Installing as Administrator vs User

Page 1 of 2 12 LastLast

  1. bawldiggle
    Posts : 1,002
    XP Pro (x86) | 7 HP (x86) & (x64) | 7 Pro (x64)
       New #1

    Installing as Administrator vs User


    When installing programs (.EXE files), is ...
    Log on as "User" > EXE file > RClick > "Run as Administrator" ?
    ... the same as...
    Log on as "Adminsitrator" > EXE file > "Run" ?
    About 12 months ago I installed an app (via User Account) and I have discovered it is installed in registry hives...
    HKEY_USERS and HKEY_CURRENT_USER

    Would I be correct in assuming an app installed when logged in as "Administrator" would only appear in HKEY_USERS only ?

    My current laptop installs are a hotch-potch of security levels (accounts)
    Most apps were installed as User, before I acknowledged Win7 superior security (as hard as it was to admit) and lately, several apps intentionally installed as Administrator.

    I would appreciate being enlightened.
    Thank You :)
    ----------
    SPECS
    Toshiba Satellite C665 (Laptop)
    OS:= Windows 7 Home Premium (32-bit), sp1 (Build 7601) OEM
    UI:=Classic Shell Start + Classic Explorer
    Single user (so far)
    Installing as Administrator vs User-c_drive_security-settings.png
    Last edited by bawldiggle; 09 Nov 2013 at 15:31. Reason: additional info
      My Computer
    Quote Quote

  3. Kari
    Posts : 17,545
    Windows 10 Pro x64 EN-GB
       New #2

    GrayGhost2 said:
    When installing programs (.EXE files), is ...
    Log on as "User" > EXE file > RClick > "Run as Administrator" ?
    ... the same as...
    Log on as "Adminsitrator" > EXE file > "Run" ?
    Let's start with this question: No, it's not the same.

    When a user, either a standard user or an administrative user selects Run as administrator, the command will be executed with elevated rights using a so called built-in administrator account rights.

    The built-in administrator account has more rights than a normal administrative account. even if you log in using your normal administrator account you sometimes have not enough rights for a certain task and need to run the command elevated, as a built-in administrator.

    Kari
      My Computer
    Quote Quote

  4. UsernameIssues
    Posts : 10,485
    W7 Pro SP1 64bit
       New #3

    Kari said:
    ~~~
    When a user, either a standard user or an administrative user selects Run as administrator, the command will be executed with elevated rights using a so called built-in administrator account rights.
    ~~~
    That is not my understanding of things...
    ...but i could easily be wrong :-(

    Selecting "Run as administrator" from a context menu to launch an app with elevated privileges does not make use of the Built in Administrator account (most of the time*). It passes the request to consent.exe - which looks at the current user's account type:

    If the user account type = standard, then the consent looks at the list of accounts to use in the prompt for an admin account password. Once a password for an admin account is supplied, I'm not positive that I can describe what access token is being used. But I'm pretty sure that only accounts that are enabled can be used. The built in Administrator account is disabled by default and yet "Run as administrator" still works for both standard and admin user accounts.

    If the user account type = admin and UAC is turned on, then consent merely prompts for the user's approval.

    *Certain OS upgrade situations might make the built in administrator account the only admin account.

    This is old...
    Getting Started with User Account Control in Windows Vista Beta 2
    ...but it mentions the upgrade situation and discusses access tokens. Maybe things have changed in W7.


    To the OP,
    I've only seen a hand full of applications that care which type of account was logged on during the install. Other users might have to manually setup desktop and Start Menu shortcuts. During installation, the registry keys should be created at the computer level and the current user's user level. Once another user logs on and starts the application in question, it should create the needed registry keys at that user's user level. I could be wrong about the registry stuff - I've not had to research it.
      My Computer
    Quote Quote

  6. Kari
    Posts : 17,545
    Windows 10 Pro x64 EN-GB
       New #4

    We can argue about the nuances but to put it very simply, an elevated command means it will be run with equal rights than the built-in administrator. That's why when you are logged in to this "super user" account you can run commands without elevating them because they are already elevated.
      My Computer
    Quote Quote

  7. Alejandro85
    Posts : 2,468
    Windows 7 Ultimate x64
       New #5

    For the most part, yes, it's the same permissions-wise. If "user" is an administrator, what the "run as administrator" option does is just to switch the same user to an administrator context, since it normally starts in a dual token context, one with admin permissions, and other striped of admin rights, but always under the same "user". When you log on as the built-in administrator, you get the same privileges as you would do under "run as administrator" but under a different user name.

    Now for the registry thing, HKEY_USERS is the key that hold data about each particular user account, where each one has full read/write permissions, and where often user-specific settings are stored. Each key you see under it belongs to one account in your computer, encoded with its SID. Now, HKEY_CURRENT_USER is nothing more than a sort of "shortcut" to the corresponding key in HKEY_USERS that belongs to the current user (really, to the user account that runs regedit). The data itself is always written there, and then only "reflected" in HKEY_CURRENT_USER as appropriate.

    The reason you're seeing a difference between administrator and a admin normal user is because that redirection. The "current user" while installing is in one case the built-in administrator and in other case the regular user. Normally, most programs that save settings in the registry will, after installation, write settings to registry in HKEY_CURRENT_USER during normal usage, so in the long run it doesn't matters who installs.
    It's normally recommended in Windows 7 to use a normal user account instead of switching, and rely on UAC elevation to get the required permissions. With UAC disabled, as well as in XP and earlier, the best security practice is effectively to logoff/logon as admin to perform admin-only tasks.
      My Computer
    Quote Quote

  8. Alejandro85
    Posts : 2,468
    Windows 7 Ultimate x64
       New #6

    UsernameIssues said:
    Selecting "Run as administrator" from a context menu to launch an app with elevated privileges does not make use of the Built in Administrator account (most of the time*). It passes the request to consent.exe - which looks at the current user's account type:

    If the user account type = standard, then the consent looks at the list of accounts to use in the prompt for an admin account password. Once a password for an admin account is supplied, I'm not positive that I can describe what access token is being used. But I'm pretty sure that only accounts that are enabled can be used. The built in Administrator account is disabled by default and yet "Run as administrator" still works for both standard and admin user accounts.
    That's true. "Run as administrator" under a standard user just ask to enter a user/password of a user that has admin privileges, and launch the elevated program under that account security context. For admin accounts, they run under a dual-context security, where one user token has full admin permissions, and the other is has limited permissions as it were outside the admin group, that is used to run every program by default. "Run as administrator" on those accounts just uses the full admin token to get the administative permissions, always under the same user account.


    Kari said:
    We can argue about the nuances but to put it very simply, an elevated command means it will be run with equal rights than the built-in administrator. That's why when you are logged in to this "super user" account you can run commands without elevating them because they are already elevated.
    The built-in administrator has no "super user" power, it's just one more administrator account. What's special about it is that it cannot be deleted and has a fixed, predefined SID. But the important point is that it's by default immune to UAC, so it doesn't run with dual tokens, but every program launched from it always has full admin permissions, that's why it never gets any elevation prompt. There is a system policy that can change that, making the administrator account totally equal to any other account.
      My Computer
    Quote Quote

  10. Kari
    Posts : 17,545
    Windows 10 Pro x64 EN-GB
       New #7

    I stand corrected :).
      My Computer
    Quote Quote

  11. UsernameIssues
    Posts : 10,485
    W7 Pro SP1 64bit
       New #8

    Sorry - I did not mean to start stuff. I was attempting to think about the registry question that the OP asked about. Running an app as a user (account type = admins) and using "Run as administrator" does not write install info to any other account's registry keys. That was my main point.

    As a side bar:
    I'm not sure how many tokens a user (account type = admin) gets when the UAC is off.
      My Computer
    Quote Quote

  12. Kari
    Posts : 17,545
    Windows 10 Pro x64 EN-GB
       New #9

    UsernameIssues, you have nothing to feel sorry for. Although my reply to the OP was meant to be a simplified version of the facts, it does not mean my basic facts were correct.

    That's the beauty of these forums, you always learn :).
      My Computer
    Quote Quote

  13. bawldiggle
    Posts : 1,002
    XP Pro (x86) | 7 HP (x86) & (x64) | 7 Pro (x64)
    Thread Starter
       New #10

    Thank you Kari, UsernameIssues, and Alejandro85 ... all ... for your responses, :)
    Kari said:
    The built-in administrator account has more rights than a normal administrative account
    I am unclear on what is "built-in" and "normal" administrator/s.
    -----
    It seems that Admin/User installations will deliver the same result as pure administrator installs. ?
    Pardon my lack of broader knowledge.

    My Toshiba is due for a clean-reinstall of Win7.
    The current Toshiba factory install includes a lot of extras that I never use.
    For over 15 years I have just pointed and clicked with no thought for maintenance other than AV and occasional malware scan.

    In my ignorance ... when any PC or laptop crashed I payed a guru to clean install, and then days (my weekends) reloading numerous programs and tweaking.

    In the next 3 months I am seriously looking at NAS (for 4 towers for AutoCad) with me as the IT person.
    At the moment I am (slowly) downgrading a Dell laptop from Win8 to Win7. (a learning experience, thank you to GregRocker and others)
    Once that is accomplished this Toshiba will get a clean install of Win 7 using ISO file to have more control over what is installed.

    Would I be right assuming a pure Administrator account and pure User account/s would be more clear cut than the current "generic" Admin/User account. (?)
    And I assume privileges would be easier to assign/apply ?

    Apologies for covering so much territory (PCs and laptops) in this thread.
    I would like to have my laptop setup so that there are no grey areas. (The PCs I will tackle in the future)

    My present focus is to get the Dell and (next) Toshiba laptops structured in the most appropriate way.
    (As a consulting engineer ... do it once do it right)

    The concept of installing everything as administrator really appeals ... ?

    Am I on the right track ? :)
      My Computer
    Quote Quote

 
Page 1 of 2 12 LastLast

  Related Discussions
There has long been, and I guess still is, advice to use a standard user rather than administrator account to limit the things that can be done by malware. Until recently I've always used an administrator account despite this advice. After recently seeing a report stating that an extremely...
Hello, Cousin has an old Toshiba he bought pre loaded with W7 Home Premium. He was running it as he got it and I had him add a standard user account for general use and a quasi-administator account for working. He has been running that way for a while. Today I needed him to look in the C:\ Users...
Hi, I'm running Win 7 Pro x64 and Office 2007. I installed a Bluetooth transceiver recently and developed a problem when replying to email in Outlook 2007. When I select an email to reply, the email editor pops up with a "Custom UI Runtime Error in Send to Bluetooth." The solution to this issue...
I tried to google this and it seems neither is possible but I wanted to hear the truths from the horses mouth. I have a Win 7 Pro x64 computer with 2 users who boths needs to be able (this really is a must) install software on the computer but they can't have access to each other's private...
An account on my Windows 7 installation cannot have its type changed from an administrator to a user account. I tried to change it using the cmd and I'm getting these messages: >net localgroup administrators AccountName /del System error 1377 has occurred. The specified account name is...
Our Sites
Site Links
About Us
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

 © Designer Media Ltd
All times are GMT -5. The time now is 06:00.
Find Us