User Account Control Basics

What is User Account Control?

You are likely familiar with User Account Control (UAC), most visible to the end user as a series of prompts that appear when they try to do something.  If they are unfamiliar with the benefits of UAC, you might hear muttering and expletives when these prompts appear:

CredPrompt

The goal of UAC is simple: allow users to run as a standard user, rather than an administrative user, which follows from the principle of least privilege. Even an administrative user will run with standard privileges unless the application or user attempts to elevate privileges. In theory, this limits intentional or accidental damage a user can inflict on the system and other users of the system.

Administrative accounts

A common practice at many organizations is to provide multiple accounts for administrators. For example:

  • CMONSTER – Standard account. I log in, check my e-mail, and surf the web with this account
  • CMONSTER.SA – Administrative account used when access to servers and other important systems is required
  • CMONSTER.DA – Administrative account used when access to desktops is required

So! If I log in to a computer as CMONSTER and want to run PowerShell as CMONSTER.SA, UAC provides me the following shortcut. Any time I ‘Run as Administrator’, I am prompted for credentials, authenticate with CMONSTER.SA, and get a process running as CMONSTER.SA with elevated privileges.

If CMONSTER is an admin on the computer, I cannot use this method. If UAC is disabled on the computer, I cannot use this method. In an organization where some admins give their standard account administrator privileges and/or disable UAC, complications can arise and instructions can get very messy.  Keep UAC on, consider using multiple accounts, and don’t give your standard account admin access.

Expected UAC behavior

The following table illustrates the behavior you should expect with UAC prompts.  I’ve bolded the two ways to open an application with administrator privileges when UAC is enabled:

Current logged in user

UAC

Opened with

Prompt

Credentials provided

End result

admin

Enabled

Run as Administrator

Yes/No

admin

Administrator privileges

admin

Enabled

Run as Administrator

Yes/No

non-admin

Standard user privileges

admin

Enabled

Run as

Credentials

admin

Standard user privileges

admin

Enabled

Run as

Credentials

non-admin

Standard user privileges

admin

Enabled

Double click

 

 

Standard user privileges

non-admin

Enabled

Run as Administrator

Credentials

admin

Administrator privileges

non-admin

Enabled

Run as Administrator

Credentials

non-admin

Standard user privileges

non-admin

Enabled

Run as

Credentials

admin

Standard user privileges

non-admin

Enabled

Run as

Credentials

non-admin

Standard user privileges

non-admin

Enabled

Double click

 

 

Standard user privileges

admin

Disabled

Run as Administrator

 

 

Administrator privileges

admin

Disabled

Run as

Credentials

admin

Administrator privileges

admin

Disabled

Run as

Credentials

non-admin

Standard user privileges

admin

Disabled

Double click

 

 

Administrator privileges

non-admin

Disabled

Run as Administrator

 

 

Standard user privileges

non-admin

Disabled

Run as

Credentials

admin

Administrator privileges

non-admin

Disabled

Run as

Credentials

non-admin

Standard user privileges

non-admin

Disabled

Double click

 

 

Standard user privileges

Common misconceptions with UAC

Run as Administrator does not mean “Run with the local administrator account.”  It means “Elevate to the highest privileges for the current account, and prompt me for credentials if I don’t have access to administrator privileges.”  The phrasing Microsoft chose isn’t straightforward to be fair, but it hasn’t changed for over seven years.

Run as… does not mean “Run with the full privileges of the account I specify.”  It means “Run with the lowest privileges for the account I specify.”  If I specify the local administrator, I still run with low privileges.

UAC Shortcuts

  • Run PowerShell as Administrator, provide your admin credentials, open the application from there.  Because you already approved the privilege escalation, you get no prompt!  My PowerShell profile includes a number of helper functions for launching processes with my administrative account
  • After following either of the following techniques, the application always tries to Run as Administrator per below:
    • If I log in with CMONSTER (not an admin), I am prompted for password when I double click the shortcut.  If I log in with CMONSTER.DA (admin), I am prompted yes/no
    • This will let you use Run as… and still run with admin privileges.  In all other cases Run as… will run with non-admin privileges
  • For a shortcut:  Right click the shortcut, properties, Shortcut tab, Advanced…, check Run as administrator, OK, OK:
    • image
  • For an executable: Right click the application, Properties, Compatibility tab, check Run this program as an administrator
    • clip_image001

How do I verify that UAC is enabled?

  • GUI:  Click Start, type UAC, click Change User Account Control settings
    • image
  • Programmatic

How do I learn more?

This post glosses over the details behind UAC.  UAC also includes a number of mechanisms to allow for compatibility with poorly written software. To this day, over 7 years after the release of Windows Vista, you will still find developers releasing new software that does not play well with UAC.

A few articles with further information: