PrivBar — An IE/Explorer toolbar to show current privilege level


[Aug 15 2008:  Click here for updated links and instructions.]

[Updated again:  Click here.]

I’ve long wanted a way to know at a glance whether I am logged in as a member of the all-powerful Administrators group, the slightly less-powerful Power Users group, or as an ordinary User. The more I use RunAs (including with Explorer)and MakeMeAdmin, the more I need to be able to distinguish privilege levels of various apps on my desktop. Someday I might try to come up with a robust way to do this for all windows on my desktop. For now, I’ve got PrivBar.

PrivBar is a toolbar for Explorer and Internet Explorer that shows you broadly at what privilege level that particular instance is running. Here are some examples:


PrivBar with IE running as an administrator


PrivBar with IE running as a Power User


PrivBar with IE running as a normal User


PrivBar with IE running with a restricted token

PrivBar shows you roughly what your privilege level is by checking the current process’ token for membership in Administrators, Power Users, Users, or Guests.  The circle on the bar will be red if you are in Administrators, yellow if you are Power User, green otherwise.  If you are an admin, the bar’s background will be yellow.  Finally, if that instance is running with a restricted token (e.g., by using the RunAs dialog’s “protect my computer” option, which I will describe in detail in a future post), the circle will be green with a red line through it. (For the geeks: PrivBar uses the CheckTokenMembership API, so yes, it properly takes into account disabled or deny-only SIDs.)

If you click on the circle or the group name, PrivBar will display a dialog like the one below showing you detailed information about the current token, including its principal (the user account), logon ID, whether you are running with a restricted token, groups, restricted SIDs (if a restricted token), and privileges. The information that appears in the dialog is collected in a background thread so as not to slow down IE/Explorer startup. If it has not collected all the data yet, it will say so. Just close the dialog and click the circle again.

For more information about what this stuff actually means, check out any or all of the following:

System Requirements:

I have tested the current version of PrivBar on Windows XP SP1 and SP2 (RC2), and on Windows Server 2003. I tried installing it one time on Windows 2000 Server but there was some missing dependency that I haven’t bothered to track down yet.

Installation:

My sincerest apologies, but it’s a manual installation:

  1. Download the zip file
  2. Extract PrivBar.dll and put it somewhere where all users have Read access to it.
  3. At a command prompt (or the Run dialog), run
    regsvr32 path\PrivBar.dll
    where path is the folder location to which you extracted PrivBar.dll. You need to be running as an administrator or Power User to do this.
  4. Extract PrivBarReg.reg from the zip file and import it into the registry. The easiest way is to double-click the file in Explorer. Again, you need to be an administrator or Power User to do this.

You can now enable the bar in Explorer or IE by choosing View / Toolbars / PrivBar. Its initial, default location is not very good, but as far as I know there isn’t a way for PrivBar to dictate a better position unless it insists on using up an entire row (which isn’t worth it). You may need to unlock the toolbars so that you can place it somewhere better. If you want PrivBar always to be shown, note that there are three different per-user views that are separately configured: Internet Explorer, Explorer “Open” view, and Explorer “Explore” view. You need to enable and position PrivBar for each of these views, for each user. If anyone knows of a reliable way to automate this, please let me know! (One somewhat helpful tip: try double-clicking multiple times on the “handle” thing on the left edge of a menu or toolbar to see some useful pre-set sizes.)

 

Comments (103)

  1. boyd says:

    Nice thing.

    Do you thing there is a change we could get the source of it?

  2. JackoPlacko says:

    On Server 2003 Pl Std View / Toolbars / PrivBar is not present.

  3. Boyd – I think posting the source would be a good thing. I’ll try to get it presentable and post it.

    JackoPlacko – make sure that you have copied the DLL into a location in which all users have at least Read access. Make sure to regsvr32 the DLL in that location, and also import the .reg file in the zip file.

  4. JackoPlacko says:

    Aaron.

    All my steps (follow yours) are property executed – but View / Toolbars / PrivBar is not present.

    Just I send for You message with more info about fragments registry.

    Thx.

  5. Aaron,

    I’m in the same boat as Jacko…I’ve installed and registered the DLL in a location where the Users group has Read access, I’ve added the registry entries, and confirmed that the value was added to the correct key, and I’ve rebooted to ensure that the settings would be picked up. PrivBar is still not showing up in View > Toolbars. Any suggestions?

  6. Jacko & Andrew — I just built a fresh Server 2003, fully updated, added Office, SQL, RKs, tools, etc. Then regsvr32 privbar.dll and imported the additional reg key file. PrivBar was *not* in the View/Toolbars menu. I closed that Explorer window (the only Explorer window), opened a new Explorer window, and PrivBar *was* there. I enabled it and it works fine. I don’t know what the problem might be. Make sure that you are an admin when you register/import.

  7. Jacko & Andrew – make sure that this setting is enabled: Tools / Internet Options / Advanced / Enable third-party browser extensions (requires restart). If its checkbox is not checked, check it and close all instances of iexplore.exe.

  8. OK I’ve been doing security ‘way too long, but this never ceases to astound me. The Most Dangerous Thing most users can do is run as Administrator, especially while surfing the Net, but I hardly ever hear advice-givers address this issue, especially in vulnerable home users!

    I can generally talk my employer into giving me admin access to my desktop machine, but I never get a threat briefing on why I shouldn’t use it as part of my routine login account.

    I sould probably start a blog and rant there instead…

  9. Aaron,

    "enable third-party browser extensions" did the trick for me. PrivBar is now working as expected, with one minor exception…I don’t get the yellow background when the window is running with Administrator privileges. Still, this is a very useful tool, and I will most certainly be using and recommending this often.

  10. Andrew, I’ve already traded email with you about this, but I wanted to add to this thread that if you have a background bitmap defined for an account (per earlier posts), that it will override the background color for the toolbar.

  11. Aaron:

    I just wanted to thank you for taking the time to post these tips and tricks around how to run as LUA and still be able to get work done when applications require Admin privileges.

    It just happens that I also work for MS, but as a User Experience (UX) Program Manager and I will be working on a number of areas around the user experience associated with application security, including the UX for LUA users. As a result I decided that I should run as LUA if for no other reason than to gain first hand knowledge of the current UX and find all those "pain points" for myself. I don’t think I could have successfully gone forward without your list of tips and workarounds.

    Thanks again!

  12. David Candy says:

    And every time you create a rooted Explorer window with the /root, command line option (a.k.a., Explore from here), it gets its own, brand-new process.

    In experimenting I find All /root windows go into a third process not seperate processes most of the time.

    EG

    Start My Comp

    Start any number of /root from Start Run

    Max Process is 3

    and + but

    Start a /root from Start Run

    Start a second

    Max Process = 3

    Now start My Comp (from QL)

    Max Process = 3

    Start a /root

    Max Process = 4

    This is screwy. The rules don’t seem so simple.

  13. JackoPlacko says:

    Aaron,

    "Tools / Internet Options / Advanced / Enable third-party browser extensions (requires restart)" is not enabled in "pure" Server 2003. After enable PrivBar work fine :).

    Thanks for your help!

  14. Aaron Margosis is a Microsoft employee who is writing a weblog on running Windows with least privilege on the desktop. If you are having trouble running applications under an account with less privileges than administrator, there are many useful suggestions…

  15. Dot Wind says:

    A very interesting serie of postings over at Aaron Margosis’ WebLog showing the advantages of running as a limited user. A special interesting entry is the "Protect my computer" option, and the priviliges toolbar….

  16. nikki says:

    RunAsを使いまくって、いろいろなユーザーとしてエクスプローラを起動できるのは良いのだけれども、問題になってくるのは、今度は、どのエクスプローラがAdministrator権限で動いていたのか分からなくなること。実は、cmd.exeの場合には、 のように、キャプションに、別ユーザーであることが表示される。それにそもそも、背景色を青とか、別の色に変えることもできるので、cmd.exeに関して言えば、全く問題にならない。 じゃぁ、エクスプローラだとどうするのかといえば、現状では、PrevBarがある。これは、エクスプローラのツールバーに現在のユーザーを表示するよという試み。アイデアはいいのだけれども、ダサすぎるという問題がある。 Windows/UNIXのプログラマにありがちな、機能は良いのだけれども、デザインセンスに難があるという例だ。彼は日本人じゃないので、多分、ここで愚痴を書いても伝わらないのでしょうけど・・・。というか、これBlogみたいなのに、トラックバックできない。なんでだろう?? で、無いのなら作れということで、作ってみようと思った。参考になるサイトとしては、 Creating Custom Explorer Bars, Tool Bands, and Desk Bands ぐらいかな。Code Projectにもらしき物はあるけど、ちょっと違うようだ。 で、全然関係ないけど、おもしろいというか、プログラマじゃなくてもエクスプローラを拡張できるツールがあった。 Explorer Bar Maker これはこれでお手軽で良い。 で、現在、Sudo Toolsなるものを作成中。フォルダから簡単に別権限でExplorerやcmd.exeを開くためのコンテキストメニューという感じ。レジストリの編集だけでは立ち行かない、かゆい部分を保管するためのツール。ソースは、ここで、とりあえず作成したバイナリはここ。 ただし、まだ実装途中なので基本はほとんどありませんし、日本語のローカライズが終わっていませんのであしからず。…

  17. Matt Dronen says:

    Hi Aaron,

    In a previous comment you mentioned you were going to try and post the code to PrivBar. Are you still planning on doing this? I’d sure like to use the code. Thanks.

  18. Complete list of Aaron Margosis’ non-admin / least privilege posts, for easy lookup.

  19. Geno says:

    I think i have found 1 issue. If i open up explorer.exe and close before the privbar gets a chance to retrieve the token information, explorer.exe crashes.

    Any thoughts

  20. Geno – that’s interesting. So far I have not gotten it to repro. How reliable is your repro – rarely, sometimes, all the time? Does the crash data point to privbar.dll? How are you verifying that PrivBar has not retrieved token info at the time you close Explorer? Do you happen to know whether it is a new instance of Explorer.exe or another window owned by an existing instance of Explorer.exe?

    Thanks again.

  21. Johan says:

    Hi

    Greate utility, is it possible to dev. more?

    It would be really nice if i could be admin/poweruser on my pc and startup iexporer in "leaste privilege" (other utils makes it possible, yes) – and then change between user/administrator through this toolbar.

    /Johan

  22. Lawrence Steeger says:

    Just attended (via Webcast) your Tips and Tricks to Running Windows with Least Privilege presentation.

    Very good presentation!

    Could we get the source code for PrivBar?

  23. tonyso says:

    Get your friends and family, all those folks that come to you for computer help once their machines have…

  24. Keith says:

    Why is it that people that offer things for download put instructions on the download page but never in the download itself. This is fine for people that download it once and install it immediately but for those of us that tend to accumulate this stuff we end up with zip files containing programs and nothing in the zip file to remind us what it is and how to make it work.

    Argh

  25. Keith – re the instructions not being in the zip – valid complaint. Issue from this end is that this is a spare time effort as it is. I’ll try to do that in the future, though. (What I usually do is to download the zip into its own folder, then save the relevant web pages as .mht files in the same folder, and sometimes a shortcut file pointing back to the URL.)

  26. Alex Zimin says:

    >If anyone knows of a reliable way to automate this, please let me know!

    There is a relatively simple way to automate this , I can send you a script to do this if you want.

    In short – you can propagate ITBarLayout entries from the current user to all the local accounts (including "Default User"), and it will do the trick.

  27. Alex Mondale says:

    How do you uninstall? Also, there is on my XPSP2 IE installation a problem: the UUID or App ID is "crossed up" with that of my Google Toolbar. When I (un) select View, Privbar, my Google Toolbar goes away, and vice-versa. What’s up with that?

  28. Roger Safian says:

    Regarding the Google Toolbar. I just installed PrivBar, and I also had the Google toolbar. What I needed to do was uunlock the toolbar, and drag privbar from the right hand portion of the screen where it was hidden. I then relocked the toolbar, and everything was OK.

    BTW – Thanks for the tool Aaron.

  29. Anders says:

    Sourcecode?

  30. slang says:

    Dare I ask, and I’m not trying to start a flamewar here, does anyone know of a firefox version?

    I’ll definately be using this for IE etc., but would also like something similar for firefox.

    Any suggestions?

    Cheers –

  31. Colin says:

    Just installed on win2000 SP4 with no problems. I do have VS6 and VS.net 2003 installed, which might have resolved the dependency issue mentioned in the original post.

    Slick little tool. Thanks.

  32. Patrick says:

    Looks nice,

    But can’t get it to work.

    Getting a LoadLibrary Failed error: The specified module could not be found.

    Any ideas to solve this?

  33. I’ve updated this – the original version had dependencies on DLLs that ship with Windows XP. The version I posted on Oct. 13 had dependencies on updated DLLs that aren’t installed by default. The version I’ve just uploaded statically links all that stuff, so it should work on your machine! (Sorry for any inconvenience.)

  34. sak says:

    Thanks for this great toolbar

  35. travisowens says:

    Summary: This allows you to be administrator but run any program (ex: IE) in non Admin mode, protecting…

  36. I believe there’s some issue with XP Pro x64.

    I could succesfully add the toolbar to IE, but it never appears in the list of toolbars for Explorer.

    let me know if there is a fix @ kzu.net at gmail dot com.

  37. John says:

    It says I’m an administrator with a red circle but I know I’m not.  This is a domain user account in the backup operators group and the server operators group but I know I’m not an admin because I can’t change settings it let’s me know and I can’t install/uninstall programs.  Can you tell me why I’m listed this way?

    Groups:

       DOMAINDomain Users | mandatory enabled default

       Everyone | mandatory enabled default

       BUILTINUsers | mandatory enabled default

       BUILTINAdministrators | mandatory enabled default can_be_owner

       NT AUTHORITYINTERACTIVE | mandatory enabled default

       NT AUTHORITYAuthenticated Users | mandatory enabled default

       Logon SID (S-1-5-5-0-20167967) | mandatory enabled default logon_SID

       LOCAL | mandatory enabled default

       DOMAINInfo Techs | mandatory enabled default

       DOMAINRas | mandatory enabled default

       DOMAINInvestors | mandatory enabled default

    Privileges:

       SeChangeNotifyPrivilege | enabled, enabled by default

       SeShutdownPrivilege | disabled

       SeUndockPrivilege | enabled

       SeSecurityPrivilege | disabled

       SeBackupPrivilege | disabled

       SeRestorePrivilege | disabled

       SeSystemtimePrivilege | disabled

       SeRemoteShutdownPrivilege | disabled

       SeTakeOwnershipPrivilege | disabled

       SeDebugPrivilege | disabled

       SeSystemEnvironmentPrivilege | disabled

       SeSystemProfilePrivilege | disabled

       SeProfileSingleProcessPrivilege | disabled

       SeIncreaseBasePriorityPrivilege | disabled

       SeLoadDriverPrivilege | enabled

       SeCreatePagefilePrivilege | disabled

       SeIncreaseQuotaPrivilege | disabled

       SeManageVolumePrivilege | disabled

       SeImpersonatePrivilege | enabled, enabled by default

       SeCreateGlobalPrivilege | enabled, enabled by default

  38. John – it sure looks like you’re an admin.  It says you’re in the BUILTINAdministrators group, and you have a ton of privileges normally granted only to admins.

  39. Brooster says:

    Hey Aaron, been using it on Windows XP with no issue tried it now on WindowsXP x64 and it doesn’t want to work.

    Will you have an updated DLL that will be x64 compatable.

    If I put the dll is SysWOW64 I get "LoadLibrary("privbar.dll") failed – The specified module could not be found." when I try to register the dll.

    If I put it in System32 (the native x64 dir) I get the error when trying to register of the following: "privbar.dll" is not an executable file and no registration helper is registered for this file type.

  40. Brooster – Sorry, I haven’t built an x64 version yet.  I’ll try to line something up…

    Thanks.

  41. Ajay says:

    Another excellent tool! Here is problem I came across.  I set the "Launch folder windows in a separate process" checkbox in explorer.  Launching Explorer using RunAs works fine. I start explorer in my LUA and it shows that I am a User.  Then I run the MakeMeAdmin script from you previous post and launch "explorer" from there and it is still running as a User! What?  So I close down all my explorer windows and launch it from the MakeMeAdmin windows first.  OK – it is Admin.  Now I launch from the desktop and that is Admin too!  After some fiddling around a figured out that using "explorer /root,c:" option inside the MakeMeAdmin command window is VERY IMPORTANT.  I know you mentioned it in your MakeMeAdmin post (which I went back to re-read) but I don’t think it was emphasized enough how important it is.  Also the complete syntax of the /root option wasn’t provided and when I tried just "explorer /root" nothing happened so I stopped using it (not bothering to follow the link you gave until today).  Anyway, thanks to the PrivBat I saw that I was probaly running explorer windows in security contexts other than what I thought.

  42. derf says:

    Any word on a 64bit version?

  43. David says:

    Is anyone aware of anything similar for “all” genric windows — i.e., displaying the logged in user in the title bar?  I’ve seen a shareware app that adds a clock to the title bar near the close/minimize butttons systemwide — so I guess it’s not all that impossible to do.

    Anyone with leads on this — i’d love to hear from you at david (at) dcbarrycom  (add the dot!)

    David, this could be done, but it would involve injecting a hook into all processes on the desktop.  This can have performance and stability impact, which is why I shied away from ever doing it myself.  See the SetWindowsHookEx API and related documentation.  — Aaron

  44. Adam says:

    Has anyone tried his on IE7?  Is it compatible?

    I’ve used it with IE7 on versions of Windows Vista through Beta 2, and it seems to work fine.

    — Aaron

  45. lolomarx says:

    WINDOWS  XP GOODIES  

    Agent components provide animated characters (Genie, Merlin,…

  46. Thanks for sharing this great tool and the thoughts that lead to it. It’s been very useful for me indeed.

    I’m a command-line freak, often using Cygwin. It strikes me that it would be dead handy to have an executable that returned the current priv level on stdout and/or as an exit value.

    This would allow other tools in any scripting environment (DOS, Cygwin, Python, etc) to easily determine their own current priv level. This could then be used in login or startup scripts to change the window title, or the background color, etc.

    This would be the scripting world’s equivalent of PrivBar.

    Has anyone else done this? Is there an easier way than my current envisaged plan: compile my own command-line executable using the guts of PrivBar?

    Are the guts of PrivBar available for public consumption? If you posted the source, no matter what state it’s in, it would also allow other people to produce 64 bit versions, etc.

    Thanks!

     Jonathan Hartley
     user tartley at the domain tartley.com

    Command line tools you can use:

    IFMEMBER – in the Windows Resource Kit
    WHOAMI – in the Windows XP Support Tools.  (Installed by default on Windows Vista.)

    PrivBar source already posted:  http://blogs.msdn.com/aaron_margosis/archive/2005/10/13/480901.aspx

    — Aaron

  47. slang: Creating a firefox plugin to do this seems misguided. Surely the whole point of PrivBar and MakeMeAdmin is to avoid having to browse the web, and other user activities, with elevated privs. Surely the use of elevated priviledges should be restricted to system-admin type tasks, for which Explorer, and in some cases IExplorer, are required. Firefox is not.

    Am I missing something?

  48. I see you already posted the source. Thanks!

  49. Buenas a todos. La verdad es que decir que es definitiva … es un poco presuntuoso, pero no puedo pasar

  50. Buenas a todos. La verdad es que decir que es definitiva … es un poco presuntuoso, pero no puedo pasar

  51. I just upgraded to new PC and cannot get PrivBar to work under DropMyRights instances of IE6.0.

    All install steps go fine except that result is diff from other 4 PCs that use this combo:

    1) when in Admin mode – nothing can get background behind the red dot to go to YELLOW (and yes I have checked the tool bar background in registry)

    2) in User mode – the View/Toolbars allows me to “see” the PrivBar option and try to check it – but action fails – no checkmark, no PrivBar.

    Anyone out there with a Tip or 2 to go looking for root cause – would be appreciated.

    Irving:

    1) The yellow background appears with Windows classic style only.  (I can’t recall the exact settings that are involved, but there’s something about themes that overrides the older legacy background bitmap/color stuff.)

    2) I think I’ve seen that — probably an incompatibility or corruption issue involving another toolbar.  There’s a way to reset the toolbar stuff by whacking some registry keys – are you comfortable doing that?  Turning the others on/off might reset it as well.  (I’ll have to research — I don’t have an IE6 system handy at the moment.  IE7 is really nice.:-)

    HTH

    — Aaron

  52. What becomes of all my earlier non-admin tips, tricks and recommendations vis-à-vis RunAs, MakeMeAdmin, PrivBar and their interactions with IE and Explorer? The short answer is that Vista changes just about everything with respect to running with least

  53. da987 says:

    The toolbar is available in Maxthon (1.6), on XP SP2, IE6 SP1 + latest, but only the top 30% of,say, the circle and text are visible.

    In IE, these are fully visible.

    David L

  54. Dennis says:

    Hi Aaron!

    Try virustotal.com – two scanners reporting malware. Are these false positive???

  55. Dennis says:

    Hi Aaron!

    I’ve informed F-Secure, this my scanner. The answer from F-Secure:

    "The file you submitted is indeed clean. A database update will be released to resolve this issue."

  56. Philip Lo says:

    AVG Free Edition 7.5.524 with virus database 269.23.8/1413 dated 5/3/2008 is reporting that there is a trojan horse Click.NDK in PrivBar.dll

    [Aaron Margosis]  I can promise you that I did not write malware, and the zip file does not appear to have been tampered with since I uploaded it.  These reports appear to be false positives.  [Update]  On the virustotal site, F-Secure is now reporting the file as clean.  For AVG, please report the file to AVG for more scanning, per their instructions:  http://www.grisoft.com/ww.faq.num-1203 .  Thanks.

  57. philip lo says:

    I have sent privbar.dll to AVG for their analysis and I hope they will correct their database soon.

  58. philip lo says:

    Looks like AVG has corrected their database in the latest defintion files.

  59. mr.bryce says:

    any way to have privbar behave like the language bar in the taskbar ?

    privbar displays credentials only for internet explorer and explorer instances.

    the language bar is able to display the language setting for any window on the desktop, simply by changing focus.

    i know that the process ctfmon.exe is related to the language bar, is that what gives it its flexibility?

  60. Justin says:

    Avast Home 4.8 is highlighting PrivBar.dll as Adware.

    Is it adware or is a false positive?

    [Aaron Margosis]  Absolutely a false positive.  Another anti-virus package incorrectly flagged it a few months ago (see a few comments up from this one).  They got it corrected within a couple of days.

  61. Gregg says:

    You going to put a new download link so we can download privbar again? 🙂

  62. Eric says:

    As Gregg commented, the download link appears to be broken 🙁

    [Aaron Margosis]  My apologies — I switched internet service providers a little while ago, and forgot about the images and downloads that I had on their servers until it was too late.

    To make it up to you all, I’m going to revamp them and post both x86 and x64 versions of PrivBar.  (Soon.)

  63. Al says:

    Yes It’s works with Internet Expolorer 8 beta 2

    1.Unzip PrivBar to C:

    2.Run the command prompt as Administratorin for installation process

    3.A If you have version 64 Bit like me type or add these path in the windows command prompt:

    regsvr32 C:PrivBarX64.dll

    and

    regsvr32 C:PrivBar.dll

    3.B.If you version is 32Bit only this:

    regsvr32 C:PrivBar.dll

    4. Go to Internet options>

            Advanced>

            Browsing>

    uncheck the option:

            Enable third-party browser extensions

    Apply and OK

    5.Unlocked Toolbars in Menu Bar> View> Toolbars

    6.Close de Internet Explorer Browser if is Open

    7.Go to Internet options>

            Advanced>

            Browsing>

    CHECK the option:

            Enable third-party browser extensions

    Apply and OK

    8.Go to Menu Toolbars and check PrivBar toolbar

    9.Lock your Toolbars again.

    Done.

  64. Jakob says:

    This is interesting info, but it looks like almost four months have passed since the download was going to be posted again ‘soon’. That’s a shame.

    [Aaron Margosis]  Umm, yeah, it was about 3.5 months ago that I posted new versions, which include support for x64 also.  See the “update” link at the top of this post.

  65. Two Lenses says:

    I seem to be having a problem installing PrivBar. The instructions say:

     1. Download the zip file

     :

     4. Extract PrivBarReg.reg from the zip file and import it into the registry.

    I have no problem with instructions 1-3, but the zip file I downloaded doesn’t contain a  “PrivBarReg.reg” file, it only contains two files: “PrivBar.dll” and “PrivBarX64.dll”. Googling for the missing filename has not helped.

    Without that file, PrivBar “sort of” works: if I kick off Windows Explorer with MakeMeAdmin, the PrivBar has a yellow background, whereas if I kick it off straight from my Limited account it has the default Windows Explorer background. And it shows the account name correctly in both cases.

    But in both cases, the account name is followed by a _red_ circle followed by the word “Administrators”. (I would expect to see the green circle followed by “Users” in the second case.)

    Can anybody help?

    -Two.

    [Aaron Margosis]  There is no longer an extra .reg file.  Just regsvr32 the PrivBar.dll; regsvr32 the PrivBarX64.dll also if you’re running x64 version of Windows.

    The yellow background may or may not appear, depending (I think) on theme settings.  If the red circle appears, that instance of Internet Explorer or Windows Explorer is running with full admin rights.

  66. Shawn says:

    I installed PrivBar and have no problems with it being viewable, however, I did have a problem with the information provided.  I am opening an instance of explorer with a shortcut, ‘C:WINDOWSsystem32runas.exe /netonly /user:domainuser “%SystemRoot%explorer.exe path”‘.  I use runas for admin access to certain folders so I don’t have to log out and back in as switch users is disabled at my company.  I show my current non-admin domainuser regardless of whether I use runas or not and the Priveleges are shown as Administrator as well.  I have admin rights on my pc (only allowed because of my level  of ability), but not on the server where the folder is stored.  Even when PrivBar shows the lesser priveleged user info, I do have the correct priveleges via runas.  I thought the purpose of PrivBar was to show what level of privileges were being used for the window.

    [Aaron Margosis]  Why are you using /netonly?  That has you continuing to use the same security context locally, but using the alternate credentials when you authenticate to a remote machine via SSPI (essentially, using Windows authentication; e.g., to a SQL or IIS server).  PrivBar is looking only at the local token that is running the process, not at any alternate credentials.  PrivBar (and Explorer) have no way of knowing whether the remote server considers you an admin.

  67. Two Lenses says:

    This is my response to the answer you (Aaron) posted to my question two posts up. It probably only makes sense if you read my November 29 post and Aaron’s reply first.

    I’m confused, because I also see the red circle when I am logged into my Limited account. Let me explain….

    When I log in to my admin account and open Windows Explorer, it shows the red circle alongside the word “Administrators” as I expect, and shows the account name as “admin”. (I can confirm that my admin account has Administrator rights because “Control Panel” > “User Accounts” shows two accounts: “admin” as “Computer administrator” and “lweston” as “Limited account”.)

    But if I switch to my Limited account, Windows Explorer still shows the red circle and the word “Administrators” even though now it correctly shows the account name as “lweston”. And that account behaves like a Limited account as expected, because if I open Control Panel from this account and then open “User Accounts”, the resulting window only shows my “lweston” account. That’s the behaviour I would expect from a Limited account: it only shows the current account.

    So why do I still see the red circle in Windows Explorer when I’m logged in to my Limited User account. (Incidentally, I have ticked the option “Tools” > “Folder Options…” > “View” > “Files and Folders” > “Launch folder windows in a separate process” in Windows Explorer, so there shouldn’t be any chance of my Limited user’s explorer task seeing the memory of the one that admin is using.)

    [Aaron Margosis]  Click on the circle icon in the toolbar and it will list the groups and privileges it sees.  What does it report?

  68. Qtax says:

    The download link seems to be dead now (404).

    Any mirrors available?

  69. Scott says:

    Aaron, thanks for this, but you need to fix all your posts on RunAs, MakeMeAdmin, PrivBar, etc., which point to Speakeasy.net.  All of them are returning 404 errors.

  70. Scott says:

    Oooh.  I gotta read before I write.  Sorry, my previous question was already answered.