Saturday, July 25, 2015

Windows 7 Admin user - batch file always runs as Administrator


This question has been edited based on necessary clarification as received through the comments below.


I have a simple bat file taken from https://stackoverflow.com/questions/4051883/batch-script-how-to-check-for-admin-rights. It tests if the bat script was invoked as a User by simply double-clicking on it or it was run as ‘Run as Administrator’. I have tested it and it works just fine on my Windows 8.1 Home 64-bit laptop under an administrator level user. When I double-click, it indicates that it’s not been run from an Elevated command prompt and says otherwise when ‘Run as Administrator’.


From the below comments it’s understood that the lowest privilege level for Administrator is a User and selecting ‘Run as Administrator’ elevates it to Administrator.


However on my Windows 7 Ultimate 32-bit it’s not behaving the same way! When I just double click on it, it’s still running as Administrator. Is this a security issue and is there any way to set it to default User level?


In my Control Panel UAC is turned off. Also note that I am not creating/running any shortcut set to always 'Run as Administrator'.


On my Windows 7, I would like it to Run as User when I double-click and only as Admin when ‘Run as Administrator’ is invoked.




Note that the script is out of scope for discussion, however just pasting it below for reference.


@echo off
openfiles > NUL 2>&1
if NOT %ERRORLEVEL% EQU 0 goto NotAdmin
echo Hello from elevated command prompt
goto End
:NotAdmin
echo This command prompt is NOT ELEVATED
:End
pause
exit

Answer



The situation you describe is expected behavior when logged on with the built-in Administrator account, even if you have User Account Control (UAC) enabled.


Starting with Windows Vista (and as of this writing, including Windows 10) in the default configuration, applications run with the built-in Administrator account are executed with full administrative privileges. This is because the default setting of the "Admin Approval Mode" security policy is Disabled:



The User Account Control: Admin Approval Mode for the built-in
Administrator account policy setting controls the behavior of Admin
Approval Mode for the built-in Administrator account.


The options are:



  • Enabled. The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege
    will prompt the user to approve the operation.


  • Disabled. (Default) The built-in Administrator account runs all applications with full administrative privilege.






How to Change the Admin Approval Mode Setting


If you have the Professional/Business/Enterprise/Ultimate edition of Windows: You can change this setting by editing local Group Policy:



  1. Click Start, type secpol.msc in the Search programs and files box, and then press ENTER.


  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.


  3. In the console tree, expand Local Policies, and then click Security Options.


  4. In the details pane, scroll down and double-click the Group Policy setting User Account Control: Admin Approval Mode for the built-in Administrator account.


  5. On the Properties page, make your selection, and then click OK.



If you have the Home or Starter edition of Windows: You don't have access to secpol.msc and therefore cannot edit the Local Security Policy. However, this answer points us to another, fortunately still accessible, link at askvg.com that explains how to change the setting in the Registry:




  1. Type regedit in RUN or Start Menu search box and press Enter. It'll open Registry Editor. Now go to following key:


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies


  2. Under Policies key look for a key with the name "System". If it's not present then create it by right-click on Policies key and
    select "New -> Key" and give it name "System".


  3. Now select System key and in right-side pane create a new DWORD value to apply the desired tweak as mentioned in following list:



User Account Control: Admin Approval Mode for the Built-in
Administrator account


DWORD Value - FilterAdministratorToken


To Enable - 1
To Disable - 0
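
The registry steps above, combined with an elevation check like the one in the question's script, as an added PowerShell example (not part of the original answer or the askvg.com article). It assumes PowerShell 2.0 or later; the function names are hypothetical, and EnableLUA is the UAC on/off value under the same key, which the page does not mention.

```powershell
# Added example, not from the original answer. Function names are hypothetical.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Test-Elevated {
    # True when the current process token has the Administrators group enabled.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UacPolicyValue {
    param([string]$Name)
    # Returns $null when the value (or the System key) does not exist.
    $item = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-AdminApprovalModeStatus {
    $filter = Get-UacPolicyValue -Name 'FilterAdministratorToken'
    $lua    = Get-UacPolicyValue -Name 'EnableLUA'   # assumption: not named on the page
    New-Object PSObject -Property @{
        ProcessIsElevated        = (Test-Elevated)
        FilterAdministratorToken = $filter   # missing or 0 = Disabled (the default)
        EnableLUA                = $lua      # 0 = UAC switched off entirely
        # The built-in Administrator only gets a filtered token when both are 1.
        BuiltInAdminFiltered     = (($filter -eq 1) -and ($lua -eq 1))
    }
}

function Enable-AdminApprovalMode {
    # Same change as steps 1-3: create the System key if needed, then set the DWORD to 1.
    if (-not (Test-Elevated)) { throw 'Writing under HKLM requires an elevated prompt.' }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'FilterAdministratorToken' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    # Logon sessions that already exist keep the token they were created with.
}

# Report the current state; uncomment the second line to apply the setting.
Get-AdminApprovalModeStatus | Format-List
# Enable-AdminApprovalMode
```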


