After install Windows 10, it seems that I lost the ability to run explorer.exe as administrator with a user in administrator group.
The reason I want to do that is, in our team's development environment, we are using a C# exe to do some environment configuration which will start command prompt under administrator mode and subst a drive. As a result those substed drives are not visible within the file explorer since it is run not as administrator. That will be kind of inconvenience and sometimes make mistakes.
I was able to run explorer.exe from task manager with the option "create with privileges" checked and then I can see all the drives in explorer. But now this is not working anymore.
I knew there are other options to workaround this workflow, but just want to make sure that if it is now totally impossible under Windows 10?
Any comment is appreciated.
94 Answers
I discovered a way to run Explorer as admin some time ago:
start regedit.exe and go to the following key. You should be able to copy/paste this string into the regedit address bar:
HKEY_CLASSES_ROOT\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}
make a right click on
Permissionsand set your user as owner (click onadvancedbutton to be able to take ownership) of the key and give your current user writing permissions.
or use the 3rd party tool RegOwnershipEx to get full control of the key:
- Next, delete or rename the value RunAs.
Now the Elevated-Unelevated Explorer Factory (which causes that the Run As admin is ignored) is disabled and you can start the Explorer with admin rights.
Note: In order to start Explorer as admin after having done that, don't do this: Task Manager > Run > explorer.exe with "As admininistrator" checked, it will not work. Instead create an explorer shortcut on desktop, right-click on it and select "Run as admin" or edit the shortcut > Advanced > Run as administrator.
18For small things like browsing a folder that cannot be browsed without elevated explorer I start elevated notepad and then in the file open dialog I can browse all directories. With right click I can do quite a bit. (It's a fast solution that mostly does the trick.)
Start command line as Administrator.
Type these commands:
taskkill /im explorer.exe
explorer.exe 3 To apply the accepted solution of @magicandre1981 with a copy & past PowerShell script, just execute the following from an elevated PowerShell prompt:
Function Enable-Privilege
{ param([ValidateSet("SeAssignPrimaryTokenPrivilege", "SeAuditPrivilege", "SeBackupPrivilege", "SeChangeNotifyPrivilege", "SeCreateGlobalPrivilege", "SeCreatePagefilePrivilege", "SeCreatePermanentPrivilege", "SeCreateSymbolicLinkPrivilege", "SeCreateTokenPrivilege", "SeDebugPrivilege", "SeEnableDelegationPrivilege", "SeImpersonatePrivilege", "SeIncreaseBasePriorityPrivilege", "SeIncreaseQuotaPrivilege", "SeIncreaseWorkingSetPrivilege", "SeLoadDriverPrivilege", "SeLockMemoryPrivilege", "SeMachineAccountPrivilege", "SeManageVolumePrivilege", "SeProfileSingleProcessPrivilege", "SeRelabelPrivilege", "SeRemoteShutdownPrivilege", "SeRestorePrivilege", "SeSecurityPrivilege", "SeShutdownPrivilege", "SeSyncAgentPrivilege", "SeSystemEnvironmentPrivilege", "SeSystemProfilePrivilege", "SeSystemtimePrivilege", "SeTakeOwnershipPrivilege", "SeTcbPrivilege", "SeTimeZonePrivilege", "SeTrustedCredManAccessPrivilege", "SeUndockPrivilege", "SeUnsolicitedInputPrivilege")]$Privilege, $ProcessId = $pid, [Switch]$Disable) $Definition = @' using System; using System.Runtime.InteropServices; public class AdjPriv { [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)] internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall, ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen); [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)] internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok); [DllImport("advapi32.dll", SetLastError = true)] internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid); [StructLayout(LayoutKind.Sequential, Pack = 1)] internal struct TokPriv1Luid { public int Count; public long Luid; public int Attr; } internal const int SE_PRIVILEGE_ENABLED = 0x00000002; internal const int SE_PRIVILEGE_DISABLED = 0x00000000; internal const int TOKEN_QUERY = 0x00000008; internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020; public static bool EnablePrivilege(long processHandle, string privilege, bool disable) { bool retVal; TokPriv1Luid tp; IntPtr hproc = new IntPtr(processHandle); IntPtr htok = IntPtr.Zero; retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok); tp.Count = 1; tp.Luid = 0; if(disable) { tp.Attr = SE_PRIVILEGE_DISABLED; } else { tp.Attr = SE_PRIVILEGE_ENABLED; } retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid); retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero); return retVal; } }
'@ $processHandle = (Get-Process -id $ProcessId).Handle $type = Add-Type $definition -PassThru $type[0]::EnablePrivilege($processHandle, $Privilege, $Disable)
}
$path = 'HKLM:\Software\Classes\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}'
$acl = Get-Acl $path
$originalOwner = $acl.GetOwner([System.Security.Principal.NTAccount]).Value
$acl.SetOwner((New-Object System.Security.Principal.NTAccount([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)))
$acl | Set-Acl $path
Rename-ItemProperty -LiteralPath $path -Name "RunAs" -NewName "__RunAs";
$acl = Get-Acl $path
$acl.SetOwner((New-Object System.Security.Principal.NTAccount($originalOwner)))
Enable-Privilege SeRestorePrivilege
$acl | Set-Acl $pathIt renames the RunAs value name to __RunAs.