« Windows Server Division Gets Jiggy | Main | Running as Non-Admin, Day 4 »

December 01, 2004

Running as Non-Admin, Day 2/3

A few more adventures running as non-admin. I had a beta of Whidbey (.Net 2.0) on my machine, and when I went to uninstall it, it said I had to be admininstrator to run setup. OK, that's reasonable. I figured I could just fire up an instance of "Add/Remove Programs" that ran as the local Administrator account.

Unfortunately I could not, because Control Panel is a "special" shortcut that doesn't let you set itself to run as a specific user. Next!

To make a user an administrator, I right-click on "My Computer" and select "Manage", which brings up MMC in the computer management console. Since I figured I might occasionally need to make my domain account admin again (I had installed Whidbey under my domain account when it was admin; I figured it was safest to uninstall it from the same situation, rather than uninstalling it when I was logged on as local administrator), I wanted to create a shortcut to that console that ran as local administrator -- that way I would not have to log out, log on as local Administrator, and then log back on as the domain account.

MMC is just an app, but the "My Computer" element on the Start menu is also magic in some way, in that you can't easily figure out what the "Manage" menu item really links to. And when I run mmc.exe directly, it gives me a generic empty console. Luckily, if I click on the "Console" menu, it brings up a "recently used" list that included compmgmt.msc, which is the computer management console. So I manually created a shortcut to "mmc compmgmt.msc", and on THAT I was able to set it up to run as local Administrator.

Other than that, it worked. I could now use that shortcut to make my domain account admin without logging on as local Administrator (I still had to log off and on to have the change take effect, since once you are logged on your token doesn't change privilege (that's probably not QUITE accurate)).

There was one funny glitch when I ran MMC as an admin domain account and changed that account itself to non-admin -- it made the change, but then got an error trying to save it. I guess this is because the file/registry/whatever permissions are re-checked at that point. Actually it's a little strange. At the moment when I do the write to commit the change of the account being non-admin, I am still admin. So it should work. Is it failing doing a second write? Yet when it fails I am still admin, not half-admin. I think what probably happens is there is an explicit check for exactly this case -- it's the kind of thing a tester would think of checking -- and it fails intentionally and backs out cleanly.

But things mostly worked well. For example when I ran as local Administrator and had to browse Active Directory to find my domain account (so I could add it as admin), it correctly prompted me for an account that had privilege to browse.

Posted by AdamBa at December 1, 2004 07:24 PM

Trackback Pings

TrackBack URL for this entry:


what about running appwiz.cpl from a runassed cmd.exe?
Second option:
runas /user:administrator "control appwiz.cpl"
It's been working for me since ages

Posted by: varanusz at December 2, 2004 03:27 AM

I usually right-click an Internet Explorer shortcut in my Quick Launch bar, then choose Run As to run as an administrator. Once IE's running (with Aaron Margosis' PrivBar so I don't forget it's privileged) I just enter 'Control Panel' in the address bar.

One oddity of IE used as an Explorer under alternate credentials is that the display doesn't refresh in response to events in the displayed folder - for example, if you choose New > Folder from the context menu, you have to refresh before you see 'New Folder' appear. If you delete a file, you have to refresh before the file disappears from the view.

Others have suggested using the 'Launch new folder windows in a separate process' option, but that never worked for me.

Posted by: Mike Dimmick at December 2, 2004 05:29 AM

Varanusz -- good suggestion, I will try. Actually once I know that the control panel is really an app called control.exe and the Add/Remove Programs is appwiz.cpl, then I can directly set up a shortcut to that. The problem was I didn't know that, and if you go to Control Panel and right-click, it doesn't give you the usual Properties choice (plus that would just tell you that it was control.exe; to determine what Add/Remove Program was I would need to right-click on that, and again it doesn't give me the usual Properties choice).

I hate it when Windows "hides" information like this in a misguided effort to simplify things for the user.

- adam

Posted by: Adam Barr at December 2, 2004 07:53 AM

I see Aaron Margosis's PrivBar mentioned above, but not his MakeMeAdmin script. It's turned out to be my favorite tool by a long shot. :-)


Posted by: Garrett Fitzgerald at December 2, 2004 04:16 PM

BTW, why do you need to run Add/Remove programs here, instead of just running the setup.exe directly?

Posted by: Garrett Fitzgerald at December 2, 2004 04:17 PM

I'm trying to do things the "official" way.

- adam

Posted by: Adam Barr at December 2, 2004 08:53 PM

Maybe a 'add/remove program' cmdlet would be nice? ;)

>get-program micro*
Microsoft Office
Microsoft Visual Studio
>uninstall-program "Microsoft Office"
Microsoft Office was uninstalled

Posted by: Andreas Häber at December 3, 2004 05:54 PM

To run control panel applets as an admin, just hold shift while you right-click on them. This usually adds 'run as...' to the pop-up menu.

Posted by: Chris Lundie at December 4, 2004 01:22 AM

Andreas: Yes indeed. I don't know how familiar you are with Monad, but you could do it as a provider:

C:\> cd programs:\
programs:\> dir
Microsoft Office
Microsoft Visual Studio
programs:\> del "Microsoft Office"

- adam

Posted by: Adam Barr at December 4, 2004 08:20 AM

Yeah, I'm quite familiar with Monad but of course not as familiar as you. I actually started on writing those get/remove-program cmdlets, seemed like a fun small project to do :).

But it would be nice to have filters, so you can write stuff like "remove-program Micro*" (no offence! ;)) and that started to become a little mess... I forgot all the benefits you get from writing a provider instead, so I try that way instead now :)

Posted by: Andreas Häber at December 10, 2004 03:43 AM

The list of .CPL's are available here:

For example I had to change the international setting several times, not only as admin, but as normal user as well.

"-, intl.cpl, " is much faster, than wandering around w/ the mouse.

Posted by: varanusz at December 13, 2004 04:57 AM

I mean:
>Win<->R<, intl.cpl, >enter<

Posted by: varanusz at December 13, 2004 04:59 AM