Issued tokens are used for events such as process creation. The important thing here is that when a process is created after issuing a token, the administrator also executes the new process using the standard user access token.

Generally, explorer.exe which is the parent process of most user processes operates at medium integrity level, so most processes run at the same level to explorer.exe. But when a process requires a high integrity level, processes can obtain an elevated privilege if the user approves it.

This basically means that a process typically uses a standard user access token and uses the UAC to get the user’s authorization if an administrator access token is needed.

The following such actions are examples of events which trigger UAC:

Running an Application as an Administrator

Changes to system-wide settings

Changes to files in folders that standard users don’t have permissions for (such as %SystemRoot% or %ProgramFiles% in most cases)

Changes to an access control list (ACL), commonly referred to as file or folder permissions

Installing device drivers

Installing ActiveX controls

Changing settings for Windows Firewall

Changing UAC settings

Configuring Windows Update

Adding or removing user accounts

Changing a user’s account type

Turning on Guest account (Windows 7 and 8.1)

Turning on file sharing or media streaming

Configuring Parental Controls