Page 1 of 1

Windows Permissions or Run as Admin set UAC?

PostPosted: Mon Jan 18, 2016 4:59 am
by Steve Waite
Adjusting UAC or Running as Admin does not enable permissions.

Permissions are enabled per User or Group. If we don't have permission, we apply the permission to a User, or to a Group. When we log into Windows, we become a member of the Users group. So if we give permission to a folder or file for the Users group, then we automatically gain that permission when we log onto Windows.

"Run as Admin" may elevate permissions to members of the Admins group, which any first Windows user is a member of, so they can add more users. But Admins don't necessarily have permission or access rights to all things.

If we make our own folder, that folder becomes owned by the maker. If we are not the original User to create the folder, then unless we belong to a group with permission, we don't have permission. There are many circumstances where Admins do not have permission, and no adjustment on the UAC slider will make any difference either.

If we install software that wants to allow its program files to be written to or created by any user process, we add Modify permission to the Users group on that program folder. If we make a folder that we subsequently use Windows Installation routines to install apps, then we should add Modify to the Users group first. This way we can install software like FSX into the default program files location, add Modify to the Users group, and never run into permissions and rights issues with FSX, or its folder and anything in it.

The fact is, that making a folder outside program files or on another drive *only appears to fix* the permissions issue *in most cases*, and may fail to work as imagined, sooner or later.

Programs that make system changes, like NVidia inspector, elevate permissions when we run them. An installer may not necessarily be flagged as Admin Only, and run with regular permissions, but then it checks the permissions status of the process, and asks the user to accept elevated permissions to continue if required. Only then may the program create folders, copy files, and make system changes from there on.

A problem can arise with Run as Admin when programs interact with one another. If one program runs as admin, and interfaces with another process, they must both have the same permissions or certain operations cannot continue, even non-secure ones, for example where one app programmatically instructs another, maybe simply to update an edit box or control the appearance of a window.

1. Add modify permission to the users group on any folder I create that I intend to install software into. The Write permission is added automatically with the Modify permission.

2. Add modify permission to the Users group on any program folder I think may want to allow other programs write access to files and folders. For example "C:\Program Files (x86)\Lockheed Martin\Prepar3D v3".

3. If we run one program as admin, for example FSX, then we must ensue that other exe programs Run as Admin too, depending on what they do, some features may not work otherwise.

Windows permissions and security is very complicated, but the above advice will save us from 99% of problems.