MakeMeAdmin follow-up

[Update Aug 6 2012: Attached the MakeMeAdmin.zip file to this blog post because the external hosting server is being decommissioned.]

 

Shortly after I first posted MakeMeAdmin, it was pointed out to me that it didn’t work correctly if the current user account had embedded spaces in the name.  I posted a correction in the comments of that post, but I never got around to updating the download version until now.

 

The updated MakeMeAdmin.zip contains three script files:  MakeMeAdmin.cmd and MakeMePU.cmd temporarily elevate to admin and to Power User, respectively, as before but now work correctly with embedded spaces in the user name.  The new script is MakeMeAdminSC.cmd.  MakeMeAdminSC works just like MakeMeAdmin but uses smart card authentication for the current user instead of password authentication, via the runas.exe /smartcard option.  Insert your smart card before running MakeMeAdminSC; it will prompt you for the admin password, then for your smart card PIN.  (In order to work, the smart card needs to be associated with the account you’re currently logged in under.)

 

More on “Default Owner”

 

In my first MakeMeAdmin post, there’s a section called “Objects created while running with elevated privilege,” the main parts of which I’ll recap here:

 

Normally, when a user creates a securable object, such as a file, folder, or registry key, that user becomes the “owner” of the object and by default is granted Full Control over it.  Prior to Windows XP, if the user was a member of the Administrators group, that group, rather than the user, would get ownership and full control….  Windows XP introduced a configurable option whether ownership and control of an object created by an administrator would be granted to the specific user or to the Administrators group.  The default on XP is to grant this to the object creator; the default on Windows Server 2003 is to grant it to the Administrators group….

 

If I use MakeMeAdmin to install programs, my normal account will be granted ownership and full control over the installation folder, the program executable files, and any registry keys the installation program creates.  Those access rights will remain even when I am no longer running with administrator privileges.  That’s not what I want at all.  I want to be able to run the app, create and modify my own data files, but not to retain full control over the program files after I have installed it.

 

I concluded by saying:

 

For this reason, I changed the “default owner” setting on my computer to “Administrators group”.

 

Today I would like to go further:  If you are going to use the same account for admin and non-admin activities (e.g., with MakeMeAdmin), I strongly recommend that you change the “Default owner” setting on your computer to “Administrators group”.

 

Why?  Well, the malware problem is not going away any time soon.  Running with limited privilege will not make the bad guys stop trying to own your computer – there is far too much profit on the line.  Today, running as a normal User instead of as an admin is tremendously effective against malware, because most malware is not designed for lower-privilege scenarios and it just fails.  But as more people begin running as non-admin, the miscreants will adjust accordingly.  Running as LUA, they will have to find new ways to hide their stuff and to get their stuff to run.  You don’t want to give them the ability to write to the folders containing the programs you run every day, especially if you also run the same programs as admin.

 

When setting up a new system, I would recommend changing the “default owner” setting as early as possible, and using the built-in Administrator account to install as much as possible.  Don’t create or log in with your normal account until after “default owner” has been changed.

 

Note that changing the security setting does not change the ownership or access control lists (ACLs) of existing objects, only objects created afterwards.  It might be wise to review the security attributes of folders, files and registry keys on your system, or even to consider wiping your system and starting over.  (Tip to get started:  “DIR /Q” displays the owner of listed files and folders.  Try this in your Program Files folder.)

 

For Windows XP Professional:

 

To change the setting on Windows XP Professional, open “Local Security Policy” in Administrative Tools, or run secpol.msc.  You need to be an admin to use this tool.  In the left pane, browse to Security Settings \ Local Policies \ Security Options.  The policy name is “System objects: Default owner for objects created by members of the Administrators group”.  The allowable settings are “Administrators group” or “Object creator”.  Change it to “Administrators group.”

 

For Windows XP Home Edition:

 

The “Local Security Policy” utility is not available on Windows XP Home Edition.  To change the setting on XP Home, you need to modify the Registry directly.  All caveats about mucking with the Registry apply here.  You need to make this change while running as admin, so if you mess up, you can really mess up!  In RegEdit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.  Find the value called “nodefaultadminowner”.  The supported values are “0” for “Administrators group”, or “1” for “Object creator”.  Set the value to 0.

MakeMeAdmin.zip

Comments

  • Anonymous
    March 13, 2005
    The comment has been removed

  • Anonymous
    March 15, 2005
    How to quickly and temporarily give your non-admin account administrator privileges, without having to log out.

  • Anonymous
    March 21, 2005
    Hey there. great blog and thanks for MakeMeAdmin. However, I was particularly struck by aaron's comment that: "Note that changing the security setting does not change the ownership or access control lists (ACLs) of existing objects, only objects created afterwards. It might be wise to review the security attributes of folders, files and registry keys on your system, or even to consider wiping your system and starting over."

    this all seems like mind blowingly difficult -- and of little use for anybody with an existing XP installation who wants to try to try to improve security by ratcheting down user permissions. I guess my question is: will there be features in Longhorn or some future release that makes it easier for folks who are upgrading (not starting clean) to change existing accounts to run as LUA without doing all the acrobatics you describe here?

  • Anonymous
    March 22, 2005
    The comment has been removed

  • Anonymous
    March 22, 2005
    Is there a posibility to modify the script so that the password for the administrator is also included and you don't need to enter it. E.g. we want to install automatically an application via a login script. It must be installed under the users-account (shortcuts,...) but the user need to be temporary local admin. The program to run field can it include unc names e.g. "\kemindataMovex Explorer v12JavaClientInstallWorkst Config v12Java.EXE" /S

  • Anonymous
    March 23, 2005
    p.f. roberts - Yes, you absolutely do improve security simply by removing yourself from the Administrators group. However, "security" is not a simple "on/off" setting. No matter what you do, there are always additional risks to consider. Whether you choose to live with the risk identified in this post or not is up to you. I'm just pointing out that it's there.

    Nik - runas.exe accepts passwords and smartcard PINs only through keyboard input. I'm not on the Windows team and never have been so I don't know for sure, but I suspect the reason for this is to discourage people from putting plaintext passwords in plaintext script files!

  • Anonymous
    March 26, 2005
    The ability to use your script with a smart card sounds intriguing.

    What is a good source for a small developer to purchase a smart card and card reader/programmer?

  • Anonymous
    March 27, 2005
    What is a good source doc for understanding & writing cmd scripts?

    There are many character combinations in MakeMeAdmin.cmd that are not obvious to me.

    Thanks!

  • Anonymous
    March 28, 2005
    Les, my main reference for command scripting is: %windir%Helpntcmds.chm. It's surprisingly powerful - they added a lot of functionality circa Windows 2000.

  • Anonymous
    March 28, 2005
    Aaron - I'm running W2k Server. When I double click on the ntcmds.chm, I get a msg of:

    This Help file contains topics integrated into the main Windows 2000 Help and is not meant for browsing. For overviews of features and help with specific tasks, click Start, and then click Help.

    The commands, such as "net localgroup", I can figure out.

    I'm mostly interested in the syntax of the special chars such as:
    %~s0

    I can see that it translates to the current program being called - but I'd love to see all this syntax spelled out in a help file or web page.

    Thanks!

  • Anonymous
    March 28, 2005
    The comment has been removed

  • Anonymous
    March 29, 2005
    Aaron - Do you think it would be possible to create a .NET app that could duplicate the functionality of MakeMeAdmin, and yet not require typing in passwords - and also verify that the local user has been removed from Administrators group?

    For example, could http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/createprocesswithlogonw.asp
    be used to start a process as admin, then add the local user to Admin group (using other code), then start a process as the local user, and then remove the loca user from Admins group?

    The code could obtain encrypted passwords from some location (USB thumb drive, easy and cheap) and decrypt them, so as not to be so much of a security risk.

    Could you point me in the right direction on this - or put me in touch with someone who might find this interesting to code?

  • Anonymous
    April 18, 2005
    Complete list of Aaron Margosis' non-admin / least privilege posts, for easy lookup.

  • Anonymous
    April 29, 2005
    Just so you know, there's a simple and free tool that solves just about every one of the issues I've seen raised here. PolicyMaker Application Security can make any change to a process token (add and/or remove any group and/or modify any privilge) on the fly as processes are launched. It can be targeted to specific users, computers, command lines, application hashes, etc. This solves just about every concern I've seen raised here and it's completely transparent to users. It doesn't use passwords or seperate user accounts. It's a group policy extension that's free when managed from Local GPO. No kiddng - it's listed on the wiki site.

  • Anonymous
    May 31, 2005
    As mentioned above PolicyMaker and its Registry Extension are FREE and work GREAT. I had an application that would not run under anything but Local/Domain Admin and the developers would not help with the issue. I installed PolicyMaker and now it works fine with the user logged in with normal User permissions. Thanks for all the info on this site, its a great help for getting applications to work in today's security context even though some developer's still think we're running Win98!!!!

  • Anonymous
    May 31, 2005
    The comment has been removed

  • Anonymous
    June 02, 2005
    I'm having a problem where VS 2003 run using MakeMeAdmin (xp pro sp2 all sec fixes) can single step an ASP.NET fine - but refuses to open IE when I hit continue.

    It also refuses to open IE when run from MakeMeAdmin if I tell it to 'start without debugging'.

    I can see an iexplorer.exe task getting created in the task manager.

    If I use RunAs Administrator, VS 2003 also refuses to start IE.

    If I log off and log in as Administrator - then VS 2003 will start IE.

    If I add my NonAdmin user to Administrators group (log off and log back in), then VS 2003 will start IE.

    How can I resolve this issue?

  • Anonymous
    June 10, 2005
    Get your friends and family, all those folks that come to you for computer help once their machines have...

  • Anonymous
    June 12, 2005
    Shame on me that I forgot last week to mention Robert Hurlbut's excellent Birds of a Feather session...

  • Anonymous
    June 23, 2005
    <p>Now I know that it was a stupid thing to do, but I jumped in without applying sufficient thought!<br/>So, whatever you do, <b>DO NOT RUN</b> MakeMeAdmin from an Admin account. ESPECIALLY if there is only one Admin account on your system!<br/>Aaron's advice page states:
    </p>
    <i>The bit that runs as local administrator does the following:<br/>

    <ol><li>Adds your current account to the local Administrators group (using NET LOCALGROUP, avoiding the problem of needing network credentials to resolve names);</li>
    <li>Invokes RunAs to start a new instance of cmd.exe using your current account, which is at this instant a member of Administrators;</li>
    <li>Removes your current account from the local Administrators group.</li></ol></i>

    <p>Unfortunately, what is missing is a stage that determines if the current account is a member of the Administrators group in the first place and a condition on the removal from that group at the end of the process.<br/>Aaron, please save others the stress and embarrassment that I have just been through.</p>

  • Anonymous
    June 24, 2005
    The comment has been removed

  • Anonymous
    July 29, 2005
    The comment has been removed

  • Anonymous
    August 04, 2005
    Mike Rickard writes:
    'Fortunately we don't want users running "Windows Update", so the fact that this is broken from a secondary logon in XP SP2 doesn't bother us.'

    Despite much searching, I have found very little mention of this (including on this blog) and no working solutions. I was hoping MakeMeAdmin might fix the problem, but reading the above comment makes me understand why it doesn't, since MakeMeAdmin depends on the Secondary Logon service even though you're re-logging-in as yourself. Windows Update is the final thing I'm forced to log out and re-log-in as Administrator for.

    Aaron, any insights on this one?

  • Anonymous
    September 23, 2005
    If your user account has a blank password, MakeMeAdmin won't work with the default security settings in XP.

    Below is an update for the code to allow for that. It replaces the contents of the else ( ) block in the script, which is most of the body.

    What it does is toggle the security setting "Accounts: Limit local account use of blank passwords to console logon only" to Disabled right before running the program. Then it switches the value back to Enabled right after running the program.

    ---
    ) else (
    echo Adding user %* to group %Group%...
    net localgroup %Group% "%" /ADD
    if ERRORLEVEL 1 echo. && pause
    echo.
    echo Allowing for blank passwords...
    reg ADD HKLMSYSTEMCurrentControlSetControlLsa /v limitblankpassworduse /t REG_DWORD /d 0 /f
    if ERRORLEVEL 1 echo. && pause
    echo.
    echo Starting program in new logon session...
    runas /u:"%
    " %Prog%
    if ERRORLEVEL 1 echo. && pause
    echo.
    echo Limiting blank passwords...
    reg ADD HKLMSYSTEMCurrentControlSetControlLsa /v limitblankpassworduse /t REG_DWORD /d 1 /f
    if ERRORLEVEL 1 echo. && pause
    echo.
    echo Removing user %* from group %Group%...
    net localgroup %Group% "%*" /DELETE
    if ERRORLEVEL 1 echo. && pause
    )
    ---

  • Anonymous
    November 14, 2005
    Aaaron, it might be of interest to you that the respected German computer magazine c't published an enhanced version of MakeMeAdmin. It's available on http://www.heise.de/ct/ftp/result.xhtml?url=/ct/ftp/05/23/112/default.shtml&words=MachMichAdmin

  • Anonymous
    November 19, 2005
    Anybody has English transation of this?
    I do not speak German & online translation is useless for this kind of docs

  • Anonymous
    November 19, 2005
    maybe you should ask the author: je@ct.heise.de (Mr. Johannes Endres)

  • Anonymous
    November 19, 2005
    maybe you should ask the author: je@ct.heise.de (Mr. Johannes Endres)

  • Anonymous
    November 21, 2005
    The comment has been removed

  • Anonymous
    December 03, 2005
    The comment has been removed

  • Anonymous
    December 17, 2005
    WARNING: If you (accidentally!) run this command as the same user that is already admin that the script is trying to change to (%ADMIN%) then that user is REMOVED from the users allowed to log on. I'm not sure how to restore this yet. Fortunately I have another admin user on this pc so can still logon etc.

  • Anonymous
    December 17, 2005
    The comment has been removed

  • Anonymous
    December 17, 2005
    Final post! The solution is only a partial solution. The issue is MakeMeAdmin removes the Admin user from the Administrators group. So if that user is only a member of the Administrators group, and then the user is removed, they cannot log on. I'm not sure how to test if a user is already a member of the Administrators group, but at least the solution avoid one common problem.

  • Anonymous
    December 17, 2005
    allank - Good catch, and already caught earlier (see earlier comments to this post). See also in an earlier comment the use of the /i switch when making the admin/user comparison -- /i makes it a case-insensitive comparison.
    Thanks.

  • Anonymous
    January 02, 2006
    Dan Kahler: though I like your proposition to cope with all cases, it won't work as is,because the way errorlevel is handled will lead the script to exit in all cases.
    Moreover, if the current user is locally logged on, and is member of the Administrators group, then "net localgroup %Group%" won't return "%User%", but "%USERNAME%" instead ;-)

    Thus, here is a new proposition, derived from yours:
    if /i %USERDOMAIN%==%COMPUTERNAME% (
    net localgroup %Group% | findstr /i /x "%USERNAME%"
    ) else (
    net localgroup %Group% | findstr /i /x "%User%"
    )
    if ERRORLEVEL 1 (
    goto Continue
    )
    echo Account "%User%" is already member of the "%Group%" group, aborting...
    pause
    goto Exit
    :Continue
    [... unchanged code]
    :Exit
    endlocal

  • Anonymous
    January 11, 2006
    For anyone having problems getting Visual Studio 2003 to debug ASP.NET these documents will help you out:

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dv_vstechart/html/tchDevelopingSoftwareInVisualStudioNETWithNon-AdministrativePrivileges.asp

    That article explains how to run ASP.NET with your own account instead of the ASPNET account. It explains what folderpermissions to set and how to adjust machine.config. The username and password are in plain text through (see the second link for a solution to that)

    And for the encryption in machine.config:
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;329290

    It works like a charm now. Thanks for the excelent script!

  • Anonymous
    February 05, 2006
    The comment has been removed

  • Anonymous
    February 06, 2006
    Has anyone else recently noticed that MakeMeAdmin is not working on Windows XP Pro? I have had problems escalating privileges using this tool just within the past two weeks, on machines that I could previously use the tool on. I am thinking that a lately released Microsoft patch has rendered the program inoperable?

  • Anonymous
    February 06, 2006
    Dennis L - I haven't seen that problem, and my machine is fully up-to-date.  What error is it reporting?

  • Anonymous
    February 06, 2006
    Hi Aaron- The error I am getting is shown below. I am getting this on WinXP Pro with all Microsoft patches installed:

    Attempting to start C:DOCUME~1DENNIS~1DesktopMAKEME~1MAKEME~1.CMD OFFICEde
    nnis as user "OFFICEAdministrator" ...
    RUNAS ERROR: Unable to run - C:DOCUME~1DENNIS~1DesktopMAKEME~1MAKEME~1.CMD
    OFFICEdennis
    5: Access is denied.

  • Anonymous
    February 06, 2006
    Dennis L - try putting the CMD file in a location that is readable to all users rather than on one account's Desktop.  I created a "Utils" folder (as admin) under %ProgramFiles%, and have a shortcut to it on my Desktop.

  • Anonymous
    February 07, 2006
    The comment has been removed

  • Anonymous
    February 23, 2006
    Mike Rickard wrote :

    Because we don't give them a local admin account, we provide a related script "admin rights on-the-fly" which effectively runs a pause command rather than a secondary logon, so that if they plug in some USB device that pops up one of those authentication boxes asking for an admin level account, they can run that script, then authenticate as themselves. We also advise them that control panel access for administrative tasks is via this "explorer". They need this mainly for uninstalling software.

    My request : more info on how I achieve thsi please!

    Some background :

    I work for a university, and all of our student accounts are simply 'users' and I definatly do not want to change this, but ... we are encouraging them to use usb pens, usb hard drives etc, to carry personal audio/video files around that they are working on, but .. a majority will not install as a user, and we have to log out the student, log in as an admin, connect their device and then they can log back in.

    have you any ideas how I can make a script to help this situation? makemeadmin, looks good, but I dont know how I can apply this to a usb device that they are plugging in?

    All of the web searches, seem to come up with lots of ways to stop usb, but none to allow??

    any ideas?

    many thanks

  • Anonymous
    March 01, 2006
    How about autoadmin logon with read admin account with something like Driveshield (now Cornerstone Compuguard)
    Costs extra, but works in excellent way

  • Anonymous
    March 01, 2006
    Mike, did you try something like: cpau

    sebus

  • Anonymous
    March 02, 2006
    Has anyone found a solution to Les' problem detailed above?

    Recap:
    "I'm having a problem where VS 2003 run using MakeMeAdmin (xp pro sp2 all sec fixes) can single step an ASP.NET fine - but refuses to open IE when I hit continue.

    It also refuses to open IE when run from MakeMeAdmin if I tell it to 'start without debugging'.

    I can see an iexplorer.exe task getting created in the task manager.

    If I use RunAs Administrator, VS 2003 also refuses to start IE.

    If I log off and log in as Administrator - then VS 2003 will start IE.

    If I add my NonAdmin user to Administrators group (log off and log back in), then VS 2003 will start IE."

  • Anonymous
    March 08, 2006

    In today’s Webcast we first started off with a continuation from last week. &amp;nbsp;Last week we explored...

  • Anonymous
    March 27, 2006
    A systematic approach for working around LUA bugs that avoids unnecessary exposure - &quot;the rest of the story&quot;

  • Anonymous
    April 10, 2006
    PingBack from http://skmullen.wordpress.com/2006/04/10/makemeadmin/

  • Anonymous
    April 28, 2006
    PingBack from http://n3wjack.net/index.php/2006/03/10/running-windows-as-a-non-admin/

  • Anonymous
    May 01, 2006
    The comment has been removed

  • Anonymous
    May 10, 2006
    Pretty neat tool...  I am looking for a way to keep a group from running as admin, but also have the ability to run IIS as an admin.  The main limitation is that I cannot give these developers any passwords or use the "RunAs" command.  I've been told by Microsoft that this is not possible, but would like to know if you've ever explored doing this.

  • Anonymous
    May 11, 2006
    Mike - so you want to enable an otherwise unprivileged group to administer IIS - and inetinfo.exe runs as LocalSystem?  In other words - give an unprivileged group complete control over a process running as LocalSystem?  (Do you see the inherent contradiction?)

    Suggestion:  give the developers computers with Virtual PC (or Virtual Server), on an isolated network.  They can then run guest machines however they need to without putting your enterprise at risk.

  • Anonymous
    May 29, 2006
    PingBack from http://www.tedroche.com/blog/?p=1957

  • Anonymous
    May 31, 2006
    Hi Aaron,

    I have written a tool called "Launch Admin". It is designed to be used in conjuction with MakeMeAdmin. It adds an icon to the system tray and allows Administrative tasks to preformed quickly. I wrote the program because of my habit of closing open windows (in this case the admin command prompt). The tool can be downloaded from

    http://launch-admin.sourceforge.net

    Best Regards,

    Patrick

  • Anonymous
    June 01, 2006
    Note for W2K users: you can decompile ntcmds.chm and recompile it with auto generate table of contents. The resulting help file no longer refuses access.

    Brian Williams

  • Anonymous
    June 17, 2006
    Aaron,

    I'm not very comfortable with batch files that make global changes.

    Consider a situation when an unsophisticated user invokes MakeMeAdmin to run an app (that requires admin privilges) and a power interruption causes the computer to reboot.

    That user account will be left in the admin group.  Not a good idea.

    Is there a programmatic solution on a per-process basis?

    Thanks,
    Alex.

  • Anonymous
    June 18, 2006
    The comment has been removed

  • Anonymous
    June 18, 2006
    Alex & Patrick Ryhnart - there is some risk that those scenarios could happen.  If power fails at that stage, though, you could always log in as local admin at next startup and fix the Administrators membership.  (You could also do it while logged on with your erstwhile non-admin account, but you may have some apps running at startup - like IM - that you don't want running with admin privs.)

    Re KB 165194, that's obsoleted in XPSP2 if you use the CreateProcessWithLogonW API.  The resulting token shares the same Logon SID as the caller, so DACLs don't need to be adjusted.

    Personally, I'd feel a lot more uncomfortable about having my password in a plain text file on my hard drive.

  • Anonymous
    June 18, 2006
    Thanks Aaron - Good point about the DACLs :)

    What if the password on the hard drive was encrypted ? This could be used to prevent other LUA users from decrypting the password.

    (Administrator's would be able to attach a debugger and see the CreateProcessAsUser() call and password however.)

  • Anonymous
    June 18, 2006
    The comment has been removed

  • Anonymous
    June 18, 2006
    The comment has been removed

  • Anonymous
    June 20, 2006
    Hi Aaron,

    There's a better way to prevent a LUA user from remaining a member of the administrators group which doesn't involve obfuscating passwords.

    The solution is to write an application to be invoked (as before) via runas /u:Administrator

    The application:

    1) Determines the LUA user on winsta0default
    2) Prompts for their password (to be supplied using the keyboard - not read from a file)
    3) Promotes the LUA user to the administrators group
    4) Executes the required app with elevated privileges using the CreateProcessAsUser() API
    5) Removes the LUA user from the administrators group

    In other words, the application performs the same steps as MakeMeAdmin, except that (in the case of MakeMeAdmin) steps 2 and 3 are reversed. Since steps 3-5, above, are completed almost instantaneously, the likelihood of a LUA user remaining a member of the administrators group, in the event of a problem, is significantly reduced.

    Regards,

    Patrick. Pretty close to how I'd do it if I wrote it as an exe instead of a cmd:  Prompt for the name of the admin account that you'll use to do the group manipulations, the password for that admin account, and the password for the non-admin account you're logged in with (I wouldn't get it from winsta0default - just get the current context).  Call LogonUser with the local admin creds and ImpersonateLoggedOnUser with the resulting token to get admin privs.  Add the user to admins.  RevertToSelf and then launch the target app with CreateProcessWithLogonW (not CreateProcessAsUser for reasons mentioned in an earlier comment-reply).  Impersonate again to local admin, remove the current user from the admins group and RevertToSelf again.The hinted-at LUA Buglight (coming soon!) does something very similar to this to get the "this-user-as-admin" context to get through LUA bugs during app analysis.  Lots more on that soon... -- Aaron

  • Anonymous
    June 21, 2006
    Thanks for that Aaron - I've coded your suggestion up and it works fine!

    Cheers,

    Patrick

  • Anonymous
    July 22, 2006
    Hey,

    First of all thank you so much for making this i love the idea but how it works thats a problem for me... when i open up the MakeMeAdmin file it comes into a cmd.exe type window and then asks for the admin password...the problem is idk it thats why i got it so i could bypass that... how do i do this? email me at afw22792@aim.com if anyone has an answer.

    Thanks,
    Drew Well, yeah, MakeMeAdmin doesn't allow arbitrary elevation of privilege by unauthorized users.  You need to have admin credentials in order to use it. -- Aaron

  • Anonymous
    July 22, 2006
    Hey agian,

    Ok. So I figured out something. For those of you like me looking for a way to bypass the admin and unlock a website from your routers. All you have to do is restart in Safe Mode by pressing F8 and hiting the Safe Mode then just continue through the restart as normal. When you get to the login stage click on the Administrator account that doesnt have to have a password. From there go to My Computer then to your C Drive. From there click on the "WINDOWS" folder and then click "System32" folder, "drivers" folder and finaly the "etc" folder. Then finaly open the "Hosts" file with wordpad or notepad just some text editor. Then take off the IP address and the website and save. WALA! You have done it!...gotta love determined 15 year olds huh!


    Drew Having a blank password for the admin account makes sense only if you trust everything who has physical access to the console.  Gotta love sysadmins who misconfigure a system that way when the users aren't supposed to be able to have admin privileges.  BTW - if you can log in to Safe mode with a blank-pwd admin account, then you can do that from the normal logon screen as well.  (Precisely how is left as an exercise for determined 15 year olds.) -- Aaron

  • Anonymous
    July 25, 2006
    I use the fingerprint reader in my laptop to log onto Windows (by way of third-party software from Wave Systems, which was included it), and I'd prefer to use it for elevation as well, rather than having to fall back to typing the password. Is this possible, or is a smartcard the only alternative to a password? I'm pretty sure that RUNAS.EXE is unaware of that fingerprint reader as an authentication mechanism.  If you can replace "RUNAS.EXE" in MakeMeAdmin with an equivalent that uses the reader, it might work. -- Aaron

  • Anonymous
    September 14, 2006
    PingBack from http://bgbennyboy.wordpress.com/2006/09/15/windows-user-accounts-putting-theory-into-practice/

  • Anonymous
    September 15, 2006
    This is all very good information thank you, and that application "PolicyMaker Application Security" is very good.  I have been fighting all these issues you discuss here, and this application seems to do the trick.  It was mentioned in earlier post here.  What do you think about this app Aaron? I've written a number of posts (and an article) about approaches to fixing "LUA bugs", including using the PMAS approach, which is referenced in this post.  IMHO, it should be a last resort.  See this TOC for links to the rest of the Identifying and Fixing LUA Bugs series. -- Aaron

  • Anonymous
    October 31, 2006
    I've been using MakeMeAdmin with: set Prog="C:Progra~1Intern~1iexplore.exe file:///c:/" to start regular Windows Explorer as an administrator. This allows me to run setup programs, the Control Panel, etc. Under Windows XP SP2 Home and IE 6, everything works great. But I upgraded to IE 7 and IE refused to be launched this way; I think it just displayed my home page. The release notes for IE 7 mention the removal of the telnet and gopher protocols, but no mention of the file protocol. Any ideas on how to restore this functionality? John:  With IE7, iexplore.exe no longer browses the file system.  If you direct it to, iexplore.exe will send a DDE message to the desktop shell, which then opens an explorer.exe window for the requested folder.  See the blog post RunAs with Explorer for another way to browse the file system in a different security context. HTH -- Aaron

  • Anonymous
    November 02, 2006
    PingBack from http://blog.donnael.com/?p=1318

  • Anonymous
    November 13, 2006
    I've been somewhat remiss of late in my focus on what I consider to be a very important aspect of the

  • Anonymous
    November 22, 2006
    PingBack from http://darkness.codefu.org/wordpress/2006/11/22/250

  • Anonymous
    January 05, 2007
    PingBack from http://keycruncher.com/blog/2005/08/23/makemeadmin-windows-xp-admin-escalation-tool/

  • Anonymous
    January 10, 2007
    Most of our machines have two smart card readers.  I tried MakeMeAdminSC and it failed.  There was a message about 'no card in sc reader x' then it prompted me for a pin anyway...then I don't think it could resolve the credentials.   (WinXP Pro on domain)

  • Anonymous
    January 29, 2007
    The comment has been removed

  • Anonymous
    February 23, 2007
    The comment has been removed

  • Anonymous
    March 30, 2007
    Im having problem with this. My father having a pc for office. One of the staff had make the PC admin with her user name n others user name is not an admin. How to go about this.

  • Anonymous
    March 31, 2007
    Paul, you cannot use this without knowing the admin password. I suggest you read the preceding blog for better understaning of MakeMeAdmin: http://blogs.msdn.com/aaron_margosis/archive/2004/07/24/193721.aspx

  • Anonymous
    July 10, 2007
    Viruses and Spyware are annoying to deal with that’s why the following is a bit of a guide to make sure

  • Anonymous
    July 10, 2007
    PingBack from http://eyhfernwiniwini.wordpress.com/2007/07/10/running-as-limited-user-the-easy-way/

  • Anonymous
    July 11, 2007
    PingBack from http://sebastiancarlin.wordpress.com/2007/07/12/running-as-limited-user-the-easy-way/

  • Anonymous
    July 12, 2007
    PingBack from http://xrmulric.wordpress.com/2007/07/13/running-as-limited-user-the-easy-way/

  • Anonymous
    August 25, 2007
    PingBack from http://kirbyalisasai.wordpress.com/2007/08/26/running-as-limited-user-the-easy-way/

  • Anonymous
    August 25, 2007
    PingBack from http://kirbyalisasai.wordpress.com/2007/08/26/running-as-limited-user-the-easy-way-2/

  • Anonymous
    August 25, 2007
    PingBack from http://kirbyalisasai.wordpress.com/2007/08/26/running-as-limited-user-the-easy-way-4/

  • Anonymous
    August 25, 2007
    PingBack from http://kirbyalisasai.wordpress.com/2007/08/26/running-as-limited-user-the-easy-way-3/

  • Anonymous
    August 25, 2007
    PingBack from http://kirbyalisasai.wordpress.com/2007/08/26/running-as-limited-user-the-easy-way-6/

  • Anonymous
    August 25, 2007
    PingBack from http://kirbyalisasai.wordpress.com/2007/08/26/running-as-limited-user-the-easy-way-5/

  • Anonymous
    February 22, 2008
    From the "doesn't just saying it make it true?" department: I was reading the March 2008 issue of Maximum

  • Anonymous
    August 24, 2008
    2wThank's.6q I compleatly agree with last post.  jwh <a href="http://skuper.ru">ламинат и паркет</a> 7o

  • Anonymous
    August 28, 2008
    I've found a new way to break MakeMeAdmin.  To keep it from being used for smart malware, after creating another account with administrative privileges, I deleted the original "Administrator" account.   Now when I try to run MakeMeAdmin, it wants the password for a nonexistent "Administrator" account.   I figured, OK, I'll create a new "Administrator" account. Oops.  In XP home, I can't create another "Administrator" or "administrator" account: I get "An account named 'Administrator' already exists.   Type a different name." This was possible in NT4, though it was a different account from the original "Administrator" account, FWIW.   IS there an easy way to change the default name for the local "Administrator" account?? Thanks for creating and updating this! [Aaron Margosis]  Edit MakeMeAdmin.cmd and change the Admin variable to reference the available admin account instead of "Administrator".

  • Anonymous
    November 10, 2008
    The comment has been removed

  • Anonymous
    November 11, 2008
    The comment has been removed

  • Anonymous
    December 03, 2008
    I have a problem with Visual studio 2003. i am trying to debug a source code located on visual source safe. if i am running as a local admin it works. but when i used the makemeadmin tool - debug is finished but the IE windows won't show-up in order for you to debug. i even tried Sudowin and runas admin all with the same result. if i open the page i am debugging manually it opens. but this is frustrating. Help please Thanks

  • Anonymous
    May 06, 2010
    Hi! This is funny to have all those posts for an essential feature "become a temporary admin” Windows should have for a longtime now. [Aaron Margosis] And it has had it ever since Windows Vista shipped.  The UAC "Protected Admin" same-user elevation feature is essentially MakeMeAdmin, but better. Anyway, here is my problem, how can I launch a new system tray with makemeadmin ? I need to control parameters for system tray apps and it's not possible without admin privileges. Thank you Chris

  • Anonymous
    June 17, 2014
    The comment has been removed

  • Anonymous
    February 22, 2015
    hi. I've got an issue with the MakeMeAdmin. The cmd prompt asks for the administrator password, and i'm just no t able to type anything, my keyboard simply doesn't work in this (only in the prompt). What should I do? [Aaron Margosis] First of all, are you still running XP?  UAC (Vista/2008 and newer) gets rid of the need for MakeMeAdmin.  You shouldn't be running XP anymore. Second, if for some reason you still need to run XP or Server 2003, runas.exe does not echo the password characters that you type into the console.  Most utilities don't.  E.g., if you run NET USE ... and it prompts for a password, it doesn't echo the characters you type to the console either.

  • Anonymous
    February 27, 2016
    Whenever I use UAC to elevate a command prompt, I always end up with a command prompt with the administrator account, not an elevated LUA. What am I doing wrong? It seems the only way to get my account as an administrator is to add it to the administrator group, log out, log in, do the elevated work, remove myself from the administrator account and log out and in again. I'd hoped MakeMeAdmin would help but the script failed giving an Access Denied error message, so I assume it's not allowed in Windows 7. [Aaron Margosis] Follow this link to see why Vista [and everything newer, including Windows 7] renders MakeMeAdmin obsolete.

  • Anonymous
    March 01, 2016
    Thanks for the info. I'd not realised how UAC worked until I tried adding my LUA to the administrator account. Now I can do things properly.