A First Look at Windows UAC

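What is UAC (User Account Control)?

UAC is a security component that lets an administrator enter credentials in a non-administrator session to perform administrative tasks.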

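Standard accounts and administrator accounts

Everyday tasks are performed with a standard account. Even an administrator normally runs programs as a standard account.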

Two access tokens

This is where access tokens come in: when an administrator logs on to a computer (Windows 7 or Vista), they receive two tokens: one with full administrator privileges and one with only standard-account privileges.

During logon, the authorization and access control components that identify an administrator are removed; the standard-privilege token is used to start the desktop and the explorer.exe process. As a result, every application that inherits from the desktop runs as a standard account.

What is described here is Admin Approval Mode: Admin Approval Mode (AAM) is a UAC configuration in which a split user access token is created for an administrator. When an administrator logs on to a Windows Server 2008-based computer, the administrator is assigned two separate access tokens. When AAM is enabled, an administrator receives both a full access token and a second access token, called the filtered access token. During the logon process, authorization and access control components that identify an administrator are removed or disabled, to create the filtered access token. The filtered access token is then used to start Explorer.exe, the process that creates and owns the user's desktop. Because applications normally inherit their access token from the process that starts them, which in this case is Explorer.exe, they all run with the filtered access token as well.

If a standard account logs on, there is only the standard-privilege token.

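Configuring UAC

Running a program elevated (with administrator privileges)

Setting a program to always run elevated

  1. Right-click the application file
  2. Click Properties, then select the Compatibility tab
  3. Select "Run this program as an administrator".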

Configuring UAC

Turning off UAC

  1. Open User Accounts in Control Panel
  2. Click "Turn User Account Control on or off."

Turning off Admin Approval Mode

  1. Run secpol.msc
  2. Go to Local Policies -> Security Options
  3. Find and double-click "User Account Control: Run all administrators in Admin Approval Mode."
  4. Select the Disabled option

Turning off the UAC prompt shown when installing programs

Same as above: disable "User Account Control: Detect application installations and prompt for elevation."

Changing the elevation prompt behavior

Same as above (visible only on server): find "User Account Control: Behavior of the elevation prompt for administrators."
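
To check how the three policies above are currently set on a machine, the following read-only PowerShell audit reads the registry values that back them. It is an added example, not part of the original post; the value names EnableLUA, EnableInstallerDetection and ConsentPromptBehaviorAdmin do not appear in the post and are the documented registry values for these policies.

```powershell
# Added example: read-only audit of the UAC policies discussed above.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented meanings of the ConsentPromptBehaviorAdmin value.
$promptModes = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}

function Get-UacValue {
    param([string]$Name)
    # Return nothing (i.e. $null) instead of throwing when the value is absent.
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-OnOff {
    param($Value)
    if ($null -eq $Value) { 'Not set' } elseif ($Value -eq 0) { 'Disabled' } else { 'Enabled' }
}

function Get-PromptText {
    param($Value)
    if ($null -eq $Value) { return 'Not set' }
    if ($promptModes.ContainsKey([int]$Value)) { return $promptModes[[int]$Value] }
    "Unknown ($Value)"
}

function New-Row {
    param($Policy, $Name, $Data, $Meaning)
    # Relaxed is true when the value is 0: the policy is disabled, or (for the
    # prompt behavior) administrators are elevated without any prompt.
    [pscustomobject]@{ Policy = $Policy; RegistryValue = $Name; Data = $Data
                       Meaning = $Meaning; Relaxed = ($Data -eq 0) }
}

$lua       = Get-UacValue -Name 'EnableLUA'
$installer = Get-UacValue -Name 'EnableInstallerDetection'
$prompt    = Get-UacValue -Name 'ConsentPromptBehaviorAdmin'

@(
    New-Row 'Run all administrators in Admin Approval Mode' 'EnableLUA' $lua (Get-OnOff $lua)
    New-Row 'Detect application installations and prompt for elevation' 'EnableInstallerDetection' $installer (Get-OnOff $installer)
    New-Row 'Behavior of the elevation prompt for administrators' 'ConsentPromptBehaviorAdmin' $prompt (Get-PromptText $prompt)
) | Format-Table -AutoSize -Wrap
```

A row with Relaxed set to True corresponds to one of the "Disabled" choices made in the steps above, which makes an unexpected change to these settings easy to spot.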



Reposted from jhhenry.iteye.com/blog/1695231