I installed a shell extension program today and the installer automatically killed and re-launched explorer.exe . Then I noticed every program I run had admin privilege. I understand this is the correct behavior under the new UAC system, but could we treat explorer.exe differently?Also, can I get the option to explicitly grant admin access (through the UAC prompt) when a privileged program start a new process? It's sometimes silly to allow privilege inheritance if the parent programm is a file manager or launcher.

Hi,The main idea behind UAC is that when you logon, Winlogon uses your standard user token to start explorer.exe (the session shell). If you start explorer.exe using the administrative token thus explorer.exe running with admin privileges and all other processes inheriting admin privs, it kinda defeats the whole purpose of UAC. Victor Constantinescu - MVP Security, MCTS

It's kind of what I mean. I just wonder if you can add some special treatment for explorer so even if it's launched by a privileged program, I still get the UAC prompt and the choice to run it as an unprivileged process. Or maybe you can even give an option in the properties dialogue to mark a program as never run as administrator.

Hi,Read this and see if it's still unclear. Victor Constantinescu - MVP Security, MCTS