Thank you for answering me so quicklyAll my tools (except DocumentsAntiExploit tool) are system-wide.
Do you use an Admin account or Standard User Account?
- Thread starter blackice
- Start date
- Oct 16, 2022
- 624
Thanks! Although @Andy Ful answered your question, just adding, yes it applies to the whole system and all users. You're welcome! Enjoy!Nice your report, I want to do this. One question: do you apply the @Andy Ful tools when you are logged in as an administrator account and the settings are applied to the entire system or do you need to apply them to each user of the system?
I ask this because I like to use Configure Defender settings in MAX (that's when I use Windows Defender) I just don't know if I have to apply this to each user or just the administrator account.
Thanks in advance for answering me
Hello everyone,
Sorry to the moderators if I resurrected this thread, forgive me (if it ever got to die).
Well, I am using SUA in my setup configuration for the year 2023 as mentioned here.
But, as I am new to using SUA I was wondering why certain programs can be installed on SUA and others can't (being required the administrator password). I have been searching the internet and reading the links cited here by other members and I realized that there is not a single answer, but a set of causes that can make it permissible to install apps on SUA.
My conclusions are the following:
THEY CAN BE INSTALLED USING THE DEFAULT ACCOUNT
CANNOT BE INSTALLED USING DEFAULT ACCOUNT
As I am new to using SUA (more that I am not going back to the old use as ADM) I would just like to confirm with the more experienced members like @Andy Ful , @upnorth , @blackice and any others who use SUA mode on the device.
Is there anything I can look at and already know that a certain program will not be installed using the default account? Is there an easy-to-view feature that I can look at and say "this program won't install, and that one will"?
Anyway, sorry for my ignorance, I'm just looking for new knowledge.
Thanks
Sorry to the moderators if I resurrected this thread, forgive me (if it ever got to die).
Well, I am using SUA in my setup configuration for the year 2023 as mentioned here.
But, as I am new to using SUA I was wondering why certain programs can be installed on SUA and others can't (being required the administrator password). I have been searching the internet and reading the links cited here by other members and I realized that there is not a single answer, but a set of causes that can make it permissible to install apps on SUA.
My conclusions are the following:
THEY CAN BE INSTALLED USING THE DEFAULT ACCOUNT
- Applications that are installed in user-level directories (AppData, LocalAppDataDesktop)
- Applications that modify records only in HKEY_CURRENT_USER
CANNOT BE INSTALLED USING DEFAULT ACCOUNT
- Installation in system-level directories (Program Files, Program Files (x86))
- Applications that modify system-wide registry entries in (HKEY_LOCAL_MACHINE)
- Installing Device Drivers
- Installing ActiveX controls
- Applications that change/influence the Windows Update Settings
- Displaying or changing another user's folders or files
- Applications whose integrity level (System, High, Medium, Low and Untrusted) requires a higher level as high/system - conclusion from reading this article here
As I am new to using SUA (more that I am not going back to the old use as ADM) I would just like to confirm with the more experienced members like @Andy Ful , @upnorth , @blackice and any others who use SUA mode on the device.
Is there anything I can look at and already know that a certain program will not be installed using the default account? Is there an easy-to-view feature that I can look at and say "this program won't install, and that one will"?
Anyway, sorry for my ignorance, I'm just looking for new knowledge.
Thanks
- Dec 23, 2014
- 8,494
@Guilhermesene,
Most users will understand that your "default account" is an account that is created by default when installing Windows - but this account is an Administrator account, not SUA.
Your post can be slightly shortened.
1. Can be installed/updated by using only SUA (without inserting Admin credentials):
2. Cannot be installed by using only SUA (without inserting Admin credentials):
Some applications allow the user to choose if the installation must use only the current account or not. In the first case, the application will be accessible only from that particular account.
In the second case, the application will be accessible from any account (even if it does not exist yet). On the first run, some of these applications can create the needed folders and files in the %UserProfile% (usually in the user's AppData folder) and in the HKEY_CURRENT_USER registry hive. So, you can install the web browser for all users, but still, the browsing history will be limited to the concrete user.
Most applications can be installed/updated by executing the installer/updater from SUA. It is not in contradiction with point 2, because such installations use two accounts: SUA + Admin account. The windows and alerts are displayed during the installation/update on SUA, but some installation processes are running on the Administrator account with high privileges (after inserting the Administrator password).
Most users will understand that your "default account" is an account that is created by default when installing Windows - but this account is an Administrator account, not SUA.
Your post can be slightly shortened.
1. Can be installed/updated by using only SUA (without inserting Admin credentials):
- installations that do not use/require high privileges.
2. Cannot be installed by using only SUA (without inserting Admin credentials):
- everything else.
Some applications allow the user to choose if the installation must use only the current account or not. In the first case, the application will be accessible only from that particular account.
In the second case, the application will be accessible from any account (even if it does not exist yet). On the first run, some of these applications can create the needed folders and files in the %UserProfile% (usually in the user's AppData folder) and in the HKEY_CURRENT_USER registry hive. So, you can install the web browser for all users, but still, the browsing history will be limited to the concrete user.
Most applications can be installed/updated by executing the installer/updater from SUA. It is not in contradiction with point 2, because such installations use two accounts: SUA + Admin account. The windows and alerts are displayed during the installation/update on SUA, but some installation processes are running on the Administrator account with high privileges (after inserting the Administrator password).
Last edited:
marksti64
Level 2
- Sep 13, 2022
- 56
Admin, we have UAC prompts that can tell us if any program needs privileged access.
- Mar 13, 2021
- 462
Admin. Easier to install programs and make changes to settings.
- Oct 3, 2022
- 576
The usual 'ease of use v.s. security' argument. The same can be said of many things security related, like 2nd factor authentication.
- Oct 16, 2022
- 624
Using an admin account with UAC activated it can still be bypassed, and there is a lot of malware that does this, it is recommended to use SUA account for daily use which mitigates many vulnerabilities, this has been proven, I have used it for years and never had a problem.
Last edited:
SirJon
New Member
- Jun 29, 2022
- 4
- Mar 29, 2018
- 7,598
I'm using SUA with Windows Hello PIN, which is new for me, and find using it a breeze. Much easier than password, which I used for a long time.
- Jun 7, 2022
- 153
Two.
Admin for me.
Standard for friends and family.
Admin for me.
Standard for friends and family.
- Apr 16, 2017
- 2,576
Doesn't that then mean that you are logged into MS account too, perhaps for using MS cloud or some MS feature. As secure, more secure, less secure??? ditto privacy???
- Oct 16, 2022
- 624
Yes, with Windows Hello using PIN is more secure than using a password in windows 10 and 11. I use a SUA Account since windows 7 and in windows 8.1, in this notebook I used to use fingerprint that it had. Now in windows 10 and 11 with Windows Hello it got even better and more secure going up to another level. PIN is more secure than password because it has hardware support more details -> Why a PIN is better than an online password (Windows)
No, PIN with a local account works without major issues, you don't need to be logged into the Microsoft account in order to work. Regarding Windows Hello yes, in this specific case we are discussing Admin account vs Standard user account (SUA) I don't think @oldschool is concerned about his privacy of being logged into Microsoft account, I believe he is putting there security first and leaving privacy second.
Last edited:
- Mar 29, 2018
- 7,598
@piquiteco is correct.
Edit: I missed his post #93 and had posted the same link here.
Correct. SAC is in evaluation mode here and MS insists users enable "Send optional diagnostics". No big deal to me. Everyone is tracking everyone. I take certain measures but never wear a tin hat!I don't think @oldschool is concerned about his privacy of being logged into Microsoft account, I believe he is putting there security first and leaving privacy second.
Last edited:
- Oct 16, 2022
- 624
Yes, I also miss many posts from members who have already replied to my comment, there are many and the MT forum is growing every day.
- Apr 16, 2017
- 2,576
I'm seeing something about Trusted Platform Module (TPM) chip. this pc might not have one of those, or if it does it's not the right one, ie, not authorized for win11 here. Good hardware that has aged.Yes, with Windows Hello using PIN is more secure than using a password in windows 10 and 11. I use a SUA Account since windows 7 and in windows 8.1, in this notebook I used to use fingerprint that it had. Now in windows 10 and 11 with Windows Hello it got even better and more secure going up to another level. PIN is more secure than password because it has hardware support more details -> Why a PIN is better than an online password (Windows)
I need to read a little more about this. (no wonder I'm clueless about PIN and Windows Hello).
- Oct 16, 2022
- 624
Is yours a laptop or a desktop PC? Mine also does not support Windows 11 but has the TPM, my case is the CPU, my old notebook I also have the TPM, I think Microsoft shot themselves in the foot on the processor requirements, amazingly my computers have TPM, more CPUs are incompatible, not if it was the case for the members here in MT.I'm seeing something about Trusted Platform Module (TPM) chip. this pc might not have one of those, or if it does it's not the right one, ie, not authorized for win11 here. Good hardware that has aged.
To find out if your notebook has Trusted Platform Module (TPM) type in search tpm.msc or run type tpm.msc it will open the management of the Trusted Platform Module (TPM) a window with information from the manufacturer of your TPM, its version, status if it is ready for use or not. If I am not mistaken if on your latptop, desktop you open tpm.msc in Windows and it shows as inactive it means that your computer supports TPM and just prepare your TPM or go into the bios and activate it. And then check again when you load Windows through tpm.msc. Just use this for reference.
Last edited:
- Apr 16, 2017
- 2,576
this is desktop. I read little about Windows Hello and PIN. I got just enough to be dangerous. I was able to create a PIN for this SUA account, and it's working, but I do not fully understand yet how shorter PIN is more secure despite listening to MS video. I think I was unfocused. No need to explain, this is of interest to me and I'll research it some more... thanks!! I've been told I can hack around this xeon chip with older TPM, but also told don't do it, sit tight a few years with win10, and buy a new motherboard and chip in 2025...
- Oct 16, 2022
- 624
Yes, I understand, but your desktop can accept the Trusted Platform Module (TPM). See the image of a TPM chip below, what model is your motherboard?
Forget TPM here now. The PIN is more secure because it is tied to your device. One important difference between an online password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your online password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too! Do you understand now?
Even you can't use that PIN anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device.
- Mar 29, 2018
- 7,598
In addition to what @piquiteco has posted, I'll add that because the PIN is tied to the machine, repeated attempts to brute-force the PIN will fail because the TPM anti-hammering technology will lock the machine, keeping it safe.
Similar threads
