What precisely does 'Run as administrator' do?
Note: this page is a translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you reuse it you must follow the same license, cite the original address and attribute it to the original authors (not me): StackOverflow
Original address: http://stackoverflow.com/questions/8986971/
Asked by Jonathan Hartley
On Windows 7, I have a command-line program that fails due to file write permission errors, and popping up annoying UAC dialogs every time I run command-line programs that are from an 'unknown publisher'.
However, if I start my console by right clicking and choosing 'run as administrator', then the install works fine, even if the UAC dialogs are still present.
My user is already a member of the 'administrators' group, so what precisely does 'run as administrator' do that makes my install work?
My specific question is precisely: What does 'run as administrator' do? Neither of the answers thus far address this. (For example, does it run the new process as the 'Administrator' user? Or does it run the process as the current user, but with elevated privileges? If so, what privileges? How does that differ from the privileges I get from my user being in the 'Administrators' group?)
(Specifically, I'm using the 'Console' from SourceForge, not a regular CMD window, but I don't think that's important. This is all while installing the Python 'distribute' package by running 'python distribute_setup.py' on a newly installed Python3 MSI from python.org. It's a 32-bit Python on 64-bit Windows. See Installing Python and distribute on Windows 7 gives "Writing failed ... permission denied")
Answered by arx
When you log on Windows creates an access token. This identifies you, the groups you are a member of and your privileges. And note that whether a user is an administrator or not is determined by whether the user is a member of the Administrators group.
Without UAC, when you run a program it gets a copy of the access token, and this controls what the program can access.
With UAC, when you run a program it gets a restricted access token. This is the original access token with "Administrators" removed from the list of groups (and some other changes). Even though your user is a member of the Administrators group, the program can't use Administrator privileges.
When you select "Run as Administrator" and your user is an administrator the program is launched with the original unrestricted access token. If your user is not an administrator you are prompted for an administrator account, and the program is run under that account.
Answered by Andrei
So ... more digging, with the result. It seems that although I ran one process normally and one "As Administrator", I had UAC off. Turning UAC to medium allowed me to see different results. Basically, it all boils down to integrity levels, of which there are 5.
Browsers, for example, run at Low Level (1), while services (System user) run at System Level (4). Everything is very well explained in Windows Integrity Mechanism Design . When UAC is enabled, processes are created with Medium level (SID S-1-16-8192 AKA 0x2000 is added) while when "Run as Administrator", the process is created with High Level (SID S-1-16-12288 aka 0x3000).
So the correct ACCESS_TOKEN for a normal user (Medium Integrity level) is:
0:000:x86> !token
Thread is not impersonating. Using process token...
TS Session ID: 0x1
User: S-1-5-21-1542574918-171588570-488469355-1000
Groups:
00 S-1-5-21-1542574918-171588570-488469355-513
Attributes - Mandatory Default Enabled
01 S-1-1-0
Attributes - Mandatory Default Enabled
02 S-1-5-32-544
Attributes - DenyOnly
03 S-1-5-32-545
Attributes - Mandatory Default Enabled
04 S-1-5-4
Attributes - Mandatory Default Enabled
05 S-1-2-1
Attributes - Mandatory Default Enabled
06 S-1-5-11
Attributes - Mandatory Default Enabled
07 S-1-5-15
Attributes - Mandatory Default Enabled
08 S-1-5-5-0-1908477
Attributes - Mandatory Default Enabled LogonId
09 S-1-2-0
Attributes - Mandatory Default Enabled
10 S-1-5-64-10
Attributes - Mandatory Default Enabled
11 S-1-16-8192
Attributes - GroupIntegrity GroupIntegrityEnabled
Primary Group: LocadDumpSid failed to dump Sid at addr 000000000266b458, 0xC0000078; try own SID dump.
s-1-0x515000000
Privs:
00 0x000000013 SeShutdownPrivilege Attributes -
01 0x000000017 SeChangeNotifyPrivilege Attributes - Enabled Default
02 0x000000019 SeUndockPrivilege Attributes -
03 0x000000021 SeIncreaseWorkingSetPrivilege Attributes -
04 0x000000022 SeTimeZonePrivilege Attributes -
Auth ID: 0:1d1f65
Impersonation Level: Anonymous
TokenType: Primary
Is restricted token: no.
Now, the differences are as follows:
S-1-5-32-544
Attributes - Mandatory Default Enabled Owner
for "As Admin", while
S-1-5-32-544
Attributes - DenyOnly
for non-admin.
Note that S-1-5-32-544 is BUILTIN\Administrators. Also, there are fewer privileges, and the most important thing to notice:
admin:
S-1-16-12288
Attributes - GroupIntegrity GroupIntegrityEnabled
while for non-admin:
S-1-16-8192
Attributes - GroupIntegrity GroupIntegrityEnabled
I hope this helps.
Further reading: http://www.blackfishsoftware.com/blog/don/creating_processes_sessions_integrity_levels
Answered by Alberto Solano
UPDATE
"Run as Administrator" is just a command, enabling the program to continue some operations that require the Administrator privileges, without displaying the UAC alerts.
Even if your user is a member of the administrators group, some applications like yours need the Administrator privileges to continue running, because the application is considered not safe if it is doing some special operation, like editing a system file or something else. This is the reason why Windows needs the Administrator privilege to execute the application and it notifies you with a UAC alert. Not all applications need an Administrator account to run, and some applications, like yours, need the Administrator privileges.
If you execute the application with 'run as administrator' command, you are notifying the system that your application is safe and doing something that requires the administrator privileges, with your confirm.
If you want to avoid this, just disable the UAC on Control Panel.
If you want to go further, read the question Difference between "Run as Administrator" and Windows 7 Administrators Group on the Microsoft forum or this SuperUser question.
Answered by Andrei
Things like "elevates the privileges", "restricted access token", "Administrator privilege" ... what the heck is administrator privilege anyway? are nonsense.
Here is an ACCESS_TOKEN for a process normally run from a user belonging to Administrators group.
0: kd> !process 0 1 test.exe
PROCESS 87065030 SessionId: 1 Cid: 0d60 Peb: 7ffdf000 ParentCid: 0618
DirBase: 2f22e1e0 ObjectTable: a0c8a088 HandleCount: 6.
Image: test.exe
VadRoot 8720ef50 Vads 18 Clone 0 Private 83. Modified 0. Locked 0.
DeviceMap 8936e560
Token 935c98e0
0: kd> !token -n 935c98e0
_TOKEN 935c98e0
TS Session ID: 0x1
User: S-1-5-21-2452432034-249115698-1235866470-1000 (no name mapped)
User Groups:
00 S-1-5-21-2452432034-249115698-1235866470-513 (no name mapped)
Attributes - Mandatory Default Enabled
01 S-1-1-0 (Well Known Group: localhost\Everyone)
Attributes - Mandatory Default Enabled
02 S-1-5-32-544 (Alias: BUILTIN\Administrators)
Attributes - Mandatory Default Enabled Owner
03 S-1-5-32-545 (Alias: BUILTIN\Users)
Attributes - Mandatory Default Enabled
04 S-1-5-4 (Well Known Group: NT AUTHORITY\INTERACTIVE)
Attributes - Mandatory Default Enabled
05 S-1-2-1 (Well Known Group: localhost\CONSOLE LOGON)
Attributes - Mandatory Default Enabled
06 S-1-5-11 (Well Known Group: NT AUTHORITY\Authenticated Users)
Attributes - Mandatory Default Enabled
07 S-1-5-15 (Well Known Group: NT AUTHORITY\This Organization)
Attributes - Mandatory Default Enabled
08 S-1-5-5-0-85516 (no name mapped)
Attributes - Mandatory Default Enabled LogonId
09 S-1-2-0 (Well Known Group: localhost\LOCAL)
Attributes - Mandatory Default Enabled
10 S-1-5-64-10 (Well Known Group: NT AUTHORITY\NTLM Authentication)
Attributes - Mandatory Default Enabled
11 S-1-16-12288 (Label: Mandatory Label\High Mandatory Level)
Attributes - GroupIntegrity GroupIntegrityEnabled
Primary Group: S-1-5-21-2452432034-249115698-1235866470-513 (no name mapped)
Privs:
05 0x000000005 SeIncreaseQuotaPrivilege Attributes -
08 0x000000008 SeSecurityPrivilege Attributes -
09 0x000000009 SeTakeOwnershipPrivilege Attributes -
10 0x00000000a SeLoadDriverPrivilege Attributes -
11 0x00000000b SeSystemProfilePrivilege Attributes -
12 0x00000000c SeSystemtimePrivilege Attributes -
13 0x00000000d SeProfileSingleProcessPrivilege Attributes -
14 0x00000000e SeIncreaseBasePriorityPrivilege Attributes -
15 0x00000000f SeCreatePagefilePrivilege Attributes -
17 0x000000011 SeBackupPrivilege Attributes -
18 0x000000012 SeRestorePrivilege Attributes -
19 0x000000013 SeShutdownPrivilege Attributes -
20 0x000000014 SeDebugPrivilege Attributes -
22 0x000000016 SeSystemEnvironmentPrivilege Attributes -
23 0x000000017 SeChangeNotifyPrivilege Attributes - Enabled Default
24 0x000000018 SeRemoteShutdownPrivilege Attributes -
25 0x000000019 SeUndockPrivilege Attributes -
28 0x00000001c SeManageVolumePrivilege Attributes -
29 0x00000001d SeImpersonatePrivilege Attributes - Enabled Default
30 0x00000001e SeCreateGlobalPrivilege Attributes - Enabled Default
33 0x000000021 SeIncreaseWorkingSetPrivilege Attributes -
34 0x000000022 SeTimeZonePrivilege Attributes -
35 0x000000023 SeCreateSymbolicLinkPrivilege Attributes -
Authentication ID: (0,14e4c)
Impersonation Level: Anonymous
TokenType: Primary
Source: User32 TokenFlags: 0x2000 ( Token in use )
Token ID: d166b ParentToken ID: 0
Modified ID: (0, d052f)
RestrictedSidCount: 0 RestrictedSids: 00000000
OriginatingLogonSession: 3e7
... and here is an ACCESS_TOKEN for a process normally run by the same user with "Run as administrator".
TS Session ID: 0x1
User: S-1-5-21-2452432034-249115698-1235866470-1000 (no name mapped)
User Groups:
00 S-1-5-21-2452432034-249115698-1235866470-513 (no name mapped)
Attributes - Mandatory Default Enabled
01 S-1-1-0 (Well Known Group: localhost\Everyone)
Attributes - Mandatory Default Enabled
02 S-1-5-32-544 (Alias: BUILTIN\Administrators)
Attributes - Mandatory Default Enabled Owner
03 S-1-5-32-545 (Alias: BUILTIN\Users)
Attributes - Mandatory Default Enabled
04 S-1-5-4 (Well Known Group: NT AUTHORITY\INTERACTIVE)
Attributes - Mandatory Default Enabled
05 S-1-2-1 (Well Known Group: localhost\CONSOLE LOGON)
Attributes - Mandatory Default Enabled
06 S-1-5-11 (Well Known Group: NT AUTHORITY\Authenticated Users)
Attributes - Mandatory Default Enabled
07 S-1-5-15 (Well Known Group: NT AUTHORITY\This Organization)
Attributes - Mandatory Default Enabled
08 S-1-5-5-0-85516 (no name mapped)
Attributes - Mandatory Default Enabled LogonId
09 S-1-2-0 (Well Known Group: localhost\LOCAL)
Attributes - Mandatory Default Enabled
10 S-1-5-64-10 (Well Known Group: NT AUTHORITY\NTLM Authentication)
Attributes - Mandatory Default Enabled
11 S-1-16-12288 (Label: Mandatory Label\High Mandatory Level)
Attributes - GroupIntegrity GroupIntegrityEnabled
Primary Group: S-1-5-21-2452432034-249115698-1235866470-513 (no name mapped)
Privs:
05 0x000000005 SeIncreaseQuotaPrivilege Attributes -
08 0x000000008 SeSecurityPrivilege Attributes -
09 0x000000009 SeTakeOwnershipPrivilege Attributes -
10 0x00000000a SeLoadDriverPrivilege Attributes -
11 0x00000000b SeSystemProfilePrivilege Attributes -
12 0x00000000c SeSystemtimePrivilege Attributes -
13 0x00000000d SeProfileSingleProcessPrivilege Attributes -
14 0x00000000e SeIncreaseBasePriorityPrivilege Attributes -
15 0x00000000f SeCreatePagefilePrivilege Attributes -
17 0x000000011 SeBackupPrivilege Attributes -
18 0x000000012 SeRestorePrivilege Attributes -
19 0x000000013 SeShutdownPrivilege Attributes -
20 0x000000014 SeDebugPrivilege Attributes -
22 0x000000016 SeSystemEnvironmentPrivilege Attributes -
23 0x000000017 SeChangeNotifyPrivilege Attributes - Enabled Default
24 0x000000018 SeRemoteShutdownPrivilege Attributes -
25 0x000000019 SeUndockPrivilege Attributes -
28 0x00000001c SeManageVolumePrivilege Attributes -
29 0x00000001d SeImpersonatePrivilege Attributes - Enabled Default
30 0x00000001e SeCreateGlobalPrivilege Attributes - Enabled Default
33 0x000000021 SeIncreaseWorkingSetPrivilege Attributes -
34 0x000000022 SeTimeZonePrivilege Attributes -
35 0x000000023 SeCreateSymbolicLinkPrivilege Attributes -
Authentication ID: (0,14e4c)
Impersonation Level: Anonymous
TokenType: Primary
Source: User32 TokenFlags: 0x2000 ( Token in use )
Token ID: ce282 ParentToken ID: 0
Modified ID: (0, cddbd)
RestrictedSidCount: 0 RestrictedSids: 00000000
OriginatingLogonSession: 3e7
As you see, the only difference is the token ID:
Token ID: d166b ParentToken ID: 0
Modified ID: (0, d052f)
vs
Token ID: ce282 ParentToken ID: 0
Modified ID: (0, cddbd)
Sorry, I can't add much light into this yet, but I am still digging.
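The three token-centric answers above (arx's description of the filtered token, and Andrei's two token dumps, the second of which was taken with UAC off and therefore shows two identical tokens) can be checked from a normal PowerShell window without a kernel debugger. The following script is an added example and is not code from any of the answers; it uses GetTokenInformation from advapi32 with the TokenElevationType (18) and TokenIntegrityLevel (25) classes from winnt.h, plus whoami to show the raw group attributes. The namespace UacDemo and the function names are my own. Run it twice from the same admin account, once from a normally started window and once from a window started with "Run as administrator": the elevation type, the attribute on S-1-5-32-544 and the integrity label are the fields that differ. With UAC turned off, both runs report elevation type 1 (Default), which is the situation in Andrei's second dump.

```powershell
# Added example (not from the original answers): inspect the token of the current process.
$tokenApi = Add-Type -Namespace 'UacDemo' -Name 'TokenApi' -PassThru -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(
    IntPtr TokenHandle, int TokenInformationClass,
    IntPtr TokenInformation, int TokenInformationLength, out int ReturnLength);
'@

# TOKEN_INFORMATION_CLASS values from winnt.h
$TokenElevationType  = 18
$TokenIntegrityLevel = 25

function Get-TokenDword {
    param([IntPtr]$Token, [int]$Class)
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal(4)
    try {
        $len = 0
        if (-not $tokenApi::GetTokenInformation($Token, $Class, $buf, 4, [ref]$len)) {
            throw (New-Object ComponentModel.Win32Exception)   # message from GetLastError
        }
        [Runtime.InteropServices.Marshal]::ReadInt32($buf)
    } finally { [Runtime.InteropServices.Marshal]::FreeHGlobal($buf) }
}

function Get-TokenIntegritySid {
    param([IntPtr]$Token)
    # TOKEN_MANDATORY_LABEL is a SID_AND_ATTRIBUTES {PSID Sid; DWORD Attributes}; the SID
    # bytes are placed in the same buffer after the structure, so 128 bytes hold everything.
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal(128)
    try {
        $len = 0
        if (-not $tokenApi::GetTokenInformation($Token, $TokenIntegrityLevel, $buf, 128, [ref]$len)) {
            throw (New-Object ComponentModel.Win32Exception)
        }
        $pSid = [Runtime.InteropServices.Marshal]::ReadIntPtr($buf)   # first field: PSID
        New-Object Security.Principal.SecurityIdentifier($pSid)
    } finally { [Runtime.InteropServices.Marshal]::FreeHGlobal($buf) }
}

function Get-UacTokenInfo {
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)

    # 1 = Default (UAC off, or the account is not an admin: there is no linked token)
    # 2 = Full    (the unfiltered token: what "Run as administrator" gives you)
    # 3 = Limited (the UAC-filtered token a normal launch gets)
    $elevType = Get-TokenDword -Token $id.Token -Class $TokenElevationType
    $elevName = @{ 1 = 'Default'; 2 = 'Full'; 3 = 'Limited' }[$elevType]

    # The integrity SID's last sub-authority is the level: 8192 = Medium, 12288 = High
    $labelSid = Get-TokenIntegritySid -Token $id.Token
    $rid      = [int]$labelSid.Value.Split('-')[-1]

    # whoami prints the raw group attributes; "Group used for deny only" on
    # BUILTIN\Administrators is how the filtered token neutralises the group.
    $admins = whoami /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $adminAttrs = if ($admins) { $admins.Attributes } else { '(not in token)' }

    [pscustomobject]@{
        User                     = $id.Name
        ElevationType            = "$elevType ($elevName)"
        IntegrityLabel           = "$($labelSid.Value) (0x$('{0:X}' -f $rid))"
        AdministratorsAttributes = $adminAttrs
        # IsInRole honours the deny-only attribute, so this is False on the filtered
        # token even though the account is a member of the Administrators group.
        IsInRoleAdministrator    = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

Get-UacTokenInfo | Format-List
```

The IsInRole line is the practical check to use in scripts: it answers "is this process elevated right now", not "is this account in the Administrators group", which is exactly the distinction the question is asking about.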
Answered by vextorspace
Windows 7 requires that you intentionally ask for certain privileges so that a malicious program can't do bad things to you. If the free calculator you downloaded needed to be run as an administrator, you would know something is up. There are OS commands to elevate the privilege of your application (which will request confirmation from the user).
A good description can be found at:
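The "OS commands to elevate the privilege of your application" mentioned above are, in practice, ShellExecute with the "runas" verb, which is also what Explorer's "Run as administrator" menu entry calls; PowerShell exposes it as Start-Process -Verb RunAs. The script below is an added example, not code from the answer: it checks whether the current token is already elevated and, if not, relaunches the target script through that verb and reports the outcome of the UAC prompt. The function names, the UacDemo registry key and the throwaway script in %TEMP% are constructed for the demo. One caveat a practitioner wants here: runas.exe (the console tool discussed in a later answer) is a different mechanism, a secondary logon as another account; it does not go through the UAC consent path, and an administrator account started that way still receives the filtered token.

```powershell
# Added example (not from the original answer): ask the OS for elevation the same way
# "Run as administrator" does, and handle the case where the user declines the prompt.
function Test-Elevated {
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    # False on a UAC-filtered token even for members of Administrators, because the
    # Administrators SID is marked deny-only in that token.
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-Elevated {
    param(
        [Parameter(Mandatory)][string]$ScriptPath,
        [string[]]$ArgumentList = @()
    )
    if (Test-Elevated) {
        # Already running with the full token: just run the script in-process.
        & $ScriptPath @ArgumentList
        return $(if ($?) { 0 } else { 1 })
    }

    $psArgs = @('-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', ('"{0}"' -f $ScriptPath)) + $ArgumentList
    try {
        # -Verb RunAs = ShellExecuteEx with lpVerb "runas". The AppInfo service shows the
        # consent dialog and starts the child with the full (linked) token; the child
        # therefore has BUILTIN\Administrators enabled and High integrity.
        $proc = Start-Process -FilePath 'powershell.exe' -ArgumentList $psArgs -Verb RunAs -Wait -PassThru
        return $proc.ExitCode
    } catch {
        # Declining the prompt surfaces as ERROR_CANCELLED (1223) from ShellExecuteEx,
        # which Start-Process wraps in an exception.
        Write-Warning "Elevation was declined or failed: $($_.Exception.Message)"
        return 1223
    }
}

# Constructed usage: a tiny script that only succeeds with an elevated token
# (creating a key under HKLM is denied to the filtered token).
$demo = Join-Path $env:TEMP 'needs-admin.ps1'
@'
$ErrorActionPreference = 'Stop'
New-Item -Path 'HKLM:\SOFTWARE\UacDemo' -Force | Out-Null
Remove-Item -Path 'HKLM:\SOFTWARE\UacDemo' -Recurse -Force
Write-Host 'Wrote and removed HKLM:\SOFTWARE\UacDemo with an elevated token.'
'@ | Set-Content -Path $demo

$code = Invoke-Elevated -ScriptPath $demo
Write-Host "Elevated run finished with exit code $code"
```

Because the elevated child is a separate process, it does not inherit the caller's console state beyond what is passed on the command line; pass everything the elevated part needs as arguments, and treat exit code 1223 as "the user said no" rather than as a failure of the script itself.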
Answered by user5244305
The Run as *Anything command saves you from logging out and logging in as the user for which you use the runas command.
The reason programs ask for this elevated privilege started with Black Comb and the Panther folder. There is 0 access to the Kernel in windows unless through the Admin prompt and then it is only a virtual relation with the O/S kernel.
Hoorah!
Answered by user5244305
A little clearer... A software program that has kernelmode access has total access to all of the computer's data and its hardware.
Since Windows Vista Microsoft has stopped any and all I/O processes from accessing the kernel (ring 0) directly ever again. The closest we get is a folder created as a virtual kernel access partition, but technically no access to kernel itself; the kernel meets halfway.
This is because the software itself dictates which token to use, so if it asks for an administrator access token, instead of just allowing communications with the kernel like on Windows XP you are prompted to allow access to the kernel, each and every time. Changing UAC could reduce prompts, but never the kernel prompts.
Even when you login as an Administrator, you are running processes as a standard user until prompted to elevate the rights you have. I believe logged in as the administrator saves you from entering the credentials. But it also writes to the administrator users folder structure.
Kernel access is similar to root access in Linux. When you elevate your permissions you are isolating yourself from the root of C:\ and whatever lovely environment variables are contained within.
If you remember BSODs this was the OS shutting down when it believed a bad I/O reached the kernel.
Answered by user5244305
Okay, let's re-iterate...
The actual question (and an excellent one at that):
"What does 'run as admin' do that being a member of the administrators group does not?"
(Answer) 1. It allows you to call on administrator rights while under a user session.
Note: The question is wrongly put; one is a command and the other is a group object to apply policies.
Open a command prompt and type: runas /?
This will list all the switches the runas command line can use.
As for the Administrators Group this is based on GPEDIT or SECPOL and whether or not a Domain administrator is present or not or a network is present or not.
Usually these things will apply restrictions on computers that the administrators group is not affected by.
The question should be
What does runas admin do that run as user does not?
OR
What does the Administrator group do that a customized user group can't?
You are mixing apples and oranges.