Do you use an Admin account or Standard User Account?

Do you use and Admin Account or a Standard User Account

  • Admin Account

    Votes: 88 73.3%
  • Standard User Account (SUA)

    Votes: 33 27.5%

  • Total voters
    120

piquiteco

Level 14
Verified
Top Poster
Well-known
Oct 16, 2022
624
Nice your report, I want to do this. One question: do you apply the @Andy Ful tools when you are logged in as an administrator account and the settings are applied to the entire system or do you need to apply them to each user of the system?

I ask this because I like to use Configure Defender settings in MAX (that's when I use Windows Defender) I just don't know if I have to apply this to each user or just the administrator account.

Thanks in advance for answering me 🙂
Thanks! Although @Andy Ful answered your question, just adding, yes it applies to the whole system and all users. You're welcome! Enjoy! 😉
 
G

Guilhermesene

Hello everyone,

Sorry to the moderators if I resurrected this thread, forgive me (if it ever got to die).

Well, I am using SUA in my setup configuration for the year 2023 as mentioned here.

But, as I am new to using SUA I was wondering why certain programs can be installed on SUA and others can't (being required the administrator password). I have been searching the internet and reading the links cited here by other members and I realized that there is not a single answer, but a set of causes that can make it permissible to install apps on SUA.

My conclusions are the following:

THEY CAN BE INSTALLED USING THE DEFAULT ACCOUNT
  • Applications that are installed in user-level directories (AppData, LocalAppDataDesktop)
  • Applications that modify records only in HKEY_CURRENT_USER

CANNOT BE INSTALLED USING DEFAULT ACCOUNT
  • Installation in system-level directories (Program Files, Program Files (x86))
  • Applications that modify system-wide registry entries in (HKEY_LOCAL_MACHINE)
  • Installing Device Drivers
  • Installing ActiveX controls
  • Applications that change/influence the Windows Update Settings
  • Displaying or changing another user's folders or files
  • Applications whose integrity level (System, High, Medium, Low and Untrusted) requires a higher level as high/system - conclusion from reading this article here

As I am new to using SUA (more that I am not going back to the old use as ADM) I would just like to confirm with the more experienced members like @Andy Ful , @upnorth , @blackice and any others who use SUA mode on the device.

Is there anything I can look at and already know that a certain program will not be installed using the default account? Is there an easy-to-view feature that I can look at and say "this program won't install, and that one will"?

Anyway, sorry for my ignorance, I'm just looking for new knowledge.

Thanks :)
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
@Guilhermesene,

Most users will understand that your "default account" is an account that is created by default when installing Windows - but this account is an Administrator account, not SUA.

Your post can be slightly shortened.

1. Can be installed/updated by using only SUA (without inserting Admin credentials):
  • installations that do not use/require high privileges.

2. Cannot be installed by using only SUA (without inserting Admin credentials):
  • everything else.
You noted in your post some examples, but there are many more and there are also some exceptions. For example, some applications can modify only the HKEY_CURRENT_USER registry hive and still require an Administrator account to do it.
Some applications allow the user to choose if the installation must use only the current account or not. In the first case, the application will be accessible only from that particular account.
In the second case, the application will be accessible from any account (even if it does not exist yet). On the first run, some of these applications can create the needed folders and files in the %UserProfile% (usually in the user's AppData folder) and in the HKEY_CURRENT_USER registry hive. So, you can install the web browser for all users, but still, the browsing history will be limited to the concrete user.

Most applications can be installed/updated by executing the installer/updater from SUA. It is not in contradiction with point 2, because such installations use two accounts: SUA + Admin account. The windows and alerts are displayed during the installation/update on SUA, but some installation processes are running on the Administrator account with high privileges (after inserting the Administrator password).
 
Last edited:

piquiteco

Level 14
Verified
Top Poster
Well-known
Oct 16, 2022
624
Admin, we have UAC prompts that can tell us if any program needs privileged access.
Using an admin account with UAC activated it can still be bypassed, and there is a lot of malware that does this, it is recommended to use SUA account for daily use which mitigates many vulnerabilities, this has been proven, I have used it for years and never had a problem.
 
Last edited:

piquiteco

Level 14
Verified
Top Poster
Well-known
Oct 16, 2022
624
I'm using SUA with Windows Hello PIN, which is new for me, and find using it a breeze. Much easier than password, which I used for a long time.
Yes, with Windows Hello using PIN is more secure than using a password in windows 10 and 11. I use a SUA Account since windows 7 and in windows 8.1, in this notebook I used to use fingerprint that it had. Now in windows 10 and 11 with Windows Hello it got even better and more secure going up to another level. PIN is more secure than password because it has hardware support more details -> Why a PIN is better than an online password (Windows) 👍

Doesn't that then mean that you are logged into MS account too, perhaps for using MS cloud or some MS feature. As secure, more secure, less secure??? ditto privacy???
No, PIN with a local account works without major issues, you don't need to be logged into the Microsoft account in order to work. Regarding Windows Hello yes, in this specific case we are discussing Admin account vs Standard user account (SUA) I don't think @oldschool is concerned about his privacy of being logged into Microsoft account, I believe he is putting there security first and leaving privacy second. 😉
 
Last edited:

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,704
Doesn't that then mean that you are logged into MS account too, perhaps for using MS cloud or some MS feature. As secure, more secure, less secure??? ditto privacy???
@piquiteco is correct.

Edit: I missed his post #93 and had posted the same link here.

I don't think @oldschool is concerned about his privacy of being logged into Microsoft account, I believe he is putting there security first and leaving privacy second. 😉
Correct. SAC is in evaluation mode here and MS insists users enable "Send optional diagnostics". No big deal to me. Everyone is tracking everyone. I take certain measures but never wear a tin hat! ;):LOL:
 
Last edited:

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,792
Yes, with Windows Hello using PIN is more secure than using a password in windows 10 and 11. I use a SUA Account since windows 7 and in windows 8.1, in this notebook I used to use fingerprint that it had. Now in windows 10 and 11 with Windows Hello it got even better and more secure going up to another level. PIN is more secure than password because it has hardware support more details -> Why a PIN is better than an online password (Windows) 👍
I'm seeing something about Trusted Platform Module (TPM) chip. this pc might not have one of those, or if it does it's not the right one, ie, not authorized for win11 here. Good hardware that has aged. 💀 I need to read a little more about this. (no wonder I'm clueless about PIN and Windows Hello).:unsure::sleep:
 

piquiteco

Level 14
Verified
Top Poster
Well-known
Oct 16, 2022
624
I'm seeing something about Trusted Platform Module (TPM) chip. this pc might not have one of those, or if it does it's not the right one, ie, not authorized for win11 here. Good hardware that has aged. 💀 I need to read a little more about this. (no wonder I'm clueless about PIN and Windows Hello).:unsure::sleep:
Is yours a laptop or a desktop PC? Mine also does not support Windows 11 but has the TPM, my case is the CPU, my old notebook I also have the TPM, I think Microsoft shot themselves in the foot on the processor requirements, amazingly my computers have TPM, more CPUs are incompatible, not if it was the case for the members here in MT.

To find out if your notebook has Trusted Platform Module (TPM) type in search tpm.msc or run type tpm.msc it will open the management of the Trusted Platform Module (TPM) a window with information from the manufacturer of your TPM, its version, status if it is ready for use or not. If I am not mistaken if on your latptop, desktop you open tpm.msc in Windows and it shows as inactive it means that your computer supports TPM and just prepare your TPM or go into the bios and activate it. And then check again when you load Windows through tpm.msc. Just use this for reference.😉
 
Last edited:

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,792
Is yours a laptop or a desktop PC? Mine also does not support Windows 11 but has the TPM, my case is the CPU, my old notebook I also have the TPM, I think Microsoft shot themselves in the foot on the processor requirements, amazingly my computers have TPM, more CPUs are incompatible, not if it was the case for the members here in MT.
this is desktop. I read little about Windows Hello and PIN. I got just enough to be dangerous. I was able to create a PIN for this SUA account, and it's working, but I do not fully understand yet how shorter PIN is more secure despite listening to MS video. I think I was unfocused. No need to explain, this is of interest to me and I'll research it some more... thanks!! I've been told I can hack around this xeon chip with older TPM, but also told don't do it, sit tight a few years with win10, and buy a new motherboard and chip in 2025...
 

piquiteco

Level 14
Verified
Top Poster
Well-known
Oct 16, 2022
624
this is desktop. I read little about Windows Hello and PIN. I got just enough to be dangerous. I was able to create a PIN for this SUA account, and it's working, but I do not fully understand yet how shorter PIN is more secure despite listening to MS video. I think I was unfocused. No need to explain, this is of interest to me and I'll research it some more... thanks!! I've been told I can hack around this xeon chip with older TPM, but also told don't do it, sit tight a few years with win10, and buy a new motherboard and chip in 2025...
Yes, I understand, but your desktop can accept the Trusted Platform Module (TPM). See the image of a TPM chip below, what model is your motherboard?
1676045879824.png

but I do not fully understand yet how shorter PIN is more secure despite listening to MS video.
Forget TPM here now. The PIN is more secure because it is tied to your device. One important difference between an online password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your online password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too! Do you understand now? (y)
Even you can't use that PIN anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device. 😉
 

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,704
but I do not fully understand yet how shorter PIN is more secure despite listening to MS video
In addition to what @piquiteco has posted, I'll add that because the PIN is tied to the machine, repeated attempts to brute-force the PIN will fail because the TPM anti-hammering technology will lock the machine, keeping it safe.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top