Created: 2024-01-11 17:37
https://scz.617.cn/windows/202401111737.txt
Sometimes, for research convenience, an advanced user wants an administrator-level (elevated) Explorer. But since some Windows 10 build, getting an elevated Explorer has become genuinely hard; try it if you don't believe me.
Today explorer.exe runs as a single instance by default, and Process Explorer shows its Integrity as Medium. Normally, no matter how many Explorer windows you open afterwards, there is still only one explorer.exe process. If you insist on multiple instances, you can do this:
$ explorer.exe /n,C:\
Normally, wherever you start the extra explorer.exe instance from, it ends up being launched with some svchost.exe as its parent; starting it from cmd, Win-R or Task Manager makes no difference.
$ tasklist /svc /fi "pid eq <pid>"
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    768 BrokerInfrastructure, DcomLaunch, PlugPlay,
                                   Power, SystemEventsBroker
I have not pinned down which of those services does the launching; it should be DcomLaunch (DCOM Server Process Launcher), the service that activates out-of-process COM servers, and the registry entries later in this note show explorer.exe registered as exactly such a server. Either way, the multi-instance route does not solve the elevated-Explorer problem: the new instance is still low-privilege (Medium integrity).
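The parentage check above, scripted in PowerShell as an added example (not code from the original post). It lists every explorer.exe, its parent process, and, when the parent is svchost.exe, the services that svchost hosts, which is what `tasklist /svc /fi "pid eq <pid>"` printed. It assumes a Windows 10/11 host and uses only CIM/WMI classes; Get-ExplorerParentage is my own name.

```powershell
# Added example, not from the original post. Lists each explorer.exe with its
# parent and, for an svchost.exe parent, the services hosted there.
function Get-ExplorerParentage {
    foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'explorer.exe'") {
        # The parent may already have exited; in that case the lookup returns nothing.
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }

        $services = @()
        if ($parent -and $parent.Name -ieq 'svchost.exe') {
            # Win32_Service.ProcessId ties each running service to its host process,
            # which is the same mapping tasklist /svc prints.
            $services = (Get-CimInstance Win32_Service -Filter "ProcessId = $($parent.ProcessId)").Name
        }

        [pscustomobject]@{
            PID         = $p.ProcessId
            ParentPID   = $p.ParentProcessId
            Parent      = $parentName
            Services    = ($services -join ', ')
            CommandLine = $p.CommandLine
        }
    }
}

# Spawn one extra instance the way the text does, give it a moment, then compare.
Start-Process "$env:SystemRoot\explorer.exe" -ArgumentList '/n,C:\'
Start-Sleep -Seconds 2
Get-ExplorerParentage | Format-Table -AutoSize
```

If a second explorer.exe appears at all, its Parent column should read svchost.exe and the Services column should include DcomLaunch, regardless of whether the script itself was run from an elevated or a normal PowerShell.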
I'll skip the various permutations and go straight to the conclusion: you must kill every existing explorer.exe instance, then start Explorer with a special switch to get an elevated one. For example, from an elevated cmd:
$ taskkill /f /im explorer.exe && pause && explorer /nouaccheck
The pause is just a breathing gap so the killed instances are gone before the relaunch; /nouaccheck is an undocumented switch, and with no other explorer.exe running it lets the new instance keep the elevated cmd's token. The same works from the Task Manager GUI (Run new task): kill the instances first, then run explorer with the "/nouaccheck" argument.
How do you tell that you now have an elevated Explorer?
Task Manager -> Details -> Select columns -> Elevated (特权 in the Chinese UI)
If that column shows Yes, the process has been elevated to administrator level; No means normal privilege. Process Explorer works too: Integrity High means elevated.
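The kill-and-relaunch procedure above together with the elevation check, scripted as an added example (not code from the original post). It assumes an elevated PowerShell on Windows 10/11; the TokenProbe class, Get-ExplorerElevation and the sleep durations are my own names and choices. Instead of Task Manager it reads TOKEN_ELEVATION and TOKEN_MANDATORY_LABEL directly from each explorer.exe token, which is the information behind Task Manager's Elevated column and Process Explorer's Integrity column.

```powershell
# Added example, not from the original post. Run from an ELEVATED PowerShell.
# Killing explorer.exe makes the taskbar and desktop vanish until the relaunch
# below, so keep another way to reach the machine.
$probeSource = @'
using System;
using System.Runtime.InteropServices;
public static class TokenProbe {
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr info, uint len, out uint ret);
    [DllImport("advapi32.dll")] static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("advapi32.dll")] static extern IntPtr GetSidSubAuthority(IntPtr sid, uint index);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);

    const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;
    const uint TOKEN_QUERY = 0x0008;
    const int TokenElevation = 20;      // TOKEN_ELEVATION { DWORD TokenIsElevated; }
    const int TokenIntegrityLevel = 25; // TOKEN_MANDATORY_LABEL { SID_AND_ATTRIBUTES Label; }

    // Returns { TokenIsElevated, integrity RID } or null if the token cannot be read.
    public static uint[] Query(uint pid) {
        IntPtr proc = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, pid);
        if (proc == IntPtr.Zero) return null;
        IntPtr token;
        if (!OpenProcessToken(proc, TOKEN_QUERY, out token)) { CloseHandle(proc); return null; }
        uint[] result = null;
        IntPtr buf = Marshal.AllocHGlobal(256);
        try {
            uint ret;
            if (GetTokenInformation(token, TokenElevation, buf, 4, out ret)) {
                uint elevated = (uint)Marshal.ReadInt32(buf);
                if (GetTokenInformation(token, TokenIntegrityLevel, buf, 256, out ret)) {
                    // Label.Sid is the first field; the integrity RID is its last
                    // sub-authority (0x1000 Low, 0x2000 Medium, 0x3000 High, 0x4000 System).
                    IntPtr sid = Marshal.ReadIntPtr(buf);
                    uint count = Marshal.ReadByte(GetSidSubAuthorityCount(sid));
                    uint rid = (uint)Marshal.ReadInt32(GetSidSubAuthority(sid, count - 1));
                    result = new uint[] { elevated, rid };
                }
            }
        } finally {
            Marshal.FreeHGlobal(buf);
            CloseHandle(token);
            CloseHandle(proc);
        }
        return result;
    }
}
'@
Add-Type -TypeDefinition $probeSource

$levels = @{ 0x1000 = 'Low'; 0x2000 = 'Medium'; 0x3000 = 'High'; 0x4000 = 'System' }

function Get-ExplorerElevation {
    foreach ($p in Get-Process -Name explorer -ErrorAction SilentlyContinue) {
        $r = [TokenProbe]::Query([uint32]$p.Id)
        $elevated  = if ($null -eq $r) { '?' } elseif ($r[0] -ne 0) { 'Yes' } else { 'No' }
        $integrity = if ($r) { $levels[[int]$r[1]] } else { $null }
        if (-not $integrity) { $integrity = '?' }
        [pscustomobject]@{ PID = $p.Id; Elevated = $elevated; Integrity = $integrity }
    }
}

$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Start this from an elevated PowerShell; a Medium-integrity parent yields a Medium explorer.exe.'
}

'Before:'; Get-ExplorerElevation | Format-Table -AutoSize
Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue   # taskkill /f /im explorer.exe
Start-Sleep -Seconds 2                                             # the "pause" in the cmd one-liner
& "$env:SystemRoot\explorer.exe" /nouaccheck                       # must be the only explorer.exe now
Start-Sleep -Seconds 3
'After:';  Get-ExplorerElevation | Format-Table -AutoSize
```

If it worked, the After table lists a single explorer.exe with Elevated Yes and Integrity High. A Medium entry in the After table means an explorer.exe survived the kill (or was respawned in the gap) and the DCOM factory handed the launch back to the interactive user's token; rerun with a longer gap, or check with the parentage script which svchost.exe owns it.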
Next, look at the DCOM configuration and the related registry keys:
$ dcomcnfg.exe
Console Root
  Component Services
    Computers
      My Computer
        DCOM Config
          Elevated-Unelevated Explorer Factory
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}]
@="Elevated-Unelevated Explorer Factory"
"AppIDFlags"=dword:00000001
"RunAs"="Interactive User"
[HKEY_CLASSES_ROOT\CLSID\{5BD95610-9434-43C2-886C-57852CC8A120}]
@="CLSID_ControlPanelProcessExplorerHost"
"AppId"="{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}"
[HKEY_CLASSES_ROOT\CLSID\{5BD95610-9434-43C2-886C-57852CC8A120}\LocalServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,65,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,\
65,00,20,00,2f,00,66,00,61,00,63,00,74,00,6f,00,72,00,79,00,2c,00,7b,00,35,\
00,42,00,44,00,39,00,35,00,36,00,31,00,30,00,2d,00,39,00,34,00,33,00,34,00,\
2d,00,34,00,33,00,43,00,32,00,2d,00,38,00,38,00,36,00,43,00,2d,00,35,00,37,\
00,38,00,35,00,32,00,43,00,43,00,38,00,41,00,31,00,32,00,30,00,7d,00,00,00
[HKEY_CLASSES_ROOT\CLSID\{682159d9-c321-47ca-b3f1-30e36b2ec8b9}]
@="CLSID_DesktopExplorerHost"
"AppId"="{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}"
[HKEY_CLASSES_ROOT\CLSID\{682159d9-c321-47ca-b3f1-30e36b2ec8b9}\LocalServer32]
@=hex(2):...
[HKEY_CLASSES_ROOT\CLSID\{75dff2b7-6936-4c06-a8bb-676a7b00b24b}]
@="CLSID_SeparateMultipleProcessExplorerHost"
"AppId"="{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}"
"SingleUse"=""
[HKEY_CLASSES_ROOT\CLSID\{75dff2b7-6936-4c06-a8bb-676a7b00b24b}\LocalServer32]
@=hex(2):...
[HKEY_CLASSES_ROOT\CLSID\{ceff45ee-c862-41de-aee2-a022c81eda92}]
@="CLSID_SeparateSingleProcessExplorerHost"
"AppId"="{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}"
[HKEY_CLASSES_ROOT\CLSID\{ceff45ee-c862-41de-aee2-a022c81eda92}\LocalServer32]
@=hex(2):...
--------------------------------------------------------------------------
The @ (default) values under the four LocalServer32 keys are REG_EXPAND_SZ and decode to:
%SystemRoot%\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120}
%SystemRoot%\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9}
%SystemRoot%\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}
%SystemRoot%\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92}
Only TrustedInstaller has Full Control over the {CDCBCFCA-3CDC-436f-A4E2-0E02075250C2} subkey; SYSTEM and the Administrators group are read-only. The key can be edited from WinPE/WinRE, or you can temporarily take ownership as the current user, make the change, and then set the owner back to "NT SERVICE\TrustedInstaller" (export the key with reg export first so it can be restored). Once the permissions allow it, the RunAs value under that key can be renamed (e.g. to "_RunAs_") or deleted. "RunAs"="Interactive User" is what makes DCOM start every factory-activated explorer.exe under the interactive user's token, i.e. the unelevated one under UAC, so removing it reportedly disables the explorer.exe protection described above. I have not tested this.
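A read-only audit of the keys listed above, as an added example (not code from the original post): it prints the AppID's name, RunAs and AppIDFlags, the owner and DACL of the AppID key, and the raw and expanded LocalServer32 command of each of the four CLSIDs, so the permission situation can be checked before anyone takes ownership. It assumes Windows 10/11 and the GUIDs exactly as shown on this page; nothing in it writes to the registry.

```powershell
# Added example, not from the original post. Read-only; safe to run unelevated.
$appId  = '{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}'   # Elevated-Unelevated Explorer Factory
$clsids = @(
    '{5BD95610-9434-43C2-886C-57852CC8A120}',          # CLSID_ControlPanelProcessExplorerHost
    '{682159d9-c321-47ca-b3f1-30e36b2ec8b9}',          # CLSID_DesktopExplorerHost
    '{75dff2b7-6936-4c06-a8bb-676a7b00b24b}',          # CLSID_SeparateMultipleProcessExplorerHost
    '{ceff45ee-c862-41de-aee2-a022c81eda92}'           # CLSID_SeparateSingleProcessExplorerHost
)

$appKey = "Registry::HKEY_CLASSES_ROOT\AppID\$appId"
$props  = Get-ItemProperty -Path $appKey
[pscustomobject]@{
    AppID      = $appId
    Name       = $props.'(default)'
    RunAs      = $props.RunAs                         # "Interactive User": server gets the desktop user's token
    AppIDFlags = ('0x{0:x8}' -f $props.AppIDFlags)
} | Format-List

# Owner and DACL of the AppID key. Per the text, expect the owner to be
# NT SERVICE\TrustedInstaller with FullControl and only read rights for
# SYSTEM and Administrators; anything else means the key was already touched.
$acl = Get-Acl -Path $appKey
"Owner: $($acl.Owner)"
$acl.Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# LocalServer32 is REG_EXPAND_SZ. Get-ItemProperty expands %SystemRoot% for you;
# the .NET API can return it unexpanded, which is what the .reg export contains.
foreach ($clsid in $clsids) {
    $key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("CLSID\$clsid")
    if (-not $key) { "$clsid not present on this build"; continue }
    $srv = $key.OpenSubKey('LocalServer32')
    $raw = $srv.GetValue('', $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    [pscustomobject]@{
        CLSID         = $clsid
        Name          = $key.GetValue('')
        AppId         = $key.GetValue('AppId')
        SingleUse     = ($null -ne $key.GetValue('SingleUse'))   # present (empty string) only on the multi-process host
        LocalServer32 = $raw
        Expanded      = [Environment]::ExpandEnvironmentVariables($raw)
    }
    $srv.Close(); $key.Close()
}
```

All four CLSIDs should report the same AppId and an Expanded command of the form C:\Windows\explorer.exe /factory,{CLSID}; only the SeparateMultipleProcess host should show SingleUse True.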