Do you use an Admin account or Standard User Account?

[Guilhermesene]

All my tools (except DocumentsAntiExploit tool) are system-wide.

Thank you for answering me so quickly

 

[piquiteco]

Nice your report, I want to do this. One question: do you apply the @Andy Ful tools when you are logged in as an administrator account and the settings are applied to the entire system or do you need to apply them to each user of the system?

I ask this because I like to use Configure Defender settings in MAX (that's when I use Windows Defender) I just don't know if I have to apply this to each user or just the administrator account.

Thanks in advance for answering me

Thanks! Although @Andy Ful answered your question, just adding, yes it applies to the whole system and all users. You're welcome! Enjoy!

 

[Guilhermesene]

Hello everyone,

Sorry to the moderators if I resurrected this thread, forgive me (if it ever got to die).

Well, I am using SUA in my setup configuration for the year 2023 as mentioned here.

But, as I am new to using SUA I was wondering why certain programs can be installed on SUA and others can't (being required the administrator password). I have been searching the internet and reading the links cited here by other members and I realized that there is not a single answer, but a set of causes that can make it permissible to install apps on SUA.

My conclusions are the following:

THEY CAN BE INSTALLED USING THE DEFAULT ACCOUNT

• Applications that are installed in user-level directories (AppData, LocalAppDataDesktop)
• Applications that modify records only in HKEY_CURRENT_USER

CANNOT BE INSTALLED USING DEFAULT ACCOUNT

• Installation in system-level directories (Program Files, Program Files (x86))
• Applications that modify system-wide registry entries in (HKEY_LOCAL_MACHINE)
• Installing Device Drivers
• Installing ActiveX controls
• Applications that change/influence the Windows Update Settings
• Displaying or changing another user's folders or files
• Applications whose integrity level (System, High, Medium, Low and Untrusted) requires a higher level as high/system - conclusion from reading this article here

As I am new to using SUA (more that I am not going back to the old use as ADM) I would just like to confirm with the more experienced members like @Andy Ful , @upnorth , @blackice and any others who use SUA mode on the device.

Is there anything I can look at and already know that a certain program will not be installed using the default account? Is there an easy-to-view feature that I can look at and say "this program won't install, and that one will"?

Anyway, sorry for my ignorance, I'm just looking for new knowledge.

Thanks

 

[Andy Ful]

@Guilhermesene,

Most users will understand that your "default account" is an account that is created by default when installing Windows - but this account is an Administrator account, not SUA.

Your post can be slightly shortened.

1. Can be installed/updated by using only SUA (without inserting Admin credentials):

• installations that do not use/require high privileges.

2. Cannot be installed by using only SUA (without inserting Admin credentials):

• everything else.

You noted in your post some examples, but there are many more and there are also some exceptions. For example, some applications can modify only the HKEY_CURRENT_USER registry hive and still require an Administrator account to do it.
Some applications allow the user to choose if the installation must use only the current account or not. In the first case, the application will be accessible only from that particular account.
In the second case, the application will be accessible from any account (even if it does not exist yet). On the first run, some of these applications can create the needed folders and files in the %UserProfile% (usually in the user's AppData folder) and in the HKEY_CURRENT_USER registry hive. So, you can install the web browser for all users, but still, the browsing history will be limited to the concrete user.

Most applications can be installed/updated by executing the installer/updater from SUA. It is not in contradiction with point 2, because such installations use two accounts: SUA + Admin account. The windows and alerts are displayed during the installation/update on SUA, but some installation processes are running on the Administrator account with high privileges (after inserting the Administrator password).

 

[markstitovits]

Admin, we have UAC prompts that can tell us if any program needs privileged access.

 

[Templarware]

Admin. Easier to install programs and make changes to settings.

 

[Victor M]

Easier to install programs and make changes to settings.

The usual 'ease of use v.s. security' argument. The same can be said of many things security related, like 2nd factor authentication.

 

[piquiteco]

Admin, we have UAC prompts that can tell us if any program needs privileged access.

Using an admin account with UAC activated it can still be bypassed, and there is a lot of malware that does this, it is recommended to use SUA account for daily use which mitigates many vulnerabilities, this has been proven, I have used it for years and never had a problem.

 

[SirJon]

Standard User Account (SUA)

 

[oldschool]

I have used it for years and never had a problem.

I'm using SUA with Windows Hello PIN, which is new for me, and find using it a breeze. Much easier than password, which I used for a long time.

 

[Pixelman]

Two.
Admin for me.
Standard for friends and family.

 

[simmerskool]

I'm using SUA with Windows Hello PIN, which is new for me, and find using it a breeze. Much easier than password, which I used for a long time.

Doesn't that then mean that you are logged into MS account too, perhaps for using MS cloud or some MS feature. As secure, more secure, less secure??? ditto privacy???

 

[piquiteco]

I'm using SUA with Windows Hello PIN, which is new for me, and find using it a breeze. Much easier than password, which I used for a long time.

Yes, with Windows Hello using PIN is more secure than using a password in windows 10 and 11. I use a SUA Account since windows 7 and in windows 8.1, in this notebook I used to use fingerprint that it had. Now in windows 10 and 11 with Windows Hello it got even better and more secure going up to another level. PIN is more secure than password because it has hardware support more details -> Why a PIN is better than an online password (Windows)

Doesn't that then mean that you are logged into MS account too, perhaps for using MS cloud or some MS feature. As secure, more secure, less secure??? ditto privacy???

No, PIN with a local account works without major issues, you don't need to be logged into the Microsoft account in order to work. Regarding Windows Hello yes, in this specific case we are discussing Admin account vs Standard user account (SUA) I don't think @oldschool is concerned about his privacy of being logged into Microsoft account, I believe he is putting there security first and leaving privacy second.

 

[oldschool]

Doesn't that then mean that you are logged into MS account too, perhaps for using MS cloud or some MS feature. As secure, more secure, less secure??? ditto privacy???

@piquiteco is correct.

Edit: I missed his post #93 and had posted the same link here.

I don't think @oldschool is concerned about his privacy of being logged into Microsoft account, I believe he is putting there security first and leaving privacy second.

Correct. SAC is in evaluation mode here and MS insists users enable "Send optional diagnostics". No big deal to me. Everyone is tracking everyone. I take certain measures but never wear a tin hat!

 

[piquiteco]

Edit: I missed his post #93 and had posted the same link here.

Yes, I also miss many posts from members who have already replied to my comment, there are many and the MT forum is growing every day.

 

[simmerskool]

Yes, with Windows Hello using PIN is more secure than using a password in windows 10 and 11. I use a SUA Account since windows 7 and in windows 8.1, in this notebook I used to use fingerprint that it had. Now in windows 10 and 11 with Windows Hello it got even better and more secure going up to another level. PIN is more secure than password because it has hardware support more details -> Why a PIN is better than an online password (Windows)

I'm seeing something about Trusted Platform Module (TPM) chip. this pc might not have one of those, or if it does it's not the right one, ie, not authorized for win11 here. Good hardware that has aged. I need to read a little more about this. (no wonder I'm clueless about PIN and Windows Hello).

 

[piquiteco]

I'm seeing something about Trusted Platform Module (TPM) chip. this pc might not have one of those, or if it does it's not the right one, ie, not authorized for win11 here. Good hardware that has aged. I need to read a little more about this. (no wonder I'm clueless about PIN and Windows Hello).

Is yours a laptop or a desktop PC? Mine also does not support Windows 11 but has the TPM, my case is the CPU, my old notebook I also have the TPM, I think Microsoft shot themselves in the foot on the processor requirements, amazingly my computers have TPM, more CPUs are incompatible, not if it was the case for the members here in MT.

To find out if your notebook has Trusted Platform Module (TPM) type in search tpm.msc or run type tpm.msc it will open the management of the Trusted Platform Module (TPM) a window with information from the manufacturer of your TPM, its version, status if it is ready for use or not. If I am not mistaken if on your latptop, desktop you open tpm.msc in Windows and it shows as inactive it means that your computer supports TPM and just prepare your TPM or go into the bios and activate it. And then check again when you load Windows through tpm.msc. Just use this for reference.

 

[simmerskool]

Is yours a laptop or a desktop PC? Mine also does not support Windows 11 but has the TPM, my case is the CPU, my old notebook I also have the TPM, I think Microsoft shot themselves in the foot on the processor requirements, amazingly my computers have TPM, more CPUs are incompatible, not if it was the case for the members here in MT.

this is desktop. I read little about Windows Hello and PIN. I got just enough to be dangerous. I was able to create a PIN for this SUA account, and it's working, but I do not fully understand yet how shorter PIN is more secure despite listening to MS video. I think I was unfocused. No need to explain, this is of interest to me and I'll research it some more... thanks!! I've been told I can hack around this xeon chip with older TPM, but also told don't do it, sit tight a few years with win10, and buy a new motherboard and chip in 2025...

 

[piquiteco]

this is desktop. I read little about Windows Hello and PIN. I got just enough to be dangerous. I was able to create a PIN for this SUA account, and it's working, but I do not fully understand yet how shorter PIN is more secure despite listening to MS video. I think I was unfocused. No need to explain, this is of interest to me and I'll research it some more... thanks!! I've been told I can hack around this xeon chip with older TPM, but also told don't do it, sit tight a few years with win10, and buy a new motherboard and chip in 2025...

Yes, I understand, but your desktop can accept the Trusted Platform Module (TPM). See the image of a TPM chip below, what model is your motherboard?

Spoiler

but I do not fully understand yet how shorter PIN is more secure despite listening to MS video.

Forget TPM here now. The PIN is more secure because it is tied to your device. One important difference between an online password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your online password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too! Do you understand now?
Even you can't use that PIN anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device.

 

[oldschool]

but I do not fully understand yet how shorter PIN is more secure despite listening to MS video

In addition to what @piquiteco has posted, I'll add that because the PIN is tied to the machine, repeated attempts to brute-force the PIN will fail because the TPM anti-hammering technology will lock the machine, keeping it safe.