48

After install Windows 10, it seems that I lost the ability to run explorer.exe as administrator with a user in administrator group.

The reason I want to do that is, in our team's development environment, we are using a C# exe to do some environment configuration which will start command prompt under administrator mode and subst a drive. As a result those substed drives are not visible within the file explorer since it is run not as administrator. That will be kind of inconvenience and sometimes make mistakes.

I was able to run explorer.exe from task manager with the option "create with privileges" checked and then I can see all the drives in explorer. But now this is not working anymore.

I knew there are other options to workaround this workflow, but just want to make sure that if it is now totally impossible under Windows 10?

Any comment is appreciated.

magicandre1981
  • 97,301
  • 30
  • 179
  • 245
shinji
  • 483
  • 1
  • 4
  • 5
  • 5
    Have you tried searching for explorer.exe with the start menu and right-clicking and selecting Run as Administrator? – InterLinked Apr 02 '16 at 11:10
  • Please format your question why do you need to run it administrator what's the issue when it's not running as admin add? – SeanClt Apr 02 '16 at 11:20
  • 1
    @InterLinked, thanks for the suggestion. However, in Win 10, there is no "Run as Administrator" option in context menu for explorer.exe after found it with you way. Go to the C:\Windows and then "run as" doesn't work. Actually, I think if current explorer is still running, "run as" should not work. But if I quit explorer, both ways should not available as well. – shinji Apr 02 '16 at 11:34
  • @SeanClt I have formatted my question per your suggestion. Thanks for the reminder. – shinji Apr 02 '16 at 11:35
  • If UAC is completely disabled, does your problem still occur? – InterLinked Apr 02 '16 at 11:36
  • @InterLinked, I have changed UAC to never notify. Is that what you mean completely disabled? – shinji Apr 02 '16 at 11:38
  • Yes, And if you launch other programs they are automatically elevated, right? – InterLinked Apr 02 '16 at 11:41
  • With UAC disabled, I still need get a program run under administrator mode by using "run as administrator". I think it is still because my explorer.exe under standard mode. – shinji Apr 02 '16 at 11:53
  • As my reputation is too low, here is my answer as a comment: Use `Everything` from voidtools.com to locate the file (usually C:\Windows\SysWOW64\explorer.exe) and right-click on it => here you can choose to run it as administrator. – Gorgsenegger Apr 14 '18 at 19:09

4 Answers4

42

For small things like browsing a folder that cannot be browsed without elevated explorer I start elevated notepad and then in the file open dialog I can browse all directories. With right click I can do quite a bit. (It's a fast solution that mostly does the trick.)

Kamil Maciorowski
  • 69,815
  • 22
  • 136
  • 202
rony
  • 421
  • 1
  • 3
  • 3
  • +1 - but this trick is not useful when I want to copy paste multiple files. Because notepad let me select only 1 file at a time, which I can move anywhere. Any trick for moving multiple files? (through such elevated running program) – Tahir Jul 12 '17 at 12:56
  • 7
    @TahirAkram Just run any programs that allow selecting multiple files. For example, Windows Media Player. – raymai97 Dec 17 '17 at 04:45
  • 1
    @raymai97 and rony, thank you both! Sheer genius! – cxw Jan 25 '18 at 14:39
  • that is so nice. worked with Notepad++ - was able to paste in 2 files. – Jay Cummins Jun 06 '18 at 20:02
  • +1 I used drag and drop within notepad open dialog to copy parent folders. – golfalot Nov 04 '20 at 16:34
19

I discovered a way to run Explorer as admin some time ago:

  • start regedit.exe and go to the following key. You should be able to copy/paste this string into the regedit address bar:

    HKEY_CLASSES_ROOT\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}

  • make a right click on Permissions and set your user as owner (click on advanced button to be able to take ownership) of the key and give your current user writing permissions.

enter image description here

enter image description here

or use the 3rd party tool RegOwnershipEx to get full control of the key:

  • Next, delete or rename the value RunAs.

Now the Elevated-Unelevated Explorer Factory (which causes that the Run As admin is ignored) is disabled and you can start the Explorer with admin rights.

enter image description here

Note: In order to start Explorer as admin after having done that, don't do this: Task Manager > Run > explorer.exe with "As admininistrator" checked, it will not work. Instead create an explorer shortcut on desktop, right-click on it and select "Run as admin" or edit the shortcut > Advanced > Run as administrator.

Basj
  • 1,489
  • 7
  • 47
  • 90
magicandre1981
  • 97,301
  • 30
  • 179
  • 245
  • 3
    This doesn't work either. I cannot save the permission changes even after run regedit with elevated mode. – shinji Apr 03 '16 at 04:21
  • 1
    Oooops, I cannot save the permission changes even after enabled and log in as the hidden administrator account. – shinji Apr 03 '16 at 04:42
  • you have to take ownership of the key. I tested it on Build 14295 and it still works fine. – magicandre1981 Apr 03 '16 at 16:03
  • Thank you. this finally worked! BTW, may you share if there will be any issue with this change in reg? – shinji Apr 04 '16 at 10:54
  • I sometimes had 4-5 Explorer.exe instances running even if I close all Explorer windows. – magicandre1981 Apr 04 '16 at 15:44
  • @magicandre1981 Disabling the "Launch Folder Windows in a separate process" option might help – Ben Philipp Dec 05 '16 at 11:50
  • I can't get it to work with this either. I'm perfectly able to edit the registry, but neither elevated cmd nor task manager can launch Explorer elevated, it always shows up as limited. Any ideas on what might be causing this? – Ben Philipp Dec 05 '16 at 11:52
  • @user282284 it works fine for me. just tested it in official 1607 – magicandre1981 Dec 05 '16 at 17:00
  • For me, just changing "RunAs" did it. – wolfram77 Dec 07 '16 at 18:20
  • In Windows 10 when I right click the CDCBCFCA-3CDC-436f-A4E2-0E02075250C2 node and select permissions, add myself to security and give myself full control, when I click OK, I get a dialog that says "Unable to save permission changes on {CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}. Access is denied. – RonC Sep 06 '17 at 15:20
  • 1
    @RonC first select your account as **owner** (important) of the key, next change the permissions. – magicandre1981 Sep 06 '17 at 15:28
  • @magicandre1981 thanks. I see your partial screenshot about changing the owner, but I can't figure out in the UI how to get to that place with the link to change the owner. – RonC Sep 06 '17 at 15:32
  • @RonC click on the **advanced** button or use this [tool to take ownership of keys](http://winaero.com/comment.php?comment.news.210) – magicandre1981 Sep 06 '17 at 15:42
  • @magicandre1981 That solved my issue. – RonC Sep 06 '17 at 16:06
  • I used RegOwnershipEx to take ownership on HKEY_CLASSES_ROOT\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}, then I deleted the `RunAs` key. Then I went to Task manager, I killed the `explorer.exe` process (there was only one). Then I used 'Run' from the menu, I entered `explorer.exe`, I checked the "As admininistrator" checkbox. But then, the column `Elevated` still mentions No :( and not Yes like in your screenshot... Do you have any idea @magicandre1981? – Basj Jun 18 '20 at 19:47
  • don't kill normal explorer, create an explorer shortcut on desktop, rightlick on it and select "run as admin" . now you can drag&drop files from this explorer instance to the old programs that run as admin – magicandre1981 Jun 18 '20 at 20:04
  • I tried your method @magicandre1981, and it works. I included these details in the answer as an edit (maybe it will save precious time to future readers too, because I spent a lot of time trying to kill explorer.exe and run it as admin from Task manager, which does not work). Thanks! – Basj Jun 19 '20 at 10:30
  • PS @magicandre1981: How to run Explorer as admin by default, when Windows boots? (I don't want to have to run the Explorer as admin "manually" after each reboot...) – Basj Jun 19 '20 at 10:31
3

Start command line as Administrator.

Type these commands:

taskkill /im explorer.exe
explorer.exe
sohnryang
  • 103
  • 4
jung
  • 47
  • 1
0

To apply the accepted solution of @magicandre1981 with a copy & past PowerShell script, just execute the following from an elevated PowerShell prompt:

Function Enable-Privilege 
{
 param([ValidateSet("SeAssignPrimaryTokenPrivilege", "SeAuditPrivilege", "SeBackupPrivilege",
   "SeChangeNotifyPrivilege", "SeCreateGlobalPrivilege", "SeCreatePagefilePrivilege",
   "SeCreatePermanentPrivilege", "SeCreateSymbolicLinkPrivilege", "SeCreateTokenPrivilege",
   "SeDebugPrivilege", "SeEnableDelegationPrivilege", "SeImpersonatePrivilege", "SeIncreaseBasePriorityPrivilege",
   "SeIncreaseQuotaPrivilege", "SeIncreaseWorkingSetPrivilege", "SeLoadDriverPrivilege",
   "SeLockMemoryPrivilege", "SeMachineAccountPrivilege", "SeManageVolumePrivilege",
   "SeProfileSingleProcessPrivilege", "SeRelabelPrivilege", "SeRemoteShutdownPrivilege",
   "SeRestorePrivilege", "SeSecurityPrivilege", "SeShutdownPrivilege", "SeSyncAgentPrivilege",
   "SeSystemEnvironmentPrivilege", "SeSystemProfilePrivilege", "SeSystemtimePrivilege",
   "SeTakeOwnershipPrivilege", "SeTcbPrivilege", "SeTimeZonePrivilege", "SeTrustedCredManAccessPrivilege",
   "SeUndockPrivilege", "SeUnsolicitedInputPrivilege")]$Privilege,
  $ProcessId = $pid,
  [Switch]$Disable)

   $Definition = @'
 using System;
 using System.Runtime.InteropServices;

 public class AdjPriv
 {
  [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
  internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
   ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);

  [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
  internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
  [DllImport("advapi32.dll", SetLastError = true)]
  internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);
  [StructLayout(LayoutKind.Sequential, Pack = 1)]
  internal struct TokPriv1Luid
  {
   public int Count;
   public long Luid;
   public int Attr;
  }

  internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
  internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
  internal const int TOKEN_QUERY = 0x00000008;
  internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
  public static bool EnablePrivilege(long processHandle, string privilege, bool disable)
  {
   bool retVal;
   TokPriv1Luid tp;
   IntPtr hproc = new IntPtr(processHandle);
   IntPtr htok = IntPtr.Zero;
   retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
   tp.Count = 1;
   tp.Luid = 0;
   if(disable)
   {
    tp.Attr = SE_PRIVILEGE_DISABLED;
   }
   else
   {
    tp.Attr = SE_PRIVILEGE_ENABLED;
   }
   retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
   retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
   return retVal;
  }
 }
'@

 $processHandle = (Get-Process -id $ProcessId).Handle
 $type = Add-Type $definition -PassThru
 $type[0]::EnablePrivilege($processHandle, $Privilege, $Disable)
}

$path = 'HKLM:\Software\Classes\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}'

$acl = Get-Acl $path
$originalOwner = $acl.GetOwner([System.Security.Principal.NTAccount]).Value
$acl.SetOwner((New-Object System.Security.Principal.NTAccount([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)))
$acl | Set-Acl $path

Rename-ItemProperty -LiteralPath $path -Name "RunAs" -NewName "__RunAs";

$acl = Get-Acl $path
$acl.SetOwner((New-Object System.Security.Principal.NTAccount($originalOwner)))
Enable-Privilege SeRestorePrivilege
$acl | Set-Acl $path

It renames the RunAs value name to __RunAs.

lauxjpn
  • 149
  • 6
  • No idea why this got downvoted. Should work flawlessly. If not, add a comment, so we can find the issue. – lauxjpn Sep 20 '21 at 07:52