One of the thing that come back often is: do I need admin rights or not ?!. While most of the people will think that this question can only be asked for a user context, it is not true and this apply to device context too.
People think that device context means admin rights or super user everywhere.
This belief come from the XP and before era where, indeed, executing something in SYSTEM context meant to have full right on everything.
However, since the infamous Windows Vista, Microsoft have introduced the User Account Control (UAC) (infamous too…) which don’t give full right by default. Which lead to this 🙂
What is UAC ?
UAC is a system based on a theory that a user or a device should be able to do some configuration or file change across the operating system, without further right unless it might impact the stability or the security of the OS itself, in this case it will have to ask for admin rights also called super token.
The super token is the key to modify secure folders, drivers, system settings, etc. For example, modifying the time is an admin action requiring the super token because it can affect security systems.
The secure locations are the following :
- \Program Files\ including subdirectories
- \Windows\system32\
- \Program Files (x86)\ including subdirectories for 64-bit versions of Windows
UAC is doing more than asking for credentials and you can check it in the source links at the bottom of the article. You can also change the behaviour of UAC but this not part of this article and we assume that Windows is in the default configuration.
Admin right or not ?
Now that we have in mind how Windows will react in terms of access. We just need to analyze the application to see whether the admin right will be required or not.
Most of the time the application install in “Program Files” because it’s the default folder. However most of the applications can be installed elsewhere. It is true for user context application which might need to be installed only in the user area, i.e: User folder.
For installation modifying system settings or installing drivers, admin right are required to be able to modify the necessary folders and settings.
Bottom line, know exactly what the installer is doing and where, then you will know if admin rights are required or not.
I’ve designed a simple flowchart to help with the decision-making.
Sources :
- Secure locations : https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations
- UAC Architecture : https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works#uac-architecture