What is User Account Control?

You are likely familiar with User Account Control (UAC), most visible to the end user as a series of prompts that appear when they try to do something. If they are unfamiliar with the benefits of UAC, you might hear muttering and expletives when these prompts appear.

The goal of UAC is simple: allow users to run as a standard user, rather than an administrative user, which follows from the principle of least privilege. Even an administrative user will run with standard privileges unless the application or user attempts to elevate privileges. In theory, this limits intentional or accidental damage a user can inflict on the system and other users of the system.

Administrative accounts

A common practice at many organizations is to provide multiple accounts for administrators. For example:

CMONSTER – Standard account. I log in, check my e-mail, and surf the web with this account

CMONSTER.SA – Administrative account used when access to servers and other important systems is required

CMONSTER.DA – Administrative account used when access to desktops is required

So! If I log in to a computer as CMONSTER and want to run PowerShell as CMONSTER.SA, UAC provides me the following shortcut. Any time I ‘Run as Administrator’, I am prompted for credentials, authenticate with CMONSTER.SA, and get a process running as CMONSTER.SA with elevated privileges.

If CMONSTER is an admin on the computer, I cannot use this method. If UAC is disabled on the computer, I cannot use this method. In an organization where some admins give their standard account administrator privileges and/or disable UAC, complications can arise and instructions can get very messy. Keep UAC on, consider using multiple accounts, and don’t give your standard account admin access.

Expected UAC behavior

The following table illustrates the behavior you should expect with UAC prompts. I’ve bolded the two ways to open an application with administrator privileges when UAC is enabled:

| Current logged in user | UAC | Opened with | Prompt | Credentials provided | End result |
|---|---|---|---|---|---|
| **admin** | **Enabled** | **Run as Administrator** | **Yes/No** | **admin** | **Administrator privileges** |
| admin | Enabled | Run as Administrator | Yes/No | non-admin | Standard user privileges |
| admin | Enabled | Run as | Credentials | admin | Standard user privileges |
| admin | Enabled | Run as | Credentials | non-admin | Standard user privileges |
| admin | Enabled | Double click | | | Standard user privileges |
| **non-admin** | **Enabled** | **Run as Administrator** | **Credentials** | **admin** | **Administrator privileges** |
| non-admin | Enabled | Run as Administrator | Credentials | non-admin | Standard user privileges |
| non-admin | Enabled | Run as | Credentials | admin | Standard user privileges |
| non-admin | Enabled | Run as | Credentials | non-admin | Standard user privileges |
| non-admin | Enabled | Double click | | | Standard user privileges |
| admin | Disabled | Run as Administrator | | | Administrator privileges |
| admin | Disabled | Run as | Credentials | admin | Administrator privileges |
| admin | Disabled | Run as | Credentials | non-admin | Standard user privileges |
| admin | Disabled | Double click | | | Administrator privileges |
| non-admin | Disabled | Run as Administrator | | | Standard user privileges |
| non-admin | Disabled | Run as | Credentials | admin | Administrator privileges |
| non-admin | Disabled | Run as | Credentials | non-admin | Standard user privileges |
| non-admin | Disabled | Double click | | | Standard user privileges |

Common misconceptions with UAC

Run as Administrator does not mean “Run with the local administrator account.” It means “Elevate to the highest privileges for the current account, and prompt me for credentials if I don’t have access to administrator privileges.” The phrasing Microsoft chose isn’t straightforward, to be fair, but it hasn’t changed for over seven years.

Run as… does not mean “Run with the full privileges of the account I specify.” It means “Run with the lowest privileges for the account I specify.” If I specify the local administrator, I still run with low privileges.

UAC Shortcuts

Run PowerShell as Administrator, provide your admin credentials, and open the application from there. Because you already approved the privilege escalation, you get no prompt! My PowerShell profile includes a number of helper functions for launching processes with my administrative account.

After following either of the following techniques, the application always tries to Run as Administrator, per below:

If I log in with CMONSTER (not an admin), I am prompted for a password when I double click the shortcut.

If I log in with CMONSTER.DA (admin), I am prompted yes/no.

This will let you use Run as… and still run with admin privileges. In all other cases, Run as… will run with non-admin privileges.

For a shortcut: Right click the shortcut, Properties, Shortcut tab, Advanced…, check Run as administrator, OK, OK.

For an executable: Right click the application, Properties, Compatibility tab, check Run this program as an administrator
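To see which executables already carry the Compatibility tab setting described above, the following added example (not part of the original post) lists them. It relies on Windows storing that checkbox as a RUNASADMIN layer under the AppCompatFlags\Layers key for the current user and for all users; the function name Get-RunAsAdminFlag is hypothetical.

```powershell
# Added example: list executables flagged "Run this program as an administrator".
function Get-RunAsAdminFlag {
    [CmdletBinding()]
    param(
        # Per-user and all-users locations of the compatibility layer settings
        [string[]]$Path = @(
            'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',
            'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
        )
    )

    foreach ($keyPath in $Path) {
        # The key does not exist until a compatibility setting has been saved
        if (-not (Test-Path -Path $keyPath)) { continue }

        $key = Get-Item -Path $keyPath
        foreach ($name in $key.Property) {
            # Value name = full path of the executable, data = space-separated layers
            $layers = [string]$key.GetValue($name)
            if ($layers -match '\bRUNASADMIN\b') {
                [pscustomobject]@{
                    Scope      = ($keyPath -split ':')[0]
                    Executable = $name
                    Layers     = $layers
                    # Flags left behind for removed programs show up as False
                    FileExists = (Test-Path -LiteralPath $name)
                }
            }
        }
    }
}

Get-RunAsAdminFlag | Format-Table -AutoSize
```

The shortcut setting is stored inside the .lnk file itself, so it does not appear in this list.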



How do I verify that UAC is enabled?

GUI: Click Start, type UAC, click Change User Account Control settings

Programmatic: Write your own script that works with the UAC registry entries, or use Get-UACSetting, an old (and messy, sorry!) script of mine.
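One way to write such a script, as an added example that is not the Get-UACSetting script mentioned above: it reads the UAC policy values from the registry, translates the prompt settings, and reports whether the current session holds an elevated token. The function name Get-UacPolicy and the output property names are hypothetical.

```powershell
# Added example: report the UAC policy values and whether this session is elevated.
function Get-UacPolicy {
    [CmdletBinding()]
    param(
        # Registry key that holds the UAC policy values
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    )

    # Documented meanings of ConsentPromptBehaviorAdmin and ConsentPromptBehaviorUser
    $adminPrompt = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries'
    }
    $userPrompt = @{
        0 = 'Automatically deny elevation requests'
        1 = 'Prompt for credentials on the secure desktop'
        3 = 'Prompt for credentials'
    }
    # Translate a raw value, keeping missing or unknown values visible
    $describe = {
        param($map, $value)
        if ($null -eq $value) { return 'Not set' }
        if ($map.ContainsKey([int]$value)) { return $map[[int]$value] }
        "Unknown ($value)"
    }

    $values    = Get-ItemProperty -Path $Path -ErrorAction Stop
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    [pscustomobject]@{
        UacEnabled      = ($values.EnableLUA -eq 1)
        AdminPrompt     = & $describe $adminPrompt $values.ConsentPromptBehaviorAdmin
        StandardPrompt  = & $describe $userPrompt $values.ConsentPromptBehaviorUser
        SecureDesktop   = ($values.PromptOnSecureDesktop -eq 1)
        SessionElevated = $principal.IsInRole(
            [Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

Get-UacPolicy | Format-List
```

With UAC enabled, SessionElevated is False for an admin who opened PowerShell with a double click and True after Run as Administrator, which matches the table above.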



How do I learn more?

This post glosses over the details behind UAC. UAC also includes a number of mechanisms to allow for compatibility with poorly written software. To this day, over 7 years after the release of Windows Vista, you will still find developers releasing new software that does not play well with UAC.

A few articles with further information: