RANU: smarter CPL and MSC

I wish that .CPLs and .MSCs were smarter about normal users.  I want to be a normal user, open a Control Panel applet, and have it prompt me for credentials if needed.  Same thing for the administrative tools.

Here’s what I do instead.

I create a set of shortcuts in a folder called “Control Panel”:

runas.exe /user:Administrator “control access.cpl”

I even set the icon by pointing it back at the .CPL file.

I do something similar with a folder called “Administrative Tools”:

runas.exe /profile /user:Administrator “mmc %windir%\System32\compmgmt.msc”

Both folders go into the “Admin Tools“ folder, along with

CMD w/ network

runas.exe /env /user:Administrator “runas.exe /user:%USERDOMAIN%\%USERNAME% /env /netonly \”cmd\””


There’s a bug in Windows XP where certain controls running in this mode just won’t paint.  It seems to be fixed in Windows Server 2003.  Don’t know about Windows XP SP2.



runas.exe /env /user:Administrator “cmd”


Explorer w/ network. Enable “Launch folder windows in a separate process”, as both yourself & Administrator.


runas.exe /env /user:Administrator “runas.exe /user:%USERDOMAIN%\%USERNAME% /env /netonly \”explorer\””


Task manager


runas.exe /user:Administrator taskmgr.exe




runas.exe /user:Administrator regedit.exe –m


The Admin Tools folder then becomes a toolbar on my taskbar.  With all this in place, I can get by as a normal user.

Comments (7)

  1. AT says:


    Completely agree

    Even more – no needs to ask Administrator account for user actions.

    But if user need to change something affecting not only his account – he must be prompted for login.

    Running select CPL’s as

    Administrator can change Administrator configuration instead of current user one.

    P.S> I wish ITG groups do not give Administrator password for Windows team development workstations or restrict Administrator account usage by time-limits (ex. 1 hour per day).

    This way Windows team will make it’s possible to run most of Windows apps without admin rights ;o))

  2. Bjoern Graf says:

    This is what OSX does and it makes it sooo easy to run as normal user and still being able to do administrative tasks without (fast-)swicthing users. Even the installer is smart enough to ask for roots password if it requires to do system canges (updates and friends).

  3. jaybaz [MS] says:

    Bjoern: I’m still not jealous.

  4. Drew says:

    "RANU" had me scratching my head for a minute. "Run(ning?) As (a) Normal User"? LUA, "Limited User Account", is the acronym de jour for this.

    On XP and Server 2003 (and maybe someone even backported the change to Win2k – I dunno), runas does "/profile" by default. If you’re trying to avoid the profile load you can use "/noprofile".

    The explorer and regedit tricks may not always work as expected. Explorer is single-instance per desktop by default, so you can end up spawning an explorer window in your LUA context instead of the admin’s. I’m pretty sure that regedit is always single-instance per desktop, so if there’s already one running you’ll only bring that to the front and focus on it. I don’t know whether taskman or the .cpls are single-instance.

    FUS (Fast User Switching) is probably the most painless way to avoid all of this hassle if the machine isn’t in a domain.

  5. jaybaz [MS] says:

    Drew: It looks like you’ve explored this pretty deeply. I’m glad to see that.

    regedit is single instance, unless you pass the -m flag.

    explorer is single instance unless you set the "Launch folder windows in a separate process" in the context that is doing the launching (administrator).

    RANU first mentioned in http://blogs.msdn.com/jaybaz_ms/archive/2004/06/21/161609.aspx.

  6. Bjoern Graf says:

    Oh, I didn’t meant to force anyone to switch or such a thing: I’m a happy XP user who happend to have the chance to play with OSX 🙂

  7. circuit_breaker says:

    anyone know of any good 3rd party file manager apps that would work well under an administrator secondary logon (that is what runas uses, right)? i want to find something portable to use so I don’t have to GP-enable every pc in my domain for explorer.exe ..