Vista - "run as admin" question

vbimport

#1

To be honest I don’t get it.

I know that Vista installs itself under an “admin” account which is deactivated automatically and immediately after installation. Vista at the same time creates a “local admin” account which has somewhat limited rights and Microsoft even suggests creating a “user” account which is even much more limited.

Now to the “run as admin” function and my question:

When I run a program as “run as admin” a window appears and asks for the local admin account password. This is absolutely logical to me since this is the sense and essence of this function: Logged into a user account a program only has local admin rights and does things that need local admin rights when run with “run as admin”.

But!

When I’m logged into a “local account” why on earth does it make a difference for some programs if run with “run as admin” or not?? Why does “run as admin” appear at all when logged into a local admin account??

An example for this is newer versions of Speedfan. This program now has local admin rights deactivated by default whereas earlier versions had it activated by default. So new versions of Speedfan don’t show HDD SMART values if not run with “run as admin” function.

Does this mean that indeed local admin rights exist in two INDEPENDENT worlds: The local admin account on one hand and the program itself having it activated on the other hand??

So in the local admin account: How do I know which of my programs still to run with “run as admin” and which not? Should I run all my programs in general with “run as admin” in the local admin account?


#2

The reason is the Windows Vista UAC (User Account Control). In Vista even the administrative accounts are limited in (write) accessing the Windows system directories, program directory, registry tree “HKEY_LOCAL_MACHINE”, and a few other things. Therefore a lot of system utilities need administrative privileges.
After publishing Windows 2000 and Windows XP, Microsoft found out that most people were using their own PC with administrative privileges. Therefore in Vista the administrative account is limited and you must confirm special actions before they can be processed.

You can prevent this behaviour by disabling the Vista UAC. But this is not recommended (by Microsoft).


#3

Sorry for not reacting anymore. I had absolutely no time :(. Many thanks for reading and helping. :slight_smile:

Does this mean that the “run as admin” function enables higher rights than the “Local Admin” rights? Those full “Admin” rights that are deactivated after Vista installation?

If so, something doesn’t make sense to me: The password I have to enter after using the “run as admin” function is the one for the “Local Admin” account, isn’t it. What kind of logic is it, that the “Local Admin” account password activates “Admin” rights?


#4

[QUOTE=anikk;2131601]Does this mean that the “run as admin” function enables higher rights than the “Local Admin” rights? Those full “Admin” rights that are deactivated after Vista installation?[/QUOTE]
Yes, that is correct!

[QUOTE=anikk;2131601]If so, something doesn’t make sense to me: The password I have to enter after using the “run as admin” function is the one for the “Local Admin” account, isn’t it. What kind of logic is it, that the “Local Admin” account password activates “Admin” rights?[/QUOTE]
The sense is that there is no need to do the “normal work” on a computer with real administrative rights. Normally you need this only during setup, or when changing machine-specific settings or changing the configuration, like updating or installing a driver.

Basically there is no need for UAC if you use an administrative account for setup and all the stuff, and for normal work an account with rights below administrative privileges. This is the correct way of using WinNT, Win2000, WinXP to prevent changing the system configuration by worms, trojans or stuff like that. If you do not have the right to make changes, the “bad software” can’t infect the system.
The reality was that everyone used only administrative accounts (sure, life is much easier) and the PCs were easily infected by “bad software”.

UAC was the answer to this problem. Microsoft decreased the privileges of the administrative accounts, and some parts of the system can’t be write accessed, like the machine-specific registry parts, Windows directories, program directories. During normal work you will not feel the “missing rights” (read access is possible!). The problem may be older programs not developed for Vista. There are a lot of older programs using the machine-specific registry trees for saving settings (that belong in the user-specific registry trees), saving data in the program directory (this data belongs in the user-specific directories), … and so on. All these things are described in the “design guidelines for developing windows applications” in the MSDN and are years old. These guidelines are mostly from the good old WinNT4.0 times.
If you use Vista and you are, e.g., surfing and you get a UAC notification, I’d really think about confirming it. It could be an attempt to infect your system with software you really do not want…
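
The split described in this thread can be observed from inside a session. The following PowerShell function is an added example, not part of any post above: it reports whether the current process runs with the full administrator rights or with the UAC-limited ones, and whether it can open HKEY_LOCAL_MACHINE for writing. The function name `Get-UacTokenState` is hypothetical, and the parsing assumes English `whoami` output.

```powershell
# Added example (not from the thread). Get-UacTokenState is a hypothetical name.
# Assumes English "whoami /groups" column names and attribute text.
function Get-UacTokenState {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    # True only when BUILTIN\Administrators is an enabled group in the token,
    # i.e. the process was started with "run as admin".
    $elevated = $principal.IsInRole($adminRole)

    # In the limited token the Administrators SID (S-1-5-32-544) is still
    # listed, but marked deny-only, so it can never grant access.
    $adminGroup = whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $denyOnly = [bool]($adminGroup -and ($adminGroup.Attributes -match 'deny only'))

    # Probe: request write access to a machine-wide registry key.
    # Any failure to open it for writing is counted as "no write access".
    $canWriteHklm = $true
    try {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SOFTWARE', $true)
        if ($key) { $key.Close() }
    } catch {
        $canWriteHklm = $false
    }

    if ($elevated)     { $state = 'Full administrator rights (elevated)' }
    elseif ($denyOnly) { $state = 'Administrator account, UAC-limited rights' }
    else               { $state = 'Standard user' }

    New-Object PSObject -Property @{
        User         = $identity.Name
        State        = $state
        Elevated     = $elevated
        CanWriteHKLM = $canWriteHklm
    }
}

Get-UacTokenState | Format-List
```

Run it once from a normal PowerShell window and once from one started with “run as admin” under the same administrator account to compare the two results.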