User Account Control (UAC)

User Account Control (UAC) is a feature that enables a consent prompt for elevated activities.

Applications run at different integrity levels, and a program running at a high integrity level can perform tasks that could potentially compromise the system.

When UAC is enabled, applications and tasks always run under the security context of a non-administrator account unless an administrator explicitly authorizes them to run with administrator-level access to the system.

This is why a CMD/PowerShell session started with "Run as administrator" has fewer restrictions, even when we are already logged in as an administrator.

This page describes the UAC process in detail: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/user-account-control/how-it-works

Sign in process user vs admin

"When an administrator logs on, two separate access tokens are created for the user: a standard user access token and an administrator access token. The Administrator can sign in, browse the Web, and read e-mail while using a standard user access token. When the administrator needs to perform a task that requires the administrator access token, Windows automatically prompts the user for approval. This prompt is called an elevation prompt, and its behavior can be configured via policy or registry."

UAC can be configured by administrators through Local Security Policy or, in Active Directory, through a GPO.
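To check what those policies resolve to on a given host, the following read-only PowerShell audit is an added example, not part of the original page. It reads the standard UAC policy values from the registry (the key path and value names are not quoted on this page) and reports whether the current shell is running with the filtered standard token or the elevated administrator token.

```powershell
# Added example: read-only audit of the local UAC configuration and of the
# token the current process runs with. Nothing is modified.
$key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $key -ErrorAction Stop

# Meaning of ConsentPromptBehaviorAdmin (elevation prompt for administrators)
$adminPrompt = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}
$behavior     = $policy.ConsentPromptBehaviorAdmin
$behaviorText = if ($null -eq $behavior) { 'not set' } else { $adminPrompt[[int]$behavior] }

# Flag settings that weaken or remove the consent prompt
$findings = @()
if ($policy.EnableLUA -ne 1) {
    $findings += 'EnableLUA is not 1: UAC is disabled, no split token and no prompt'
}
if ($behavior -eq 0) {
    $findings += 'Administrators are elevated silently, no prompt is shown'
}
if ($policy.PromptOnSecureDesktop -eq 0) {
    $findings += 'Elevation prompts are not displayed on the secure desktop'
}

# Which of the two access tokens is this process using?
# With the filtered (standard) token, IsInRole(Administrator) is False even
# for a member of the Administrators group.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]::new($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Integrity label of the process: SIDs under S-1-16 are mandatory labels
$label = (whoami /groups | Select-String 'S-1-16-' | Select-Object -First 1).Line

[pscustomobject]@{
    User                = $identity.Name
    UacEnabled          = ($policy.EnableLUA -eq 1)
    AdminPromptBehavior = $behaviorText
    SecureDesktop       = ($policy.PromptOnSecureDesktop -eq 1)
    ProcessElevated     = $elevated
    IntegrityLabel      = if ($label) { $label.Trim() } else { 'not found' }
    Findings            = $findings
} | Format-List
```

Run it once from a normal shell and once from a shell started with "Run as administrator" under the same account: ProcessElevated and IntegrityLabel change while the policy values stay the same.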
