User Account Control Basics

What is User Account Control?

You are likely familiar with User Account Control (UAC), most visible to the end user as a series of prompts that appear when they try to do something.  If they are unfamiliar with the benefits of UAC, you might hear muttering and expletives when these prompts appear:

[Image: UAC credential prompt]

The goal of UAC is simple: allow users to run as a standard user, rather than an administrative user, which follows from the principle of least privilege. Even an administrative user will run with standard privileges unless the application or user attempts to elevate privileges. In theory, this limits intentional or accidental damage a user can inflict on the system and other users of the system.

Administrative accounts

A common practice at many organizations is to provide multiple accounts for administrators. For example:

  • CMONSTER – Standard account. I log in, check my e-mail, and surf the web with this account
  • CMONSTER.SA – Administrative account used when access to servers and other important systems is required
  • CMONSTER.DA – Administrative account used when access to desktops is required

So! If I log in to a computer as CMONSTER and want to run PowerShell as CMONSTER.SA, UAC provides me the following shortcut. Any time I ‘Run as Administrator’, I am prompted for credentials, authenticate with CMONSTER.SA, and get a process running as CMONSTER.SA with elevated privileges.

If CMONSTER is an admin on the computer, I cannot use this method. If UAC is disabled on the computer, I cannot use this method. In an organization where some admins give their standard account administrator privileges and/or disable UAC, complications can arise and instructions can get very messy.  Keep UAC on, consider using multiple accounts, and don’t give your standard account admin access.

Expected UAC behavior

The following table illustrates the behavior you should expect with UAC prompts.  I’ve bolded the two ways to open an application with administrator privileges when UAC is enabled:

| Current logged in user | UAC | Opened with | Prompt | Credentials provided | End result |
|---|---|---|---|---|---|
| **admin** | **Enabled** | **Run as Administrator** | **Yes/No** | **admin** | **Administrator privileges** |
| admin | Enabled | Run as Administrator | Yes/No | non-admin | Standard user privileges |
| admin | Enabled | Run as | Credentials | admin | Standard user privileges |
| admin | Enabled | Run as | Credentials | non-admin | Standard user privileges |
| admin | Enabled | Double click | | | Standard user privileges |
| **non-admin** | **Enabled** | **Run as Administrator** | **Credentials** | **admin** | **Administrator privileges** |
| non-admin | Enabled | Run as Administrator | Credentials | non-admin | Standard user privileges |
| non-admin | Enabled | Run as | Credentials | admin | Standard user privileges |
| non-admin | Enabled | Run as | Credentials | non-admin | Standard user privileges |
| non-admin | Enabled | Double click | | | Standard user privileges |
| admin | Disabled | Run as Administrator | | | Administrator privileges |
| admin | Disabled | Run as | Credentials | admin | Administrator privileges |
| admin | Disabled | Run as | Credentials | non-admin | Standard user privileges |
| admin | Disabled | Double click | | | Administrator privileges |
| non-admin | Disabled | Run as Administrator | | | Standard user privileges |
| non-admin | Disabled | Run as | Credentials | admin | Administrator privileges |
| non-admin | Disabled | Run as | Credentials | non-admin | Standard user privileges |
| non-admin | Disabled | Double click | | | Standard user privileges |

Common misconceptions with UAC

Run as Administrator does not mean “Run with the local administrator account.”  It means “Elevate to the highest privileges for the current account, and prompt me for credentials if I don’t have access to administrator privileges.”  The phrasing Microsoft chose isn’t straightforward to be fair, but it hasn’t changed for over seven years.

Run as… does not mean “Run with the full privileges of the account I specify.”  It means “Run with the lowest privileges for the account I specify.”  If I specify the local administrator, I still run with low privileges.

UAC Shortcuts

  • Run PowerShell as Administrator, provide your admin credentials, and open the application from there. Because you already approved the privilege escalation, you get no prompt! My PowerShell profile includes a number of helper functions for launching processes with my administrative account.
  • After following either of the two techniques below, the application always tries to Run as Administrator:
    • If I log in with CMONSTER (not an admin), I am prompted for a password when I double click the shortcut. If I log in with CMONSTER.DA (admin), I am prompted yes/no.
    • This will let you use Run as… and still run with admin privileges. In all other cases Run as… will run with non-admin privileges.
  • For a shortcut: right click the shortcut, Properties, Shortcut tab, Advanced…, check Run as administrator, OK, OK.
  • For an executable: right click the application, Properties, Compatibility tab, check Run this program as an administrator.

How do I verify that UAC is enabled?

  • GUI:  Click Start, type UAC, click Change User Account Control settings
  • Programmatic
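
One way to do the programmatic check, as an added example that is not code from the original post: it reads the UAC policy values Windows stores under `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` and reports whether the current process holds an elevated token, which is the "End result" column of the table above. The function names `Get-UacStatus` and `Resolve-Prompt` are hypothetical.

```powershell
# Added example; function names are illustrative, registry values are Windows' own.
function Resolve-Prompt($Map, $Value) {
    if ($null -eq $Value) { return 'Not set (Windows default applies)' }
    if ($Map.ContainsKey([int]$Value)) { return $Map[[int]$Value] }
    return "Unrecognized value $Value"
}

function Get-UacStatus {
    $key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = Get-ItemProperty -Path $key -ErrorAction Stop

    # ConsentPromptBehaviorAdmin: what an administrator sees on elevation.
    $adminPrompt = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries'
    }
    # ConsentPromptBehaviorUser: what a standard user sees on elevation.
    $userPrompt = @{
        0 = 'Automatically deny elevation requests'
        1 = 'Prompt for credentials on the secure desktop'
        3 = 'Prompt for credentials'
    }

    # With UAC on, an unelevated admin holds a filtered token, so IsInRole is False.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        UacEnabled      = ($policy.EnableLUA -eq 1)
        AdminPrompt     = Resolve-Prompt $adminPrompt $policy.ConsentPromptBehaviorAdmin
        StandardPrompt  = Resolve-Prompt $userPrompt  $policy.ConsentPromptBehaviorUser
        SecureDesktop   = ($policy.PromptOnSecureDesktop -eq 1)
        CurrentUser     = $identity.Name
        ProcessElevated = $elevated
    }
}

Get-UacStatus | Format-List
```

Run it once from a normal PowerShell window and once from one opened with Run as Administrator: `ProcessElevated` changes while `CurrentUser` stays the same unless different credentials were supplied at the prompt.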

How do I learn more?

This post glosses over the details behind UAC.  UAC also includes a number of mechanisms to allow for compatibility with poorly written software. To this day, over 7 years after the release of Windows Vista, you will still find developers releasing new software that does not play well with UAC.

A few articles with further information:

3 thoughts on “User Account Control Basics”

  1. Martin – good point!

    I try to avoid showing workarounds designed for things I don’t encourage (e.g. logging in to a desktop as an administrator, even if UAC is enabled), but I’m assuming one could set ConsentPromptBehaviorAdmin to 1 or 3 for the occasions when this is warranted?

    Cheers!
