Some days ago, I stumbled across an article over at MS Windows Vista Compatible Software that explains how to enable or disable the Windows 7 built-in Administrator account. At first I thought that Microsoft must have changed something in Windows 7 with regard to the local administrator account. However, after reading the article, it became clear that everything is as is in Vista.
- Pip install Boto3 - Thu, Mar 24 2022
- Install Boto3 (AWS SDK for Python) in Visual Studio Code (VS Code) on Windows - Wed, Feb 23 2022
- Automatically mount an NVMe EBS volume in an EC2 Linux instance using fstab - Mon, Feb 21 2022
But, this is not the topic of this post. It is about the "word of caution" at the beginning of the article. Sekhy, the author of the article, warns his readers not to "tamper around" with the Administrator account. Ever since Microsoft decided to disable the built-in Administrator account in Windows Vista, there is a myth about the magical powers of the "true administrator account" circulating on the net. Hence, those people who don't really know about these true powers should not dare to use the supersecret administrator account.
There are myriads of articles on the web that explain how to enable the built-in Administrator account in Windows Vista. Usually they tell you the "command line trick" (net user administrator /active: yes) which makes the whole thing look like even more of a secret, that is, knowledge only real hackers have. (You probably know this other myth that "true administrators" work on the command prompt.) Usually these articles don't tell you that the built-in Administrator account can also just be enabled through the Local Users and Groups snap-in or simply Computer Management, just like the Guest account which is also disabled by default. What I find interesting is that I wasn't able to find one article that also tells you what these magical, super secret, true administrator powers are.
Well, there are indeed a few differences between members of the administrators group and the built-in administrator account. Let's see how powerful they really are:
The built-in Administrator account and UAC (User Account Control)
Approval mode for the local Administrator account is disabled by default. There is a special Group Policy setting where this behavior can be changed: "Admin Approval Mode for the Built-in Administrator account". Running Vista in Admin Approval Mode is nothing other than running Vista with UAC enabled. Hence, this simply means that UAC is disabled by default for the built-in Administrator account.
Of course you can change these setting also for all other administrator accounts by disabling UAC through the User accounts applet in the Control Panel or by disabling the policy "Run all administrators in Admin Approval Mode". Note that this doesn't just disable the UAC prompts like if you set the policy "Behavior of the elevation prompt for administrators in Admin Approval Mode" to "Elevate without prompting". It disables UAC altogether, which basically means that every program an administrator launches will be elevated automatically. You can test this if you save a file with notepad in the Windows folder. If UAC is enabled you can't do that if you didn't elevate notepad before.
Thus the main difference between the built-in Administrator account and all other admins is that every program will run with elevated privileges. Since these default settings can be changed for the built-in admin account and the other administrator accounts there are no super secret powers involved here.
The local Administrator account and the "run as administrator" function
Another myth is that every time you launch a program with admin privileges it runs under the built-in Administrator account. I suppose Windows’ "run as administrator" function is the origin of this myth. The fact that you can use this function even if the local Administrator account is disabled should make it clear that there is no such connection between the two. You also can't launch a program under the local Administrator account using the runas command line tool if this account is disabled. Perhaps the term "run as administrator" is a bit misleading. What this function really does is to run programs with elevated privileges or more precisely at the high integrity level, which can be done by every account that is a member of the Administrators group.
Modifying the built-in Administrator account
Another difference to other accounts is that the local Administrator account can't be deleted. Moreover, you can't remove this account from the built-in Administrators group. However, as noted above, it can be disabled which is the case by default. It is also possible to rename the local Administrator account.
Legacy applications and the built-Administrator account
There are some legacy applications that can only be installed or run using the built-in Administrator account. I haven't encountered such an application for a while. As far as I know, this behavior has nothing to do with special capabilities of the local Administrator account; it is just a matter of bad programming. If you rename the built-in Administrator account and create a new one called "Administrator" these programs will just use this new account.
Basically the super powers of the Administrator account boil down to the differences with regard to the default UAC settings. As far as I know, there is nothing that can be done with the built-in Administrator account which can’t be done with a member account of the administrators group. Please, tell me if I am wrong.
By the way, Vista really has this super powerful account, just that it is not the built-in Administrator. It is the TrustedInstaller service (Windows Module Installer service), which can modify everything on a Vista machine, in particular system files. However, that is the topic of another story.
Subscribe to 4sysops newsletter!
In one of my next posts, I will address a related myth, the myth about the standard user in Windows Vista.