I've recently been confused by how UAC works between Standard accounts and Administrator accounts,

As we all know, when UAC is turned on, UAC allows Standard Accounts or Administrator accounts in Admin Approval Mode to gain access to the administrator token in order to perform tasks that require administrative access to the machine - allowing us to switch tokens without switching users,

However, it appears that switching tokens is not really what happens: A while ago, I ran an application that would modify the shell (explorer.exe). I ran the program in a Standard Account, but it needed elevated access: therefore, I used UAC to supply admin credentials so it could complete. I did not seen any change to the shell; I then logged into the administrator account whose credentials I used and I saw that the shell in that account had been changed, which was obviously not what I wanted

It appeared to me that UAC was just basically a "Run-as user" type deal where it actually ran the program as that user. This meant that I wasn't just running it elevated: I was literally running the program as that user,

My question is: is it possible for a standard account to use the administrator token but actually run the program as a standard user and use the current user's profile? Otherwise, it seems to me that if you need to do any administrator tasks, you are pretty much required to log in to an administrator account which defeats the whole purpose of UAC - since UAC runs a program as the administrator, rather than using just the administrator rights,

Is this separation of token and profile possible? Or do all users just have to be administrators in that case? It seems to me this would account for many organizations just granting full administrator access to all users,

Can someone please shed some light on this?

I would like to know if it would have been possible to supply an administrator token to the said program, but run that program in the current user account, not the user account of the administrator whose credentials were supplied - in other words, would it have been possible to modify the shell in the Standard account with that program? The goal would be to launch the process as the logged in user (regardless of current privileges) with administrative rights, not as a process under an account with admin rights.

Hope this makes sense,

CLARIFICATION: I am not referring to Admin Approval Mode or how UAC works. I already know that if UAC is set to a secure setting, even Administrators will be prompted and unless it is turned off, administrators use the standard token by default. I am talking about when the administrator token is gained, is it possible to still run the process as the logged in user, just with the admin token? (not using Run As 'user' but maybe something like run as/with 'token'), etc... In this way, it would be using generic administrative privileges rather than one user's administrative privileges.

Is this at all possible, or have I just pointed out a feature not in Window?

Would I, to achieve the goal described here, have to perhaps turn the standard account into an administrator account any time anything that requires elevation needs to be done, and then turn it back into a standard account when done? Based on comments, it appears that this is not possible and that seems to be a flaw in the OS because it makes UAC basically useless.

CASE IN POINT: A few years ago, I was trying to run a program that would change my computer's theme that needed to patch the system (one of those third-party programs). It required administrator rights. I didn't see any change, but then I logged into the administrator account whose password I had used, and found all the activity had been applied to that account!! I had to mess with it a few times to get it to work, but it was a really wonky process. Would the easiest solution be to just promote that standard account temporarily to an administrator, and then demote it afterwards?


I'm not certain that this answers your specific question but I wanted to pass along two resources for you to look into, think about, potentially test with, and so on just in case either help you resolve or workaround your issue. 1. http://windows.microsoft.com/en-us/windows7/how-do-i-run-an-application-once-with-a-full-administrator-access-token and 2. (Read All Answers) http://superuser.com/questions/327907/opening-explorer-shell-with-admin-privileges-on-xp-with-ie7-installed. I'm wondering if the Run this program as an administrator option being checked would work though as per #1

@JUICED_IT I read both of these articles. I already know how to run as administrator, as the first article discusses. The "Sudo for Windows" link was interesting and closer to what I was talking about- the goal would be to launch the process as the logged in user with administrator rights, not as a process under an account with admin rights, if you know what I mean – InterLinked – 2016-06-02T15:25:42.060

UAC does NOT run a program with an admin token by default. It only does it if the program asks for admin permissions AND if you grant it through the UAC prompt. – surfasb – 2016-06-02T19:23:16.640

Giving the non-admin account explicit access to file system objects, registry keys, and any other objects which the EXE would manipulate may do the trick as well rather than using the RUNAS, etc. if you can determine what all the EXE would need access to run successfully. As a systems admin I've found that some programs/apps are programmed logic wise to run on Windows assuming that the user account that runs it will be a local admin -- this is a definite problem in a corporate environment with security guidelines so that's another thing to consider potentially as well. – Pimp Juice IT – 2016-06-02T19:50:31.117

1I very much doubt a regular account could ever gain an elevated token. Because that’s what you’d need. – Daniel B – 2016-06-02T20:31:49.177



You cannot have a program running under a Standard account, but with Admin permissions.

You are mistaken that UAC is a "Run as another user". Programs running under an Admin's username run with standard permissions by default. It is only when a program is "elevated" does it gain admin permissions. This is even if your user account is an Admin.

UAC was created to solve the problem that all processes running under a user who was an admin had admin permissions.


1What you are describing here is Admin Approval Mode - I already know about all that; I am talking about when you do elevate the process, is it possible for the process to run as the logged in user, rather than the administrator whose credentials were used. That is what is so confusing. – InterLinked – 2016-06-02T20:13:11.963

Admin approval mode is different. And it is still impossible for a process to run with admin permissions but under the authentication of a standard user. – surfasb – 2016-06-06T02:49:49.477


Yes it is possible...
Open a console and type "runas"

use the /profile switch to select a profile to run the program...
use the /savecred switch to save the admin credentials you choose...



RUNAS [ [/noprofile | /profile] [/env] [/savecred | /netonly] ]
        /user:<UserName> program

RUNAS [ [/noprofile | /profile] [/env] [/savecred] ]
        /smartcard [/user:<UserName>] program

RUNAS /trustlevel:<TrustLevel> program

   /noprofile        specifies that the user's profile should not be loaded.
                     This causes the application to load more quickly, but
                     can cause some applications to malfunction.
   /profile          specifies that the user's profile should be loaded.
                     This is the default.
   /env              to use current environment instead of user's.
   /netonly          use if the credentials specified are for remote
                     access only.
   /savecred         to use credentials previously saved by the user.
                     This option is not available on Windows 7 Home or Windows 7 Starter Editions
                     and will be ignored.
   /smartcard        use if the credentials are to be supplied from a
   /user             <UserName> should be in form USER@DOMAIN or DOMAIN\USER
   /showtrustlevels  displays the trust levels that can be used as arguments
                     to /trustlevel.
   /trustlevel       <Level> should be one of levels enumerated
                     in /showtrustlevels.
   program         command line for EXE.  See below for examples

> runas /noprofile /user:mymachine\administrator cmd
> runas /profile /env /user:mydomain\admin "mmc %windir%\system32\dsa.msc"
> runas /env /user:user@domain.microsoft.com "notepad \"my file.txt\""

NOTE:  Enter user's password only when prompted.
NOTE:  /profile is not compatible with /netonly.
NOTE:  /savecred is not compatible with /smartcard.


1Am I missing something here? I thought the whole point is to NOT use the Run As feature, which is basically what UAC is – InterLinked – 2016-06-02T20:43:48.550

Huuum... appears not possible.. from what i'va seen the UAC appears to be close to the Kernel so it can not be surpassed by some software trick... – ZEE – 2016-06-02T21:04:42.647

The administrator token is gain at login... and its valid for that session... I think it will be difficult... what I usually do is disable UAC and use runas... sorry for the mistake... :-( – ZEE – 2016-06-02T21:06:42.113

The administrator token is gained at login - I'm not sure if that makes sense, because standard accounts can still run a process as an admin if UAC is on. – InterLinked – 2016-06-02T21:17:04.513

Ughhh, this won't work. Just because a process authenticates as an admin, doesn't mean it has the authorization of an admin. And no, this isn't what UAC does. With UAC, the admin token (authorization) is not granted at login. Without UAC, the admin token IS granted at login. – surfasb – 2016-06-06T02:52:45.977