4

I know this has been asked before because I already tried every answer I could google up. Please read through before marking it as duplicate.

My home machine has two accounts set up:

  • one simple unprivileged user
  • another administrator account with full control over everything

There are times when I would need to perform some action which requires administrator rights, such as deleteing something from C:\ . For the love of all that is holy I cannot convince the windows file explorer that it is running with administrator account with full control over everything. I tried:

  • running as administrator which prompts UAC to ask for username and password at which point I use the admin account
  • shift right click and choose run as different user at which point I receive the same prompt as above
  • running command prompt with the admin account and starting explorer.exe from there
  • checking the Run as administrator option in the advanced properties of the explorer shortcut
  • the suggestions from this superuser answer and failed
  • running various combinations of the runas command through an elevated command prompt

Every single time I want to perform some privileged action on some privileged file I get either the access denied message or another message stating my user is not in the administrators group. Even when I try to take ownership of a folder (from myself, because I am already the owner of it and all its contents) it tells me access denied.

And yes, I do have the rights to do anything and everything because if I use command prompt with the admin account I can rmdir, mkdir, etcdir all day long without any issues. I can even start free commander with admin account and do whatever without any problems. Why is the file explorer so stubborn?

The reason I have set up two accounts is that I like to remote into this machine, using RDP, from work for example. Only the unprivileged account is allowed to RDP into this machine. I cannot and do not want to allow RDP with the administrator account. This is just to explain why I don't log in with the administrator account but this does not affect the issue. Even when I am at home and log in with the admin account I experience the same problem with an elevated file explorer window.

It is not a corrupted window installation, this very same problem occurs on a fresh clean install after the hard drive has been formatted.

user1969903
  • 168
  • 1
  • 12
  • 1
    Explorer is deeply rooted in Windows and with the increased security measures of Win7 you might be unable to. Especially if there is no reason to do this. If you want to perform a privileged action it should ask for credentials and after providing them allow you to perform said action. If you do not get that prompt it does sound like something is off with your Windows Installation. Maybe you changed the UAC settings or similar? – Seth Nov 08 '18 at 07:13
  • 1
    Yes, it does ask me for credentials but then it just tells me that access is denied. Also, I do change the UAC settings. I set it to the lowest security setting so that it bugs me as few times as possible. – user1969903 Nov 08 '18 at 07:16
  • 1
    So if you try to delete a file you get the prompt to provide credentials and after you enter your administrative credentials it says you can't delete those files? Where are those files located? For instance the Program Files folder has some more strict security settings applied in comparison to a folder that you create yourself. Why is running an alternative file explorer like the one you mention insufficient? – Seth Nov 08 '18 at 09:06
  • 1
    Sounds about right. I get the "you need permissions from..." message, I write in the admin credentials and after that I get access denied. For example files / folders in Program Files left over after uninstalling apps. It is sufficient but I'm just curious why is this very basic functionality not working in Windows. This is literally the only reason I have free commander installed. I'd rather not install it otherwise. – user1969903 Nov 08 '18 at 10:20
  • 1
    I noticed that no matter how I start the file explorer, under the username column in task manager, I always see the unprivileged account. Is this normal? – user1969903 Nov 08 '18 at 10:21
  • 1
    As mentioned Explorer is deeply rooted in the system. As far as I know the easiest option would be to terminate all Explorer instances (this will kill your UI) and start an explorer with different credentials. This comes with all sorts of different issues. The basic functionality is not working because Microsoft doesn't have a reason to enable it. After all there is little reason to start a complete explorer instance as a privileged user. You could try to raise your UAC level and it give it a shot to see whenever that helps. – Seth Nov 08 '18 at 10:31
  • 1
    I actually tried that already. I opened up a command line with the admin account, ended the explorer process and then using the elevated command line I ran the explorer.exe command. Upon checking the username it still showed that of the simple account. It's frustrating! – user1969903 Nov 08 '18 at 10:39
  • 1
    I honestly don't get what your problem is at this point. Just use one of the workarounds you already found yourself. By running the explorer as a privileged user you could just as well logon as the Administrator. What you want to do are essentially administrative tasks anyway. It's simply not supported to run the [explorer with privileges](https://serverfault.com/a/564475/366255). The mentioned forum also references what @harrymc said. If you didn't follow these particular steps you could do that but it's still not supported what you're doing and you have a reliable workaround that would be. – Seth Nov 08 '18 at 10:53
  • 1
    Are you able to perform the desired file operations if you actually *log on* with your administrator account? Also, what changes did you make to your computer to prevent connecting to it via RDP with your administrator account? – I say Reinstate Monica Nov 08 '18 at 11:02
  • 1
    @TwistyImpersonator: Still the same problem when logging in with the admin account. As for preventing RDP access I simply removed the admin account fromt the Remote Desktop Users group using Computer Management > Local Users and Groups. – user1969903 Nov 08 '18 at 11:07
  • 1
    @Seth: My problem is why do I have to rely on workarounds? In linux if I need elevated priviliges I just sudo the command and voila. Same goes for anyother process in Windows. If I need to run Visual Studio with admin rights so that it can register I don't know what COM components or whatever, I just run it with that account and it just works. Perfectly valid use case. Why is this not the case with the humble file explorer? Is this a bug or is it by design? – user1969903 Nov 08 '18 at 11:09
  • 1
    @user1969903 Is your admin account a member of the local Administrators group? – I say Reinstate Monica Nov 08 '18 at 11:10
  • 1
    @TwistyImpersonator yes it is. It is also the owner and the creator the files, apart from the system and trusted installer owned files from the windows dir which I usually don't touch. – user1969903 Nov 08 '18 at 11:11
  • 1
    @user1969903 1) if so, then this user can still logon remotely via RDP unless you edit the user rights assignments to prohibit it, and 2) what other changes to security settings have you made? This is *not* default behavior in a clean install of Windows. – I say Reinstate Monica Nov 08 '18 at 11:14
  • 1
    @TwistyImpersonator not much else. Just lowered the UAC level to the minimum it would go, which is never notify or something like that. Never actually tried connecting with the admin account, I thought removing the user from that group would be enough. – user1969903 Nov 08 '18 at 11:17
  • 1
    @user1969903 Is this happening to one specific folder/file, or *any* such object you create in the root of C:? – I say Reinstate Monica Nov 08 '18 at 11:19
  • 1
    If you run the command `net user (name of your admin user)` does it show it as being in the Administrators group? Sorry for harping on that, but this would be the best explanation for the problem. – I say Reinstate Monica Nov 08 '18 at 11:33
  • 1
    No problem: `Local Group Memberships *Administrators *Performance Log Users *Users Global Group memberships *None` – user1969903 Nov 08 '18 at 11:59
  • 1
    You have to rely on that workaround because, again, it's not supported what you're trying to do. As you're asking whenever it's by design you didn't even bother to read what I linked because that is actually what is being stated. That doesn't mean you can't try to use a crowbar to change it. – Seth Nov 08 '18 at 15:17
  • 1
    I did, actually. It's just that I found it hard to believe, then Twisty commented that this is not the default behavior. Besides, who knows what Microsoft decides to do in between their updates. And I always thought this is the sort of stuff Apple does. Then again if all you do is surf social media websites I guess it's perfectly fine, but I digress. – user1969903 Nov 08 '18 at 15:28

2 Answers2

1

From the article How to Run File Explorer as Administrator in Windows 10:

It is not easy to run File Explorer as Administrator. This ability is locked and can't be enabled easily. Here is how you can enable this feature.

  • Download the free ExecTI, which allows running Programs as TrustedInstaller, and unpack it to some folder.

  • Unblock the program by right-click on its .exe, Properties, General tab, untick Unblock and then OK.

  • Start ExecTI and enter the command regedit.exe -m. This will open the Registry Editor running with TrustedInstaller permissions, so you may do the below registry modification.

  • Navigate to the Registry key
    HKEY_CLASSES_ROOT\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}

  • Rename the value RunAs to anything, for example to RunAs_my. Deleting will also work, but renaming will allow to later easily undo this modification.

  • Close regedit and restart Windows 10.

  • To run Explorer as Administrator, right-click C:\windows\Explorer.exe and select 'Run as administrator', or create a shortcut set to run as Administrator.

harrymc
  • 455,459
  • 31
  • 526
  • 924
  • 1
    I already have the "Run as administrator" option. It's the first thing I specified I tried. Besides, I tried the changes you mention and still no luck. The article mentions windows 10. I am running windows 7. Perhaps this works on Windows 10? – user1969903 Nov 08 '18 at 10:16
  • 2
    I missed that. For Windows 7, you may [Enable the (Hidden) Administrator Account](https://www.howtogeek.com/howto/windows-vista/enable-the-hidden-administrator-account-on-windows-vista/) and login as that. – harrymc Nov 08 '18 at 10:18
  • 1
    Yeah, I could do that but as I've said I don't want to use the admin account through remote connections. – user1969903 Nov 08 '18 at 10:22
  • 2
    You might try in an elevated cmd "[psexec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec) -s explorer.exe` to run it as System, but be very careful and the results can sometimes be unexpected. – harrymc Nov 08 '18 at 10:28
  • 1
    Or use `explorer.exe /e,::{20D04FE0-3AEA-1069-A2D8-08002B30309D} ` to start My Computer only. – harrymc Nov 08 '18 at 10:43
  • Thanks for the suggestions. The last command doesn't seem to work. As for psexec, I'll need to install sysinternals and I'll get back to you after. – user1969903 Nov 08 '18 at 11:13
  • Tried the psexec command and at first glance nothing happens. I checked the processes list and I do see the new explorer running under SYSTEM username but there is no explorer window. I tried running the command with the interactive switch (`-i`) but when I try this the normal explorer pops up. I'll look up psexec and see if I can find any other arguments that might do the trick. – user1969903 Nov 08 '18 at 15:00
  • The `{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}` solution is mentioned in many sources for Windows 7. Without psexec, try to take ownership of the key to make the change. Create first a system restore point since this change of ownership is otherwise irreversible, except by using the [reg command](https://ss64.com/nt/reg.html) save an restore verbs. – harrymc Nov 08 '18 at 15:45
1

Frame challenge

This answer to the question you linked suggests running an elevated Notepad.exe, then using the File/Open command, and using the mini-explorer that shows to perform Admin operations.

If that's not flexible enough (i.e. no multifile copy/paste) consider installing an alternative file manager that you can run elevated. I just tried with Explorer++, which is a single file portable app that is only 1.8Mb, and when run elevated I was able to do anything as admin.

Ross Presser
  • 1,401
  • 1
  • 13
  • 19