Administrator Marking for Command Prompt


Besides reducing the number of prompts, one of the top requests we’ve gotten is a way to identify whether a window (particularly Command Prompt) is running with reduced privileges. If you asked for this, too, you’ll be happy to know that when Windows Vista Release Candidate 1 comes out you’ll be able to tell.


When you run cmd.exe as an administrator, “Administrator” will be prepended to the title bar of the window.

This is designed for scenarios where you have multiple command windows open and you want to know which ones are elevated. You will also be able to tell which ones are elevated by looking at the taskbar.


This functionality is not enabled for all programs, but we got feedback that Command Prompt needed it most. Overall, our user experience goals with regard to UAC are:


(a) A user should be running as a standard user all the time.
(b) Elevation should be rare and for a very short duration.


As a result of these goals, a user should not have to keep track of what is running elevated and what is running normal, as in general, there should be nothing running elevated all the time.


In our research, we have not come across many applications that have valid scenarios where they should be running normal and elevated on a continuous basis for long durations. Command Prompt is one such application that people tend to run continuously as normal as well as elevated to perform mostly script- or batch-oriented tasks.


Therefore, based on feedback received, and just for Command Prompt, we have made changes such that if Command Prompt is running elevated, its title will be prefixed with “Administrator:” to help a user distinguish between a normal and elevated CMD.


Even though we provide this facility, from a security point of view, our recommendation remains that you keep the elevated CMD on your desktop for as short a duration as possible so as to avoid any inadvertent changes to your computer without further UAC prompts.
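
A batch file can make the same elevated/non-elevated distinction for itself instead of relying on someone reading the title bar. The following is an added example, not code from this post or from Microsoft; the file name elevcheck.cmd and its mark/require/forbid modes are hypothetical, and it assumes Windows Vista or later, where `whoami /groups` lists the High Mandatory Level SID (S-1-16-12288) for an elevated token.

```batch
@echo off
rem Added example, not from the original post. The file name elevcheck.cmd
rem and its mark/require/forbid modes are hypothetical.
rem Assumes Windows Vista or later: an elevated token carries the
rem High Mandatory Level group, SID S-1-16-12288, in "whoami /groups".
setlocal
set "ELEVATED=0"
whoami /groups | find "S-1-16-12288" >nul && set "ELEVATED=1"

if /i "%~1"=="require" goto :require
if /i "%~1"=="forbid"  goto :forbid

rem Default mode "mark": recolour only this console instance when elevated.
rem The console itself still prepends "Administrator:" to the title.
if "%ELEVATED%"=="1" (
    color FC
    title Elevated shell - close when finished
)
goto :done

:require
rem Guard for steps that need the full admin token, such as copying
rem into a protected directory: fail fast instead of half-completing.
if "%ELEVATED%"=="0" (
    echo This step needs an elevated Command Prompt. 1>&2
    endlocal & exit /b 1
)
goto :done

:forbid
rem Guard for steps that should stay unprivileged, such as checkout and build.
if "%ELEVATED%"=="1" (
    echo Refusing to run this step elevated. 1>&2
    endlocal & exit /b 1
)

:done
endlocal & exit /b 0
```

Calling it with `require` or `forbid` at the top of a script and testing the exit code keeps privileged and unprivileged steps from running in the wrong window.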


Comments (31)

  1. Licantrop0 says:

    I (beta tester) prefer the Shield Icon instead of that long "Administrator: ", it’s such a waste of space!

  2. Sean says:

    Not a beta tester…  

    In XP Pro, I run with limited privileges but keep a prompt open with elevated privileges.  A batch file sets up the environment in that console window and that batch file sets the caption using the ‘title’ command.  Would ‘Administrator:’ go away or be prepended to the title that is set via a batch file?

  3. Aaron says:

    Why not colour the window (some shade of red perhaps, but of course this would not work too well for Classic or Aero Basic views) or add a shield icon as Licantrop0 suggests?

  4. In previous builds, it was possible to set a different background color for the elevated command prompt (that’s much easier to recognize than just the little "Administrator:" text in the title bar).

    When I change the elevated background color in 5472, the color also changes for the non-elevated prompt. Why did you make this change (or is this just a side-effect of other changes)? Please revert that change, different background colors are much better than just a text in the title.

    There’s also no way to see if an explorer window is elevated.

    You should really consider making elevated windows easier to distinguish from non elevated windows, not just for cmd.exe, but for all windows.

  5. onovotny says:

    The problem though, and it’s there even in 5472, is that processes that you run from that elevated command prompt do not get a full admin token; those apps still need UAC consent.  Other apps do not even run.

    One thing that I did all the time in XP was to launch another instance of Explorer.exe (or the control panel, control.exe) from that admin command prompt.  In Vista that no longer works — typing control does nothing.  

    Running services.msc or other apps that need full admin brings up a UAC prompt.  

    If someone has an admin command prompt, then any processes run from it should have the full admin token, not the lower-level one.   They should also be able to open another explorer / control panel process as that full admin to do other tasks.

    –Oren

  6. Aaron Margosis says:

    @Licantrop0:  Text will also appear in the task bar, Alt-Tab UI, etc.

    @Sean:  If you run "TITLE My Elevated Cmd" from an elevated command prompt, the title bar will show, "Administrator: My Elevated Cmd".

    @Aaron: Color is problematic.  In addition to accessibility issues (e.g., color blindness), don’t forget that people can and do change all aspects of their UI.

    @Mathias Raacke:  How are you changing the color?  If you make a permanent change in the Properties window for the CMD prompt, it will affect all CMD windows running under that account, whether elevated or not.  If you start a particular instance with "CMD /T:FC" or run "COLOR FC" from within the running instance, it will affect just that one.  ("FC" is one example – it gives you red text on a white background.)  Suggestion:  create a shortcut to cmd.exe, change the command line to "cmd.exe /t:fc", and change the advanced properties for the shortcut to run it as admin.  Now when you invoke that shortcut and consent to elevation, you’ll get a command prompt with red on white, and "Administrator:" in the title bar.

    @onovotny:  It depends on what process you’re trying to start.  Any process directly created from an elevated command prompt will also run elevated.  However, some processes – particularly Explorer – are designed to be single-instance programs.  When you start a new Explorer process, it checks to see whether there is an existing Explorer instance already running, and passes control to it.  (Control.exe invokes Explorer.)

  7. Aaron Margosis says:

    @onovotny:  BTW, when I run services.msc from an elevated command prompt, I don’t get a UAC prompt – it just runs as admin.

  8. I really believe that you need to have an at a glance indicator for all windows of elevated processes.

    I understand that you consider most usage scenarios that have long running elevated processes to be detrimental to system security. They probably are. Users will do what they want to/have to, however.

    It is annoying to confuse your elevated and non elevated instances of applications. I do it all the time to test dynamic app functionality based on current token.

  9. onovotny says:

    Aaron,

    W.r.t. the Explorer issue, this is something that has changed since XP for the worse.  In XP I could have multiple explorer.exe processes, one as my regular user and one as admin.

    Having multiple instances of Explorer makes file operations far easier — I don’t want to have to use the command line to manipulate folders/files as an Admin — all I really want is an elevated Explorer window.  Given that this worked in XP, it seems like a huge step backwards in Vista.

  10. Luca says:

    Nice. I love UAC.

  11. Andy C says:

    Have to say I agree with those calling for all elevated applications to have some form of visual indication that they are indeed elevated. Couldn’t they have some sort of glow effect, similar to the one on the min/max/close buttons, but all around the window frame?

  12. Luca says:

    Another idea could be to change the default background colour of the title. With the basic interface the skin is coloured with light blue, so it could change to red for elevated windows, especially when you’re using a standard account.

  13. Newsha says:

    The Windows Explorer does not have a title at all (Vista Aero) – could you put “Administrator” in its title bar when applicable?

    The stated intent is that it shouldn’t be applicable — the plan is to make Explorer a truly single-instance process, always running in the same non-admin security context.

    — Aaron Margosis

  14. Luca says:

    @onovotny

    With Windows Vista Explorer you don’t need to open multiple instances because you have a tree view on the left.

  15. Licantrop0 says:

    @Aaron Margosis: you reply that Text "Administrator: " also appears in taskbar, but why 2 icons can’t appear in the same minimized window in taskbar?

    Where is all that WPF Microsoft is developing?

    I mean, something like this:

    http://img118.imageshack.us/img118/6181/admincmdru0.jpg

    (just a bad paint editing)

    Isn’t really better?

  16. mark says:

    I just want to know what about the new UAC security policy "Only elevate UIAccess applications that are installed in secure locations"?

    Thanks a lot:)

  17. Earlier today a colleague was in my office and he sharing his experiences with Vista.  One of his…

  18. Luca says:

    UAC should be hard coded enabled i.e. it should be impossible to disable by a registry trick otherwise a malware can disable it and security becomes useless.

    Please don’t allow UAC to be disabled.

    An idea should be makes some basic UAC functions hard coded enabled, and more advanced features optional.

  19. PSchuetz says:

    Hey,

    I like the idea from "Licantrop0" for a replacement or addition of the Shield Icon for an elevated command prompt!

    @Aaron Margosis and UAC team, why not set the Administrator marking for elevated cmd as default and give the users the option/ability to change this behavior in the settings. In order that you can set, that you want the Shield Icon instead of the Administrator marking, or additionally to the Administrator marking!

    So all users are happy and blind users/accessibility issues are supported.

    Thx in advance!

    best regards,

    PSchuetz

  20. Luca says:

    @PSchuetz

    if you make the admin indication optional, this means a trojan can modify this setting in order to masquerade something.

    And this is the main reason I would like UAC to be hard coded and not optional.

  21. PSchuetz says:

    Hey Luca,

    hmm, but you can’t protect it from change by a password requirement or something, or is this impossible?!

    Or you make it only selectable..(Between Administration marking and only the Shield Icon..!)

    If you hardcode both versions, and you can change the option only with a password or such thing, malware can’t change it!

    Thx in advance!

    best regards,

    PSchuetz

  22. smisraindia says:

    ProgIDFromCLSID is getting failed for Administrator Marking for Command Prompt.

    To get an idea of issue,

    I have written a simple MFC application with following code. When we open the vcproj file and run the application from Administrator Marking for Command Prompt, pOleStr returns as NULL.

     

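    HRESULT hr;
    LPOLESTR pOleStr = NULL;   // receives the ProgID string; free with CoTaskMemFree
    CLSID clsid;
    LPCOLESTR strCLSID = L"{7AABBB95-79BE-4C0F-8024-EB6AF271231C}";

    // Convert the string form to a CLSID, then look up its ProgID in the registry.
    hr = CLSIDFromString(strCLSID, &clsid);
    if (SUCCEEDED(hr))
        hr = ProgIDFromCLSID(clsid, &pOleStr);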

    However, same code works fine for normal command prompt.

    Please note that I have also marked the application with UAC manifest, but still ProgIDFromCLSID gets failed for Administrator Marking for Command Prompt.

    <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
      <security>
        <requestedPrivileges>
          <requestedExecutionLevel
            level="requireAdministrator"
            uiAccess="false"/>
        </requestedPrivileges>
      </security>
    </trustInfo>

    Could somebody help me to find the cause of the issue?

    -Saurabh

     

  23. war59312 says:

    Very nice! Glad to see this in build 5563. 😀

  24. Dan Christensen says:

    Running the command line as Administrator is functional, but what I really want is the ability to execute certain commands as an administrator. I am a software developer and often use the command prompt to check code out from source control, build and then copy the executable to their target directory. The only one of these steps that requires elevated privileges is the last one. I don’t want to check out the code, or build the code using elevated privileges. This means that I need to keep two command shells open. A normal command shell to checkout and build and then an elevated command shell to copy the files. This is really aggravating.

  25. UACBlog says:

    We’d like to thank all of the Windows Vista beta testers for using and giving us feedback on User Account…

  26. UACBlog says:

    We’d like to thank all of the Windows Vista beta testers for using and giving us feedback on User Account…

  27. Here I am hacking about on the command line building some java stuff, and I decide I want to delete some tomcat log files – which requires admin.

    Now, I SHOULD be able to type ‘sudo del *.log’ and  OK the UAC confirmation, and then drop straight back to low-privs, however I have to instead spin up and keep track of and synchronize an entirely different new command prompt!

    WTF?!?!?! Unix has only had this for like 8000 years, and it’s easily enough done… so where is it?!

  28. If you try and install the Team Foundation Server Power Toys (or Tools) on a Vista machine, you may well

  29. kanagaraj.P says:

    how to run the cmd.exe without administrator privileges…