When you log on Windows creates an access token. This identifies you, the groups you are a member of and your privileges. And note that whether a user is an administrator or not is determined by whether the user is a member of the Administrators group.
Without UAC, when you run a program it gets a copy of the access token, and this controls what the program can access.
With UAC, when you run a program it gets a restricted access token. This is the original access token with "Administrators" removed from the list of groups (and some other changes). Even though your user is a member of the Administrators group, the program can't use Administrator privileges.
When you select "Run as Administrator" and your user is an administrator the program is launched with the original unrestricted access token. If your user is not an administrator you are prompted for an administrator account, and the program is run under that account.
So ... more digging, with the result. It seems that although I ran one process normal and one "As Administrator", I had UAC off. Turning UAC to medium allowed me to see different results. Basically, it all boils down to integrity levels, which are 5.
Browsers, for example, run at Low Level (1), while services (System user) run at System Level (4). Everything is very well explained in Windows Integrity Mechanism Design . When UAC is enabled, processes are created with Medium level (SID S-1-16-8192 AKA 0x2000 is added) while when "Run as Administrator", the process is created with High Level (SID S-1-16-12288 aka 0x3000).
So the correct ACCESS_TOKEN for a normal user (Medium Integrity level) is:
"Run as Aministrator" is just a command, enabling the program to continue some operations that require the Administrator privileges, without displaying the UAC alerts.
Even if your user is a member of administrators group, some applications like yours need the Administrator privileges to continue running, because the application is considered not safe, if it is doing some special operation, like editing a system file or something else. This is the reason why Windows needs the Administrator privilege to execute the application and it notifies you with a UAC alert. Not all applications need an Amnistrator account to run, and some applications, like yours, need the Administrator privileges.
If you execute the application with 'run as administrator' command, you are notifying the system that your application is safe and doing something that requires the administrator privileges, with your confirm.
If you want to avoid this, just disable the UAC on Control Panel.
Things like "elevates the privileges", "restricted access token", "Administrator privilege" ... what the heck is administrator privilege anyway? are nonsense.
Here is an ACCESS_TOKEN for a process normally run from a user belonging to Administrators group.
程序要求此提升权限的原因始于 Black Comb 和 Panther 文件夹。在windows中,除非通过管理员提示符,否则对内核的访问是0,那么它与O/S内核只是一种虚拟关系。
万岁!
The Run as *Anything command saves you from logging out and logging in as the user for which you use the runas command for.
The reason programs ask for this elevated privilege started with Black Comb and the Panther folder. There is 0 access to the Kernel in windows unless through the Admin prompt and then it is only a virtual relation with the O/S kernel.
内核访问类似于 Linux 中的 root 访问。当您提升权限时,您会将自己与 C:\ 的根目录以及其中包含的任何可爱的环境变量隔离开来。
如果您还记得 BSOD,这是操作系统在认为错误的 I/O 到达内核时关闭的情况。
A little clearer... A software program that has kernel mode access has total access to all of the computer's data and its hardware.
Since Windows Vista Microsoft has stopped any and all I/O processes from accessing the kernel (ring 0) directly ever again. The closest we get is a folder created as a virtual kernel access partition, but technically no access to kernel itself; the kernel meets halfway.
This is because the software itself dictates which token to use, so if it asks for an administrator access token, instead of just allowing communications with the kernel like on Windows XP you are prompted to allow access to the kernel, each and every time. Changing UAC could reduce prompts, but never the kernel prompts.
Even when you login as an Administrator, you are running processes as a standard user until prompted to elevate the rights you have. I believe logged in as the administrator saves you from entering the credentials. But it also writes to the administrator users folder structure.
Kernel access is similar to root access in Linux. When you elevate your permissions you are isolating yourself from the root of C:\ and whatever lovely environment variables are contained within.
If you remember BSODs this was the OS shutting down when it believed a bad I/O reached the kernel.
The actual question (and an excellent one at that)
"What does 'run as admin' do that being a member of the administrators group does not?"
(Answer)1. It allows you to call on administrator rights while under a user session.
Note: The question is wrongly put; one is a command and the other is a group object to apply policies.
Open a command prompt and type runas /?.
This will list all the switches the runas command line can use.
As for the Administrators Group this is based on GPEDIT or SECPOL and whether or not a Domain administrator is present or not or a network is present or not.
Usually these things will apply restrictions on computers that the administrators group is not affected by.
The question should be
What does runas admin do that run as user does not?
OR
What does the Administrator group do that a customized user group can't?
Windows 7 requires that you intentionally ask for certain privileges so that a malicious program can't do bad things to you. If the free calculator you downloaded needed to be run as an administrator, you would know something is up. There are OS commands to elevate the privilege of your application (which will request confirmation from the user).
发布评论
评论(8)
当您登录 Windows 时,会创建一个访问令牌。这可以识别您、您所属的群组以及您的特权。并且需要注意的是,用户是否是管理员取决于该用户是否是Administrators组的成员。
如果没有 UAC,当您运行程序时,它会获取访问令牌的副本,这将控制程序可以访问的内容。
使用 UAC,当您运行程序时,它会获得受限的访问令牌。这是原始访问令牌,其中“管理员”已从组列表中删除(以及一些其他更改)。即使您的用户是管理员组的成员,该程序也无法使用管理员权限。
当您选择“以管理员身份运行”并且您的用户是管理员时,程序将使用原始的不受限制的访问令牌启动。如果您的用户不是管理员,系统会提示您输入管理员帐户,并且程序将在该帐户下运行。
When you log on Windows creates an access token. This identifies you, the groups you are a member of and your privileges. And note that whether a user is an administrator or not is determined by whether the user is a member of the Administrators group.
Without UAC, when you run a program it gets a copy of the access token, and this controls what the program can access.
With UAC, when you run a program it gets a restricted access token. This is the original access token with "Administrators" removed from the list of groups (and some other changes). Even though your user is a member of the Administrators group, the program can't use Administrator privileges.
When you select "Run as Administrator" and your user is an administrator the program is launched with the original unrestricted access token. If your user is not an administrator you are prompted for an administrator account, and the program is run under that account.
所以......更多的挖掘,结果。看来,虽然我正常运行了一个进程,并且运行了一个“以管理员身份”,但我关闭了 UAC。将 UAC 切换到 Medium 让我看到了不同的结果。基本上,这一切都归结为完整性级别,即 5。
例如,浏览器在低级别 (1) 运行,而服务(系统用户)在系统级别 (4) 运行。 Windows 完整性机制设计。启用 UAC 时,会以中级别创建进程(添加 SID S-1-16-8192 又名 0x2000),而当“以管理员身份运行”时,会以高级别创建进程(SID S-1-16-12288 又名0x3000)。
因此,普通用户(中等完整性级别)的正确 ACCESS_TOKEN 是:
现在,差异如下:
对于“作为管理员”,而
对于非管理员。
请注意,S-1-5-32-544 是 BUILTIN\Administrators。另外,权限较少,最需要注意的是:
管理员:
而对于非管理员:
我希望这会有所帮助。
进一步阅读:http://www.blackfishsoftware.com/blog/don/creating_processes_sessions_integrity_levels
So ... more digging, with the result. It seems that although I ran one process normal and one "As Administrator", I had UAC off. Turning UAC to medium allowed me to see different results. Basically, it all boils down to integrity levels, which are 5.
Browsers, for example, run at Low Level (1), while services (System user) run at System Level (4). Everything is very well explained in Windows Integrity Mechanism Design . When UAC is enabled, processes are created with Medium level (SID S-1-16-8192 AKA 0x2000 is added) while when "Run as Administrator", the process is created with High Level (SID S-1-16-12288 aka 0x3000).
So the correct ACCESS_TOKEN for a normal user (Medium Integrity level) is:
Now, the differences are as follows:
for "As Admin", while
for non-admin.
Note that S-1-5-32-544 is BUILTIN\Administrators. Also, there are fewer privileges, and the most important thing to notice:
admin:
while for non-admin:
I hope this helps.
Further reading: http://www.blackfishsoftware.com/blog/don/creating_processes_sessions_integrity_levels
更新
“以管理员身份运行”只是一个命令,使程序能够继续某些需要管理员权限的操作,而不显示 UAC 警报。
即使您的用户是管理员组的成员,像您这样的某些应用程序也需要管理员权限才能继续运行,因为如果该应用程序正在执行某些特殊操作(例如编辑系统文件或其他操作),则该应用程序被认为不安全。这就是 Windows 需要管理员权限才能执行应用程序并通过 UAC 警报通知您的原因。并非所有应用程序都需要 Amnistrator 帐户才能运行,有些应用程序(例如您的应用程序)需要管理员权限。
如果您使用“以管理员身份运行”命令执行应用程序,则您将通知系统您的应用程序是安全的,并且正在执行需要管理员权限的操作,并需要您的确认。
如果您想避免这种情况,只需在控制面板上禁用 UAC 即可。
如果您想进一步了解,请阅读问题之间的差异Microsoft 论坛或 这个超级用户问题。
UPDATE
"Run as Aministrator" is just a command, enabling the program to continue some operations that require the Administrator privileges, without displaying the UAC alerts.
Even if your user is a member of administrators group, some applications like yours need the Administrator privileges to continue running, because the application is considered not safe, if it is doing some special operation, like editing a system file or something else. This is the reason why Windows needs the Administrator privilege to execute the application and it notifies you with a UAC alert. Not all applications need an Amnistrator account to run, and some applications, like yours, need the Administrator privileges.
If you execute the application with 'run as administrator' command, you are notifying the system that your application is safe and doing something that requires the administrator privileges, with your confirm.
If you want to avoid this, just disable the UAC on Control Panel.
If you want to go further, read the question Difference between "Run as Administrator" and Windows 7 Administrators Group on Microsoft forum or this SuperUser question.
诸如“提升权限”、“受限访问令牌”、“管理员权限”之类的东西……管理员权限到底是什么?都是废话。
这是通常由属于管理员组的用户运行的进程的 ACCESS_TOKEN。
...这是一个通常由同一用户“以管理员身份运行”运行的进程的 ACCESS_TOKEN。
如您所见,唯一的区别是令牌 ID:
vs
抱歉,我还不能对此添加太多信息,但我仍在挖掘。
Things like "elevates the privileges", "restricted access token", "Administrator privilege" ... what the heck is administrator privilege anyway? are nonsense.
Here is an ACCESS_TOKEN for a process normally run from a user belonging to Administrators group.
... and here is an ACCESS_TOKEN for a process normally run by the same user with "Run as administrator".
As you see, the only difference is the token ID:
vs
Sorry, I can't add much light into this yet, but I am still digging.
Run as *Anything 命令可以让您免于以使用 runas 命令的用户身份注销和登录。
程序要求此提升权限的原因始于 Black Comb 和 Panther 文件夹。在windows中,除非通过管理员提示符,否则对内核的访问是0,那么它与O/S内核只是一种虚拟关系。
万岁!
The Run as *Anything command saves you from logging out and logging in as the user for which you use the runas command for.
The reason programs ask for this elevated privilege started with Black Comb and the Panther folder. There is 0 access to the Kernel in windows unless through the Admin prompt and then it is only a virtual relation with the O/S kernel.
Hoorah!
更清楚一点...具有内核模式访问权限的软件程序可以完全访问计算机的所有数据及其硬件。
自 Windows Vista 以来,Microsoft 已再次停止所有 I/O 进程直接访问内核(ring 0)。我们得到的最接近的是一个作为虚拟内核访问分区创建的文件夹,但从技术上讲,无法访问内核本身;内核半途而废。
这是因为软件本身规定了要使用哪个令牌,因此如果它要求管理员访问令牌,则每次都会提示您允许访问内核,而不是像 Windows XP 上那样只允许与内核通信。更改 UAC 可以减少提示,但永远不会减少内核提示。
即使您以管理员身份登录,您也会以标准用户身份运行进程,直到系统提示您提升您拥有的权限。我相信以管理员身份登录可以让您免于输入凭据。但它也会写入管理员用户文件夹结构。
内核访问类似于 Linux 中的 root 访问。当您提升权限时,您会将自己与 C:\ 的根目录以及其中包含的任何可爱的环境变量隔离开来。
如果您还记得 BSOD,这是操作系统在认为错误的 I/O 到达内核时关闭的情况。
A little clearer... A software program that has kernel mode access has total access to all of the computer's data and its hardware.
Since Windows Vista Microsoft has stopped any and all I/O processes from accessing the kernel (ring 0) directly ever again. The closest we get is a folder created as a virtual kernel access partition, but technically no access to kernel itself; the kernel meets halfway.
This is because the software itself dictates which token to use, so if it asks for an administrator access token, instead of just allowing communications with the kernel like on Windows XP you are prompted to allow access to the kernel, each and every time. Changing UAC could reduce prompts, but never the kernel prompts.
Even when you login as an Administrator, you are running processes as a standard user until prompted to elevate the rights you have. I believe logged in as the administrator saves you from entering the credentials. But it also writes to the administrator users folder structure.
Kernel access is similar to root access in Linux. When you elevate your permissions you are isolating yourself from the root of C:\ and whatever lovely environment variables are contained within.
If you remember BSODs this was the OS shutting down when it believed a bad I/O reached the kernel.
好吧,让我们重申一下......
实际问题(这是一个很好的问题)
(答案)1。它允许您在用户会话下调用管理员权限。
注:问题提出错误;一个是命令,另一个是应用策略的组对象。
打开命令提示符并输入
runas /?。这将列出 runas 命令行可以使用的所有开关。
对于管理员组,这是基于 GPEDIT 或 SECPOL 以及域管理员是否存在或网络是否存在。
通常这些东西会对管理员组不受影响的计算机施加限制。
问题应该是
或者
你正在混合苹果和橙子。
Okay, let's re-iterate...
The actual question (and an excellent one at that)
(Answer)1. It allows you to call on administrator rights while under a user session.
Note: The question is wrongly put; one is a command and the other is a group object to apply policies.
Open a command prompt and type
runas /?.This will list all the switches the
runascommand line can use.As for the Administrators Group this is based on GPEDIT or SECPOL and whether or not a Domain administrator is present or not or a network is present or not.
Usually these things will apply restrictions on computers that the administrators group is not affected by.
The question should be
OR
You are mixing apples and oranges.
Windows 7 要求您有意请求某些权限,以便恶意程序无法对您做坏事。如果您下载的免费计算器需要以管理员身份运行,您就会知道出了问题。有一些操作系统命令可以提升应用程序的权限(这将请求用户确认)。
可以在以下位置找到详细说明:
https://learn.microsoft.com/en-us/archive/msdn-magazine/2007/january/teach-your-apps-to-work-with-windows-vista-user-account-control#S4
Windows 7 requires that you intentionally ask for certain privileges so that a malicious program can't do bad things to you. If the free calculator you downloaded needed to be run as an administrator, you would know something is up. There are OS commands to elevate the privilege of your application (which will request confirmation from the user).
A good description can be found at:
https://learn.microsoft.com/en-us/archive/msdn-magazine/2007/january/teach-your-apps-to-work-with-windows-vista-user-account-control#S4