UAC for Administrators

UAC uses Admin Approval Mode to help protect administrators from malicious and potentially unwanted software. When an administrator logs on, Windows 7 generates two access tokens:

  • Standard user access token: This token is used to start the desktop (Explorer.exe). Because the desktop is the parent process for all user-initiated processes, any applications the user launches also use the standard user access token, which does not have privileges to install software or make important system changes.
  • Full administrator access token: This token has almost unlimited privileges to the local computer. This token is used only after the user confirms a UAC prompt.

Note: As described in the section titled "How to Configure User Account Control" later in this tutorial, you can change the default behavior to suit your needs.

To test this, open two command prompts: one with standard privileges and one with administrative privileges. In each command prompt, run the command whoami /all. The command prompt with administrative privileges will show a membership in the Administrators group. The standard command prompt will not show that group membership.

If the administrator attempts to start an application that requires administrative rights (as identified in the application's manifest, described later), UAC prompts the administrator to grant additional rights using the consent prompt. If the user chooses to grant elevated privileges to an application, the Application Information service creates the new process using the full administrator access token. The elevated privileges will also apply to any child processes that the application launches. Parent and child processes must have the same integrity level. For more information about integrity levels.

Note: The Application Information service must be running to start processes with elevated privileges.

By default, Windows 7 silently elevates privileges for Windows features that require administrator credentials when an administrator is logged on. Therefore, you can start the Computer Management console without responding to a UAC prompt if you are a member of the Administrators group. If you attempt to start a non-Windows application, or if you manually start with administrator credentials a Windows feature that is not manifested for auto-elevation, such as Paint or a command prompt, you will still receive a UAC prompt.

Command prompts require special consideration, because UAC will not prompt you to elevate privileges if you attempt to run a command that requires administrative rights. To run a command with administrative rights, right-click Command Prompt on the Start menu and then click Run As Administrator. The command prompt that opens will include Administrator in the title, helping you identify the window on your taskbar.

Admin Approval Mode does not apply to the built-in Administrator account. To protect this account from attack, the built-in Administrator account is disabled by default. However, Microsoft Deployment Toolkit 2010 enables the Administrator account for use during the deployment process.
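
The two-prompt comparison, the Application Information service requirement, and the built-in Administrator default described above can all be checked from one prompt. The PowerShell below is an added example, not part of the original tutorial; the function name Get-UacTokenState is hypothetical, and the script assumes whoami.exe is available, that the Application Information service is named Appinfo, and that the well-known SIDs S-1-16-* (integrity labels) and RID 500 (built-in Administrator) apply.

```powershell
# Added example: report the UAC-related state of the current shell.
# Get-UacTokenState is a hypothetical name, not a built-in cmdlet.
function Get-UacTokenState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

    # True only when this process holds active Administrators membership,
    # that is, when it was started with the full administrator access token.
    $elevated = $principal.IsInRole($adminRole)

    # Integrity labels appear in the token's group list as S-1-16-<level>.
    # /nh drops the header row so the parse does not depend on UI language.
    $levels = @{ 'S-1-16-4096'  = 'Low';  'S-1-16-8192'  = 'Medium'
                 'S-1-16-12288' = 'High'; 'S-1-16-16384' = 'System' }
    $label = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, SID, Attributes |
        Where-Object { $_.SID -like 'S-1-16-*' } |
        Select-Object -First 1
    $integrity = 'Unknown'
    if ($label -and $levels.ContainsKey($label.SID)) { $integrity = $levels[$label.SID] }

    # The Application Information service must be running for elevation to work.
    $appinfo = Get-Service -Name Appinfo -ErrorAction SilentlyContinue
    $appinfoStatus = 'NotFound'
    if ($appinfo) { $appinfoStatus = $appinfo.Status.ToString() }

    # The built-in Administrator is the local account whose SID ends in -500.
    $builtin = Get-WmiObject Win32_UserAccount -Filter 'LocalAccount=True' |
        Where-Object { $_.SID -like 'S-1-5-21-*-500' }
    $builtinDisabled = $null
    if ($builtin) { $builtinDisabled = $builtin.Disabled }

    New-Object PSObject -Property @{
        User                 = $identity.Name
        Elevated             = $elevated
        IntegrityLevel       = $integrity
        AppinfoService       = $appinfoStatus
        BuiltinAdminName     = $(if ($builtin) { $builtin.Name })
        BuiltinAdminDisabled = $builtinDisabled
    }
}

Get-UacTokenState | Format-List
```

Run it once from a standard PowerShell prompt and once from a prompt started with Run As Administrator, then compare the Elevated and IntegrityLevel fields.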
