Can somebody explain the "run as administrator" thing to me?

[scottw182]

I understand HOW to use it. What I don't understand is WHY it's necessary, and WHEN it's necessary. Sometimes, people suggest installing a program as administrator by right-clicking the .exe and selecting run as administrator. Sometimes, people suggest running a program that's already installed as administrator if it's not working properly. I just don't get it, I'd like to know when I should do it and when it's not necessary. Can somebody please explain this? Or refer me to an article that elaborates on this topic? I looked through the stickies but I didn't see anything other than a guide showing you how to do it.

 

[Ijack]

It's quite simple. You "run as administrator" when you need administrative privileges.

Best practice for any OS is to normally log on as a user with restricted privileges (this prevents you - for example - from accidently deleting important files). But if you need to do something that requires an administrator (e.g. adding a new user), rather than logging off and logging on as an administrator you can just select "run as administrator" and supply the appropriate password. Just for that one program or command you are acting as an administrator. Once it's finished you're a restricted user again.

 

[scottw182]

The account I'm typically logged in under is an administrator account, but I still have to do this often, why is that?

 

[saint19]

Hi newcomer and welcome to the Tom's hardware forum.

The "Run as administrator" is used when you use a PC as normal user. The normal users don't have administrator permissions and can't install programs or remove programs.

Why is recommended use it? Because all the installation programs needs change some features in the regedit and for that you need be administrator.

 

[Ijack]

The account I'm typically logged in under is an administrator account, but I still have to do this often, why is that?

It is a little confusing in Windows 7 (used to be more obvious in earlier versions of Windows). There are administrator accounts, which are more powerful than ordinary users, and the Administrator account. This latter is usually hidden and is more powerful - basically it can do anything on the PC. The lesser administrator accounts can't do everything, but they are allowed to elevate their privilige level to full Administrator. When you "run as administrator" you are, for that command, using this more powerful administrator account.

 

[sminlal]

The account I'm typically logged in under is an administrator account, but I still have to do this often, why is that?

The reason is that under Windows XP everyone used Administrative accounts to do everything. The problem with that is if you're an administrator and you happen to, say, click on a malicious web page, the web page has full administrative rights too. It can go ahead and install anything it wants on your system - viruses, keystroke loggers, adware, etc. etc. etc. Same goes for e-mail attachments and a host of other risks.

Using an administrative account all the time is BAD security practice. Very, very bad. It's like leaving all your doors and windows unlocked because you can't be bothered to fish a key out of your pocket every time you come home.

It became fairly obvious that there just wasn't any way to convince people of how bad it was, so Microsoft invented "UAC" (User Account Control) for Vista and Windows 7. What UAC does is REMOVE your administrative privileges when you log on to an account that has them. If you run a program that requires administrative privileges, UAC warns you that a program is trying to acquire them and lets you permit or deny.

Now, if you click on a malicious web site or open an email attachment that contains a virus, you get warned that something is going on. It's up to you to be vigilant and not just blindly let programs do things unless you know what program it is and what it's trying to do.

It's like opening your door up to strangers. You'd do it if, for example, you made an appointment for someone to come and clean your carpets and the guy at the door is wearing a "Carpets 'R Us" uniform. But if a stranger shows up at your door unannounced, they'd better have a pretty convincing story before you open that door.

 

[amnotanoobie]

With XP also, it is quite a major annoyance if you made the users just a Restricted account. People regularly want to install stuff (good or bad), and annoying them by indicating that the user needs an Administrator account just made everyone else make themselves administrators.

sminlal already indicated what are the problems when you are using an admin account that has the capability to do everything.

With Vista and 7, they were trying to make it that you ran an application as an Admin on limited instances (not all the time). This could help with preventing some malicious or suspicious apps from elevating themselves and doing what they want.

This is more like sudo on *nix systems, but with a gui.

 

[scottw182]

Thanks, this is making a lot more sense now. I didn't realize the new administrator account was actually a limited administrator account.

However, I'm still not clear on why I've seen people suggest running .exe's as administrator (right-clicking on the executable and selecting "run as administrator" instead of just double-clicking it). If the .exe required administrator privileges, it would prompt you for them anyway, so what purpose would this serve? I've seen people suggest it on message boards when a person was having trouble with an installation.

Also, I've already ran into 1 program that doesn't run (not install, but run) correctly unless I run it as an administrator, which it won't prompt me to do, I have to manually do it. That program is Western Digital Data Lifeguard Diagnostics. When I just ran it regularly, I wasn't able to run diagnostics on any of the drives, they all came up as virtual drives. I had to run the program as administrator to get them to be listed as physical drives, and then I was able to run diagnostics on them. I've since learned that I can set something to always run as administrator in the future, but how do I know what needs this and what doesn't?

 

[Ijack]

I don't honestly know the answer to that question, but you can easily demonstrate it. Open a command prompt and type "bcdedit". Note the result. Now try the same thing but "run as administrator" the command prompt. Spot the difference!

(I'd recommend that you don't try to do anything with "bcdedit"!)

Clearly it's not simply UAC, but some programs just won't run properly without being the administrator.

 

[sminlal]

I'm still not clear on why I've seen people suggest running .exe's as administrator (right-clicking on the executable and selecting "run as administrator" instead of just double-clicking it). If the .exe required administrator privileges, it would prompt you for them anyway, so what purpose would this serve?

Here's the thing: A program that NEEDs administrative privileges has two ways to get them:

1) The ".EXE" file can be tagged by the programmer with a special flag that says it requires administrative privileges to run. When you double-click such a file, you immediately get the UAC prompt that requests privilege elevation. Resource Monitor (Start -> All Programs -> Accessories -> System Tools -> Resource Monitor) is an example of this.

2) A program can make a special request for privilege elevation only when it needs it. Task Manager (Ctrl + Shift + Esc) is an example of this - it normally doesn't issue a UAC prompt but it will if you select the "Processes" tab and click the "Show processes from all users" button.

Both these techniques require that the program be designed to use them. A lot of older programs that were designed before UAC don't do either of these - they just assume they already have the privileges they need. When you try to run these programs, they just don't work properly. For example, if you run the Firewall manager (Start -> All Programs -> Administrative Tools -> Windows Firewall...) it shows a message that says you need administrative privileges to use it. These older type of programs must be run with the "Run As Administrator..." option so that you can give them the privileges they need.

 

[Zoron]

When talking about User Account Control... it's handy to think of Windows like Linux. In Linux (and Unix for that matter), you have what's called the Root account and then your user accounts. To make major changes to the OS (installing drivers for example), you need to give the installer Root access. User accounts are usually administrator accounts (unless you specify otherwise).

When you're prompted for permission in Windows, you're basically being asked to grant Root access. Before Windows Vista, MS made no distinction between administrative access and root access... they were considered the same. Due to rising security concerns, they finally decided that perhaps it was time to make that distinction. Now, like Linux, there is a difference between being an administrator and being a "root" user.

People were of course annoyed by the UAC pop-ups (as I remember, some of those people were the very same ones demanding better security in Windows). However, when I used a Mac... I noticed the same type of pop-ups when trying to configure a network adapter... which made me laugh that much harder at those ridiculous Mac ads trying to poke fun at UAC.

 

[scottw182]

Best answer selected by scottw182.

 

[johnjames00]

I am trying to block a certain website on my own personal laptop (which someone else does use so don't want them to know that I am doing that, however, when I go through the notepad route as "run as administrator" it prompts me and asks do you want to make changes, I am not sure what will happen next if I say yes.... Will it be just this one time that will ask me to be adminstrator for or will i have to change this again and again so someone will know i have changed something on the computer...... I am confused - i am on windows 7 by the way.... and once I have blocked t under administrator route can I change it back again if i want to enable the website again???

The reason is that under Windows XP everyone used Administrative accounts to do everything. The problem with that is if you're an administrator and you happen to, say, click on a malicious web page, the web page has full administrative rights too. It can go ahead and install anything it wants on your system - viruses, keystroke loggers, adware, etc. etc. etc. Same goes for e-mail attachments and a host of other risks.

Using an administrative account all the time is BAD security practice. Very, very bad. It's like leaving all your doors and windows unlocked because you can't be bothered to fish a key out of your pocket every time you come home.

It became fairly obvious that there just wasn't any way to convince people of how bad it was, so Microsoft invented "UAC" (User Account Control) for Vista and Windows 7. What UAC does is REMOVE your administrative privileges when you log on to an account that has them. If you run a program that requires administrative privileges, UAC warns you that a program is trying to acquire them and lets you permit or deny.

Now, if you click on a malicious web site or open an email attachment that contains a virus, you get warned that something is going on. It's up to you to be vigilant and not just blindly let programs do things unless you know what program it is and what it's trying to do.

It's like opening your door up to strangers. You'd do it if, for example, you made an appointment for someone to come and clean your carpets and the guy at the door is wearing a "Carpets 'R Us" uniform. But if a stranger shows up at your door unannounced, they'd better have a pretty convincing story before you open that door.