CIS 170F: Windows 7 Administration

Week 7

Windows 7 Security Features
User Account Control (UAC)
UAC for Administrators

UAC uses Admin Approval Mode to help protect administrators from malicious and potentially unwanted software. When an administrator logs on, Windows 7 generates two access tokens:

  • Standard user access token. This token is used to start the desktop (Explorer.exe). Because the desktop is the parent process for all user-initiated processes, any applications the user launches also use the standard user access token, which does not have privileges to install software or make important system changes.

  • Full administrator access token. This token has almost unlimited privileges to the local computer. This token is used only after the user confirms a UAC prompt.

By default, Windows 7 silently elevates privileges for Windows features that require administrator credentials when an administrator is logged on. Therefore, you can start the Computer Management console without responding to a UAC prompt if you are a member of the Administrators group. If you attempt to start a non-Windows application, or if you manually start with administrator credentials a Windows feature that is not manifested for auto-elevation, such as Paint or a command prompt, you will still receive a UAC prompt.

Command prompts require special consideration, because UAC will not prompt you to elevate privileges if you attempt to run a command that requires administrative rights. To run a command with administrative rights, right-click Command Prompt on the Start menu and then click Run As Administrator. The command prompt that opens will include Administrator in the title, helping you identify the window on your taskbar.
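To confirm from inside a shell which of the two access tokens described above the current process is using, the following added example (not part of the original course notes) reports the token state. The function name Get-UacTokenState is hypothetical, and the script is written to run on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example: report which UAC access token the current process holds.
# Get-UacTokenState is a hypothetical helper name, not a built-in cmdlet.
function Get-UacTokenState {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # IsInRole is true only when the Administrators group is enabled in this
    # token, which is the case for the full administrator access token.
    $elevated = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami lists every group SID in the token, including deny-only entries.
    # Matching on SIDs keeps the check independent of the OS display language.
    $groups = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, Sid, Attributes

    # S-1-5-32-544 is BUILTIN\Administrators. It is still listed in the
    # standard user token of an administrator, but only as a deny-only group.
    $adminListed = @($groups | Where-Object { $_.Sid -eq 'S-1-5-32-544' }).Count -gt 0

    # The mandatory label SID (S-1-16-*) carries the process integrity level.
    $levels = @{
        'S-1-16-4096'  = 'Low'
        'S-1-16-8192'  = 'Medium'
        'S-1-16-12288' = 'High'
        'S-1-16-16384' = 'System'
    }
    $label = $groups | Where-Object { $_.Sid -like 'S-1-16-*' } | Select-Object -First 1
    $integrity = 'Unknown'
    if ($label -and $levels.ContainsKey($label.Sid)) { $integrity = $levels[$label.Sid] }

    if ($elevated) {
        $token = 'Full administrator access token'
    } elseif ($adminListed) {
        $token = 'Standard user access token (administrator, not elevated)'
    } else {
        $token = 'Standard user account (no administrator token available)'
    }

    New-Object PSObject -Property @{
        User      = $identity.Name
        Elevated  = $elevated
        Integrity = $integrity
        Token     = $token
    }
}

Get-UacTokenState | Format-List User, Elevated, Integrity, Token
```

Run it once in a normal PowerShell window and once in a window opened with Run As Administrator to compare the two results for the same account.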