life ideas

December 3, 2006

RockyH – Least Privilege and Admin Access in Vista

Filed under: Uncategorized — manoftoday @ 5:51 am

This can be done by creating a shortcut to the following:

C:\Windows\System32\runas.exe /user:administrator “cmd /T:4F”

The /T:4F on the end creates a red background with white text to remind me this is a privileged command prompt.

Link to RockyH – Least Privilege and Admin Access in Vista




Windows Vista Secret #10: Open an Elevated Command Prompt in Six Keystrokes

User Account Control is, as I mentioned in secret #4, an important part of the security protection that Windows Vista offers. For any user with administrative credentials, you can always execute a process with full admin rights by right-clicking on the executable or shortcut and choosing “Run as Administrator”.

For myself, I regularly want to open an admin-level command prompt, and it’s a distraction to have to move my hands off the keyboard to go through the elevation contortions. So I was delighted to find a little keyboard shortcut for launching an elevated process. Simply press Ctrl+Shift+Enter from the search bar on the start menu with a selected application, and that triggers elevation.

For example, to launch an elevated command prompt, simply press the Win key; type cmd; press Ctrl+Shift+Enter; and then hit Alt+C to confirm the elevation prompt. Six keystrokes to an elevated command prompt!

(Once I’ve got an elevated command prompt, I always like to execute color 4f as my first input so that this console window is visually differentiated from other non-elevated windows.)





People trying out Vista Beta 2 would soon find out about the new security feature “User Account Control”. Every time you try to perform an admin function, if you are using an administrator account, system will prompt you for consent. If you are using an regular account, system will ask you to use another credential.

This feature is nice if you like to use an administrator account to browse the web and check email. It can reduce the chance of your computer being infected by virus, spyware and other malicious software. However, it gets very annoying when you have to perform a lot of admin functions. For example, I one time needed to run a small script with only a few lines. I got prompted almost once PER LINE! I cannot imagine how many times I need to click away the dialog if I need to run a large script.

Fortunately, you can turn this feature off. However, Microsoft made this somewhat difficult to change if you have not used the Management Console before. Here are the steps.

  1. Click on Start button.
  2. In the Search box, type in Command Prompt. Command Prompt will show up in the search result.
  3. Right click on Command Prompt icon and select Run as administrator.
  4. In the Command Prompt window, type in secpol.msc to bring up Local Security Setting management console.
  5. Expand Local Policies and click on Security Options. Scroll down to find User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode. Double click on the entry and change the setting to No prompt. Update: In Vista RC1, the wording has been changed to Elevate without prompting.
  6. The change made in Local Security Setting is not immediate. To force the change immediately, go back to the Command Prompt (cmd) window and type in gpupdate .

Note that from now on, the system will not prompt you again which is both good and bad. Your Vista machine is as vulnerable as Windows XP again if you like to use an admin account for daily use. I strongly recommend everyone who change this setting to use a regular account.


Leave a Comment »

No comments yet.

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Create a free website or blog at

%d bloggers like this: