UAC for Administrators
UAC uses Admin Approval Mode to help protect administrators from malicious and potentially unwanted software. When an administrator logs on, Windows 7 generates two access tokens:
- Standard user access token: This token is used to start the desktop (Explorer.exe). Because the desktop is the parent process for all user-initiated processes, any applications the user launches also use the standard user access token, which does not have privileges to install software or make important system changes.
- Full administrator access token: This token has almost unlimited privileges to the local computer. This token is used only after the user confirms a UAC prompt.
Note: As described in the section titled "How to Configure User Account Control" later in this tutorial, you can change the default behavior to suit your needs.
To test this, open two command prompts: one with standard privileges and one with administrative privileges. In each command prompt, run the command whoami /all. The command prompt with administrative privileges will show a membership in the Administrators group. The standard command prompt will not show that group membership.
If the administrator attempts to start an application that requires administrative rights (as identified in the application's manifest, described later), UAC prompts the administrator to grant additional rights using the consent prompt. If the user chooses to grant elevated privileges to an application, the Application Information service creates the new process using the full administrator access token. The elevated privileges will also apply to any child processes that the application launches. Parent and child processes must have the same integrity level. For more information about integrity levels.
Note: The Application Information service must be running to start processes with elevated privileges.
By default, Windows 7 silently elevates privileges for Windows features that require administrator credentials when an administrator is logged on. Therefore, you can start the Computer Management console without responding to a UAC prompt if you are a member of the Administrators group. If you attempt to start a non-Windows application or if you manually start a Windows feature with administrator credentials that is not manifested for auto-elevation, such as Paint or a command prompt, you will still receive a UAC prompt.
Command prompts require special consideration, because UAC will not prompt you to elevate privileges if you attempt to run a command that requires administrative rights. To run a command with administrative rights, right-click Command Prompt on the Start menu and then click Run As Administrator. The command prompt that opens will include Administrator in the title, helping you identify the window on your taskbar.
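The whoami comparison described above can be scripted so the two tokens are easy to tell apart. The following is an added example, not code from the original tutorial; it assumes only whoami.exe and the .NET WindowsIdentity class that ship with Windows 7. Run it once from a normal PowerShell window and once from a window started with Run As Administrator and compare the two results.

```powershell
# Added example (not from the original tutorial): report which of the two
# Admin Approval Mode tokens the current PowerShell session is running under.

function Get-UacTokenState {
    # whoami /groups lists every group SID in the token, including the
    # integrity (Mandatory Label) SID, together with each group's attributes.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv

    # Integrity level: S-1-16-8192 = Medium (filtered standard user token),
    # S-1-16-12288 = High (full administrator token after a consent prompt).
    $label = $groups | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1

    # BUILTIN\Administrators is S-1-5-32-544. In the filtered token it is still
    # listed, but marked "Group used for deny only", so it grants no rights.
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' } | Select-Object -First 1

    # .NET honours the same deny-only attribute, so IsInRole returns $false
    # for an administrator whose session was not elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        User              = $identity.Name
        IntegrityLevel    = if ($label)  { $label.'Group Name' } else { 'unknown' }
        AdminGroupPresent = [bool]$admins
        AdminGroupAttrs   = if ($admins) { $admins.Attributes }   else { '' }
        DenyOnly          = [bool]($admins -and $admins.Attributes -match 'deny only')
        Elevated          = $elevated
    }
}

Get-UacTokenState | Format-List
```

In the standard window expect a Medium integrity label, DenyOnly set to True and Elevated False; in the Run As Administrator window expect High integrity, DenyOnly False and Elevated True.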
Admin Approval Mode does not apply to the built-in Administrator account. To protect this account from attack, the built-in Administrator account is disabled by default. However, Microsoft Deployment Toolkit 2010 enables the Administrator account for use during the deployment process.