Elevation: Acquiring the Admin Token in Administrator vs Standard Accounts in Windows
I've recently been confused by how UAC works between Standard accounts and Administrator accounts.
As we all know, when UAC is turned on, UAC allows Standard Accounts or Administrator accounts in Admin Approval Mode to gain access to the administrator token in order to perform tasks that require administrative access to the machine - allowing us to switch tokens without switching users.
However, it appears that switching tokens is not really what happens: A while ago, I ran an application that would modify the shell (explorer.exe). I ran the program in a Standard Account, but it needed elevated access: therefore, I used UAC to supply admin credentials so it could complete. I did not see any change to the shell; I then logged into the administrator account whose credentials I used and I saw that the shell in that account had been changed, which was obviously not what I wanted.
It appeared to me that UAC was just basically a "Run-as user" type deal where it actually ran the program as that user. This meant that I wasn't just running it elevated: I was literally running the program as that user.
My question is: is it possible for a standard account to use the administrator token but actually run the program as a standard user and use the current user's profile? Otherwise, it seems to me that if you need to do any administrator tasks, you are pretty much required to log in to an administrator account, which defeats the whole purpose of UAC - since UAC runs a program as the administrator, rather than using just the administrator rights.
Is this separation of token and profile possible? Or do all users just have to be administrators in that case? It seems to me this would account for many organizations just granting full administrator access to all users.
Can someone please shed some light on this?
I would like to know if it would have been possible to supply an administrator token to the said program, but run that program in the current user account, not the user account of the administrator whose credentials were supplied - in other words, would it have been possible to modify the shell in the Standard account with that program? The goal would be to launch the process as the logged in user (regardless of current privileges) with administrative rights, not as a process under an account with admin rights.
Hope this makes sense.
CLARIFICATION: I am not referring to Admin Approval Mode or how UAC works. I already know that if UAC is set to a secure setting, even Administrators will be prompted and unless it is turned off, administrators use the standard token by default. I am talking about when the administrator token is gained, is it possible to still run the process as the logged in user, just with the admin token? (not using Run As 'user' but maybe something like run as/with 'token'), etc... In this way, it would be using generic administrative privileges rather than one user's administrative privileges.
Is this at all possible, or have I just pointed out a feature not in Windows?
Would I, to achieve the goal described here, have to perhaps turn the standard account into an administrator account any time anything that requires elevation needs to be done, and then turn it back into a standard account when done? Based on comments, it appears that this is not possible and that seems to be a flaw in the OS because it makes UAC basically useless.
CASE IN POINT: A few years ago, I was trying to run a program that would change my computer's theme that needed to patch the system (one of those third-party programs). It required administrator rights. I didn't see any change, but then I logged into the administrator account whose password I had used, and found all the activity had been applied to that account!! I had to mess with it a few times to get it to work, but it was a really wonky process. Would the easiest solution be to just promote that standard account temporarily to an administrator, and then demote it afterwards?
Solution 1:
You cannot have a program running under a Standard account, but with Admin permissions.
You are mistaken that UAC is a "Run as another user". Programs running under an Admin's username run with standard permissions by default. It is only when a program is "elevated" that it gains admin permissions. This is true even if your user account is an Admin.
UAC was created to solve the problem that all processes running under a user who was an admin had admin permissions.
Solution 2:
Yes, it is possible...
Open a console and type "runas"
use the /profile switch to select a profile to run the program...
use the /savecred switch to save the admin credentials you choose...
...
RUNAS USAGE:

RUNAS [ [/noprofile | /profile] [/env] [/savecred | /netonly] ]
        /user:<UserName> program

RUNAS [ [/noprofile | /profile] [/env] [/savecred] ]
        /smartcard [/user:<UserName>] program

RUNAS /trustlevel:<TrustLevel> program

   /noprofile        specifies that the user's profile should not be loaded.
                     This causes the application to load more quickly, but
                     can cause some applications to malfunction.
   /profile          specifies that the user's profile should be loaded.
                     This is the default.
   /env              to use current environment instead of user's.
   /netonly          use if the credentials specified are for remote
                     access only.
   /savecred         to use credentials previously saved by the user.
                     This option is not available on Windows 7 Home or Windows 7 Starter Editions
                     and will be ignored.
   /smartcard        use if the credentials are to be supplied from a
                     smartcard.
   /user             <UserName> should be in form USER@DOMAIN or DOMAIN\USER
   /showtrustlevels  displays the trust levels that can be used as arguments
                     to /trustlevel.
   /trustlevel       <Level> should be one of levels enumerated
                     in /showtrustlevels.
   program           command line for EXE. See below for examples

Examples:
> runas /noprofile /user:mymachine\administrator cmd
> runas /profile /env /user:mydomain\admin "mmc %windir%\system32\dsa.msc"
> runas /env /user:[email protected] "notepad \"my file.txt\""

NOTE: Enter user's password only when prompted.
NOTE: /profile is not compatible with /netonly.
NOTE: /savecred is not compatible with /smartcard.
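The two answers above differ on what a process started with admin rights actually runs as: Solution 1 describes the filtered token versus the full (elevated) token of the same user, while Solution 2 uses runas to start the program under a different user entirely. The following added example (it is not code from the original question or either answer) is a small PowerShell diagnostic that reports, for the process it runs in, which account the token belongs to, whether it is the elevated token, the mandatory integrity level, and which user profile was loaded. It assumes Windows PowerShell 5.1 or later on an English-language Windows install (the integrity level is parsed from English whoami output); the account names in the comments are placeholders.

```powershell
# Added example, not part of the original question or answers.
# Assumes Windows PowerShell 5.1+ on Windows with English whoami.exe output;
# MACHINE\SomeAdmin below is a placeholder account name.

function Get-TokenContext {
    <#
      Reports who the current process runs as, whether its token is the full
      (elevated) administrator token or the UAC-filtered standard token, the
      mandatory integrity level, and which user profile it loaded.
    #>
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # IsInRole is true only on the full token: on the UAC-filtered token the
    # Administrators group is present but marked "deny only", so this returns
    # false even for a user in the Administrators group who has not elevated.
    $elevated = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # Mandatory integrity level, read from whoami because the .NET Groups
    # collection does not include the integrity label SID.
    # Medium = filtered token, High = elevated token.
    $labelLine = (& whoami.exe /groups) | Select-String 'Mandatory Label'
    $integrity = if ("$labelLine" -match 'Mandatory Label\\(\w+) Mandatory Level') {
        $Matches[1]
    } else {
        'unknown'
    }

    [pscustomobject]@{
        ProcessUser    = $identity.Name            # DOMAIN\user the token belongs to
        Elevated       = $elevated
        IntegrityLevel = $integrity
        ProfilePath    = $env:USERPROFILE          # profile that HKCU and %APPDATA% resolve to
        AppData        = $env:APPDATA
    }
}

# Run this script three ways and compare the rows:
#   1. from a normal console in your own session
#   2. Start-Process powershell -Verb RunAs          (UAC elevation)
#   3. runas /user:MACHINE\SomeAdmin powershell       (start as another user)
Get-TokenContext | Format-List
```

When an Administrator-account user elevates (way 2), ProcessUser and ProfilePath stay the same and only Elevated and IntegrityLevel change, which is the token switch Solution 1 describes. When a Standard-account user supplies another account's credentials to the UAC prompt, or uses runas as in Solution 2, ProcessUser and ProfilePath both belong to the supplied account, which is why the questioner's shell change landed in the administrator's profile. Comparing the three outputs is also a quick way to confirm, before running an installer or patcher, which profile its changes will land in.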