WindowsDevCenter.com
oreilly.comSafari Books Online.Conferences.

advertisement


AddThis Social Bookmark Button

Using Windows Explorer with Alternate Credentials

by Mitch Tulloch
09/20/2005

Running Windows using administrator credentials can be hazardous to the health of your machine. What if you're logged on using the local Administrator account, and you check your email and open an attachment that contains some malicious program? That program has gained administrator privileges by leveraging your log-on credentials. Because of this, it's a good idea for administrators to have two user accounts: an ordinary user account with limited privileges that is used for ordinary work such as writing reports, checking email, and browsing the web; and an administrator-level account that is used only when managing servers and performing similar administrative tasks.

The runas.exe command or secondary log-on feature of Windows 2000 and later is perfect for this scenario, as it eliminates the need for administrators to log off and on to switch between their two accounts. Unfortunately, not every program can be run using alternate credentials using runas.exe, and one prime example is Windows Explorer.

The Problem

Say you're logged on using your ordinary account and you want to start an instance of Windows Explorer using local admin privileges. So you navigate the Start menu until you find the shortcut for Windows Explorer and then you right-click on the shortcut and select "Run as…" from the context menu. A dialog box opens and you enter your local admin credentials:

Figure 1
Figure 1. Trying to run Windows Explorer using alternate (admin) credentials

Unfortunately when you click OK, nothing happens. The reason is that Windows Explorer (explorer.exe) is one of those programs like Microsoft Outlook; when you try to run it, it starts by checking to see whether a copy of itself is already running on your machine. And since the Windows desktop itself is an explorer.exe shell, there is always a copy of explorer.exe running on your desktop.

Before we look at the solution though, we might ask why we might want to start a second instance of explorer.exe running under admin credentials. Well, one reason could be if you were logged on as an ordinary user and you want to share a folder over the network. Trouble is, in this scenario you can't share a folder from the GUI because the properties sheet for the folder doesn't have a Sharing tab. So if you could open explorer.exe as administrator you could find your folder, access its properties, and select the Sharing tab to share it. So how can we do this, short of logging off and then on again as Administrator?

Windows Server Hacks

Related Reading

Windows Server Hacks
100 Industrial-Strength Tips & Tools
By Mitch Tulloch

Pages: 1, 2

Next Pagearrow