Why is my cmd.exe in Windows 7 opening with administrative privileges? (I won't say running "as Administrator", because I'm aware that the Win7 "Run as administrator" option runs it with administrative privileges rather than as Administrator, and that is what is happening here, albeit automatically.)
I go into Windows by clicking my username.
Now let's say I start cmd.exe, and I'll do it in the clearest way, to show that I'm not clicking a shortcut.
So I go to c:\windows\system32 and I am definitely running cmd.exe from there.
But it comes up as this:
And if you think "oh, maybe I'm logged in with the Administrator account", I'm not.
And the cmd.exe that I opened directly from system32 also shows that, while it is running with administrative privileges for some reason, it is running from a user account.
Added:
In answer to some enquiries from commenter "scott": I do obviously have an account called "user"; that should be clear.
Commenter "scott" suggests the command:
C:\Users\User>net user %username% | find "Group"
Local Group Memberships *Administrators *HomeUsers
Global Group memberships *None
C:\Users\User>
(Yes, the user account is a member of the Administrators group, though that wouldn't cause that behaviour.)
Commenter "scott" suggests I run this command, showing the output:
C:\Users\User>whoami /priv | find "Enabled"
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
C:\Users\User>
Nothing unusual there. If you run a cmd prompt with administrative privileges on a fresh install, then it shows the same thing. Obviously in my case it's happening automatically. So perhaps commenter "scott" can state what he might have been looking for there?
If you run that whoami /priv | find "Enabled" command from a cmd prompt launched with administrative privileges on a fresh install, then it also shows those same three items (from Local Security Policy, user rights) enabled.
So those commands don't show anything unusual beyond what I've already said/shown.
(And as to the other questions from commenter "scott": I'm not in Safe Mode, and it's not a fresh install, not that either of those things would cause this behaviour anyway. And as to the commenter's question of when it started: I don't know when this behaviour started.)
There were also some comments before that have now gone. One suggested a repair installation, though I'm interested in what setting might cause this.
Commenter "scott" asks "What happens when you run netplwiz?" Well, the same thing as if you press Windows key + R (to get the old Run dialog box) and type control userpasswords2<ENTER>. It shows that screen where you set whether or not the user has to enter a password to log in, and which user can log in automatically.
All this is irrelevant though. I do have the Administrator account not hidden, but I'm not logging in as Administrator. As I showed with echo %username%, I'm logged in as "user".
Commenter "HelpingHand" states: "Add the columns "Elevated" and "UAC Virtualization". What is the Elevated state of Explorer, the parent process of the cmd? Is that "Elevated=No", "UAC Virtualization=Disabled"? Maybe focus on the parent proc rather than the child. I would also launch the cmd.exe with Process Monitor running. Confirm, in the tree view, that it is the child of the checked Explorer.exe process above, and check the CreateProcess operation by Explorer.exe to launch cmd, specifically the stack that is calling CreateProcess. It would be good to check there are no third-party modules. Maybe paste a screenshot."
Windows 7 doesn't have an "Elevated" column! The Elevated column is specific to Windows 10 (and maybe Win8, but who cares about Win8). In Win10 the columns are tab-specific, and it's associated with the Details tab. In Win7 the columns aren't tab-specific, and there is no "Elevated" column.
Also, you mention Process Monitor, a great program, but I think when you say a tree, you mean Process Explorer. Process Monitor won't show a tree of processes; Process Explorer will. Both are great programs by Sysinternals/Mark Russinovich, now available from MS. Where you mention an operation (like filtering by operation), you mean Process Monitor. There isn't a CreateProcess that I can see, though there is a ThreadCreate.
Looking at a fairly fresh, regular Windows 7 system that doesn't have the issue: Process Explorer shows that the cmd.exe process is a child of the explorer.exe process (it shows under "explorer"), and double-clicking it says the parent is the/an explorer.exe instance. Looking at various processes, some have UAC Virtualization set to Allowed, some to Disabled. Explorer has it set to Disabled; cmd has it set to Disabled.
Looking at the Windows 7 system in question in Process Explorer, I see two explorer processes. cmd isn't showing under either of them, but if I double-click cmd it says explorer.exe is the parent process. Looking at Task Manager, no processes have UAC Virtualization set to Disabled. Explorer has it set to "Not allowed", and cmd has it set to "Not allowed". Of the two explorer processes, one has a command line with "/factory...", the other is just a regular call to explorer.exe. Process Explorer shows the PPID (parent process ID) of cmd.exe, and it matches the instance of explorer.exe that is just called normally.
As for the Process Monitor info, looking at the operation ThreadCreate and the Stack tab, here is a paste.
You mention considering whether there is a third-party module there. I do not see any third-party module, DLL or EXE there.
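The post's checks stop short of the two things that actually decide the question: whether the token of the cmd.exe in question is the full or the UAC-filtered administrator token, and what UAC policy produced it. Two caveats about the commands shown above: whoami /priv | find "Enabled" hides the difference between the two tokens, because the extra privileges in a full administrator token are listed as Disabled and are filtered out, and Task Manager shows UAC Virtualization as "Not allowed" for any process whose token is already elevated, so that column cannot tell an elevated explorer.exe apart from a machine on which UAC is switched off. The following PowerShell script is an added example, not code from the original post or from any of the commenters. It reports whether the Administrators SID is enabled or "used for deny only" in the current token, the token's integrity label, the parent/grandparent process chain (the token is inherited, so an elevated cmd.exe normally implies an elevated explorer.exe), and the UAC policy values under HKLM\...\Policies\System; EnableLUA = 0 turns UAC off entirely, which by itself is enough to make a plainly launched cmd.exe come up elevated. The script name and the depth of the process walk are my choices; everything else uses documented .NET, whoami and WMI interfaces and runs on Windows 7 with PowerShell 2.0 or later.

```powershell
# Check-Elevation.ps1 -- added example, not part of the original post.
# Run it from the cmd.exe in question (it inherits that prompt's token):
#   powershell -ExecutionPolicy Bypass -File .\Check-Elevation.ps1
$ErrorActionPreference = 'Stop'

$adminSid  = 'S-1-5-32-544'   # BUILTIN\Administrators
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)

# IsInRole() is $true only when the Administrators SID is *enabled* in the
# token. In a UAC-filtered token the SID is still listed but marked
# "Group used for deny only", so this returns $false for a non-elevated
# process even though the user is a member of Administrators.
$isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# whoami /groups also lists the mandatory integrity label (S-1-16-*):
#   S-1-16-8192  = Medium Mandatory Level (filtered token, normal prompt)
#   S-1-16-12288 = High Mandatory Level   (full administrator token)
# CSV output has the columns "Group Name","Type","SID","Attributes".
$groups   = whoami /groups /fo csv | ConvertFrom-Csv
$label    = $groups | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
$adminRow = $groups | Where-Object { $_.SID -eq $adminSid }    | Select-Object -First 1

# Walk up the process tree via WMI. Depth 3 (my choice) covers
# powershell.exe <- cmd.exe <- explorer.exe when run as described above.
function Get-ParentChain([int]$ProcessId, [int]$Depth = 3) {
    $chain   = @()
    $current = $ProcessId
    for ($i = 0; $i -lt $Depth -and $current -gt 0; $i++) {
        $p = Get-WmiObject Win32_Process -Filter "ProcessId = $current"
        if (-not $p) { break }
        $chain  += ('{0} (PID {1})' -f $p.Name, $p.ProcessId)
        $current = [int]$p.ParentProcessId
    }
    return ($chain -join ' <- ')
}

# UAC policy. EnableLUA = 0 disables UAC: every process started by a member
# of Administrators then receives the full administrator token, no prompt.
# ConsentPromptBehaviorAdmin only changes the prompt for programs that ask
# to elevate, and FilterAdministratorToken only affects the built-in
# Administrator account, so neither explains an auto-elevated cmd.exe for
# a regular administrator account on its own.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy    = Get-ItemProperty -Path $policyKey

New-Object PSObject -Property @{
    User                       = $identity.Name
    IsElevated                 = $isElevated
    IntegrityLevel             = $label.'Group Name'
    AdministratorsAttributes   = $adminRow.Attributes
    ProcessChain               = Get-ParentChain -ProcessId $PID
    EnableLUA                  = $policy.EnableLUA
    ConsentPromptBehaviorAdmin = $policy.ConsentPromptBehaviorAdmin
    FilterAdministratorToken   = $policy.FilterAdministratorToken
} | Select-Object User, IsElevated, IntegrityLevel, AdministratorsAttributes,
                  ProcessChain, EnableLUA, ConsentPromptBehaviorAdmin,
                  FilterAdministratorToken | Format-List
```

Run it once from the prompt in question and once from a prompt opened with "Run as administrator" on a machine that behaves normally. On the normal machine a plainly launched prompt reports IsElevated False, Medium Mandatory Level and "Group used for deny only" on the Administrators row; the elevated one reports True and High Mandatory Level. If the affected machine reports EnableLUA 0, UAC is off and the elevated prompt is the expected result of that setting rather than of anything in explorer.exe or a third-party module; if EnableLUA is 1 and the prompt is still High, the ProcessChain line tells you which ancestor to look at next.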
user? Really? (1) I suspect that an account called user could still be an administrator account. (1a) Please show us the output of net user %username% | find "Group". (1b) What happens when you run netplwiz? (For good measure, try running it both from CMD and from Explorer.) (1c) whoami /priv | find "Enab" might also be interesting. … (Cont'd)