browse other users directories with PowerShell

This topic contains 4 replies, has 3 voices, and was last updated by  Curtis Smith 1 month ago.

  • Author
    Posts
  • #77667

    Shane Lindberg
    Participant

    I am trying to understand some basics. How come am I able to browse another users home directory using a Powershell "Run as administrator", but I am unable to browse that same account using an explorer window from an admin account? It seems as if the Powershell has extra privileges.

  • #77668

    Curtis Smith
    Participant

    Hey Shane, that's not really a PowerShell thing, it's a UAC (User Access Control) thing. When you select "Run As Administrator" on a PowerShell console, you are instructing the system (UAC) to start PowerShell with additional "administrator" security privileges. Normal Windows Explorer is not run with these administrator privileges, and therefore the difference you experience. As evidence, try running PowerShell without using the "Run As Administrator" option. You will see you have the same restrictions as you do with Windows Explorer. So, again, it is not PowerShell, but rather UAC that you should look more into to understand what it is and how it functions.

  • #77698

    Shane Lindberg
    Participant

    Thanks for taking the time to respond. I am not so sure this is a UAC thing. It seems more to be about file permissions. The reason I say this is when I click try and view the files using Windows Explorer is says I don't have permission, but I can get permanent permission by click clicking the prompt. Then after I click the directory it goes through and changes all of the permissions so I can read them. Even if I run explorer as admin it also does not allow me to view the files without changing the permissions. It feels like it is running under NT Authority\SYSTEM, which I don't think is the case, but it appears like that since it can read other peoples directories without changing the file permissions first.

  • #77700

    Fredrik Kacsmarck
    Participant

    It's because explorer (the file browser) is old.
    I guess it's tied into so much that it's not easy to make major changes to it or it's simply because it's not a big priority.

    The main reason is that explorer can't switch user context.
    Meaning while logged in you can't change the user permissions in explorer on the local machine.
    There is a connection to UAC and it's that by default if your only permission to a folder or file is via Local Adminstratiors or Domain Admins it's supressed.
    Meaning UAC filter out that permission, hence you get the pop up to say continue or cancel when accessing one of those folders.
    If you select continue the OS will update the ACL on the folder and the files/folders below it with your user account.
    This is an issue if you e.g. use DFS and suddenly millions of files get their ACL's updated and then needs to be synched (which is why I've looked into this in the first place 🙂 )

    With command prompt and e.g. powershell you can select "Run As Administrator", there is no such option for explorer other than lowering the settings of UAC and then you have to take into account any issues with that.

    Some workarounds:

    1.
    Use applications e.g. powershell where you can select "Run As Administrator".

    2.
    Use another machine (haven't tried if it works if launched on the local machine) and browse to the share of those folders and files.
    Then the user context of explorer will not be used since it's actually the other machine that will verify and set user context based on your network credentials.

    3.
    Create a different group e.g. FileAdmins and then give that group e.g. full permissions on the folders and files.
    Add your account to that group, since it's based on something other than local admin and domain admins it's not suppressed.

  • #77706

    Curtis Smith
    Participant

    You actually can run Explorer.exe as an elevated process; however, it is not straight forward to do so. If you really want to see this issue in action I recommend using Notepad.exe

    Launch notepad.exe, go to File -> Open, then try to browse to one of the home directories. You should be blocked just like you are with explorer.exe

    Now, use RunAs Administrator to launch notepad.exe, go to File -> Open, then try to browse to one of the home directories. This time you should get the similar experience as PowerShell.exe when RunAs Administrator.

    Likewise, if you launch PowerShell.exe normally, without RunAs Administrator, you should get blocked just like you are with explorer.exe.

You must be logged in to reply to this topic.