Tip: Start explorer.exe elevated with UAC enabled

Author: Matts_User_Name
Posted: 01 April 2013 at 9:02pm

Background:
I felt the need to investigate a bit of UAC internals and such, and do some elevation trickery like old times :P. I do enjoy Windows 8, but one thing that bothers me is that Metro (Modern) apps require UAC to NOT be disabled, in order to run (because their Integrity level is Low... as shown from Process Explorer or Process Hacker). Disabling UAC therefore was not an option (by adding EnableLUA=0), because all Metro apps refuse to run.

Windows 8's new UAC Setting "Never Notify" makes things easier to cope with by never showing a UAC dialog but still leaving UAC "enabled" (ie: userinit spawns explorer.exe with a non-elevated (Medium Integrity) token), but it still bothers me that explorer and all my applications that it runs on startup from the HKLM\HKCU...Run keys still run at Medium integrity (not elevated), and sometimes require an extra "Show" or "Continue" button to proceed with operations, in order for that thread to elevate, in order to do some operation.

If there was a way to change a process' Integrity that would be the answer, but unfortunately it is not possible. So the solution? Have explorer run at High integrity by a proxy application (in this case, a script hosted by wscript.exe). It was easier said than done, because explorer was a little too "smart" about things.

The script:
To use:
- save the code to ElevateExplorer.vbs
- run the script anywhere once
- place it in system32 (it just makes things easier that way)

The code below is pretty self-explanatory, but the basic idea is that this script does the following:
- 1st time you run it, it changes the "shell" key to have it execute this vbs
- When you log in, the vbs is executed via wscript, and it self-elevates
- The script resets the "shell" key back to EXACTLY what explorer expects to be in "shell" for it to display a desktop: "explorer.exe"
- And finally, after explorer runs, it resets the value back to run this script again.


Set oShellApp = CreateObject("Shell.Application")
Set oWshShell = CreateObject("WScript.Shell")

Const Q = """"

' Elevate self (re-run this script elevated: Integrity = High, instead of Medium), so that we can change registry values in the HKLM hive
If IsElevated = False Then
    Call oShellApp.ShellExecute("wscript.exe", Q & WScript.ScriptFullName & Q & "", "", "runas", 1)
    WScript.Quit
End If

' Before executing explorer.exe we MUST set the "shell" (REG_SZ) value to be explorer.exe, or else when Windows Explorer loads,
' it will read this regval and think we don't need a desktop, since a different shell is being used.
'
' 'shell' value replacement idea from here: http://social.msdn.microsoft.com/Forums/en-US/windowsgeneraldevelopmentissues/thread/49c05fe8-0ec3-4e1b-9d11-8d893cdea11c/
Call oWshShell.RegWrite("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell", "explorer.exe", "REG_SZ")

'Call oShellApp.ShellExecute("explorer.exe", " uac", "", "runas", 1)
Call oShellApp.ShellExecute("cmd.exe", "/c start explorer.exe", "", "open", 1)

' Once explorer.exe loads, change the 'shell' value back to be this script in "system32"
WScript.Sleep 3000
Call oWshShell.RegWrite("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell", "cmd.exe /c start " & WScript.ScriptName, "REG_SZ")


' --------------
' Functions:
' --------------

' From: http://www.kellestine.com/self-elevate-vbscript/
' Checks if the script is running elevated (UAC) by looking for the
' High Mandatory Level SID (S-1-16-12288) in the token's groups
Function IsElevated
    Set shell = CreateObject("WScript.Shell")
    Set whoami = shell.Exec("whoami /groups")
    Set whoamiOutput = whoami.StdOut
    strWhoamiOutput = whoamiOutput.ReadAll

    If InStr(1, strWhoamiOutput, "S-1-16-12288", vbTextCompare) Then
        IsElevated = True
    Else
        IsElevated = False
    End If
End Function


Some random UAC tips I discovered along the way:
- Process Hacker's or Process Explorer's "Integrity" column is great for seeing if processes are elevated or not.

- If you like to leave UAC prompts enabled, a less intrusive way of having them disrupt you is to set a group policy to not have it appear on its own desktop: secpol.msc --> Local Policies --> Security Options --> User Account Control: Switch to the secure desktop when prompting for elevation --> Disabled

- (not really UAC, but cool anyway) - Stardock created an interesting Win8 app called ModernMix to run multiple Metro apps in windows and side-by-side (I just liked it :P).




Hopefully this is useful to some out there :D
Regards,
- Matt


Edited by Matts_User_Name - 01 April 2013 at 9:28pm
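
Added example, not part of the original post or of any Sysinternals code: a PowerShell check for the state the script above leaves behind. It compares the Winlogon "shell" value with the "explorer.exe" default the post describes and can write that default back. The function name Test-WinlogonShell, its -Restore switch and the system32 location of ElevateExplorer.vbs are assumptions made for illustration.

```powershell
# Added example (not from the thread); names below are hypothetical.
$WinlogonKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ExpectedShell = 'explorer.exe'   # default the post says Explorer expects
$ScriptPath    = Join-Path $env:SystemRoot 'System32\ElevateExplorer.vbs'  # assumed location

function Test-WinlogonShell {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [switch]$Restore   # write the default back; needs an elevated session
    )

    $current  = [string](Get-ItemProperty -Path $WinlogonKey -Name Shell -ErrorAction Stop).Shell
    $modified = $current.Trim() -ne $ExpectedShell   # string -ne is case-insensitive

    $result = [pscustomobject]@{
        Current       = $current
        Expected      = $ExpectedShell
        Modified      = $modified
        ScriptPresent = Test-Path -LiteralPath $ScriptPath
        Restored      = $false
    }

    if ($modified -and $Restore) {
        # Writing this HKLM value needs an elevated token (the post's script
        # elevates itself for the same reason), so fail early and clearly.
        $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
        $principal = New-Object Security.Principal.WindowsPrincipal($identity)
        $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
        if (-not $principal.IsInRole($adminRole)) {
            throw 'Run this from an elevated PowerShell session to restore the value.'
        }
        if ($PSCmdlet.ShouldProcess("$WinlogonKey\Shell", "Set to '$ExpectedShell'")) {
            Set-ItemProperty -Path $WinlogonKey -Name Shell -Value $ExpectedShell -Type String
            $result.Restored = $true
        }
    }
    $result
}

Test-WinlogonShell              # report only
# Test-WinlogonShell -Restore   # revert (add -WhatIf to preview the write)
```

Because the script rewrites the value about three seconds after each logon, a report taken later in the session shows the "cmd.exe /c start ..." form; after restoring the default, the .vbs file itself can be deleted.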

Author: MrBeer
Posted: 28 September 2013 at 5:36am

How do I stop my system from running this?
Is there any way to uninstall this and go back?

Thanks

Author: MagicAndre1981
Posted: 28 September 2013 at 6:44am

This is an ugly hack. Try my one:

http://www.msfn.org/board/index.php?showtopic=144776

and disable the Elevated-Unelevated Explorer Factory, so that you can right-click and simply select "Run as admin", and this starts Explorer now as admin.


Author: WindowsStar
Posted: 30 September 2013 at 11:18pm

A super extremely simple workaround is to just use Explorer++ Portable (or installed) and use the RunAs. Been doing it for years, no modification to the machine and you can even have the program on a USB drive to work on family/friends/clients machines.

Or any other shell replacement software. -WS