You’re not the administrator. Not really.
Oh, sure, you may think you’re the administrator. Windows may even lead you to believe you’re the administrator.
However, a security feature in Windows that is on by default means you’re not the administrator.
But you can be.
Become a Patron of Ask Leo! and go ad-free!
Administrator … but not
By default, your login account — even if it’s the “administrator” account you created when setting up the machine — doesn’t give the programs you run administrative privileges.
The reason is simple: if it did, any program you run could do anything to your machine. That means if you accidentally run malicious software, it could do anything, perhaps even without your knowledge.
Instead, when you run a program that needs administrative privileges to work, you’ll either be denied with an error message, or you’ll be presented with the “User Account Control”, or UAC prompt, allowing you to decide whether or not to proceed.
By requiring you to take extra steps, UAC prevents malware from making administrative-level changes to your system without your knowledge.
An administrator account is “administrator-capable”
Let’s say you want to accomplish a function requiring administrative access: install a program, for instance.
If you are working within an administrator account, you’ll get the familiar UAC prompt, to which you need only respond Yes or No. Your account is what I’ll call “administrator capable”.
The account you set up when you installed Windows 10 is “administrator capable”. For most people at home or in small businesses, that’s the only account they use.
It’s also possible to set up so-called “limited user accounts” or LUA, that can be used to sign in instead. When presented with a UAC prompt, users signed in with limited accounts must enter the password (or PIN, if so configured) of an account that is administrator capable.
This proves the user is authorized to do something requiring administrative privileges. If they don’t know the password, they can’t run something as administrator.
That’s really the only difference: whether or not you’re asked for a password when the UAC prompt appears. In most other respects, all accounts (other than the hidden account called “Administrator”1), are, in a sense, running as limited accounts.
Programs that need administrative access
Normally, when a program needs administrative access to perform some function, there are two things Windows can do: deny the request, or ask for permission via UAC. Unfortunately, it’s not always possible to ask, which means the request is denied and the program fails to perform whatever task it was attempting. Running the System File Checker might be one example: if you run it in a regular Command Prompt window, you’ll get an error message that you must be administrator to run the program.
The solution is to run the program “as administrator“. Because your account is administrator-capable, you can run programs with full administrative privileges. Many programs have this option; I’ll use Windows Command Prompt as an example.
Locate the Windows Command Prompt icon in the Windows Start Menu and right-click on it. If present in the resulting sub-menu, click on More. You should now see a “Run as administrator” option.
Click on that and you’ll get the UAC prompt, confirming you want to run the program as administrator. If you are running an administrator account, it should only require clicking on “Yes”. If you’re running a limited account, you’ll need to provide the password of an administrator-capable account.
If there’s no “Run as administrator”
Not all programs have a “Run as administrator” option on their Start Menu or other shortcuts. If you’re logged in with an administrator-capable account, you can still attempt to run a program as administrator using Task Manager.
Run Task Manager (right-click on the clock and click on Task Manager). Under the File menu, click on Run new task . You’ll be prompted to enter a task to run, along with a checkbox that lets you run it as administrator.
You need to know the name of the program’s file (calc, in the example above), or use the Browse… button to locate the program.
Note: Windows File Explorer is a special beast. It’s always running, as it provides the Windows Taskbar and Start menu. As a result, attempting to run it again, with or without administrative privileges, will open a new Explorer window, but may not actually start a new copy, and may not cause that new copy to run as administrator.
You should think twice before running programs as administrator. There should always be a clear reason to do so.
If you run your mail, browser, word processing program, or instant messaging client as administrator, those programs will be able to do anything. That means if you open an attachment in email, for example, whatever that attachment is will also be run with full administrative privileges. If that attachment happens to be malware, you’ll have completely subverted the security measures UAC puts into place.
In addition, Windows treats file ownership and security differently depending on each user’s permissions and whether you have full administrative privileges. In other words, files you create while running a program with full administrative privileges may not be accessible later, when you run normally without those privileges.
In short, UAC security is there for an important reason, and helps keep your machine safe from many forms of malware and exploits. Use “Run as administrator” with caution, and only when you’re sure you need it. Close the program as soon as you no longer need those extra capabilities.
If you found this article helpful you'll love Confident Computing! My weekly email newsletter is full of articles that help you solve problems, stay safe, and increase your confidence with technology.
Subscribe now, and I'll see you there soon,