Want to be total Admin on my System

[DMikeM]

Ok I am tired of being restricted from some folders or drives and some apps needing to be run as Admin.
I have gone through the policy top to bottom and can’t figure out what to do to be in full control (AS IN ROOT) of my system. I am an IT specialist, Network Admin, Systems Admin. ETC… and want total access to my stuff with no restrictions. Why is this so hard with this OS?

Anyone here figure this out yet?

[Indrek]

Permissions, is why. Or rather, lack of them. You simply don’t have permissions for certain system objects, because they’re owned by the SYSTEM account. For complete root powers, taking ownership of the entire file system and subsequently granting yourself all permissions should do the trick.

[Anonymous]

Permissions, is why. Or rather, lack of them. You simply don’t have permissions for certain system objects, because they’re owned by the SYSTEM account. For complete root powers, taking ownership of the entire file system and subsequently granting yourself all permissions should do the trick.

[DMikeM]

I have had to do that with a few folders. One was just so I could install a UT3 Server and be able to manage it correctly.
You cannot install such things in the default Program files or program files (x86) folders. Server, Vista and Win 7 will just not give you the correct permissions even if your account is an admin account.
There has got to be a way somewhere in the Policies or registry to give a USER, GOD access to the system.
I even added my account to act as system and that still doesn’t cover it.

[Anonymous]

I have had to do that with a few folders. One was just so I could install a UT3 Server and be able to manage it correctly.
You cannot install such things in the default Program files or program files (x86) folders. Server, Vista and Win 7 will just not give you the correct permissions even if your account is an admin account.
There has got to be a way somewhere in the Policies or registry to give a USER, GOD access to the system.
I even added my account to act as system and that still doesn’t cover it.

[JonusC]

@DMikeM wrote:

I have had to do that with a few folders. One was just so I could install a UT3 Server and be able to manage it correctly.
You cannot install such things in the default Program files or program files (x86) folders. Server, Vista and Win 7 will just not give you the correct permissions even if your account is an admin account.
There has got to be a way somewhere in the Policies or registry to give a USER, GOD access to the system.
I even added my account to act as system and that still doesn’t cover it.

Running a process as administrator via Runas in CMD, right-click context menu or, in the case of startup programs for legacy apps, use Task Scheduler to run on login as max privledges.

What you want to do is disable UAC completely and take Full Control of all folders. But if you do that, you might want to nail down your security to the max with clientside firewalls and a strong permanent AV as your system will then be vulnerable to rootkits – despite it being x64.

Unlike Linux, there is no “root user” that is interactive in Windows NT and there never was. Usermode applications never have direct kernalmode access, even when you set the “Allow user to act as part of the operating system” flag. Because then you’d be as secure as Windows 98 and malware could just run DELTREE %WINDIR% /S /Q and you’re dead =P

I’ve actually never had UAC enabled on my PC since Vista, but as of about 2 weeks ago I enabled it in Windows 7 and managed to get used to it very quickly. Since I don’t hack around with my OS everyday anymore, I like to leave it on for that extra level of protection just incase I get a hijack scenario from some new freaky virus outbreak.

[Anonymous]

@DMikeM wrote:

I have had to do that with a few folders. One was just so I could install a UT3 Server and be able to manage it correctly.
You cannot install such things in the default Program files or program files (x86) folders. Server, Vista and Win 7 will just not give you the correct permissions even if your account is an admin account.
There has got to be a way somewhere in the Policies or registry to give a USER, GOD access to the system.
I even added my account to act as system and that still doesn’t cover it.

Running a process as administrator via Runas in CMD, right-click context menu or, in the case of startup programs for legacy apps, use Task Scheduler to run on login as max privledges.

What you want to do is disable UAC completely and take Full Control of all folders. But if you do that, you might want to nail down your security to the max with clientside firewalls and a strong permanent AV as your system will then be vulnerable to rootkits – despite it being x64.

Unlike Linux, there is no “root user” that is interactive in Windows NT and there never was. Usermode applications never have direct kernalmode access, even when you set the “Allow user to act as part of the operating system” flag. Because then you’d be as secure as Windows 98 and malware could just run DELTREE %WINDIR% /S /Q and you’re dead =P

I’ve actually never had UAC enabled on my PC since Vista, but as of about 2 weeks ago I enabled it in Windows 7 and managed to get used to it very quickly. Since I don’t hack around with my OS everyday anymore, I like to leave it on for that extra level of protection just incase I get a hijack scenario from some new freaky virus outbreak.

[JingoFresh]

@DMikeM wrote:

Ok I am tired of being restricted from some folders or drives and some apps needing to be run as Admin.
I have gone through the policy top to bottom and can’t figure out what to do to be in full control (AS IN ROOT) of my system. I am an IT specialist, Network Admin, Systems Admin. ETC… and want total access to my stuff with no restrictions. Why is this so hard with this OS?

Anyone here figure this out yet?

If you are as qualified as you say, then you should know that your request is a bad idea.

Instead, just run as an Administrator account, and you should have sufficient access for actually using your system.

[Anonymous]

@DMikeM wrote:

Ok I am tired of being restricted from some folders or drives and some apps needing to be run as Admin.
I have gone through the policy top to bottom and can’t figure out what to do to be in full control (AS IN ROOT) of my system. I am an IT specialist, Network Admin, Systems Admin. ETC… and want total access to my stuff with no restrictions. Why is this so hard with this OS?

Anyone here figure this out yet?

If you are as qualified as you say, then you should know that your request is a bad idea.

Instead, just run as an Administrator account, and you should have sufficient access for actually using your system.

[JonusC]

Yeah, I agree with JingoFresh to be quite honest. Plus, I ironically have hosted a UT3 server on my UAC enabled account, it installed and worked as expected. I’m only guessing that you come from a Linux background with questions like this, so i’ll repeat – Windows does things differently and there’s no such this as an interactive “SYSTEM” or “TrustedInstaller” account you can use.

Just disable UAC and take full control of your entire harddisk via the TAKEOWN and ICACLS commands (the WinNT6.1 equivalent of CHMOD) if you really want to do it, but don’t be surprised if you get Reverse ARP poisoned or Hijacked/Clickjacked or (trails off)…

😀

[Anonymous]

Yeah, I agree with JingoFresh to be quite honest. Plus, I ironically have hosted a UT3 server on my UAC enabled account, it installed and worked as expected. I’m only guessing that you come from a Linux background with questions like this, so i’ll repeat – Windows does things differently and there’s no such this as an interactive “SYSTEM” or “TrustedInstaller” account you can use.

Just disable UAC and take full control of your entire harddisk via the TAKEOWN and ICACLS commands (the WinNT6.1 equivalent of CHMOD) if you really want to do it, but don’t be surprised if you get Reverse ARP poisoned or Hijacked/Clickjacked or (trails off)…

😀

[DMikeM]

My background is actually windows first with a few years of Xenix/Unix support.

I do know that what I am asking is in fact dangerous but I do have good full time firewalls on our network and a good resident antimalware on my machines. I also run FireFox with NoScript and Adblock Plus, and cookies disabled for new and unknown sites.
Some programs do not run as expected:
Nero
RipIt4Me
PowerDesk Pro
ACDSee
Image Burn
Hawke ChairGun Pro

Some issues are as minor as the system will not allow me to save a database file in the program directory or make changes to the existing ones, even with “Run as Admin” used. I have taken possession of these folders and been able to move along but I would like to just be able to do as I want with out needing to make these changes for random applications.

[Anonymous]

My background is actually windows first with a few years of Xenix/Unix support.

I do know that what I am asking is in fact dangerous but I do have good full time firewalls on our network and a good resident antimalware on my machines. I also run FireFox with NoScript and Adblock Plus, and cookies disabled for new and unknown sites.
Some programs do not run as expected:
Nero
RipIt4Me
PowerDesk Pro
ACDSee
Image Burn
Hawke ChairGun Pro

Some issues are as minor as the system will not allow me to save a database file in the program directory or make changes to the existing ones, even with “Run as Admin” used. I have taken possession of these folders and been able to move along but I would like to just be able to do as I want with out needing to make these changes for random applications.

[JonusC]

@DMikeM wrote:

I do know that what I am asking is in fact dangerous but I do have good full time firewalls on our network […]

Then you should also already know that a Server/Router-Side Firewall is completely useless in the most severe, critical cost infections, such as Windows exploits and Rootkit infection; you need those client-side policies for that – but if you’re running Server 2008 R2 and the Clients are Windows 7, that’s a breeze. Of course third party corporate Firewall networks are also great, from my experience I find McAfee to still be the best after so many years – followed by the relatively new Sophos. Symantec is somewhat poor and difficult to manage… but I’m sure you know what I mean and have that all under control 😉

@DMikeM wrote:

Some programs do not run as expected:
Nero
RipIt4Me
PowerDesk Pro
ACDSee
Image Burn
Hawke ChairGun Pro

Nero 9 and ACDSee Pro Photo Manager 9.1 run 100% fine on my machine.

@DMikeM wrote:

Some issues are as minor as the system will not allow me to save a database file in the program directory or make changes to the existing ones, even with “Run as Admin” used. I have taken possession of these folders and been able to move along but I would like to just be able to do as I want with out needing to make these changes for random applications.

That doesn’t make any sense. Well for starters, you may as well disable UAC completely and stick with the XP-days recommendations of group security; to assign your staff members accounts on their workstation to the ‘Limited’ or at most ‘Power User’ account groups. Then, it’s safe to leave the Owner of any program folder as Administrator – just make the permissions changes via Administrative Command Prompt (will have Administrator: in the title bar). CD to the directory and run this command:

icacls *.* /grant USERNAME:F /inheritance:e /T /C /Q

…replacing USERNAME with the username of the Limited/Power User account you want to give Full Access to the folder contents to. You might need to substitute *.* with “C:Program FilesPath To Program” for some dodgy legacy programs that test it’s parent folder for write access instead of a specific file within the folder. A rundown of that commandline is to grant all files and folders in current directory/subdirectories (/T – recursively) FULL permissions to USERNAME, do not abort on errors but still echo them (/C), and hide all success messages (/Q). Alternatively add a pipe command to the end, eg:

icacls *.* /grant USERNAME:F /inheritance:e /T /C /Q > C:PermsLog.txt

incase you overflow the screen buffer in the NTVDM Console with too many errors (highly recommended if you do it to, say, the root of C, there will be lots).

With that done and UAC turned off, you should be able to run everything – as long as it doesn’t try to write data to the Local Registry Hive (Not Current User Hive) or modify/add files to protected folders (C:Windows). In which case you will need to check the “Run as administrator” box in the Compatibility tab for the EXE properties. While you’re at it, fiddle with the OS compat. options – I had to set Nero 9’s installation to Vista SP2 in order to get it past the initial OS check tantrum 😉

OK, that’s it. I have no idea how much you already knew of that, sorry if I’m not telling you much new – it wasn’t my intention to patronize anyone 😆

P.S. Taking Ownership of C:Windowssystem32 and many other folder paths away from TrustedInstaller will create an unstable system. Taking ownership of C:Boot or C:System Volume Information will create an unbootable system. Taking Ownership of system files never has to be done for compatibility purposes; Granting Full Permissions and Running as Administrator without UAC is literally the best you can get (that is the same behaviour as Windows XP). You only need to use Take Ownership if you (a) have multiple partitions, reinstall Windows on the systemdrive and realize that the Home/User partition has invalid SID’s (The owner is a user that doesnt exist anymore) or (b) You want to resource hack the Windows DLL’s to e.g. make the blue Aero ring thingy red instead of blue 😛

Hope any of that helped in some way. Let us know what you find.

[Anonymous]

@DMikeM wrote:

I do know that what I am asking is in fact dangerous but I do have good full time firewalls on our network […]

Then you should also already know that a Server/Router-Side Firewall is completely useless in the most severe, critical cost infections, such as Windows exploits and Rootkit infection; you need those client-side policies for that – but if you’re running Server 2008 R2 and the Clients are Windows 7, that’s a breeze. Of course third party corporate Firewall networks are also great, from my experience I find McAfee to still be the best after so many years – followed by the relatively new Sophos. Symantec is somewhat poor and difficult to manage… but I’m sure you know what I mean and have that all under control 😉

@DMikeM wrote:

Some programs do not run as expected:
Nero
RipIt4Me
PowerDesk Pro
ACDSee
Image Burn
Hawke ChairGun Pro

Nero 9 and ACDSee Pro Photo Manager 9.1 run 100% fine on my machine.

@DMikeM wrote:

Some issues are as minor as the system will not allow me to save a database file in the program directory or make changes to the existing ones, even with “Run as Admin” used. I have taken possession of these folders and been able to move along but I would like to just be able to do as I want with out needing to make these changes for random applications.

That doesn’t make any sense. Well for starters, you may as well disable UAC completely and stick with the XP-days recommendations of group security; to assign your staff members accounts on their workstation to the ‘Limited’ or at most ‘Power User’ account groups. Then, it’s safe to leave the Owner of any program folder as Administrator – just make the permissions changes via Administrative Command Prompt (will have Administrator: in the title bar). CD to the directory and run this command:

icacls *.* /grant USERNAME:F /inheritance:e /T /C /Q

…replacing USERNAME with the username of the Limited/Power User account you want to give Full Access to the folder contents to. You might need to substitute *.* with “C:Program FilesPath To Program” for some dodgy legacy programs that test it’s parent folder for write access instead of a specific file within the folder. A rundown of that commandline is to grant all files and folders in current directory/subdirectories (/T – recursively) FULL permissions to USERNAME, do not abort on errors but still echo them (/C), and hide all success messages (/Q). Alternatively add a pipe command to the end, eg:

icacls *.* /grant USERNAME:F /inheritance:e /T /C /Q > C:PermsLog.txt

incase you overflow the screen buffer in the NTVDM Console with too many errors (highly recommended if you do it to, say, the root of C, there will be lots).

With that done and UAC turned off, you should be able to run everything – as long as it doesn’t try to write data to the Local Registry Hive (Not Current User Hive) or modify/add files to protected folders (C:Windows). In which case you will need to check the “Run as administrator” box in the Compatibility tab for the EXE properties. While you’re at it, fiddle with the OS compat. options – I had to set Nero 9’s installation to Vista SP2 in order to get it past the initial OS check tantrum 😉

OK, that’s it. I have no idea how much you already knew of that, sorry if I’m not telling you much new – it wasn’t my intention to patronize anyone 😆

P.S. Taking Ownership of C:Windowssystem32 and many other folder paths away from TrustedInstaller will create an unstable system. Taking ownership of C:Boot or C:System Volume Information will create an unbootable system. Taking Ownership of system files never has to be done for compatibility purposes; Granting Full Permissions and Running as Administrator without UAC is literally the best you can get (that is the same behaviour as Windows XP). You only need to use Take Ownership if you (a) have multiple partitions, reinstall Windows on the systemdrive and realize that the Home/User partition has invalid SID’s (The owner is a user that doesnt exist anymore) or (b) You want to resource hack the Windows DLL’s to e.g. make the blue Aero ring thingy red instead of blue 😛

Hope any of that helped in some way. Let us know what you find.

[DMikeM]

Great write up, Thanks!

Hardware Firewall, Sonicwall NSA 2400 with everything turned on.

For user name, being as I am a Domain Admin at work should I include the FQDN in the username string, eg: “USERNAME.DOMAIN.local”
I have a special GP set up for Domain Admins as well with very little restrictions, so I doubt there would be any hindrance from the GP.

At home it will be simple as I did not enable a domain there.

[Anonymous]

Great write up, Thanks!

Hardware Firewall, Sonicwall NSA 2400 with everything turned on.

For user name, being as I am a Domain Admin at work should I include the FQDN in the username string, eg: “USERNAME.DOMAIN.local”
I have a special GP set up for Domain Admins as well with very little restrictions, so I doubt there would be any hindrance from the GP.

At home it will be simple as I did not enable a domain there.

[JonusC]

If you need to specify a Domain and Username to grant permissions to, replace USERNAME with DOMAINUSERNAME. It will otherwise scan the Domain that the current user (administrator) is a part of for the specified username if omitted (as long as you are actively connected to the domain controller), so the DOMAIN prepender usually isn’t required in most cases unless you are (a) Doing an offline administrative task or (b) Have a multi-domain system with shared resources and User Accounts. Make sense?

Actually, i’m pretty sure ICACLS supports the USERNAME to be a Group aswell as a user name or domain/user name. As such, since you mentioned Domain, it maybe better to change USERNAME for Administrators which would apply the permissions to all users in the Administrators group across the domain (provided the Workstation is correctly configured for User Group Domain Propagation, or whatever it’s called – that thing where it transparently sees local + domain users as one and the same… or is that always on in Windows these days?)

Remember though that the ICACLS /grant simply adds permissions for the USERNAME you specify (or, it replaces them if the object(s) already have a certain permission set for that particular USERNAME). It doesn’t remove anything at all, and will still respect inherited permissions (the parent folder’s permissions if set to recurse through) which is set to true by default. In other words, if you do a /grant command for ten different users on a certain object, that object will have ten new SD (Security Descriptor) entries.

😉

Fire-up an administrative Command Prompt and do ICACLS /? for more info, Microsofts’ CLI program help text hasn’t changed since MS-DOS days still.

If you prefer a more friendly looking help desk, check out the TechNet article – http://technet.microsoft.com/en-us/library/cc753525%28WS.10%29.aspx

[Anonymous]

If you need to specify a Domain and Username to grant permissions to, replace USERNAME with DOMAINUSERNAME. It will otherwise scan the Domain that the current user (administrator) is a part of for the specified username if omitted (as long as you are actively connected to the domain controller), so the DOMAIN prepender usually isn’t required in most cases unless you are (a) Doing an offline administrative task or (b) Have a multi-domain system with shared resources and User Accounts. Make sense?

Actually, i’m pretty sure ICACLS supports the USERNAME to be a Group aswell as a user name or domain/user name. As such, since you mentioned Domain, it maybe better to change USERNAME for Administrators which would apply the permissions to all users in the Administrators group across the domain (provided the Workstation is correctly configured for User Group Domain Propagation, or whatever it’s called – that thing where it transparently sees local + domain users as one and the same… or is that always on in Windows these days?)

Remember though that the ICACLS /grant simply adds permissions for the USERNAME you specify (or, it replaces them if the object(s) already have a certain permission set for that particular USERNAME). It doesn’t remove anything at all, and will still respect inherited permissions (the parent folder’s permissions if set to recurse through) which is set to true by default. In other words, if you do a /grant command for ten different users on a certain object, that object will have ten new SD (Security Descriptor) entries.

😉

Fire-up an administrative Command Prompt and do ICACLS /? for more info, Microsofts’ CLI program help text hasn’t changed since MS-DOS days still.

If you prefer a more friendly looking help desk, check out the TechNet article – http://technet.microsoft.com/en-us/library/cc753525%28WS.10%29.aspx

[JingoFresh]

@DMikeM wrote:

My background is actually windows first with a few years of Xenix/Unix support.

I do know that what I am asking is in fact dangerous but I do have good full time firewalls on our network and a good resident antimalware on my machines. I also run FireFox with NoScript and Adblock Plus, and cookies disabled for new and unknown sites.

What you are asking for is not just dangerous, but entireley unneccessary. You don’t need to run as higher than Administrator, ever, for anything. If you are actually running as the Administrator account with UAC turned off, you won’t get prompted for any authentication, and you will have full access.

If programs do not work, it is not due to a lack of access, but some other problem.

Insisting that you wish to run as higher than the Administrator account shows that you don’t have that great of an idea how Windows works, or what you are doing.

Some issues are as minor as the system will not allow me to save a database file in the program directory or make changes to the existing ones, even with “Run as Admin” used.

Then just run as the Administrator, and you will have full access, and won’t need to use run as admin.

Remember, run as admin only means the program you ran as admin wil lhave access, not anything outside of it…..

[Anonymous]

@DMikeM wrote:

My background is actually windows first with a few years of Xenix/Unix support.

I do know that what I am asking is in fact dangerous but I do have good full time firewalls on our network and a good resident antimalware on my machines. I also run FireFox with NoScript and Adblock Plus, and cookies disabled for new and unknown sites.

What you are asking for is not just dangerous, but entireley unneccessary. You don’t need to run as higher than Administrator, ever, for anything. If you are actually running as the Administrator account with UAC turned off, you won’t get prompted for any authentication, and you will have full access.

If programs do not work, it is not due to a lack of access, but some other problem.

Insisting that you wish to run as higher than the Administrator account shows that you don’t have that great of an idea how Windows works, or what you are doing.

Some issues are as minor as the system will not allow me to save a database file in the program directory or make changes to the existing ones, even with “Run as Admin” used.

Then just run as the Administrator, and you will have full access, and won’t need to use run as admin.

Remember, run as admin only means the program you ran as admin wil lhave access, not anything outside of it…..

[JonusC]

Not entirely true. If you launch a process as administrator, any additional processes that it creates will also be run as administrator. If he starts his Database client as administrator, but it still can’t write to the database file, then the only thing left to check out is permissions.

He’s already stated that he’s running as an administrator of a domain so there is additional layers of security at hand in regards to Local and Group Policy. I have a hunch that the reason why it’s happening is because the Administrators Group needed to be have Grant:Full on the program folder and it’s children, rather than just the local administrator user.

Then just run as the Administrator, and you will have full access, and won’t need to use run as admin.

Seriously, did you even read that? Just run as administrator, then you wont need to run as administrator? 😆 Besides, the ‘Run as Administrator’ context menu option is 100% useless when UAC is disabled as long as the account is actually in the Administrators group already (which in Server 2008(R2), Vista and Win7, the default account already is).

We already established a few posts back that he doesn’t need to run higher than Administrator, so you saying all that was pretty much a meaningless flame to my eye. Please actually read all the posts before you reply next time.

[Anonymous]

Not entirely true. If you launch a process as administrator, any additional processes that it creates will also be run as administrator. If he starts his Database client as administrator, but it still can’t write to the database file, then the only thing left to check out is permissions.

He’s already stated that he’s running as an administrator of a domain so there is additional layers of security at hand in regards to Local and Group Policy. I have a hunch that the reason why it’s happening is because the Administrators Group needed to be have Grant:Full on the program folder and it’s children, rather than just the local administrator user.

Then just run as the Administrator, and you will have full access, and won’t need to use run as admin.

Seriously, did you even read that? Just run as administrator, then you wont need to run as administrator? 😆 Besides, the ‘Run as Administrator’ context menu option is 100% useless when UAC is disabled as long as the account is actually in the Administrators group already (which in Server 2008(R2), Vista and Win7, the default account already is).

We already established a few posts back that he doesn’t need to run higher than Administrator, so you saying all that was pretty much a meaningless flame to my eye. Please actually read all the posts before you reply next time.

[DMikeM]

@JingoFresh wrote:

@DMikeM wrote:

My background is actually windows first with a few years of Xenix/Unix support.

I do know that what I am asking is in fact dangerous but I do have good full time firewalls on our network and a good resident antimalware on my machines. I also run FireFox with NoScript and Adblock Plus, and cookies disabled for new and unknown sites.

What you are asking for is not just dangerous, but entireley unneccessary. You don’t need to run as higher than Administrator, ever, for anything. If you are actually running as the Administrator account with UAC turned off, you won’t get prompted for any authentication, and you will have full access.

If programs do not work, it is not due to a lack of access, but some other problem.

Insisting that you wish to run as higher than the Administrator account shows that you don’t have that great of an idea how Windows works, or what you are doing.

Some issues are as minor as the system will not allow me to save a database file in the program directory or make changes to the existing ones, even with “Run as Admin” used.

Then just run as the Administrator, and you will have full access, and won’t need to use run as admin.

Remember, run as admin only means the program you ran as admin wil lhave access, not anything outside of it…..

Please don’t try to start a flame war in a good thread. Saying that I don’t know what I am doing is a pretty petty statement. I would suggest you add a spellchecker to your browser or not make posts in a heated hurry.

I have tried as “YOU” have suggested and as I have stated things do not always work as expected. Some of our drives come from older windows installs and are attached to new Win 2008 server installs. These old volumes need to be re-managed so that they will function properly. My original question was all encompassing to address these problems as well as getting better access to my own files and system processes.

Have a nice Day
Mike

[Anonymous]

@JingoFresh wrote:

@DMikeM wrote:

My background is actually windows first with a few years of Xenix/Unix support.

I do know that what I am asking is in fact dangerous but I do have good full time firewalls on our network and a good resident antimalware on my machines. I also run FireFox with NoScript and Adblock Plus, and cookies disabled for new and unknown sites.

What you are asking for is not just dangerous, but entireley unneccessary. You don’t need to run as higher than Administrator, ever, for anything. If you are actually running as the Administrator account with UAC turned off, you won’t get prompted for any authentication, and you will have full access.

If programs do not work, it is not due to a lack of access, but some other problem.

Insisting that you wish to run as higher than the Administrator account shows that you don’t have that great of an idea how Windows works, or what you are doing.

Some issues are as minor as the system will not allow me to save a database file in the program directory or make changes to the existing ones, even with “Run as Admin” used.

Then just run as the Administrator, and you will have full access, and won’t need to use run as admin.

Remember, run as admin only means the program you ran as admin wil lhave access, not anything outside of it…..

Please don’t try to start a flame war in a good thread. Saying that I don’t know what I am doing is a pretty petty statement. I would suggest you add a spellchecker to your browser or not make posts in a heated hurry.

I have tried as “YOU” have suggested and as I have stated things do not always work as expected. Some of our drives come from older windows installs and are attached to new Win 2008 server installs. These old volumes need to be re-managed so that they will function properly. My original question was all encompassing to address these problems as well as getting better access to my own files and system processes.

Have a nice Day
Mike

[JingoFresh]

@JonusC wrote:

Not entirely true. If you launch a process as administrator, any additional processes that it creates will also be run as administrator. If he starts his Database client as administrator, but it still can’t write to the database file, then the only thing left to check out is permissions.

Permissions, or some sub program is being called not as Administrator user for some reason would be my guess.

He’s already stated that he’s running as an administrator of a domain so there is additional layers of security at hand in regards to Local and Group Policy. I have a hunch that the reason why it’s happening is because the Administrators Group needed to be have Grant:Full on the program folder and it’s children, rather than just the local administrator user.

Sure, but it is my understanding that he wants to run as a higher user. This is what is wrong and unnecessary.

Seriously, did you even read that? Just run as administrator, then you wont need to run as administrator?

Ahh, I see the ambiguity. I meant use the run as administrator option from a normal user account, and you would not have to run as the administrator user.

We already established a few posts back that he doesn’t need to run higher than Administrator, so you saying all that was pretty much a meaningless flame to my eye. Please actually read all the posts before you reply next time.

I just reread through the thread, and can’t see where that was sorted. He actually mentions trying to get his user account to run with system privileges, when he should know better. If I have misinterpreted or missed something, then I do apologise. I am not trying to flame for no reason, but rather to point out what I consider to be something daft when I see it.

@DMikeM wrote:

Please don’t try to start a flame war in a good thread. Saying that I don’t know what I am doing is a pretty petty statement. I would suggest you add a spellchecker to your browser or not make posts in a heated hurry.

Sure, and if I have drawn a false conclusion, I apologize. But, earlier on in the thread, where you stated you tried to get your user account to run with System privileges, demonstrates a poor understand of the Windows architecture, which led me to my conclusion. Of course, assumptions can be false, and if so, I do apologize, and would like to hear your justification.

I have tried as “YOU” have suggested and as I have stated things do not always work as expected. Some of our drives come from older windows installs and are attached to new Win 2008 server installs. These old volumes need to be re-managed so that they will function properly. My original question was all encompassing to address these problems as well as getting better access to my own files and system processes.

You stated you had problems, for example, installing UT3 server and not being granted permissions. Having installed this several times(assuming you mean the game), I can honestly say I have never had a problem, which is another reason I don’t see your level of privilege as being the issue.

Again, sorry for any misunderstanding, not trying to flame, etc…

[Anonymous]

@JonusC wrote:

Not entirely true. If you launch a process as administrator, any additional processes that it creates will also be run as administrator. If he starts his Database client as administrator, but it still can’t write to the database file, then the only thing left to check out is permissions.

Permissions, or some sub program is being called not as Administrator user for some reason would be my guess.

He’s already stated that he’s running as an administrator of a domain so there is additional layers of security at hand in regards to Local and Group Policy. I have a hunch that the reason why it’s happening is because the Administrators Group needed to be have Grant:Full on the program folder and it’s children, rather than just the local administrator user.

Sure, but it is my understanding that he wants to run as a higher user. This is what is wrong and unnecessary.

Seriously, did you even read that? Just run as administrator, then you wont need to run as administrator?

Ahh, I see the ambiguity. I meant use the run as administrator option from a normal user account, and you would not have to run as the administrator user.

We already established a few posts back that he doesn’t need to run higher than Administrator, so you saying all that was pretty much a meaningless flame to my eye. Please actually read all the posts before you reply next time.

I just reread through the thread, and can’t see where that was sorted. He actually mentions trying to get his user account to run with system privileges, when he should know better. If I have misinterpreted or missed something, then I do apologise. I am not trying to flame for no reason, but rather to point out what I consider to be something daft when I see it.

@DMikeM wrote:

Please don’t try to start a flame war in a good thread. Saying that I don’t know what I am doing is a pretty petty statement. I would suggest you add a spellchecker to your browser or not make posts in a heated hurry.

Sure, and if I have drawn a false conclusion, I apologize. But, earlier on in the thread, where you stated you tried to get your user account to run with System privileges, demonstrates a poor understand of the Windows architecture, which led me to my conclusion. Of course, assumptions can be false, and if so, I do apologize, and would like to hear your justification.

I have tried as “YOU” have suggested and as I have stated things do not always work as expected. Some of our drives come from older windows installs and are attached to new Win 2008 server installs. These old volumes need to be re-managed so that they will function properly. My original question was all encompassing to address these problems as well as getting better access to my own files and system processes.

You stated you had problems, for example, installing UT3 server and not being granted permissions. Having installed this several times(assuming you mean the game), I can honestly say I have never had a problem, which is another reason I don’t see your level of privilege as being the issue.

Again, sorry for any misunderstanding, not trying to flame, etc…

[JonusC]

ANYWAY…

Did the O.P. actually figure out his system? This topic was indeed interesting 😆

Maybe I’ll head over to an Ubuntu forum now and ask them something like – how do I use my computer as ‘root’ all the time? I don’t want any of these so-called “SECURITY PRECAUTIONS” in place from now fancy-pants “KERNEL PROGRAMMER” who thinks he knows what I’m free to do and not to do on my computer!!!

WOW I’m being a jerk! If the thread creator reads that, I’m just playing mate don’t stress… let us know if you sorted it out though or how far you got

But yeah, if you want to take 100% control of your PC it’s quite easy really..

1) Disable UAC
2) Take ownership of all files
3) Assign “Full Permissions” to the “Administrators” group to your entire C:
4) [Optional] save hackers the effort and nuke your harddisk right now, set PC on fire, throw it out window, etc.

If it still doesn’t work, either update/swap your software to a newer or alternative one compatible with the OS, or simply go back to the older version of Windows that was originally working. Nothing too difficult there

[Anonymous]

ANYWAY…

Did the O.P. actually figure out his system? This topic was indeed interesting 😆

Maybe I’ll head over to an Ubuntu forum now and ask them something like – how do I use my computer as ‘root’ all the time? I don’t want any of these so-called “SECURITY PRECAUTIONS” in place from now fancy-pants “KERNEL PROGRAMMER” who thinks he knows what I’m free to do and not to do on my computer!!!

WOW I’m being a jerk! If the thread creator reads that, I’m just playing mate don’t stress… let us know if you sorted it out though or how far you got

But yeah, if you want to take 100% control of your PC it’s quite easy really..

1) Disable UAC
2) Take ownership of all files
3) Assign “Full Permissions” to the “Administrators” group to your entire C:
4) [Optional] save hackers the effort and nuke your harddisk right now, set PC on fire, throw it out window, etc.

If it still doesn’t work, either update/swap your software to a newer or alternative one compatible with the OS, or simply go back to the older version of Windows that was originally working. Nothing too difficult there

[Sevener]

@JingoFresh wrote:

You don’t need to run as higher than Administrator, ever, for anything. If you are actually running as the Administrator account with UAC turned off, you won’t get prompted for any authentication, and you will have full access.

This statement is NOT TRUE.
Windows is NOT Linux.
Unlike Linux root, Windows Administrator is not able to do ANYTHING. I won’t go deep into technical details, but this is just how Windows works.

[Anonymous]

@JingoFresh wrote:

You don’t need to run as higher than Administrator, ever, for anything. If you are actually running as the Administrator account with UAC turned off, you won’t get prompted for any authentication, and you will have full access.

This statement is NOT TRUE.
Windows is NOT Linux.
Unlike Linux root, Windows Administrator is not able to do ANYTHING. I won’t go deep into technical details, but this is just how Windows works.

[JonusC]

@Sevener wrote:

@JingoFresh wrote:

You don’t need to run as higher than Administrator, ever, for anything. If you are actually running as the Administrator account with UAC turned off, you won’t get prompted for any authentication, and you will have full access.

This statement is NOT TRUE.
Windows is NOT Linux.
Unlike Linux root, Windows Administrator is not able to do ANYTHING. I won’t go deep into technical details, but this is just how Windows works.

Please, do go deeper into technicals for the sake of backing up your claim. Name ONE Win32 application that requires higher privledges than Administrator – apart from standard TrustedInstaller calls of course (such as those that install new drivers or kernel stacks, that are built with trusted/signed INF’s and certificates via standard methods in Windows development).

JingoFresh is correct, but feel free to refute him/me when you actually find some proof and we can talk more on it.

[Anonymous]

@Sevener wrote:

@JingoFresh wrote:

You don’t need to run as higher than Administrator, ever, for anything. If you are actually running as the Administrator account with UAC turned off, you won’t get prompted for any authentication, and you will have full access.

This statement is NOT TRUE.
Windows is NOT Linux.
Unlike Linux root, Windows Administrator is not able to do ANYTHING. I won’t go deep into technical details, but this is just how Windows works.

Please, do go deeper into technicals for the sake of backing up your claim. Name ONE Win32 application that requires higher privledges than Administrator – apart from standard TrustedInstaller calls of course (such as those that install new drivers or kernel stacks, that are built with trusted/signed INF’s and certificates via standard methods in Windows development).

JingoFresh is correct, but feel free to refute him/me when you actually find some proof and we can talk more on it.

[Sevener]

Just a couple of weeks ago my COMODO antivirus suddenly broke. After system booted it immediately hung up and consumed 100% of CPU time. I couldn’t uninstall it while it was running. I could not stop the tray application (because it would immediately restore itself) and, most importantly, I could not end its system process from the Task Manager (it said I didn’t have enough privileges). Of course I was running taskman as Administrator. So, the only solution left was to boot in Safe Mode.
Another case was about a year ago on Vista, when I couldn’t delete a certain system file (I don’t remember what was its name and why did I want to delete it).
I remember having this kend of issues several more times earlier but I don’t remember details because a lot of time passed.
And AFAIK I cannot delete C:/Windows, can I?

[Anonymous]

Just a couple of weeks ago my COMODO antivirus suddenly broke. After system booted it immediately hung up and consumed 100% of CPU time. I couldn’t uninstall it while it was running. I could not stop the tray application (because it would immediately restore itself) and, most importantly, I could not end its system process from the Task Manager (it said I didn’t have enough privileges). Of course I was running taskman as Administrator. So, the only solution left was to boot in Safe Mode.
Another case was about a year ago on Vista, when I couldn’t delete a certain system file (I don’t remember what was its name and why did I want to delete it).
I remember having this kend of issues several more times earlier but I don’t remember details because a lot of time passed.
And AFAIK I cannot delete C:/Windows, can I?

[Indrek]

File permissions are a separate issue. As far as I understood, JonusC was talking about running applications, for which you indeed don’t need to go higher than Administrator.

[Anonymous]

File permissions are a separate issue. As far as I understood, JonusC was talking about running applications, for which you indeed don’t need to go higher than Administrator.

[JingoFresh]

@JonusC wrote:

Maybe I’ll head over to an Ubuntu forum now and ask them something like – how do I use my computer as ‘root’ all the time? I don’t want any of these so-called “SECURITY PRECAUTIONS” in place from now fancy-pants “KERNEL PROGRAMMER” who thinks he knows what I’m free to do and not to do on my computer!!:

A slightly OT note, but I do indeed hate the Ubuntu approach of get rid of root. I’m all for advocating the approach they have by default, but banning or refusing to tell people how to enable root on their forums is going a bit too far.

@Sevener wrote:

This statement is NOT TRUE.
Windows is NOT Linux.
Unlike Linux root, Windows Administrator is not able to do ANYTHING. I won’t go deep into technical details, but this is just how Windows works.

@JonusC wrote:

Please, do go deeper into technicals for the sake of backing up your claim. Name ONE Win32 application that requires higher privledges than Administrator – apart from standard TrustedInstaller calls of course (such as those that install new drivers or kernel stacks, that are built with trusted/signed INF’s and certificates via standard methods in Windows development).

JingoFresh is correct, but feel free to refute him/me when you actually find some proof and we can talk more on it.

I assume Sevener is talking about the fact that unlike root, the Administrator account is not the most powerful. Although, saying that the Administrator can’t do anything is by far an exaggeration.

While it is true that there are higher privilege accounts than Administrator, these are never designed to be used by users, and are internal to Windows. It also is in no way a problem, and you don’t gain anything by trying to make your account a member of the same group as the System account.

Sevener, the reason you could not end your antivirus, is because it is a trashy program that does indeed run as System. If you look at the vulnerability history for that program, you will probably find running that software leads to a decrease in security, rather than an increase.

[Anonymous]

@JonusC wrote:

Maybe I’ll head over to an Ubuntu forum now and ask them something like – how do I use my computer as ‘root’ all the time? I don’t want any of these so-called “SECURITY PRECAUTIONS” in place from now fancy-pants “KERNEL PROGRAMMER” who thinks he knows what I’m free to do and not to do on my computer!!:

A slightly OT note, but I do indeed hate the Ubuntu approach of get rid of root. I’m all for advocating the approach they have by default, but banning or refusing to tell people how to enable root on their forums is going a bit too far.

@Sevener wrote:

This statement is NOT TRUE.
Windows is NOT Linux.
Unlike Linux root, Windows Administrator is not able to do ANYTHING. I won’t go deep into technical details, but this is just how Windows works.

@JonusC wrote:

Please, do go deeper into technicals for the sake of backing up your claim. Name ONE Win32 application that requires higher privledges than Administrator – apart from standard TrustedInstaller calls of course (such as those that install new drivers or kernel stacks, that are built with trusted/signed INF’s and certificates via standard methods in Windows development).

JingoFresh is correct, but feel free to refute him/me when you actually find some proof and we can talk more on it.

I assume Sevener is talking about the fact that unlike root, the Administrator account is not the most powerful. Although, saying that the Administrator can’t do anything is by far an exaggeration.

While it is true that there are higher privilege accounts than Administrator, these are never designed to be used by users, and are internal to Windows. It also is in no way a problem, and you don’t gain anything by trying to make your account a member of the same group as the System account.

Sevener, the reason you could not end your antivirus, is because it is a trashy program that does indeed run as System. If you look at the vulnerability history for that program, you will probably find running that software leads to a decrease in security, rather than an increase.

[JonusC]

Hey JF,

Yeah well – I can’t stand all those Linux’s that aren’t even Linux haha. You run Ubuntu, you’re an Ubuntu user – not a Linux user. Same with Fedoran, Mandriva, openSUSE, and so on…. sure they are easy to use, but they are no more “elite” than Windows in my opinion, they are just as babied down and sandboxed (albeit poorly as they still required root/console access in many cases). Slackware on the other hand…. you run slackware, and you DO run Linux – knowledge that is transferable to any other distro…

[End OT]

Anywho, Sevener that Comodo thing, that’s called a bug. Not a permissions or user rights or privledges issue.

I could not end its system process from the Task Manager (it said I didn’t have enough privileges). Of course I was running taskman as Administrator.

I have never seen that before in my entire life. Oh wait – you were probably trying to kill the Service or the Kernel Driver. Either go to services.msc or Device Manager to stop it in this case. But regardless, this is a BUG. There is – literally – no such user in Windows higher than administrator. TrustedInstaller is internally used by AUTHORIZED administrative-approved setup tasks, and SYSTEM is just a psuedo-user meaning it operates outside the scope of the Roaming Profiles (i.e. kernel/boot drivers).

Another case was about a year ago on Vista, when I couldn’t delete a certain system file (I don’t remember what was its name and why did I want to delete it).

As I said, taking ownership and then CHMOD’ing it is all you have to do. There are two common mistakes people make in this case that they still complain about not having access after doing that, (1) not disabling inherited permissions or (2) not observing the user group assignment hierachy to see which permissions are actually effective for a particular user (usually it’s “Everyone” conflicting, for obvious reasons). Commonly you have to take ownership then erase all existing permissions (to break all inhereted relationships in the object node), then start from scratch adding permissions.

And AFAIK I cannot delete C:/Windows, can I?

That’s a little insulting. You sound like one of these Linux fanboys who wants a feature to be available, despite it being 10000000% useless – its just the fact that you can’t do it, and so you complain about Windows being sandboxed. With that said, yes you can as long as you take ownership of the folder (well you could in Vista anyway).

[Anonymous]

Hey JF,

Yeah well – I can’t stand all those Linux’s that aren’t even Linux haha. You run Ubuntu, you’re an Ubuntu user – not a Linux user. Same with Fedoran, Mandriva, openSUSE, and so on…. sure they are easy to use, but they are no more “elite” than Windows in my opinion, they are just as babied down and sandboxed (albeit poorly as they still required root/console access in many cases). Slackware on the other hand…. you run slackware, and you DO run Linux – knowledge that is transferable to any other distro…

[End OT]

Anywho, Sevener that Comodo thing, that’s called a bug. Not a permissions or user rights or privledges issue.

I could not end its system process from the Task Manager (it said I didn’t have enough privileges). Of course I was running taskman as Administrator.

I have never seen that before in my entire life. Oh wait – you were probably trying to kill the Service or the Kernel Driver. Either go to services.msc or Device Manager to stop it in this case. But regardless, this is a BUG. There is – literally – no such user in Windows higher than administrator. TrustedInstaller is internally used by AUTHORIZED administrative-approved setup tasks, and SYSTEM is just a psuedo-user meaning it operates outside the scope of the Roaming Profiles (i.e. kernel/boot drivers).

Another case was about a year ago on Vista, when I couldn’t delete a certain system file (I don’t remember what was its name and why did I want to delete it).

As I said, taking ownership and then CHMOD’ing it is all you have to do. There are two common mistakes people make in this case that they still complain about not having access after doing that, (1) not disabling inherited permissions or (2) not observing the user group assignment hierachy to see which permissions are actually effective for a particular user (usually it’s “Everyone” conflicting, for obvious reasons). Commonly you have to take ownership then erase all existing permissions (to break all inhereted relationships in the object node), then start from scratch adding permissions.

And AFAIK I cannot delete C:/Windows, can I?

That’s a little insulting. You sound like one of these Linux fanboys who wants a feature to be available, despite it being 10000000% useless – its just the fact that you can’t do it, and so you complain about Windows being sandboxed. With that said, yes you can as long as you take ownership of the folder (well you could in Vista anyway).

[JingoFresh]

@JonusC wrote:

And AFAIK I cannot delete C:/Windows, can I?

That’s a little insulting. You sound like one of these Linux fanboys who wants a feature to be available, despite it being 10000000% useless – its just the fact that you can’t do it, and so you complain about Windows being sandboxed. With that said, yes you can as long as you take ownership of the folder (well you could in Vista anyway).

You would run into problems rm -rf’ing /lib on a linux system as well, due to the basic utilities not running without the libaries they need. Most systems will run into problems if you try and delete the system files, and most won’t let you if the files are in use.

[Anonymous]

@JonusC wrote:

And AFAIK I cannot delete C:/Windows, can I?

That’s a little insulting. You sound like one of these Linux fanboys who wants a feature to be available, despite it being 10000000% useless – its just the fact that you can’t do it, and so you complain about Windows being sandboxed. With that said, yes you can as long as you take ownership of the folder (well you could in Vista anyway).

You would run into problems rm -rf’ing /lib on a linux system as well, due to the basic utilities not running without the libaries they need. Most systems will run into problems if you try and delete the system files, and most won’t let you if the files are in use.

[JonusC]

Indeed.

Anywho, the main issue I find with Windows 7 users is relying on the cryptic-at-best-descriptions of the Security GUI. You need to remember, when editing permissions, to check the “Replace all child object permissions with inheritable permissions from this object” and Windows will be all “OMG are you SURE dude!?!?” when all it means is to “propagate this new Permission Rule to all objects inside this object; where they are marked to inherit from the folder above them” (and most files/folders, if not all unless specified otherwise; do inherit permissions from parents by default).

It’s why it’s a good idea to get that ‘Take Ownership’ shell extension, or make your own. This is the one-liner I use with FileMenu Tools (a context menu customizer) which works on Folders only (not files) but will go through and take ownership/add permissions to all of said folders’ files/directories:

@cmd /c @echo off && echo WARNING! This will take ownership and grant permission of && echo ALL containing files and folders recursively, INCLUDING && echo system folders. This can be dangerous and is undoable! && echo. && pause && takeown /f %FILEPATHS% /r /a /d y && echo --- && icacls %FILEPATHS% /grant administrators:F && echo. && echo. && pause && EXIT

[Anonymous]

Indeed.

Anywho, the main issue I find with Windows 7 users is relying on the cryptic-at-best-descriptions of the Security GUI. You need to remember, when editing permissions, to check the “Replace all child object permissions with inheritable permissions from this object” and Windows will be all “OMG are you SURE dude!?!?” when all it means is to “propagate this new Permission Rule to all objects inside this object; where they are marked to inherit from the folder above them” (and most files/folders, if not all unless specified otherwise; do inherit permissions from parents by default).

It’s why it’s a good idea to get that ‘Take Ownership’ shell extension, or make your own. This is the one-liner I use with FileMenu Tools (a context menu customizer) which works on Folders only (not files) but will go through and take ownership/add permissions to all of said folders’ files/directories:

@cmd /c @echo off && echo WARNING! This will take ownership and grant permission of && echo ALL containing files and folders recursively, INCLUDING && echo system folders. This can be dangerous and is undoable! && echo. && pause && takeown /f %FILEPATHS% /r /a /d y && echo --- && icacls %FILEPATHS% /grant administrators:F && echo. && echo. && pause && EXIT

[Author]

Posts