{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 Juvenile、少年° 的问题《What precisely does 'Run as administrator'》','https://www.manongdao.com/q-56546.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
On Windows 7, I have a command-line program that fails due to file write permission errors, and popping up annoying UAC dialogs every time I run command-line programs that are from an 'unknown publisher'.
However, if I start my console by right clicking and choosing 'run as administrator', then the install works fine, even if the UAC dialogs are still present.
My user is already a member of the 'administrators' group, so what precisely does 'run as administrator' do that makes my install work?
My specific question is precisely: What does 'run as administrator' do? Neither of the answers thus far address this. (for example, does it run the new process as the 'Administrator' user? Or does it run the process as the current user, but with elevated privileges? If so, what privileges? How does that differ from the privileges I get from my user being in the 'Administrators' group?
(Specifically, I'm using the 'Console' from SourceForge, not a regular CMD window, but I don't think that's important. This is all while installing the Python 'distribute' package by running 'python distribute_setup.py' on a newly installed Python3 MSI from python.org. It's a 32-bit Python on 64-bit Windows. See Installing Python and distribute on Windows 7 gives "Writing failed ... permission denied")
Things like "elevates the privileges", "restricted access token", "Administrator privilege" ... what the heck is administrator privilege anyway? are nonsense.
Here is an ACCESS_TOKEN for a process normally run from a user belonging to Administrators group.
... and here is an ACCESS_TOKEN for a process normally run by the same user with "Run as administrator".
As you see, the only difference is the token ID:
vs
Sorry, I can't add much light into this yet, but I am still digging.
A little clearer... A software program that has kernel mode access has total access to all of the computer's data and its hardware.
Since Windows Vista Microsoft has stopped any and all I/O processes from accessing the kernel (ring 0) directly ever again. The closest we get is a folder created as a virtual kernel access partition, but technically no access to kernel itself; the kernel meets halfway.
This is because the software itself dictates which token to use, so if it asks for an administrator access token, instead of just allowing communications with the kernel like on Windows XP you are prompted to allow access to the kernel, each and every time. Changing UAC could reduce prompts, but never the kernel prompts.
Even when you login as an Administrator, you are running processes as a standard user until prompted to elevate the rights you have. I believe logged in as the administrator saves you from entering the credentials. But it also writes to the administrator users folder structure.
Kernel access is similar to root access in Linux. When you elevate your permissions you are isolating yourself from the root of C:\ and whatever lovely environment variables are contained within.
If you remember BSODs this was the OS shutting down when it believed a bad I/O reached the kernel.
Okay, let's re-iterate...
The actual question (and an excellent one at that)
(Answer)1. It allows you to call on administrator rights while under a user session.
Note: The question is wrongly put; one is a command and the other is a group object to apply policies.
Open a command prompt and type
runas /?.This will list all the switches the
runascommand line can use.As for the Administrators Group this is based on GPEDIT or SECPOL and whether or not a Domain administrator is present or not or a network is present or not.
Usually these things will apply restrictions on computers that the administrators group is not affected by.
The question should be
OR
You are mixing apples and oranges.
UPDATE
"Run as Aministrator" is just a command, enabling the program to continue some operations that require the Administrator privileges, without displaying the UAC alerts.
Even if your user is a member of administrators group, some applications like yours need the Administrator privileges to continue running, because the application is considered not safe, if it is doing some special operation, like editing a system file or something else. This is the reason why Windows needs the Administrator privilege to execute the application and it notifies you with a UAC alert. Not all applications need an Amnistrator account to run, and some applications, like yours, need the Administrator privileges.
If you execute the application with 'run as administrator' command, you are notifying the system that your application is safe and doing something that requires the administrator privileges, with your confirm.
If you want to avoid this, just disable the UAC on Control Panel.
If you want to go further, read the question Difference between "Run as Administrator" and Windows 7 Administrators Group on Microsoft forum or this SuperUser question.
When you log on Windows creates an access token. This identifies you, the groups you are a member of and your privileges. And note that whether a user is an administrator or not is determined by whether the user is a member of the Administrators group.
Without UAC, when you run a program it gets a copy of the access token, and this controls what the program can access.
With UAC, when you run a program it gets a restricted access token. This is the original access token with "Administrators" removed from the list of groups (and some other changes). Even though your user is a member of the Administrators group, the program can't use Administrator privileges.
When you select "Run as Administrator" and your user is an administrator the program is launched with the original unrestricted access token. If your user is not an administrator you are prompted for an administrator account, and the program is run under that account.
The Run as *Anything command saves you from logging out and logging in as the user for which you use the runas command for.
The reason programs ask for this elevated privilege started with Black Comb and the Panther folder. There is 0 access to the Kernel in windows unless through the Admin prompt and then it is only a virtual relation with the O/S kernel.
Hoorah!