Terms of Use For FixedByVonnie

By proceeding to access fixedByVonnie.com, you expressly acknowledge, and agree to, all of the following:

fixedByVonnie.com is a personal website and blog owned by Security Plus Pro LLC, which is being presented for informational purposes only. The views on this website are solely those of the website owner (and not those of any employer or of any professional associations affiliated with the website owner).  Any views expressed in this website and any information presented on this website, or in any of its blog entries, should not be relied on for any purpose whatsoever other than as the personal opinions of the website owner.  The website owner expressly disclaims any and all liability for any information presented on this site.  The owner of this website and its blog posts shall not be held liable, and shall be held harmless, for any errors or omissions in any information or representations contained in this website, or in any of its blog entries.  The website owner also expressly disclaims any liability for the current or future availability of any such information. The website owner makes no representations as to the accuracy or completeness of any information on this website or which may be found by following any link on this website. The website owner shall not be held liable for any losses, injuries, damages, claims, or causes of action, from the display or use of any information on this website or in any of its blog entries. If you use the information on this website, or on any of its blog entries, you do so solely at your own risk.

Why do Administrators have to Run As an Administrator in Windows? - fixedByVonnie

Why do Administrators have to Run As an Administrator in Windows?

So here’s how the logic goes:

If any account in the Adminstrator group truly has carte blanche reign on the system then why is my Admin account still prompting me to Run as Administrator?  Doesn’t that mean I’m not really an Admin?

We all know what the Admin account is. In high school I remember wannabe hackers trying to wreak bedlam on the campus network so they could feel powerful.

Admin is that super account that has the singular right to modify security settings, install software and access every file on the computer.  Given this reality, you might find yourself confounded because some Windows functions still require Administrators to explicitly run them as an Administrator.

Whenever you see that little blue and yellow checked shield, you know you’ll need admin rights to execute the command.

Windows 8.1 Command Prompt Admin

The short answer is that the Run As command is there to protect Administrators from themselves and styme rogue processes seeking to run with the elevated privileges of the Admin user.

Every major operating system uses a security model known as Least Privilege which means that everyone has the bare minimum privileges but not more.  For example, a Standard User doesn’t need Admin rights and an Administrator doesn’t need every program to run with Admin rights.

There’s no reason why Notepad needs to run as an Admin so you should be wary if you happen to click an icon that looks like Notepad but suddenly the User Account Control (UAC) pops open; this is a portent that something is wrong.  Don’t run that program.

There’s no reason why Notepad should ever need tro assume the super powers of an Admin.

How it works

When an Admin logs in to a Windows Vista, 7 or 8 PC the user receives two files known as access tokens.  

These tokens have group memberships and show what resources the user can access.  The problem is that in earlier versions of Windows there was no failsafe to verify that an Admin really wanted an application to perform a task that needed the access token.  So you would have lots of people with Admin accounts unwittingly getting infected with viruses, trojans and worms.  Or even worse, sometimes malware would irreparably damage the system by altering the core files that the OS needed to run.

When the Admin logs into the system, he or she receives two token types:

  • Administrator
  • Standard User

Yep, that’s right the Admin account actually get’s a Standard User token at sign-on.  The Admin function doesn’t even kick in until the user attempts to execute a task that explicitly needs Admin rights.

This is the principle of Least Privilege in action because the user account account is only given the essential rights it needs to work.

As the Desktop loads, everything from the explorer.exe shell to the Desktop itself loads using the Standard User token.  All your actions are executed with the Standard User token that’s why if you try to execute a command that requires the Administrator token you’ll see an “Access Denied” message because, even as an Admin, your not invoking the Administrator token to run the application.

Only when you overtly run an application as an Administrator will you invoke the Administrator token.

Forcing Run as Administrator

So how can you manually get the Run as administrator option to display on your applications?

1. Press and hold the Ctrl key as you click the application and you should see the UAC prompt pop open to grant elevate privileges to the process.

2. If you typed the application name from the search bar in the Start Menu, then pressing Ctrl + Shift + Enter should do the trick.

3. Finally, you can right click the file, choose the Shortcut tab and click the Advanced Button to force the change.

Windows Advanced Shortcut Properties

Check off Run as administrator and click OK to confirm the change.

Advanced Properties Run as administrator

One note of caution is needed: just because you can manually force a shortcut to “always run as an Administrator” doesn’t mean you should force a shortcut to always run as an Administrator.

User Access Control may seem annoying but it does provide an additional layer of security to protect your system from unexpected problems.  For this reason, I recommend leaving it as it is.

About

Connect with Vonnie on Twitter

Posted in How To, Security, Windows 7
  • Sonia Nadar

    Hi,
    I have a user which has admin rights. I try running a bat file, but it does not work until I run it as “Run as administrator”.
    I used to run the file using a scheduler, But now I have to do it manually everytime.

    s there any solution to run the file with the current user OR any way where I can schedule with admin user??
    Please help.

  • Carl Oakley

    I’m sorry, but there are times when notepad needs to run as an administrator. What if you are changing a setting and the settings file you need to change is in the program directory which is in the program files folder? You have to save it to documents and then copy the saved file over. Not good productivity.

  • Sandhurst

    I think we need run as admin thing coz if a virus got into your computer and needed to run some system file it’d be difficult…coz it prompts the user to accept and he can choose not to…if this run as thing wasn’t there the virus or the rogue process would secretly execute ur system files.