I observed an unusual behavior while running a Windows 10 setup, where a subdirectory was renamed at a certain point during the setup process. When I tried running the setup.exe
by right-clicking it and selecting “Run as administrator” in Windows Explorer, it failed due to a permission issue when attempting to rename the subdirectory.
However, when I opened cmd.exe as an administrator and ran the setup.exe from the command line, it completed successfully. I’m wondering what caused this difference in behavior and why running the setup as an administrator from two different sources led to different outcomes.
For context, the setup created a directory structure starting from c:\personal
, with the initial subdirectory path being c:\personal\platform\db
, and the renamed subdirectory path being c:\personal\platform\database
.
The user account running the setup was part of the Administrators group, and the user was the owner of the setup process in both cases.
2 Answers
Introduction
When it comes to running applications on Windows, there are different ways to launch them, such as from the Windows Explorer or from the command prompt. However, the behavior of an application can sometimes differ depending on how it is launched. In this blog post, we will explore the differences in Windows permissions when launching an application from Explorer versus cmd.exe. We will also investigate a specific scenario where a setup failed when launched from Explorer but succeeded when launched from cmd.exe.
Understanding Windows Permissions
To understand the behavior of Windows permissions, we first need to understand how Windows handles user accounts and permissions. Windows has a built-in security system that controls access to files, folders, and other system resources. The security system is based on user accounts, which are used to identify and authenticate users.
Each user account has a set of permissions that determine what actions the user can perform on the system. For example, a user may have permission to read, write, or execute certain files or folders. Windows also has built-in groups, such as Administrators and Users, which have predefined sets of permissions.
When an application is launched, it inherits the permissions of the user account that launched it. If the user account has the necessary permissions to perform the actions required by the application, then the application will run successfully. However, if the user account does not have the necessary permissions, the application may fail or behave unexpectedly.
Launching from Explorer
When an application is launched from the Windows Explorer, it inherits the permissions of the user account that launched Explorer. If the user account has limited permissions, the application may not be able to perform certain actions, such as renaming a directory.
In the specific scenario mentioned in the introduction, the setup was launched from Explorer by right-clicking on the setup.exe file and selecting “Run as administrator”. However, even though the user account belonged to the Administrators group, the setup failed because of a bad permission issue when trying to rename a subdirectory.
Launching from cmd.exe
When an application is launched from the command prompt, it inherits the permissions of the user account that launched cmd.exe. If the user account has administrative privileges, the application will also have administrative privileges and be able to perform actions that require elevated permissions.
In the specific scenario mentioned in the introduction, the setup was launched from cmd.exe by right-clicking on cmd.exe and selecting “Run as administrator”. The setup was then spawned from the command line. Since the user account had administrative privileges, the setup was able to complete successfully.
Why Launching from cmd.exe Succeeds
The reason why launching the setup from cmd.exe succeeded while launching it from Explorer failed is due to the way Windows handles user permissions. When an application is launched from Explorer, it inherits the permissions of the user account that launched Explorer. In contrast, when an application is launched from cmd.exe, it inherits the permissions of the user account that launched cmd.exe.
Even though the user account in the specific scenario belonged to the Administrators group, launching the setup from Explorer did not grant the setup administrative privileges. However, launching the setup from cmd.exe with administrative privileges allowed the setup to perform actions that require elevated permissions, such as renaming a directory.
Best Practices for Launching Applications on Windows
To avoid issues with Windows permissions when launching applications, it is best to always launch applications with administrative privileges when performing actions that require elevated permissions. This can be done by right-clicking on the application and selecting “Run as administrator” or by launching cmd.exe with administrative privileges and spawning the application from the command line.
It is also important to ensure that the user account launching the application has the necessary permissions to perform the actions required by the application. This may require adding the user account to the appropriate groups or granting specific permissions to the user account.
Conclusion
In conclusion, launching an application on Windows can have different results depending on how it is launched. When launching an application from Explorer, the application inherits the permissions of the user account that launched Explorer. When launching an application from cmd.exe, the application inherits the permissions of the user account that launched cmd.exe.
To ensure that an application has the necessary permissions to perform actions that require elevated privileges, it is best to always launch the application with administrative privileges. It is also important to ensure that the user account launching the application has the necessary permissions to perform the actions required by the application.
Windows Administrator Accounts have broad permissions in the Windows system, but they are not without limitations. For example, even with an Admin Account, it is not possible to modify files in the System 32 folder owned by Trusted Installer without first taking ownership of the files. Once ownership is obtained, the Admin Account can modify the files.
When launching an Administrator Command Prompt, any commands or services started within that session do not run with Windows Administrator privileges. Instead, they run with System privileges, which are similar to Admin privileges but with some additional bypassing of restrictions. As a practical difference, processes running as SYSTEM can access domain servers in the context of the computer’s domain account, while processes running as Administrator lack access to domain computers unless alternative credentials are explicitly provided.
It’s important to note that System is not an account that can be logged into. Instead, it is a set of permissions that represents the Operating System as a user.