Thanks,
As you said, the "trusted installer" is the owner of the Program Files tree. But if I needed to, couldn't I just take ownership of it without using the hidden "Administrator" user?
I'm a bit puzzled by this, because both the "Administrator" user and my user account are members of the same Administrators group.
It's true that you could take ownership and then give yourself, as admin, (or even as a standard user), give yourself the rights you need, however people who have done this have reported strange issues at a later date.
As for the administrator account, I fully agree looking at the groups and rights it should be identical to an elevated admin account. However possibly through some "hard wired" differences in the security model this account does not trigger UAC prompts and is given higher access rights that any other user.
will have to see if I can find a definitive explanation of the differences and post back :)
That article falls in line with what I originally thought about Administrator users. However, I was not aware that group policy disables UAC for the built-in Administrator account. You brought that up earlier and it is good to know.
In older versions of Windows such as Windows XP and 2003, it was possibe to read/write system files and protected parts of the registry by aquiring SYSTEM level privileges. I would imagine that the SYSTEM account and TrustedInstaller have similar, if not the same permissions in Windows Vista/7.
Intresting. thanks for the info, will get the hidden admin sorted.
Thanks guys :)
Quote