Defense in depth -- the Microsoft way (part 35): Windows Explorer ignores "Run as administrator" ...

From: Stefan Kanthak <stefan.kanthak@nexgo.de>
To: bugtraq@securityfocus.com
Cc: fulldisclosure@seclists.org
Subject: Defense in depth -- the Microsoft way (part 35): Windows Explorer ignores "Run as administrator" ...
Date:


Hi @ll,

since Microsoft introduced the security theatre named "user account
control" with Windows Vista users cant start (another instance of)
the Windows Explorer with elevated rights any more: the "Run as
administrator" and the "Run as different user" context menu entries
only start another instance of Windows Explorer with but the
credentials of the logged on (interactive) user.

No, neither starting Windows Explorer per "Explorer.Exe /Separate"
nor setting the following registry entries overcomes this limitation:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"DesktopProcess"=dword:01

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"SeparateProcess"=dword:01


Microsoft is well aware of this, but still doesnt remove or disable
these dysfunctional context menu entries for Explorer.exe, although
their own user experience interface guidelines request that (context)
menu entries which are not applicable must not be shown or have to be
disabled!

See <https://msdn.microsoft.com/en-us/library/dn742392.aspx>:

| Disable menu items that don't apply to the current context
...
| Remove rather than disable context menu items that don't
| apply to the current context.

or <http://www.microsoft.com/en-us/download/details.aspx?id=2695>

If you want to get rid of "Run as administrator" and "Run as
different user" for Explorer.exe to save yourself, your users and
your support/helpdesk from confusion or frustration add the following
registry entries:

[HKEY_CLASSES_ROOT\exefile\Shell\RunAs]
"AppliesTo"="System.FileName:<>Explorer.Exe"

[HKEY_CLASSES_ROOT\exefile\Shell\RunAsUser]
"AppliesTo"="System.FileName:<>Explorer.Exe"

See <https://msdn.microsoft.com/en-us/library/cc144171.aspx>
and <https://msdn.microsoft.com/en-us/library/bb266512.aspx>
to understand how and why this registry entry works.

JFTR: the context menu entry "Run as administrator" doesnt work at
      all in standard user accounts when UAC is set to "never elevate".
      This is another clear violation of Microsofts own UX guidelines!

stay tuned
Stefan Kanthak

PS: the script <http://home.arcor.de/skanthak/download/UAC.INF> adds
    this and several other missing registry entries which enable
    "Run as administrator" and "Run as different user" for quite some
    file types.





Copyright © 1995-2018 LinuxRocket.net. All rights reserved.