Differences in Elevation Prompts For Standard Users and Administrators

  • Question

  • Hello,

    In some scenarios, an elevation prompt occurs while using an Administrator account, while for the same action no prompt occurs while using a standard account. For example, when we open Registry Editor, Event Viewer, Device Manager, etc. while using an administrator account, an elevation prompt asks for permission to open it. But when we open them while using a standard account, they open without a prompt. Why is that? Why does no prompt appear for them in a Standard account? Isn't it a security risk? Some other system programs like gpedit and msconfig do show a prompt, but regedit, devmgmt, and Event Viewer don't show any prompt. How can this be set so that a prompt appears before opening every system program? Please help.

    Michael Harris

    Wednesday, April 20, 2011 11:35 PM

All replies

  • Michael,

    This isn't a security risk. REGEDIT.EXE uses the "highestAvailable" execution level (specified in its manifest XML) and you have the entire documentation for the execution levels here:

    http://msdn.microsoft.com/en-us/library/bb756929.aspx

    Look at the two tabular columns for the "highestAvailable" execution level; it's self-explanatory.

    Whereas MSCONFIG.EXE uses "requireAdministrator" execution level.

    <requestedPrivileges>
      <requestedExecutionLevel
        level="requireAdministrator"
        uiAccess="false"
      />
    </requestedPrivileges>

    Ramesh Srinivasan | The Winhelponline Blog
    Microsoft MVP, Windows Desktop Experience

    • Marked as answer by Niki Han Friday, May 13, 2011 3:07 AM
    Thursday, April 21, 2011 8:02 AM
    Answerer
  • Hi Michael,

    For more information, you can refer to the following article. It has a detailed explanation.

    http://technet.microsoft.com/en-us/magazine/2009.07.uac.aspx

    Best Regards,

    Niki
    Friday, April 22, 2011 10:30 AM
  • Thanks for the help. Where are these manifest files located? Or will I have to create it? And can I edit it? Michael
    Friday, April 22, 2011 12:31 PM
  • Hi,

    Regarding the Manifest, check if the following article is helpful.

    http://www.samlogic.net/articles/manifest.htm

    Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Niki
    Monday, May 9, 2011 4:22 AM
  • Ramesh, you didn't need to make it so complicated.

    To put it simply, some applications like Windows Registry Editor simply request the highest available privilege for the user account in the context of which they run.

    The highest privilege available to a standard user is standard privileges. Hence, you see no prompt but you cannot edit certain parts of the registry such as HKEY_LOCAL_MACHINE.

    The highest privilege for an administrator is Administrative privileges. Hence, you see the UAC prompt.

    P.S. The advantage of this is that standard users CAN run Registry Editor but CANNOT affect system settings with it, while administrator CAN do anything they like with it. (They are supposed to, right?)

    As for MSCONFIG however, it purely edits system settings, so it always requires administrative privileges.


    The greatest moment of everyone's life is the moment of positive thinking.
    • Edited by Fleet Command Monday, May 9, 2011 5:42 AM Provided a reason
    • Marked as answer by Niki Han Friday, May 13, 2011 3:08 AM
    Monday, May 9, 2011 5:34 AM
  • Manifests are usually not separate files; they are inside the program itself and there is no way of editing them without some hacking.
    The greatest moment of everyone's life is the moment of positive thinking.
    • Marked as answer by Niki Han Friday, May 13, 2011 3:08 AM
    Monday, May 9, 2011 5:37 AM
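
An added example, not part of the original thread or any poster's code: a Python sketch that reads the requested execution level out of a manifest embedded in an executable, which is where the last reply says manifests normally live. The function names and the sample byte strings are constructed for illustration, and the byte scan is a heuristic rather than a full PE resource parser.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Embedded manifests are stored as plain XML text inside the executable,
# so a byte scan for the <assembly> element finds them. This is a heuristic
# (assumption of this example), not a PE resource-directory parser.
ASSEMBLY_RE = re.compile(
    rb"<(?:\w+:)?assembly[\s>].*?</(?:\w+:)?assembly\s*>", re.DOTALL
)


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def requested_execution_level(data):
    """Return (level, uiAccess) from the first manifest that declares one, else None."""
    for match in ASSEMBLY_RE.finditer(data):
        try:
            root = ET.fromstring(match.group(0).decode("utf-8", errors="replace"))
        except ET.ParseError:
            continue  # bytes that only looked like a manifest
        for elem in root.iter():
            if local_name(elem.tag) == "requestedExecutionLevel":
                return elem.get("level"), elem.get("uiAccess", "false")
    return None


# Constructed sample inputs: a fake "MZ" stub followed by an embedded manifest.
SAMPLE_REQUIRE_ADMIN = (
    b"MZ" + b"\x00" * 64
    + b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
    b'<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security>'
    b"<requestedPrivileges>"
    b'<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>'
    b"</requestedPrivileges></security></trustInfo></assembly>"
    + b"\x00" * 16
)
SAMPLE_HIGHEST = SAMPLE_REQUIRE_ADMIN.replace(b"requireAdministrator", b"highestAvailable")
SAMPLE_NO_MANIFEST = b"MZ" + b"\x00" * 64

if __name__ == "__main__":
    # Usage: python manifest_level.py <path-to-exe> [...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, requested_execution_level(fh.read()))
```

A result of `None` means the scan found no embedded manifest declaring a level; it does not by itself say how Windows will treat the program.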