So here’s how the logic goes:
If any account in the Administrators group truly has carte blanche on the system, then why is my Admin account still prompting me to Run as Administrator? Doesn’t that mean I’m not really an Admin?
We all know what the Admin account is. In high school I remember wannabe hackers trying to wreak bedlam on the campus network so they could feel powerful.
Admin is that super account that has the singular right to modify security settings, install software and access every file on the computer. Given this reality, you might find yourself confounded because some Windows functions still require Administrators to explicitly run them as an Administrator.
Whenever you see that little blue and yellow checked shield, you know you’ll need admin rights to execute the command.
The short answer is that the Run As command is there to protect Administrators from themselves and stymie rogue processes seeking to run with the elevated privileges of the Admin user.
Every major operating system uses a security model known as Least Privilege, which means that everyone gets the bare minimum privileges they need and no more. For example, a Standard User doesn’t need Admin rights and an Administrator doesn’t need every program to run with Admin rights.
There’s no reason why Notepad needs to run as an Admin so you should be wary if you happen to click an icon that looks like Notepad but suddenly the User Account Control (UAC) pops open; this is a portent that something is wrong. Don’t run that program.
There’s no reason why Notepad should ever need to assume the super powers of an Admin.
How it works
When an Admin logs in to a Windows Vista, 7 or 8 PC, the user receives two files known as access tokens.
These tokens have group memberships and show what resources the user can access. The problem is that in earlier versions of Windows there was no failsafe to verify that an Admin really wanted an application to perform a task that needed the access token. So you would have lots of people with Admin accounts unwittingly getting infected with viruses, trojans and worms. Or even worse, sometimes malware would irreparably damage the system by altering the core files that the OS needed to run.
When the Admin logs into the system, he or she receives two token types:
- Standard User
- Administrator
Yep, that’s right: the Admin account actually gets a Standard User token at sign-on. The Admin function doesn’t even kick in until the user attempts to execute a task that explicitly needs Admin rights.
This is the principle of Least Privilege in action because the user account is only given the essential rights it needs to work.
As the Desktop loads, everything from the explorer.exe shell to the Desktop itself loads using the Standard User token. All your actions are executed with the Standard User token. That’s why, if you try to execute a command that requires the Administrator token, you’ll see an “Access Denied” message: even as an Admin, you’re not invoking the Administrator token to run the application.
Only when you overtly run an application as an Administrator will you invoke the Administrator token.
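To see which of the two tokens a given PowerShell window is actually running with, the function below reads the group attributes from whoami and reports the result. This is an added example, not part of the original article; the function name Get-UacTokenState is made up for illustration, and the "deny only" match assumes an English-language Windows, since whoami output is localized.

```powershell
# Added example: report which of the two UAC tokens this process holds.
# Assumption: English-language Windows (whoami column names are localized).
function Get-UacTokenState {
    $adminSid  = 'S-1-5-32-544'    # BUILTIN\Administrators
    $highLabel = 'S-1-16-12288'    # Mandatory Label\High Mandatory Level

    # whoami /groups lists every group SID in the token with its attributes.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv

    $adminEntry = $groups | Where-Object { $_.SID -eq $adminSid }
    $isHigh     = [bool]($groups | Where-Object { $_.SID -eq $highLabel })

    # .NET's view: true only when Administrators is enabled in this token.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $isInRole  = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)

    if (-not $adminEntry) {
        # The account is not in the Administrators group at all.
        $state = 'Standard user account (no Administrators membership)'
    } elseif ($adminEntry.Attributes -match 'deny only') {
        # The group is present but can only be used to deny access.
        $state = 'Admin account running on the Standard User token'
    } else {
        $state = 'Admin account running on the Administrator token (elevated)'
    }

    New-Object PSObject -Property @{
        User            = $identity.Name
        State           = $state
        AdminGroupFlags = $adminEntry.Attributes
        HighIntegrity   = $isHigh
        IsInRoleAdmin   = $isInRole
    }
}

Get-UacTokenState | Format-List
```

Run it once in a normal PowerShell window and once in a window started with Run as administrator: the same account reports the Standard User token in the first and the Administrator token in the second.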
Forcing Run as Administrator
So how can you manually get the Run as administrator option to display on your applications?
1. Press and hold the Ctrl key as you click the application and you should see the UAC prompt pop open to grant elevated privileges to the process.
2. If you typed the application name from the search bar in the Start Menu, then pressing Ctrl + Shift + Enter should do the trick.
3. Finally, you can right-click the file, choose the Shortcut tab and click the Advanced button to force the change.
Check off Run as administrator and click OK to confirm the change.
One note of caution is needed: just because you can manually force a shortcut to “always run as an Administrator” doesn’t mean you should force a shortcut to always run as an Administrator.
User Account Control may seem annoying but it does provide an additional layer of security to protect your system from unexpected problems. For this reason, I recommend leaving it as it is.