When you’re the administrator… but not really.
You’re not the administrator. Not really.
Oh, you may think you’re the administrator. Windows may even lead you to believe you’re the administrator.
However, a security feature in Windows (that’s on by default) means you’re not the administrator.
But you can be.
All accounts, including the administrator account created when setting up your machine, run with limited, not administrative, permissions by default. The primary difference between your administrator account and a traditional “limited user account” is whether or not you need to supply a password to the User Account Control (UAC) prompt. Many programs can be run “as administrator” by right-clicking on their shortcut and looking for an option to do so. For those that can’t, you can use Task Manager to run them with administrative privileges. Think twice before doing so, as it bypasses much of Windows’ built-in security.
Administrator … but not
By default, your login account — even if it’s the “administrator” account you created when setting up the machine — doesn’t give the programs you run administrative privileges.
The reason is simple: if it did, any program you run could do anything to your machine. That means if you accidentally run malicious software, it could do anything, perhaps even without your knowledge.
Instead, when you run a program that needs administrative privileges to work, you’ll either be denied with an error message, or you’ll be presented with the User Account Control (UAC) prompt, allowing you to decide whether or not to proceed.
By requiring you to take extra steps, UAC prevents malware from making administrative-level changes to your system without your knowledge.
An administrator account is “administrator-capable”
Let’s say you want to do something requiring administrative access: install a program, for instance.
If you are working within an administrator account, you’ll get the familiar UAC prompt, to which you need only respond Yes or No. Your account is what I’ll call “administrator-capable”.
The account you set up when you installed Windows 10 is administrator-capable. For most people at home or in small businesses, that’s the only account they use.
It’s also possible to set up so-called Limited User Accounts, or LUA, that can be used to sign in instead. When presented with a UAC prompt, users signed in with limited accounts must enter the password (or PIN, if so configured) of an account that is administrator-capable.
This proves the user is authorized to do something requiring administrative privileges. If they don’t know the password, they can’t run something as administrator.
That’s really the only difference: whether or not you’re asked for a password when the UAC prompt appears. In most other respects, all accounts (other than the hidden account called Administrator) are, in a sense, running as limited accounts.
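To see this distinction on your own machine, here is an added PowerShell example (not part of the original article) that reports whether the current session is administrator-capable, whether it is actually elevated, and how the UAC prompt is configured. Get-UacSessionState is a hypothetical function name chosen for illustration.

```powershell
# Added example: report how UAC treats the current session.
# Get-UacSessionState is a hypothetical helper name, not a built-in cmdlet.
function Get-UacSessionState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # True only when the Administrators group is enabled in this process's
    # token, that is, when the process was started elevated.
    $elevated = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami lists every group SID in the token, including groups that UAC
    # has marked "deny only". Matching on SIDs avoids localized group names.
    $groups = (& whoami.exe /groups) -join "`n"
    $adminCapable = $groups -match 'S-1-5-32-544\b'   # BUILTIN\Administrators

    # The mandatory integrity label shows which kind of token this is.
    $integrity = switch -Regex ($groups) {
        'S-1-16-16384' { 'System'; break }
        'S-1-16-12288' { 'High (elevated)'; break }
        'S-1-16-8192'  { 'Medium (not elevated)'; break }
        'S-1-16-4096'  { 'Low'; break }
        default        { 'Unknown' }
    }

    # UAC policy. ConsentPromptBehaviorAdmin 5 (the Windows default) is the
    # Yes/No consent prompt; ConsentPromptBehaviorUser 3 (the default) is the
    # credential prompt shown to limited accounts.
    $key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = Get-ItemProperty -Path $key

    [pscustomobject]@{
        User                 = $identity.Name
        AdministratorCapable = $adminCapable
        Elevated             = $elevated
        IntegrityLevel       = $integrity
        UacEnabled           = ($policy.EnableLUA -eq 1)
        AdminPromptSetting   = $policy.ConsentPromptBehaviorAdmin
        UserPromptSetting    = $policy.ConsentPromptBehaviorUser
    }
}

$state = Get-UacSessionState
$state | Format-List
if ($state.AdministratorCapable -and -not $state.Elevated) {
    'Administrator-capable account, but this session holds a limited token.'
}
```

Run it once in a regular PowerShell window and once in a window opened with “Run as administrator”: the account is the same, but Elevated and IntegrityLevel change.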
Programs that need administrative access
Normally, when a program needs administrative access to perform some function, there are two things Windows can do: deny the request or ask for permission via UAC. Unfortunately, it’s not always possible to ask, which means the request is denied and the program fails to perform the task it was attempting. Running the System File Checker might be one example: if you run it in a regular Command Prompt window, you’ll get an error message that you must be administrator to run the program.
The solution is to run the program “as administrator”. Because your account is administrator-capable, you can run programs with full administrative privileges. Many programs have this option; I’ll use Windows Command Prompt as an example.
Locate the Windows Command Prompt icon in the Windows Start Menu and right-click on it. If present in the resulting sub-menu, click on More. You should now see a “Run as administrator” option.
Click on that and you’ll get the UAC prompt, confirming you want to run the program as administrator. If you are running an administrator account, it should only require clicking on “Yes”. If you’re running a limited account, you’ll need to provide the password of an administrator-capable account.
If there’s no “Run as administrator”
Not all programs have a “Run as administrator” option on their Start Menu or other shortcuts. If you’re logged in with an administrator-capable account, you can still attempt to run a program as administrator using Task Manager.
Run Task Manager (right-click on the clock and click on Task Manager). Under the File menu, click on Run new task. You’ll be prompted to enter a task to run, along with a checkbox that lets you run it as administrator.
You need to know the name of the program’s file (calc, in the example above), or use the Browse… button to locate the program.
Note: Windows File Explorer is a special beast. It’s always running, as it provides the Windows Taskbar and Start menu. As a result, attempting to run it again, with or without administrative privileges, will open a new Explorer window, but may not actually start a new copy, and may not cause that new copy to run as administrator.
You should think twice before running programs as administrator. There should always be a clear reason to do so.
If you run your mail, browser, word processing program, or instant messaging client as administrator, those programs will be able to do anything. That means if you open an attachment in email, for example, whatever that attachment is will also be run with full administrative privileges. If that attachment happens to be malware, you’ll have completely worked around the security measures UAC puts into place.
In addition, Windows treats file ownership and security differently depending on each user’s permissions and whether you have full administrative privileges. In other words, files you create while running a program with full administrative privileges may not be accessible later, when you run normally without those privileges.
In short, UAC security is there for an important reason, and helps keep your machine safe from many forms of malware and exploits. Use “Run as administrator” with caution, and only when you’re sure you need it. Close the program as soon as you no longer need those extra capabilities.