A
Andrew McLaren
DaveGray said:
Yeah. I actually meant that you'd use the literal, built-in "Administrator"
account as the alternative FUS session.
If you log into Vista as a User who is a member of the Administrators group,
you still only get a "standard user" token when you log in. You only get
elevated to Administrative privilege, when the code you're running is
elevated, either by maifest, by a "Run as" command, or by internal,
programmatic elevation. The rest of the time, you are protected from doing
dumb things, because you're a running as a standard user - even though
you're an administrator.
Except that, as we saw, Explorer does not prompt for elevation; so even if
you're an administrator, you're SOL.
If you log in as the literal, built-in Administrator account (with a
S-1-5-21-*-500 SID), you get a full Administrative token right from the
start, when you log in. So everything runs elevated all the time, including
Explorer. So you can do whatever the hell you want.
Obviousy this is risky, and Vista rightly disables the Administrator
account, by default. I'm kinda lazy so I enabled it, and that's what I use
when I FUS over to an alternative session.
If you do enable the Administrator account, make sure you only use it for
specific purposes. Likewise, the more secure arrangement is to run as a
Standard User most of the time, and elevate to Administrator as required;
rather than run as an Administrator with a restricted token. But that can be
challenging, especially if you're running Visual Studio etc.
Hope it helps,
Andrew