But it depends on UAC features, such as UIPI. For example, it configures itself to start every time the user logs on. PMIE makes it more difficult for malware that infects a running instance of Internet Explorer to change the user's settings. By default, Protected Mode is enabled when a user browses sites in the Internet or Restricted Sites zones.
Windows Internet Explorer operates in low-privileged Protected Mode, and can't write to most areas of the file system or the registry. Protected Mode Internet Explorer (PMIE): PMIE is a defense-in-depth feature. Sending window messages, such as synthetic mouse or keyboard events, to a window that belongs to a higher-privileged process User Interface Privilege Isolation (UIPI): UIPI prevents a lower-privileged program from controlling the higher-privileged process through the following way: It receives a filtered token when the user logs on. It's a member of the Administrators group. An account is called a Protected Administrator account under the following conditions: The unfiltered token is associated only with elevated programs. By default, this filtered token is used to run the user's programs. The filtered token represents the user with the equivalent of standard user rights. The unfiltered token has all the user's group memberships and privileges. Programs can also be started with elevated rights by using a different user account so that an administrator can perform administrative tasks on a standard user's desktop. Filtered Token: When a user with administrative or other powerful privileges or group memberships logs on, Windows creates two access tokens to represent the user account. This same-user elevation feature is also known as Admin Approval Mode. And they can elevate only those programs that require administrative rights with the same user account. By combining elevation with UAC's Filtered Token feature (see the next bullet point), administrators can run programs with standard user rights. Same-desktop Elevation: When an authorized user runs and elevates a program, the resulting process is granted more powerful rights than those rights of the interactive desktop user. It enables many applications that required administrative rights on earlier versions of Windows to run successfully with only standard user rights on Windows Server 2008 and later versions.
These technologies include: File and Registry Virtualization: When a legacy application tries to write to protected areas of the file system or the registry, Windows silently and transparently redirects the access to a part of the file system or the registry that the user is allowed to change. UAC includes several technologies to achieve this goal. UAC was designed to help Windows users move toward using standard user rights by default.
UAC is always disabled on the Server Core editions of Windows Server 2008 R2 and later versions. This guidance applies only to Windows Server operating systems. Administrators do other operations that should be done from a client operating system, such as Windows 7.
For example, web browsers, email clients, or instant messaging clients.
This article introduces how to disable User Account Control (UAC) on Windows Server. Applies to: Windows Server 2012 R2 Original KB number: 2526083 Summary