What precisely does 'Run as administrator' do?

windows windows-7 privileges administrator runas
Jonathan Hartley picture Jonathan Hartley · Jan 24, 2012 · Viewed 118.5k times · Source

On Windows 7, I have a command-line program that fails due to file write permission errors, and popping up annoying UAC dialogs every time I run command-line programs that are from an 'unknown publisher'.

However, if I start my console by right clicking and choosing 'run as administrator', then the install works fine, even if the UAC dialogs are still present.

My user is already a member of the 'administrators' group, so what precisely does 'run as administrator' do that makes my install work?

My specific question is precisely: What does 'run as administrator' do? Neither of the answers thus far address this. (for example, does it run the new process as the 'Administrator' user? Or does it run the process as the current user, but with elevated privileges? If so, what privileges? How does that differ from the privileges I get from my user being in the 'Administrators' group?

(Specifically, I'm using the 'Console' from SourceForge, not a regular CMD window, but I don't think that's important. This is all while installing the Python 'distribute' package by running 'python distribute_setup.py' on a newly installed Python3 MSI from python.org. It's a 32-bit Python on 64-bit Windows. See Installing Python and distribute on Windows 7 gives "Writing failed ... permission denied")

Answer

arx picture arx · Jan 24, 2012

When you log on Windows creates an access token. This identifies you, the groups you are a member of and your privileges. And note that whether a user is an administrator or not is determined by whether the user is a member of the Administrators group.

Without UAC, when you run a program it gets a copy of the access token, and this controls what the program can access.

With UAC, when you run a program it gets a restricted access token. This is the original access token with "Administrators" removed from the list of groups (and some other changes). Even though your user is a member of the Administrators group, the program can't use Administrator privileges.

When you select "Run as Administrator" and your user is an administrator the program is launched with the original unrestricted access token. If your user is not an administrator you are prompted for an administrator account, and the program is run under that account.

Related questions

What is the Difference Between Windows Administrator and Windows System Users

Is there any privilege difference between the Windows Administrator User and the System User? There have been some times, where I have to promote a cmd window to system privilege to delete some files. This may be due to files …

Read More
Taskkill /f doesn't kill a process

When I start up an Experimental instance of VS from VS for debugging and stop debugging (sometimes directly from the parent VS), a zombile devenv.exe process remains running which I am unable to kill. It holds on to many …

Read More
How to recursively delete an entire directory with PowerShell 2.0?

What is the simplest way to forcefully delete a directory and all its subdirectories in PowerShell? I am using PowerShell V2 in Windows 7. I have learned from several sources that the most obvious command, Remove-Item $targetDir -Recurse -Force, does not …

Read More