You’re not the administrator. Not really.
Oh, sure, you may think that you’re the administrator. And Windows may have even lead you to believe that you’re the administrator.
But, as the result of a new security feature introduced in Windows Vista and made less obnoxious in Windows 7, you’re not the real administrator by default.
But you can be.
Administrator … But Not
UAC, or User Account Control, is an important security feature that, in essence, makes the account that you’ve created to be the administrator not have administrative privileges by default.
The reason is that most users run as administrator on their own machine. That means that without this feature, any programs you run also have full administrative privileges.
The solution is to think of your administrator account more like “administrator capable”, rather than being the actual real-life administrator.
By administrator-capable, I mean that Windows will often ask you for permission before performing tasks that require true administrative access and you’ll just have to say yes or no.
Accounts which are not administrator-capable will have to supply the administrator password to prove that the user has the authorization to do something that requires administrative privileges.
Asking Versus Denying
Not all programs are written in such a way that they can ask and it’s not always possible to ask in every situation. The best that can happen then is to deny whatever it is you’re attempting if it requires administrative access.
The solution is to run the program as administrator. Because your account is administrator-capable, you can run a program with full administrative privileges.
Many programs have this option, including the Windows Command Prompt, which is where I most often use this trick. I’ll use the more commonly used Windows Explorer as an example.
Right-click on the Windows Explorer icon:
Now, right-click again, but this time, on the Windows Explorer line in that pop-up menu:
As you can see, there’s what we’re looking for: “Run as administrator”. Click on that. You’ll get the UAC confirmation prompt. After clicking Yes, that instance of Windows Explorer has full administrative privileges.
It’s tempting to just leave that Windows Explorer open and running so that you’ll never bump into the restriction, but this opens up risks.
Any program that you start from within that copy of Windows Explorer inherits administrative privileges. If you run your mail, your browser, your word processing program or instant messaging client by double-clicking on their icon in this instance of Windows Explorer, they’ll be able to do anything. And that includes any malware, such as emailed attachments, that they might “invite” onto your system. Essentially, you’ll have completely subverted the security measures that the UAC puts into place.
In addition, Windows treats file ownership and security differently, depending on what user you are and whether you have full administrative privileges. In other words, the files that you create with full administrative privileges might not be accessible to you without those privileges – even though you were logged in with the same administrator-capable account.
In short, the security put into place with the UAC is there for an important reason and helps keep your machine safe from many forms of malware and exploits. Use “Run as administrator” with caution and only when you’re sure that you need to use it. And even then, use it only for those things that require it. Close the program (Windows Explorer in our example above) as soon as you no longer need
the extra capabilities.