Being logged on as admin and user at the same time (in XP)? - Windows NT

This is a discussion on Being logged on as admin and user at the same time (in XP)? - Windows NT ; Hi, i have a security questions of sorts. In XP (I think) there is a way that multiple users can be logged in at the same time (Say admin and regular user) and you can just switch between the two ...

+ Reply to Thread
Results 1 to 18 of 18

Thread: Being logged on as admin and user at the same time (in XP)?

  1. Being logged on as admin and user at the same time (in XP)?

    Hi, i have a security questions of sorts. In XP (I think) there is a
    way that multiple users can be logged in at the same time (Say admin
    and regular user) and you can just switch between the two (kinda). My
    question is, would the admin account be ok if i had it running while i
    was doing most of my stuff in the user account? (using the user account
    so that viruses etc have less chance to nuke my system). Any help or
    suggestions would be greatly appreciated!

    Cheers

    -Gaiko


  2. Re: Being logged on as admin and user at the same time (in XP)?

    Would the admin account be OK ??
    By that just what do you mean?
    In an XP when you are using the other account, then
    the desktop / login session of the first (admin) is not
    active (that is, not drawing CPU cycles).
    However, it does hold resources, and so it may be
    possible for something to adjust these, working at at
    rather low level.
    But if your question is something like "If I am running
    as a limited user, but have a switched out administrative
    account, can something I do in the limited account session
    make use of the switched out administrative account to
    elevate itself and so have an administrative impact?"
    If that is close to the question, the answer is no.

    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
    wrote in message
    news:1104816600.854020.226930@c13g2000cwb.googlegr oups.com...
    > Hi, i have a security questions of sorts. In XP (I think) there is a
    > way that multiple users can be logged in at the same time (Say admin
    > and regular user) and you can just switch between the two (kinda). My
    > question is, would the admin account be ok if i had it running while i
    > was doing most of my stuff in the user account? (using the user account
    > so that viruses etc have less chance to nuke my system). Any help or
    > suggestions would be greatly appreciated!
    >
    > Cheers
    >
    > -Gaiko
    >




  3. Re: Being logged on as admin and user at the same time (in XP)?

    Oops, sorry about the ambigous post, but you answered my question. I
    just wanted to know if that "switched out of admin account" would allow
    malicious "things" (spyware, viruses, etc) to compromise my computer
    using admin access (via the switched out of admin account).
    Thanks for your help!

    Cheers

    -Gaiko


  4. Re: Being logged on as admin and user at the same time (in XP)?

    wrote in message
    news:1104828564.641424.32910@z14g2000cwz.googlegro ups.com...
    > Oops, sorry about the ambigous post, but you answered my question. I
    > just wanted to know if that "switched out of admin account" would allow
    > malicious "things" (spyware, viruses, etc) to compromise my computer
    > using admin access (via the switched out of admin account).


    By default the first window of Explorer sets the user
    context however.

    You will have to work with command line or other
    tools started in a RunAs session.

    Or if you stop and restart Explorer from a RunAs
    session you must be aware that all instances of
    Explorer (including Start run) will operate as that
    admin (in that context.)

    One trick to stay kosher (except for stuff like Explorer
    which just attaches to the first instance if you try to
    run it again) is to first start a COMMAND Prompt
    as a RunAs command and force yourself to run everything
    sensative from ONLY that command session.

    Watch out for anything Graphical because it might act
    like Explorer does (and use the existing context.)

    If you follow this method, you might wisht to alter your
    comman prompt colors to make the context change
    obvious.



    --
    Herb Martin


    > Thanks for your help!
    >
    > Cheers
    >
    > -Gaiko
    >




  5. Re: Being logged on as admin and user at the same time (in XP)?

    wrote in message
    news:1104816600.854020.226930@c13g2000cwb.googlegr oups.com...
    > Hi, i have a security questions of sorts. In XP (I think) there is a
    > way that multiple users can be logged in at the same time (Say admin
    > and regular user) and you can just switch between the two (kinda). My
    > question is, would the admin account be ok if i had it running while i
    > was doing most of my stuff in the user account? (using the user account
    > so that viruses etc have less chance to nuke my system). Any help or
    > suggestions would be greatly appreciated!


    RunAs approximates what you describe.

    It is much better than staying logged on as the Admin
    while doing other stuff (dirrectly) in that same context.

    One warning, when you run Explorer you must run the
    FIRST instance from the account you wish to use for
    it -- or you must restrict yourself to command line and
    other tools.

    [Reason: Explore is always run as one instance and
    the user context is derived from the FIRST window
    opened -- this means that if you use Start/Run or any
    clicking around while running Explorer as an admin
    then you are running the new program (child process)
    as the admin too.]

    You cannot have be using two accounts on the same
    machine concurrently but you can do several things that
    approximate that: you can add the user to additional
    groups (not recommened for the Admins group) or have
    the user explicitly authenticate as another user for the
    purpose of access (technically he is only one user in
    each context.)

    RunAs and even "mapping a network drive" (even against
    the same machine as where he is sitting logged on) can
    provide means to change users for that access.



  6. Re: Being logged on as admin and user at the same time (in XP)?

    FYI Due to the single-instance hooks of Explorer it is
    impossible to RunAs the Explorer app; so Explorer is
    always the account used for initial login.

    --
    Roger
    "Herb Martin" wrote in message
    news:OMxYdkv8EHA.2060@TK2MSFTNGP10.phx.gbl...
    > wrote in message
    > news:1104816600.854020.226930@c13g2000cwb.googlegr oups.com...
    > > Hi, i have a security questions of sorts. In XP (I think) there is a
    > > way that multiple users can be logged in at the same time (Say admin
    > > and regular user) and you can just switch between the two (kinda). My
    > > question is, would the admin account be ok if i had it running while i
    > > was doing most of my stuff in the user account? (using the user account
    > > so that viruses etc have less chance to nuke my system). Any help or
    > > suggestions would be greatly appreciated!

    >
    > RunAs approximates what you describe.
    >
    > It is much better than staying logged on as the Admin
    > while doing other stuff (dirrectly) in that same context.
    >
    > One warning, when you run Explorer you must run the
    > FIRST instance from the account you wish to use for
    > it -- or you must restrict yourself to command line and
    > other tools.
    >
    > [Reason: Explore is always run as one instance and
    > the user context is derived from the FIRST window
    > opened -- this means that if you use Start/Run or any
    > clicking around while running Explorer as an admin
    > then you are running the new program (child process)
    > as the admin too.]
    >
    > You cannot have be using two accounts on the same
    > machine concurrently but you can do several things that
    > approximate that: you can add the user to additional
    > groups (not recommened for the Admins group) or have
    > the user explicitly authenticate as another user for the
    > purpose of access (technically he is only one user in
    > each context.)
    >
    > RunAs and even "mapping a network drive" (even against
    > the same machine as where he is sitting logged on) can
    > provide means to change users for that access.
    >
    >




  7. Re: Being logged on as admin and user at the same time (in XP)?

    OK. So AIUI you were asking, if I have an instance of an
    admin account in use (switched out or via RunAs) but am
    logged in as a limited user, am I increasing the risk level
    from what I am doing in the limited account (due to the
    existence of the admin context that is in use).
    I believe the answer is a qualified No. The process contexts
    are kept separate. The qualified part is that in the RunAs
    case there is a chance that something you are doing as the
    limited user may notice the other process that was started
    by RunAs and find a way to force-feed input into it to then
    cause things to happen in the other context - but this would
    be fairly sophisticated and not likely from run of the mill
    malware code.

    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
    wrote in message
    news:1104828564.641424.32910@z14g2000cwz.googlegro ups.com...
    > Oops, sorry about the ambigous post, but you answered my question. I
    > just wanted to know if that "switched out of admin account" would allow
    > malicious "things" (spyware, viruses, etc) to compromise my computer
    > using admin access (via the switched out of admin account).
    > Thanks for your help!
    >
    > Cheers
    >
    > -Gaiko
    >




  8. Re: Being logged on as admin and user at the same time (in XP)?

    "Roger Abell" wrote in message
    news:ubFWNWA9EHA.2540@TK2MSFTNGP09.phx.gbl...
    > FYI Due to the single-instance hooks of Explorer it is
    > impossible to RunAs the Explorer app; so Explorer is
    > always the account used for initial login.
    >


    No, that was what I was describing, i.e., the issue
    you mention and the work-around for it:

    (Optionally RunAs this) Open command prompt
    Stop (using taskkill or taskmgr) Explorer
    Runas Explorer

    When you do this the instance of Explorer is NEW
    and so you get the RunAs context.

    I actually do it the Optional way where my CMD
    prompt is RunAs then anything I start from there will
    be in that context (assuming it is a new instance.)

    --
    Herb Martin


    > --
    > Roger
    > "Herb Martin" wrote in message
    > news:OMxYdkv8EHA.2060@TK2MSFTNGP10.phx.gbl...
    > > wrote in message
    > > news:1104816600.854020.226930@c13g2000cwb.googlegr oups.com...
    > > > Hi, i have a security questions of sorts. In XP (I think) there is a
    > > > way that multiple users can be logged in at the same time (Say admin
    > > > and regular user) and you can just switch between the two (kinda). My
    > > > question is, would the admin account be ok if i had it running while i
    > > > was doing most of my stuff in the user account? (using the user

    account
    > > > so that viruses etc have less chance to nuke my system). Any help or
    > > > suggestions would be greatly appreciated!

    > >
    > > RunAs approximates what you describe.
    > >
    > > It is much better than staying logged on as the Admin
    > > while doing other stuff (dirrectly) in that same context.
    > >
    > > One warning, when you run Explorer you must run the
    > > FIRST instance from the account you wish to use for
    > > it -- or you must restrict yourself to command line and
    > > other tools.
    > >
    > > [Reason: Explore is always run as one instance and
    > > the user context is derived from the FIRST window
    > > opened -- this means that if you use Start/Run or any
    > > clicking around while running Explorer as an admin
    > > then you are running the new program (child process)
    > > as the admin too.]
    > >
    > > You cannot have be using two accounts on the same
    > > machine concurrently but you can do several things that
    > > approximate that: you can add the user to additional
    > > groups (not recommened for the Admins group) or have
    > > the user explicitly authenticate as another user for the
    > > purpose of access (technically he is only one user in
    > > each context.)
    > >
    > > RunAs and even "mapping a network drive" (even against
    > > the same machine as where he is sitting logged on) can
    > > provide means to change users for that access.
    > >
    > >

    >
    >




  9. Re: Being logged on as admin and user at the same time (in XP)?

    "Herb Martin" wrote in message
    news:edgMAyC9EHA.3920@TK2MSFTNGP10.phx.gbl...
    > "Roger Abell" wrote in message
    > news:ubFWNWA9EHA.2540@TK2MSFTNGP09.phx.gbl...
    > > FYI Due to the single-instance hooks of Explorer it is
    > > impossible to RunAs the Explorer app; so Explorer is
    > > always the account used for initial login.
    > >

    >
    > No, that was what I was describing, i.e., the issue
    > you mention and the work-around for it:
    >
    > (Optionally RunAs this) Open command prompt
    > Stop (using taskkill or taskmgr) Explorer
    > Runas Explorer
    >
    > When you do this the instance of Explorer is NEW
    > and so you get the RunAs context.
    >
    > I actually do it the Optional way where my CMD
    > prompt is RunAs then anything I start from there will
    > be in that context (assuming it is a new instance.)
    >
    > --
    > Herb Martin
    >


    Interesting Herb, I really did miss your point.
    While I have used taskmgr before to kill off,
    and/or respawn Explorer, it had never occurred
    to me to try this route to get Explorer running in
    alt security context.
    I commonly will have a cmd window open in the
    alt context and use it to launch whatever it is that
    I next need. However, never having been logged
    in as X but having Explorer running as Y, I am now
    sitting here thinking about its issues and just how it
    would actually play out. Guess I have some new
    experiences ahead :-)
    --
    ra



  10. Re: Being logged on as admin and user at the same time (in XP)?

    > Interesting Herb, I really did miss your point.
    > While I have used taskmgr before to kill off,
    > and/or respawn Explorer, it had never occurred
    > to me to try this route to get Explorer running in
    > alt security context.
    > I commonly will have a cmd window open in the
    > alt context and use it to launch whatever it is that
    > I next need. However, never having been logged
    > in as X but having Explorer running as Y, I am now
    > sitting here thinking about its issues and just how it
    > would actually play out. Guess I have some new
    > experiences ahead :-)


    I am not a big user of Explorer (e.g., the browser as of
    course I use the Toolbar, Taskbar, StartMenu's etc.) so
    I tend to do what you do and work the credentials
    from an alternate command line.

    What I would really prefer is an Alternate Desktop
    and there used to be some working code from the
    Dev Kit that I used in NT(3.51 ?? or 4???) but I
    cannot find it now.

    Of course you can put something like Virtual PC
    on the machine for this but that is overkill for just
    switching/isolating context.

    The advantage of such schemes is you can get
    two truly isolated logons concurrently and it
    really does meet the requirements of the initial
    question.

    Plus it is relatively easy to have different
    background colors and even color schemes
    so that it is always clear which "User" is
    current.

    Each should be screen saver lockable etc.


    --
    Herb Martin


    "Roger Abell" wrote in message
    news:uGD2flF9EHA.3616@TK2MSFTNGP11.phx.gbl...
    > "Herb Martin" wrote in message
    > news:edgMAyC9EHA.3920@TK2MSFTNGP10.phx.gbl...
    > > "Roger Abell" wrote in message
    > > news:ubFWNWA9EHA.2540@TK2MSFTNGP09.phx.gbl...
    > > > FYI Due to the single-instance hooks of Explorer it is
    > > > impossible to RunAs the Explorer app; so Explorer is
    > > > always the account used for initial login.
    > > >

    > >
    > > No, that was what I was describing, i.e., the issue
    > > you mention and the work-around for it:
    > >
    > > (Optionally RunAs this) Open command prompt
    > > Stop (using taskkill or taskmgr) Explorer
    > > Runas Explorer
    > >
    > > When you do this the instance of Explorer is NEW
    > > and so you get the RunAs context.
    > >
    > > I actually do it the Optional way where my CMD
    > > prompt is RunAs then anything I start from there will
    > > be in that context (assuming it is a new instance.)
    > >
    > > --
    > > Herb Martin
    > >

    >
    > Interesting Herb, I really did miss your point.
    > While I have used taskmgr before to kill off,
    > and/or respawn Explorer, it had never occurred
    > to me to try this route to get Explorer running in
    > alt security context.
    > I commonly will have a cmd window open in the
    > alt context and use it to launch whatever it is that
    > I next need. However, never having been logged
    > in as X but having Explorer running as Y, I am now
    > sitting here thinking about its issues and just how it
    > would actually play out. Guess I have some new
    > experiences ahead :-)
    > --
    > ra
    >
    >




  11. Re: Being logged on as admin and user at the same time (in XP)?

    "Herb Martin" said

    > wrote in message
    > news:1104828564.641424.32910@z14g2000cwz.googlegro ups.com...
    >> Oops, sorry about the ambigous post, but you answered my question. I
    >> just wanted to know if that "switched out of admin account" would allow
    >> malicious "things" (spyware, viruses, etc) to compromise my computer
    >> using admin access (via the switched out of admin account).

    >
    > By default the first window of Explorer sets the user
    > context however.
    >
    > You will have to work with command line or other
    > tools started in a RunAs session.
    >
    > Or if you stop and restart Explorer from a RunAs
    > session you must be aware that all instances of
    > Explorer (including Start run) will operate as that
    > admin (in that context.)


    There is a workaround for this behavior.
    If you are logged in as a normal user with an explorer window open you can go
    to the c:\program files\internet explorer directory in a command prompt and
    use runas to launch iexplore.exe as administrator. By default it will open
    your default web page but you can just use the address bar to navigate to any
    drive or UNC path with full admin rights (click the 'Folders' button if you
    want the full explorer view).

    --
    Andy.

  12. Re: Being logged on as admin and user at the same time (in XP)?

    > > Or if you stop and restart Explorer from a RunAs
    > > session you must be aware that all instances of
    > > Explorer (including Start run) will operate as that
    > > admin (in that context.)

    >
    > There is a workaround for this behavior.
    > If you are logged in as a normal user with an explorer window open you can

    go
    > to the c:\program files\internet explorer directory in a command prompt

    and
    > use runas to launch iexplore.exe as administrator. By default it will open
    > your default web page but you can just use the address bar to navigate to

    any
    > drive or UNC path with full admin rights (click the 'Folders' button if

    you
    > want the full explorer view).


    The discussion was of Windows Explorer, not
    Internet Explorer.

    Windows Explorer is (practially) always running
    on a machine, and it runs a single instance in the
    user context that was used to logon EVEN IF you
    attempt to RunAs "Explorer" it attaches to the already
    running instance as the first user.

    The workaround discussed elsewhere in this thread
    is to first Stop (TaskKill, TaskMgr, etc.) the running
    instance of Explorer and then start a new instance
    RunAs (or from a RunAs command prompt etc.)

    Internet Explorer CAN exhibit the same issue if it is
    already running AND you do not have it set to use
    separate instances for different windows.

    You can test if it will work, by starting two windows
    of Internet Explorer and killing one of them violently
    with TaskKill etc. -- If both windows disaappear it
    is only one process instance and will probably be
    using the same credentials/context.
    --
    Herb Martin


    "Andrew Mitchell" wrote in message
    news:Xns95D8143DA7613casey01@207.46.248.16...
    > "Herb Martin" said
    >
    > > wrote in message
    > > news:1104828564.641424.32910@z14g2000cwz.googlegro ups.com...
    > >> Oops, sorry about the ambigous post, but you answered my question. I
    > >> just wanted to know if that "switched out of admin account" would allow
    > >> malicious "things" (spyware, viruses, etc) to compromise my computer
    > >> using admin access (via the switched out of admin account).

    > >
    > > By default the first window of Explorer sets the user
    > > context however.
    > >
    > > You will have to work with command line or other
    > > tools started in a RunAs session.
    > >

    >
    > --
    > Andy.




  13. Re: Being logged on as admin and user at the same time (in XP)?

    "Herb Martin" said

    >> > Or if you stop and restart Explorer from a RunAs
    >> > session you must be aware that all instances of
    >> > Explorer (including Start run) will operate as that
    >> > admin (in that context.)

    >>
    >> There is a workaround for this behavior.
    >> If you are logged in as a normal user with an explorer window open you
    >> can

    > go
    >> to the c:\program files\internet explorer directory in a command prompt

    > and
    >> use runas to launch iexplore.exe as administrator. By default it will
    >> open your default web page but you can just use the address bar to
    >> navigate to

    > any
    >> drive or UNC path with full admin rights (click the 'Folders' button if

    > you
    >> want the full explorer view).

    >
    > The discussion was of Windows Explorer, not
    > Internet Explorer.
    >


    I understand that, but the process I mentioned allows you to access the
    exact same interface you would have using Windows Explorer under a
    different user context without the need to use task manager to kill the
    initial Windows Explorer process.

    > Windows Explorer is (practially) always running
    > on a machine, and it runs a single instance in the
    > user context that was used to logon EVEN IF you
    > attempt to RunAs "Explorer" it attaches to the already
    > running instance as the first user.
    >
    > The workaround discussed elsewhere in this thread
    > is to first Stop (TaskKill, TaskMgr, etc.) the running
    > instance of Explorer and then start a new instance
    > RunAs (or from a RunAs command prompt etc.)
    >


    The only problem with doing this, apart from it being a cumbersome
    process, is that I have seen some applications that normally reside in the
    systray fail to reappear when explorer is restarted. I've just tried it
    here now and must mention that all of my currently running apps (NAV 2005,
    Outlook 2003 and Nvidia control panel) have all reappeared, so it would
    appear that this would only affect a very small minority of applications


    > Internet Explorer CAN exhibit the same issue if it is
    > already running AND you do not have it set to use
    > separate instances for different windows.
    >


    That's correct.

    > You can test if it will work, by starting two windows
    > of Internet Explorer and killing one of them violently
    > with TaskKill etc. -- If both windows disaappear it
    > is only one process instance and will probably be
    > using the same credentials/context.


    It appears that IE will sometimes tie itself to Windows Explorer somehow
    as well. There have been instances where IE stops responding and I've used
    the task manager to kill it and it's taken out Windows Explorer with it.

    --
    Andy.

  14. Re: Being logged on as admin and user at the same time (in XP)?

    I would be concerned about what else that leverages the explorer process is now
    running as admin as well. If you do runas (or my preference cpau) on say a
    command prompt, only that command prompt and what you launch from it are
    enhanced. I am not aware of people writing active plugins for the command prompt
    to go off and fire things up that are bad. If you launch some of the more
    integrated things such as explorer or IE I would be concerned that now any
    plugins now have the enhanced rights as well.

    joe

    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    www.joeware.net


    Roger Abell wrote:
    > "Herb Martin" wrote in message
    >
    > Interesting Herb, I really did miss your point.
    > While I have used taskmgr before to kill off,
    > and/or respawn Explorer, it had never occurred
    > to me to try this route to get Explorer running in
    > alt security context.
    > I commonly will have a cmd window open in the
    > alt context and use it to launch whatever it is that
    > I next need. However, never having been logged
    > in as X but having Explorer running as Y, I am now
    > sitting here thinking about its issues and just how it
    > would actually play out. Guess I have some new
    > experiences ahead :-)


  15. Re: Being logged on as admin and user at the same time (in XP)?

    > I understand that, but the process I mentioned allows you to access the
    > exact same interface you would have using Windows Explorer under a
    > different user context without the need to use task manager to kill the
    > initial Windows Explorer process.


    Ok, I missed YOUR point apparently, sorry.

    I suspect most people will just "not get" using
    IE to replace Windows Explorer but personally
    I seldom use Windows Explorer at all -- preferring
    the command line for most things (W) Explorer can
    do.

    --
    Herb Martin


    "Andrew Mitchell" wrote in message
    news:Xns95D8F2306B8EAcasey01@207.46.248.16...
    > "Herb Martin" said
    >
    > >> > Or if you stop and restart Explorer from a RunAs
    > >> > session you must be aware that all instances of
    > >> > Explorer (including Start run) will operate as that
    > >> > admin (in that context.)
    > >>
    > >> There is a workaround for this behavior.
    > >> If you are logged in as a normal user with an explorer window open you
    > >> can

    > > go
    > >> to the c:\program files\internet explorer directory in a command prompt

    > > and
    > >> use runas to launch iexplore.exe as administrator. By default it will
    > >> open your default web page but you can just use the address bar to
    > >> navigate to

    > > any
    > >> drive or UNC path with full admin rights (click the 'Folders' button if

    > > you
    > >> want the full explorer view).

    > >
    > > The discussion was of Windows Explorer, not
    > > Internet Explorer.
    > >

    >
    > I understand that, but the process I mentioned allows you to access the
    > exact same interface you would have using Windows Explorer under a
    > different user context without the need to use task manager to kill the
    > initial Windows Explorer process.
    >
    > > Windows Explorer is (practially) always running
    > > on a machine, and it runs a single instance in the
    > > user context that was used to logon EVEN IF you
    > > attempt to RunAs "Explorer" it attaches to the already
    > > running instance as the first user.
    > >
    > > The workaround discussed elsewhere in this thread
    > > is to first Stop (TaskKill, TaskMgr, etc.) the running
    > > instance of Explorer and then start a new instance
    > > RunAs (or from a RunAs command prompt etc.)
    > >

    >
    > The only problem with doing this, apart from it being a cumbersome
    > process, is that I have seen some applications that normally reside in the
    > systray fail to reappear when explorer is restarted. I've just tried it
    > here now and must mention that all of my currently running apps (NAV 2005,
    > Outlook 2003 and Nvidia control panel) have all reappeared, so it would
    > appear that this would only affect a very small minority of applications
    >
    >
    > > Internet Explorer CAN exhibit the same issue if it is
    > > already running AND you do not have it set to use
    > > separate instances for different windows.
    > >

    >
    > That's correct.
    >
    > > You can test if it will work, by starting two windows
    > > of Internet Explorer and killing one of them violently
    > > with TaskKill etc. -- If both windows disaappear it
    > > is only one process instance and will probably be
    > > using the same credentials/context.

    >
    > It appears that IE will sometimes tie itself to Windows Explorer somehow
    > as well. There have been instances where IE stops responding and I've used
    > the task manager to kill it and it's taken out Windows Explorer with it.
    >
    > --
    > Andy.




  16. Re: Being logged on as admin and user at the same time (in XP)?

    "Joe Richards [MVP]" wrote in message
    news:u1#1vpZ9EHA.960@TK2MSFTNGP11.phx.gbl...
    > I would be concerned about what else that leverages the explorer process

    is now
    > running as admin as well. If you do runas (or my preference cpau) on say a
    > command prompt, only that command prompt and what you launch from it are
    > enhanced. I am not aware of people writing active plugins for the command

    prompt
    > to go off and fire things up that are bad. If you launch some of the more
    > integrated things such as explorer or IE I would be concerned that now any
    > plugins now have the enhanced rights as well.


    You are correct -- this discussion started mainly
    as a warning about the "single instance" and then
    evolved into how to get around that.

    As I said, for me the command line is the preferred
    way to do most anything you can do in Windows
    Explorer and I seldom use it (other than TaskBar and
    Start Menus.)

    --
    Herb Martin


    >
    > joe
    >
    > --
    > Joe Richards Microsoft MVP Windows Server Directory Services
    > www.joeware.net
    >
    >
    > Roger Abell wrote:
    > > "Herb Martin" wrote in message
    > >
    > > Interesting Herb, I really did miss your point.
    > > While I have used taskmgr before to kill off,
    > > and/or respawn Explorer, it had never occurred
    > > to me to try this route to get Explorer running in
    > > alt security context.
    > > I commonly will have a cmd window open in the
    > > alt context and use it to launch whatever it is that
    > > I next need. However, never having been logged
    > > in as X but having Explorer running as Y, I am now
    > > sitting here thinking about its issues and just how it
    > > would actually play out. Guess I have some new
    > > experiences ahead :-)




  17. Re: Being logged on as admin and user at the same time (in XP)?

    Quite so Joe. But now go full circle.
    Logged in as an admin, use this method to replace the
    Explorer instance with one running in a limited account.
    In practice, I would find likely either too confusing and
    so will likely stay with my trusty cmd prompt

    --
    Roger
    "Joe Richards [MVP]" wrote in message
    news:u1%231vpZ9EHA.960@TK2MSFTNGP11.phx.gbl...
    > I would be concerned about what else that leverages the explorer process

    is now
    > running as admin as well. If you do runas (or my preference cpau) on say a
    > command prompt, only that command prompt and what you launch from it are
    > enhanced. I am not aware of people writing active plugins for the command

    prompt
    > to go off and fire things up that are bad. If you launch some of the more
    > integrated things such as explorer or IE I would be concerned that now any
    > plugins now have the enhanced rights as well.
    >
    > joe
    >
    > --
    > Joe Richards Microsoft MVP Windows Server Directory Services
    > www.joeware.net
    >
    >
    > Roger Abell wrote:
    > > "Herb Martin" wrote in message
    > >
    > > Interesting Herb, I really did miss your point.
    > > While I have used taskmgr before to kill off,
    > > and/or respawn Explorer, it had never occurred
    > > to me to try this route to get Explorer running in
    > > alt security context.
    > > I commonly will have a cmd window open in the
    > > alt context and use it to launch whatever it is that
    > > I next need. However, never having been logged
    > > in as X but having Explorer running as Y, I am now
    > > sitting here thinking about its issues and just how it
    > > would actually play out. Guess I have some new
    > > experiences ahead :-)




  18. Re: Being logged on as admin and user at the same time (in XP)?


    Andrew Mitchell wrote:
    > "Herb Martin" said
    >
    > > wrote in message
    > > news:1104828564.641424.32910@z14g2000cwz.googlegro ups.com...
    > >> Oops, sorry about the ambigous post, but you answered my question.

    I
    > >> just wanted to know if that "switched out of admin account" would

    allow
    > >> malicious "things" (spyware, viruses, etc) to compromise my

    computer
    > >> using admin access (via the switched out of admin account).

    > >
    > > By default the first window of Explorer sets the user
    > > context however.
    > >
    > > You will have to work with command line or other
    > > tools started in a RunAs session.
    > >
    > > Or if you stop and restart Explorer from a RunAs
    > > session you must be aware that all instances of
    > > Explorer (including Start run) will operate as that
    > > admin (in that context.)

    >
    > There is a workaround for this behavior.
    > If you are logged in as a normal user with an explorer window open

    you can go
    > to the c:\program files\internet explorer directory in a command

    prompt and
    > use runas to launch iexplore.exe as administrator. By default it will

    open
    > your default web page but you can just use the address bar to

    navigate to any
    > drive or UNC path with full admin rights (click the 'Folders' button

    if you
    > want the full explorer view).
    >
    > --
    > Andy.


    Dude! Thats the perfect answer! I tell people every day that IE and
    windows explorer are virtually the same program. In fact there's a
    reason that Windows itself is called explorer. Because it's ALL
    Internet Explorer. That's why you can view web pages or folders right
    on your desktop. Anyway, I digress. I say that all the time to users,
    but I never thought of doing this. TOO COOL!
    Thanks,
    F


+ Reply to Thread