenFlags  0x2000   Token in use   Token ID  d166b            ParentToken ID  0 Modified ID                 0  d052f  RestrictedSidCount  0      RestrictedSids  00000000 OriginatingLogonSession  3e7       and here is an ACCESS TOKEN for a process normally run by the same user with  Run as administrator    TS Session ID  0x1 User  S-1-5-21-2452432034-249115698-1235866470-1000  no name mapped  User Groups    00 S-1-5-21-2452432034-249115698-1235866470-513  no name mapped      Attributes - Mandatory Default Enabled   01 S-1-1-0  Well Known Group  localhost Everyone      Attributes - Mandatory Default Enabled   02 S-1-5-32-544  Alias  BUILTIN Administrators      Attributes - Mandatory Default Enabled Owner   03 S-1-5-32-545  Alias  BUILTIN Users      Attributes - Mandatory Default Enabled   04 S-1-5-4  Well Known Group  NT AUTHORITY INTERACTIVE      Attributes - Mandatory Default Enabled   05 S-1-2-1  Well Known Group  localhost CONSOLE LOGON      Attributes - Mandatory Default Enabled   06 S-1-5-11  Well Known Group  NT AUTHORITY Authenticated Users      Attributes - Mandatory Default Enabled   07 S-1-5-15  Well Known Group  NT AUTHORITY This Organization      Attributes - Mandatory Default Enabled   08 S-1-5-5-0-85516  no name mapped      Attributes - Mandatory Default Enabled LogonId   09 S-1-2-0  Well Known Group  localhost LOCAL      Attributes - Mandatory Default Enabled   10 S-1-5-64-10  Well Known Group  NT AUTHORITY NTLM Authentication      Attributes - Mandatory Default Enabled   11 S-1-16-12288  Label  Mandatory Label High Mandatory Level      Attributes - GroupIntegrity GroupIntegrityEnabled  Primary Group  S-1-5-21-2452432034-249115698-1235866470-513  no name mapped  Privs    05 0x000000005 SeIncreaseQuotaPrivilege          Attributes -   08 0x000000008 SeSecurityPrivilege               Attributes -   09 0x000000009 SeTakeOwnershipPrivilege          Attributes -   10 0x00000000a SeLoadDriverPrivilege             Attributes -   11 0x00000000b SeSystemProfilePrivilege          Attributes -   12 0x00000000c SeSystemtimePrivilege             Attributes -   13 0x00000000d SeProfileSingleProcessPrivilege   Attributes -   14 0x00000000e SeIncreaseBasePriorityPrivilege   Attributes -   15 0x00000000f SeCreatePagefilePrivilege         Attributes -   17 0x000000011 SeBackupPrivilege                 Attributes -   18 0x000000012 SeRestorePrivilege                Attributes -   19 0x000000013 SeShutdownPrivilege               Attributes -   20 0x000000014 SeDebugPrivilege                  Attributes -   22 0x000000016 SeSystemEnvironmentPrivilege      Attributes -   23 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled Default   24 0x000000018 SeRemoteShutdownPrivilege         Attributes -   25 0x000000019 SeUndockPrivilege                 Attributes -   28 0x00000001c SeManageVolumePrivilege           Attributes -   29 0x00000001d SeImpersonatePrivilege            Attributes - Enabled Default   30 0x00000001e SeCreateGlobalPrivilege           Attributes - Enabled Default   33 0x000000021 SeIncreaseWorkingSetPrivilege     Attributes -   34 0x000000022 SeTimeZonePrivilege               Attributes -   35 0x000000023 SeCreateSymbolicLinkPrivilege     Attributes -  Authentication ID           0 14e4c  Impersonation Level        Anonymous TokenType                  Primary Source  User32             TokenFlags  0x2000   Token in use   Token ID  ce282            ParentToken ID  0 Modified ID                 0  cddbd  RestrictedSidCount  0      RestrictedSids  00000000 OriginatingLogonSession  3e7   As you see  the only difference is the token ID   Token ID  d166b            ParentToken ID  0 Modified ID                 0  d052f    vs   Token ID  ce282            ParentToken ID  0 Modified ID                 0  cddbd    Sorry  I can t add much light into this yet  but I am still digging

User · Answer

The Run as  Anything command saves you from logging out and logging in as the user for which you use the runas command for   The reason programs ask for this elevated privilege started with Black Comb and the Panther folder  There is 0 access to the Kernel in windows unless through the Admin prompt and then it is only a virtual relation with the O S kernel   Hoorah

User · Answer

Okay  let s re-iterate     The actual question  and an excellent one at that       What does  run as admin  do that being a member of the administrators group does not      Answer 1  It allows you to call on administrator rights while under a user session   Note  The question is wrongly put  one is a command and the other is a group object to apply policies   Open a command prompt and type runas      This will list all the switches the runas command line can use   As for the Administrators Group this is based on GPEDIT or SECPOL and whether or not a Domain administrator is present or not or a network is present or not   Usually these things will apply restrictions on computers that the administrators group is not affected by   The question should be     What does runas admin do that run as user does not    OR     What does the Administrator group do that a customized user group can t    You are mixing apples and oranges

[windows] What precisely does 'Run as administrator' do?

Examples related to windows

Examples related to windows-7

Examples related to privileges

Examples related to administrator

Examples related to runas