If my cmd.exe Window says "Administrator" in the title bar, indicating it was started with elevated privileges, does this mean anything I execute from this command window is also run with elevated privileges?
Specifically, if I run something like:
msiexec SomeProgram.msi
is my installer being run with elevated privileges because it was executed from a cmd.exe that was running with elevated privileges?
More specifically: I'm wondering if applications that present a UI and return the prompt in the cmd.exe window right away, like the msiexec
call up above, are executing with elevated privileges.
Best Answer
Yes, it does execute with elevated privileges.
Simple test:
You can test this quite easily by opening one elevated and one non-elevated command prompt. Run the command
notepad.exe
in both, and try saving a blank text file toC:\Windows
. One will save, one will throw a permissions error.Thorough test:
If that's not enough to confirm it for you (it didn't really satisfy me) you can use AccessChk from SysInternals. You'll need to run this from an elevated command prompt.
Lets start by checking out the two Notepad processes that are running:
Notepad: (
accesschk.exe -v -p notepad
)One is running under my domain username, the other is running under the Administrators built-in group. It also has a high mandatory level. You can also run with the
-f
flag for a breakdown of the privileges and tokens.MSIExec and MSI files
I thought things might get a little more complicated when running
msiexec
. I have a Google Chrome standalone installer that was handy to test.msiexec.exe launching Chrome installer from elevated prompt:
chrome_installer.exe spawned by MSI:
Not so cut and dry anymore! Looks like a
chrome_installer.exe
processes was run through the MSIServer service.This makes me wonder what behavior other installers might have, so I ran an Evernote.msi I had handy:
Elevated msiexec.exe launching an Evernote installer:
Interesting; there's an msiexec.exe that's run under system level this time. I used Process Monitor to find that the actual install window that pops up comes from the system level msiexec process. Killing the high mandatory level also killed the system level process.
Non-elevated msiexec.exe launching an Evernote installer:
Looks like Evernote will get system level access either way. Double-clicking the installer has the same result.
Conclusion:
I think it's pretty well demonstrated that a processes will inherit permissions unless otherwise specified. That doesn't guarantee
msiexec SomeProgram.msi
will run with a high mandatory level across all processes processes; it could run under system level or under MSIServer. Your mileage may vary, and I wouldn't be surprised to see many instances where these rules seem to be "broken".