Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

User Account Control (UAC) and Windows Explorer



Symptoms

On Windows Vista and later operating systems, User Account Control (UAC) is enabled by default, running in Admin Approval Mode. Windows Explorer (explorer.exe) is run in the standard user context. If you right-click the Windows Explorer (explorer.exe) icon and select "Run as Administrator", it still runs in the standard user context.

Consider the following scenario:

User Account Control (UAC) is enabled on a Windows Server 2008 workstation in domain Contoso.com. There is a domain user named contoso\test1, who is a local administrator of machine XYZ. Contoso\test1 logs on to the domain at machine XYZ. User Test1 opens Windows Explorer in "Run as Administrator" mode:

1. Click the Start button.

2. Click "All Programs".

3. Click Accessories.

4. Right-click "Windows Explorer", select "Run as administrator", and supply the Local Administrator credentials.

When you use Windows Explorer to start an application, the application is run in the standard user context, not in the Administrator context. For example, if you try to copy a file to the root of the system volume, you are prompted for elevation to complete the task, even though you right-clicked Explorer.exe and selected "Run as Administrator" (and accepted the prompts).


Cause

When an administrator account logs on to a computer running a version of Windows prior to Windows Vista, the user receives only one access token, which includes data to grant the user access to all Windows resources. To help prevent malicious software from silently installing and causing computer-wide infection, Microsoft developed the User Account Control feature. Unlike previous versions of Windows, when an administrator logs on to a computer running Windows Vista and later, the user's full administrator access token is split into two access tokens: a full administrator access token and a standard user access token. During the logon process, authorization and access control components that identify an administrator are removed, resulting in a standard user access token. The standard user access token is then used to start the desktop, that is, the Windows Explorer process (Explorer.exe). Because all applications inherit their access control data from the initial launch of the desktop, they all run as a standard user as well. After an administrator logs on, the full administrator access token is not invoked until the user attempts to perform an administrative task.

When a standard user logs on, only a standard user access token is created. This standard user access token is then used to start the desktop.

The problem is caused by the fact that User Account Control can elevate an application to a higher token only when it is launching a new process. It cannot elevate an existing process.

In this case, Windows Explorer is started in the standard user context when you log on. It is always running in the background in order to display your desktop, and it cannot be elevated because Windows Explorer is already an existing process. When Contoso\test1 logs on, the Windows Explorer (explorer.exe) application is a parent process started in the standard user context. If user test1 opens Windows Explorer (explorer.exe) in "Run as Administrator" mode, this Windows Explorer process will also run in the standard user context.


Resolution

This behavior is by design. If you do not want to be prompted, you can change the security policy setting "Behavior of the elevation prompt for administrators in Admin Approval Mode" to "Elevate without Prompting". You can also disable User Account Control (UAC).
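To see which of the two tokens described under Cause a given process holds, and whether a machine has been set to either option in the Resolution, the following PowerShell can be run in the console being inspected. It is an added example, not part of the original KB article; the function names `Get-TokenElevationType` and `Get-UacPolicy` and the `UacDemo.Native` type are hypothetical, and it assumes the two settings are backed by the `ConsentPromptBehaviorAdmin` and `EnableLUA` registry values.

```powershell
# Added example (not from the KB article): inspect the current process token
# and the UAC policy values behind the two options in the Resolution.
Add-Type -Namespace UacDemo -Name Native -MemberDefinition @'
[DllImport("kernel32.dll")]
public static extern IntPtr GetCurrentProcess();
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr handle);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr token, int infoClass,
    out int info, int length, out int returned);
'@

function Get-TokenElevationType {
    # Hypothetical helper. 0x0008 = TOKEN_QUERY, 18 = TokenElevationType.
    $token = [IntPtr]::Zero
    $ok = [UacDemo.Native]::OpenProcessToken(
        [UacDemo.Native]::GetCurrentProcess(), 0x0008, [ref]$token)
    if (-not $ok) { throw 'OpenProcessToken failed' }
    try {
        $type = 0; $returned = 0
        $ok = [UacDemo.Native]::GetTokenInformation($token, 18, [ref]$type, 4, [ref]$returned)
        if (-not $ok) { throw 'GetTokenInformation failed' }
        switch ($type) {
            1 { 'Default: no linked token (e.g. standard user, or UAC disabled)' }
            2 { 'Full: full administrator access token (elevated)' }
            3 { 'Limited: standard user access token of a split administrator' }
        }
    } finally {
        [void][UacDemo.Native]::CloseHandle($token)
    }
}

function Get-UacPolicy {
    # Hypothetical helper. Reads the registry values behind the two settings.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        UacEnabled           = ($p.EnableLUA -ne 0)                  # 0 = UAC disabled
        ElevateWithoutPrompt = ($p.ConsentPromptBehaviorAdmin -eq 0) # 0 = no prompt
    }
}

"Token elevation type: $(Get-TokenElevationType)"
Get-UacPolicy | Format-List
```

A console started normally by a local administrator reports `Limited`; the same console started with "Run as administrator" reports `Full`, because the elevation is applied when the new process is launched.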


More information


Windows Explorer was not designed to follow the User Account Control Guidelines for applications that "expect" to run in both contexts: standard user context and Administrator context. The CMD.exe utility is an example of an application designed to follow the User Account Control Guidelines so that it can run in both the standard user context and the Administrator context.


Keywords: KB2273047

Article Info
Article ID : 2273047
Revision : 7
Created on : 8/26/2010
Published on : 8/26/2010
Exists online : False
Views : 270