Windows DevCenter    
 Published on Windows DevCenter (http://www.windowsdevcenter.com/)
 See this if you're having trouble printing code examples


Using Windows Explorer with Alternate Credentials

by Mitch Tulloch
09/20/2005

Running Windows using administrator credentials can be hazardous to the health of your machine. What if you're logged on using the local Administrator account, and you check your email and open an attachment that contains some malicious program? That program has gained administrator privileges by leveraging your log-on credentials. Because of this, it's a good idea for administrators to have two user accounts: an ordinary user account with limited privileges that is used for ordinary work such as writing reports, checking email, and browsing the web; and an administrator-level account that is used only when managing servers and performing similar administrative tasks.

The runas.exe command or secondary log-on feature of Windows 2000 and later is perfect for this scenario, as it eliminates the need for administrators to log off and on to switch between their two accounts. Unfortunately, not every program can be run using alternate credentials using runas.exe, and one prime example is Windows Explorer.

The Problem

Say you're logged on using your ordinary account and you want to start an instance of Windows Explorer using local admin privileges. So you navigate the Start menu until you find the shortcut for Windows Explorer and then you right-click on the shortcut and select "Run as…" from the context menu. A dialog box opens and you enter your local admin credentials:

Figure 1
Figure 1. Trying to run Windows Explorer using alternate (admin) credentials

Unfortunately when you click OK, nothing happens. The reason is that Windows Explorer (explorer.exe) is one of those programs like Microsoft Outlook; when you try to run it, it starts by checking to see whether a copy of itself is already running on your machine. And since the Windows desktop itself is an explorer.exe shell, there is always a copy of explorer.exe running on your desktop.

Before we look at the solution though, we might ask why we might want to start a second instance of explorer.exe running under admin credentials. Well, one reason could be if you were logged on as an ordinary user and you want to share a folder over the network. Trouble is, in this scenario you can't share a folder from the GUI because the properties sheet for the folder doesn't have a Sharing tab. So if you could open explorer.exe as administrator you could find your folder, access its properties, and select the Sharing tab to share it. So how can we do this, short of logging off and then on again as Administrator?

Windows Server Hacks

Related Reading

Windows Server Hacks
100 Industrial-Strength Tips & Tools
By Mitch Tulloch

The Solution

The trick with solving this is to use Internet Explorer instead of Windows Explorer. Remember the big brouhaha in the late '90s about whether Microsoft was being monopolistic and unfair by including a free web browser with their Windows operating system? Microsoft's argument was that Internet Explorer was not just a free web browser but an integral part of Windows itself, and that by removing it (as some demanded they do) it would break functionality in the operating system itself.

Well that issue is history now, but the similarity between Internet Explorer (iexplore.exe, the web browser) and Windows Explorer (explorer.exe, the file system manager) is pretty remarkable. For example, say you're logged on as an ordinary user and you want to share a folder named C:\stuff. If you try opening the properties sheet for this folder in Windows Explorer, there's no sharing tab, so you can't do it:

Figure 2
Figure 2. How can I share my stuff so others can access it?

But you can do the following: right-click on the Internet Explorer shortcut on your Quick Launch toolbar and select "Run as…" from the context menu, specify your administrator credentials as shown in Figure 1, and click OK. Then type C:\ into the address bar of Internet Explorer and suddenly you're browsing your file system instead of the Web:

Figure 3
Figure 3. Internet Explorer can browse your file system, too.

Now right-click on the C:\stuff folder and you can share it over the network as desired:

Figure 4
Figure 4. Shared stuff is great if you need it.

Hacking the Hack

Once you have iexplore.exe running with admin credentials, you can do other things, too. Say you want to access the Windows operating system files-just type "%systemroot%" in the address bar (without the quotes) and you'll go straight there. That's because %systemroot% is what's known as an environment variable and is understood by iexplore.exe to represent the string "C:\Windows" or wherever your system files are installed. You can also type "My Computer" or "My Network Places" in the address bar and go there as well. You can even type "Desktop" and access your Administrator desktop while logged on as an ordinary user!

It gets better: type "Control Panel" into the address bar and Control Panel opens in a window running with admin credentials. Now you can access the Date and Time utility and change your system time, something you couldn't do if you accessed Control Panel the usual way (from the Start menu) when you're logged on as an ordinary user. Or you can set Power Options, and do other stuff you can't do as an ordinary user. Just remember, you're running as Administrator even though you're logged in as an ordinary user, so be careful what changes you make to your system!

Mitch Tulloch is the author of Windows 2000 Administration in a Nutshell, Windows Server 2003 in a Nutshell, and Windows Server Hacks.


Return to the Windows DevCenter.

Copyright © 2009 O'Reilly Media, Inc.