windows 8 - Why does the error "(app name) can't open while File Explorer is running with administrator privileges" occur?

24
2014-04
  • Thomas Levesque

    I'm getting this message when I try to start a Modern UI app after explorer was restarted with admin privileges (by a setup program).

    I know how to fix it (just restart explorer without admin privileges), but I'm curious: Why is it forbidden to run a metro app with explorer running with admin privileges? I can't think of any good reason.

  • Answers
  • Karan

    I faced this error myself some time back and looked into it a bit, and here's what I have understood about the cause. If any Windows programming expert sees any egregious mistakes, kindly edit and improve.

    Windows 8 and the introduction of the new Metro/Modern UI and apps necessitated several enhancements to the OS' security model. AppContainer is a new isolation method applied to Metro apps, which by default prevents them from both reading and writing to most of the Operating System, with the exception of the app’s own AppData folder.

    Metro applications can make declarations in their application manifest file about which OS capabilities they need to access. You can read a bit more about this in the Delivering reliable and trustworthy Metro style apps article on the Building Windows 8 blog.

    AppContainer is implemented through a new integrity level in Windows 8, supported by some additional changes to the OS. The AppContainer integrity level blocks both read and write access to objects marked with a higher integrity level. Now Windows Explorer normally runs in medium integrity mode, and explorer.exe is the parent process from which all other user-initiated processes inherit their access token. If Explorer is running with admin privileges i.e. at high integrity level, then any Metro apps it launches will inherit that administrative access token, which is obviously a strict no-no as it will violate the sandboxed environment provided by the AppContainer integrity level. Hence the error message thrown.


  • Related Question

    How do I run the Windows 7 Explorer shell with Administrator Privileges by default?
  • Barry Kelly

    The Windows 7 shell (Explorer) can be made to run with Administrator privileges by this manual process:

    1. Kill Explorer shell by holding down Shift+Ctrl, right-clicking the Shut down button in the Start Menu, and selecting Exit Explorer
    2. Start Task Manager with Ctrl+Shift+Esc
    3. Elevate Task Manager privileges by going to Processes tab and selecting Show processes from all users
    4. Then start up a new instance of the shell by File | Run in Task Manager, typing in explorer, and selecting the Create this task with administrative privileges.

    After following the above process, the Windows shell will be running with administrative privileges, and any programs it launches will also have administrative privileges. This makes performing tasks that require the privilege far easier, particularly for command-line applications, which usually fail silently or with an "Access denied." message rather than giving an opportunity to use UAC to elevate the process's privileges.

    What I'm interested in, though, is creating an account which uses a privileged shell by default, rather than having to follow this laborious process every time. How can it be done?


  • Related Answers
  • Mark Allen

    As far as I know you can't create an account like this, but if you log in as "Administrator" (Not merely as an account that is a member of the Administrators group - that's not good enough.) then everything you launch will be launched elevated.

    Not something you should do normally, but if you need to then you need to.

  • davr

    This is a terrible idea. You want to go back to the Win XP days where everything runs as Administrator? You're giving up all the security gains made by Vista and Windows 7. GUI applications should all invoke UAC, so there's no need for this hack in that case.

    If you need to run command line apps as administrator, simply open an administrator command prompt. It's very easy, just press WIN, type 'cmd', then press ctrl+shift+enter. Or even simpler, you can make a shortcut to cmd, and in the settings set it to 'Run as administrator'

  • harrymc

    Why not turn on auto elevate for the built-in Administrator account?

    Launch Local Security Policy

    Go to: Local Policies \ Security Options

    Look for: User Account Control: Admin Approval Mode For The Built-in Administrator Account and make sure it's disabled (this is the default value anyway).

    Now you can Fast Switch to the built-in Administrator account for all your admin needs.

  • AdamV

    If you turn UAC off then what is the remaining problem?

    You could try the methods in this article by Aaron Margosis, which is for Vista but may well work on Windows 7 (I have not tested this).

    @Andrew Some apps don't behave properly with UAC because they are not written properly to work with UAC, and often this is because they were not written properly in the first place. Usual suspects are things which try to write user-level registry settings under HKLM. UAC helps by virtualising this, but if a later part of the code which reads the setting is hard-coded it may bypass virtualisation, not find the setting and not behave as expected (this is also why it is a really bad idea to turn off UAC while you install and configure all your apps and then turn it back on afterwards, as the settings can end up in some strange places)

  • Langhard

    There is an option in the Explorer "folder options" to run every new explorer window as a separate task. With this enabled you should be able to run a 2nd copy of explorer.exe elevated...

    Also possible is running an instance of e.g. mspaint with the runas command (runas /user:yourdomain\youradminuser mspaint) and then go to file - open. Voila, you have your elevated explorer...