{
	"id": "ec328f0e-567a-4118-b843-6f4fc638305d",
	"created_at": "2026-04-06T01:29:14.220905Z",
	"updated_at": "2026-04-10T03:21:13.911517Z",
	"deleted_at": null,
	"sha1_hash": "494066c19a5851e30d8208a2b8c166aab9624ce7",
	"title": "How User Account Control works",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51138,
	"plain_text": "How User Account Control works\r\nBy officedocspr5\r\nArchived: 2026-04-06 00:27:26 UTC\r\nUser Account Control (UAC) is a key part of Windows security. UAC reduces the risk of malware by limiting the\r\nability of malicious code to execute with administrator privileges. This article describes how UAC works and how\r\nit interacts with end users.\r\nWith UAC, each application that requires the administrator access token must prompt the end user for consent.\r\nThe only exception is the relationship that exists between parent and child processes. Child processes inherit the\r\nuser's access token from the parent process. Both the parent and child processes, however, must have the same\r\nintegrity level.\r\nWindows protects processes by marking their integrity levels. Integrity levels are measurements of trust:\r\nA high integrity application is one that performs tasks that modify system data, such as a disk partitioning\r\napplication\r\nA low integrity application is one that performs tasks that could potentially compromise the operating\r\nsystem, such as a Web browser\r\nApplications with lower integrity levels can't modify data in applications with higher integrity levels. When a\r\nstandard user attempts to run an app that requires an administrator access token, UAC requires that the user\r\nprovides valid administrator credentials.\r\nTo better understand how this process works, let's take a closer look at the Windows sign-in process.\r\nThe following diagram shows how the sign-in process for an administrator differs from the sign-in process for a\r\nstandard user.\r\nDiagram that describes the UAC Windows sign-in process.\r\nBy default, both standard and administrator users access resources and execute apps in the security context of a\r\nstandard user.\r\nWhen a user signs in, the system creates an access token for that user. 
The access token contains information\r\nabout the level of access that the user is granted, including specific security identifiers (SIDs) and Windows\r\nprivileges.\r\nWhen an administrator logs on, two separate access tokens are created for the user: a standard user access token\r\nand an administrator access token. The standard user access token:\r\nContains the same user-specific information as the administrator access token, but the administrative\r\nWindows privileges and SIDs are removed\r\nIs used to start applications that don't perform administrative tasks (standard user apps)\r\nhttps://technet.microsoft.com/en-us/itpro/windows/keep-secure/how-user-account-control-works\r\nPage 1 of 3\n\nIs used to display the desktop by executing the process explorer.exe. Explorer.exe is the parent process\r\nfrom which all other user-initiated processes inherit their access token. As a result, all apps run as a\r\nstandard user unless a user provides consent or credentials to approve an app to use a full administrative\r\naccess token\r\nA user who is a member of the Administrators group can sign in, browse the Web, and read e-mail while using a\r\nstandard user access token. When the administrator needs to perform a task that requires the administrator access\r\ntoken, Windows automatically prompts the user for approval. This prompt is called an elevation prompt, and its\r\nbehavior can be configured via policy or registry.\r\nWhen UAC is enabled, the user experience for standard users is different from that of administrator users. The\r\nrecommended and more secure method of running Windows is to ensure your primary user account is a standard\r\nuser. Running as a standard user helps to maximize security for a managed environment. 
With the built-in UAC\r\nelevation component, standard users can easily perform an administrative task by entering valid credentials for a\r\nlocal administrator account.\r\nThe default, built-in UAC elevation component for standard users is the credential prompt.\r\nThe alternative to running as a standard user is to run as an administrator in Admin Approval Mode. With the built-in UAC elevation component, members of the local Administrators group can easily perform an administrative\r\ntask by providing approval.\r\nThe default, built-in UAC elevation component for an administrator account in Admin Approval Mode is called\r\nthe consent prompt.\r\nThe credential prompt is presented when a standard user attempts to perform a task that requires a user's\r\nadministrative access token. Administrators can also be required to provide their credentials by setting the User\r\nAccount Control: Behavior of the elevation prompt for administrators in Admin Approval Mode policy\r\nsetting value to Prompt for credentials.\r\nScreenshot showing the UAC credential prompt.\r\nThe consent prompt is presented when a user attempts to perform a task that requires a user's administrative access\r\ntoken.\r\nScreenshot showing the UAC consent prompt.\r\nThe UAC elevation prompts are color-coded to be app-specific, enabling easier identification of an\r\napplication's potential security risk. When an app attempts to run with an administrator's full access token,\r\nWindows first analyzes the executable file to determine its publisher. 
Apps are first separated into three categories\r\nbased on the file's publisher:\r\nWindows\r\nPublisher verified (signed)\r\nPublisher not verified (unsigned)\r\nThe elevation prompt color-coding is as follows:\r\nGray background: The application is a Windows administrative app, such as a Control Panel item, or an\r\napplication signed by a verified publisher\r\nScreenshot showing the UAC credential prompt with a signed executable.\r\nYellow background: The application is unsigned or signed but isn't trusted\r\nScreenshot showing the UAC consent prompt with an unsigned executable.\r\nSome Control Panel items, such as Date and Time, contain a combination of administrator and standard user\r\noperations. Standard users can view the clock and change the time zone, but a full administrator access token is\r\nrequired to change the local system time. The following is a screenshot of the Date and Time Control Panel item.\r\nScreenshot showing the UAC Shield Icon in Date and Time Properties.\r\nThe shield icon on the Change date and time... button indicates that the process requires a full administrator\r\naccess token.\r\nThe elevation process is further secured by directing the prompt to the secure desktop. The consent and credential\r\nprompts are displayed on the secure desktop by default. Only Windows processes can access the secure desktop.\r\nFor higher levels of security, we recommend keeping the User Account Control: Switch to the secure desktop\r\nwhen prompting for elevation policy setting enabled.\r\nWhen an executable file requests elevation, the interactive desktop, also called the user desktop, is switched to the\r\nsecure desktop. The secure desktop dims the user desktop and displays an elevation prompt that must be\r\nresponded to before continuing. 
When the user selects Yes or No, the desktop switches back to the user desktop.\r\nNote\r\nStarting in Windows Server 2019, it's not possible to paste the content of the clipboard on the secure desktop.\r\nThis behavior is the same as the currently supported Windows client OS versions.\r\nMalware can present an imitation of the secure desktop, but when the User Account Control: Behavior of the\r\nelevation prompt for administrators in Admin Approval Mode policy setting is set to Prompt for consent, the\r\nmalware doesn't gain elevation if the user selects Yes on the imitation. If the policy setting is set to Prompt for\r\ncredentials, malware imitating the credential prompt might be able to gather the credentials from the user.\r\nHowever, the malware doesn't gain elevated privilege and the system has other protections that mitigate malware\r\nfrom taking control of the user interface even with a harvested password.\r\nWhile malware could present an imitation of the secure desktop, this issue can't occur unless a user previously\r\ninstalled the malware on the PC. Because processes requiring an administrator access token can't silently install\r\nwhen UAC is enabled, the user must explicitly provide consent by selecting Yes or by providing administrator\r\ncredentials. The specific behavior of the UAC elevation prompt is dependent upon security policies.\r\nSource: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/how-user-account-control-works",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://technet.microsoft.com/en-us/itpro/windows/keep-secure/how-user-account-control-works"
	],
	"report_names": [
		"how-user-account-control-works"
	],
	"threat_actors": [],
	"ts_created_at": 1775438954,
	"ts_updated_at": 1775791273,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/494066c19a5851e30d8208a2b8c166aab9624ce7.pdf",
		"text": "https://archive.orkl.eu/494066c19a5851e30d8208a2b8c166aab9624ce7.txt",
		"img": "https://archive.orkl.eu/494066c19a5851e30d8208a2b8c166aab9624ce7.jpg"
	}
}