UAC and Administrator Mode


I am wrestling with something with respect to the “Admin” mode. On Windows 10 and Windows Server 2016 the account I am logged into has admin privileges and is run under the policy of UAC = “Elevate without prompting” and Run all administrators in Admin Approval Mode = “enabled”.

So when I use the Directory Opus “Admin Mode”, programs I launch are launched correctly “as administrator” but for instance I cannot view a folder that has “Full control” for Administrators (but not for the specific user), yet if I elevate Dopus.exe (not recommended) I can access all the folders correctly.

Please explain? I would expect this to work fine?

Many thanks and best regards,

Admin mode doesn't affect directory reading at all.

Folders that you do not have read access to will need the whole program to be elevated (which we only recommend you do temporarily as it prevents other parts of Windows from being able to send messages to get Opus to do things, e.g. open new listers).

Ok understood, real shame as that is what I have most issues with....

Most folders that you can't read are ones you shouldn't mess around with in general, but I agree there are times when you need to look inside them.

We have some ideas about how this could potentially work better, but need to think on them longer and try some things, as there are side-effects that need to be worked out if you start doing elevated directory reads without the rest of the process being elevated.

Ok thanks, would love that sorting, of course if I turn off UAC I can see into those folders fine as I am an admin... good to understand that the behaviour I see is “normal”. I used to run as full admin but Windows does not like this with the new AppX apps...

I've run into this issue, although I'm not suggesting you do anything about it. I'm mostly interested in why it happens, and what's going on.

I have laptop and desktop Windows 10 PCs that are roughly configured the same way. My backup strategy uses disk cloning with Macrium Reflect. A few times a year I get into periods where I need to copy user presets and other documents from one machine's user folder to another.

If I use the Dopus stock UAC elevate, I find I'm blocked from doing this in my user directory of the externally mounted (via USB) clone drive. It seems that I'm also blocked if I used the "admin" feature on the menu bar.

If I run Dopus as administrator--that is, if I right-click on the opus.exe file and select "run as administrator"--I'm given a free pass to view and copy these files, which is what I want.

Is there a tech document somewhere that describes the difference between the "UAC Admin" state, and the state of Dopus elevated to Administrator?

Thanks! Charles Turner

That suggests you need admin rights just to be able to read the data you're trying to copy, not just to write it to the destination.

Admin Mode generally only affects writing, not reading. (It can affect both sometimes, but that's not really what it was designed for. Windows, at least until Windows Store apps came along, typically lets anyone read and only blocked non-admins from modifying certain areas. At least in terms of areas anyone was interested in.)

If you look at the permissions on your clone drive, they may be wrong (e.g. permissioned for a different account, or an unknown account on the computer you are using).

Right. In this specific case, I've mounted a clone of the desktop C: drive via USB as the E: drive of the laptop. Even though the User directory on both machines reference the same Microsoft account, my understanding is that \Users\cturner on the two drives are different. So the "cturner" that's logged onto my laptop isn't the "cturner" that owns a User directory on the desktop clone.

My question though is why the UAC features of Dopus don't elevate me to admin, and that I must start Dopus as administrator in order to read files on the mounted clone drive?

Best, C.

It shouldn't be a different user if it's a drive-image backup of the original C-drive, unless the backup/cloning tool has changed the user/computer SIDs. (That would normally only be done if the intention was to create an image which a separate PC would boot in parallel to the original which would be running on the original PC. It's not usually done for backups, only for when you want to mirror one PC to another and then run both PCs at the same time without them clashing because they both have the same identity.)

Admin Mode only elevates write operations. The main process stays running as the normal user.

Elevating everything to admin can cause other problems, and simply isn't needed in the vast majority of situations.

If you do need it, elevate the whole process, but keep in mind the issues discussed in the linked guide. It's OK to do that, as long as you understand what you're doing!

We might extend Admin Mode in the future with a way to elevate the read and write sides of things while still keeping the main process running as the normal user. That should solve your situation. But it's a very unusual situation.

Thanks for your detailed and thorough answer, which I’ll spend time reviewing. Perplexed by the SID issue you mention, but I’ll explore it further. And thanks for Directory Opus: by far my most used Windows application!

Hello again-

I did do a Powershell "whoami /groups" on my user directory on both machines and found they had the same SID, as you said they would. So there must be something else about the way the clone is presented to the system that's keeping its user directory from being readable.

I read your post about running Dopus as Administrator. The folks at Macrium suggested running Explorer++ with elevated permissions as a way to skirt my permissions issue. I presume that your cautions are generally applicable to any file utility, and there's no advantage to using Explorer++ if I'm careful?

My method would be to quit Dopus and re-launch as Administrator; copy my files from clone disk to system disk; and when done, quit Dopus and re-launch with normal user privileges. I tried this method as a test and was pleased to see that the resulting folder copy retained the permissions from the original computer.

Thanks again for your help, and please don't feel that I'm asking for any feature changes or additions to Dopus. Although my use of clones is at times intensive, it couldn't amount to more than a day's use over the course of a year. So as you say, an edge case.

Best wishes! Charles Turner

That should be fine.

No problem. It's something we've been thinking about for a while, since it can be a pain when you need to look in folders only admins can read. It's a rare pain, and not a high priority, but is something we'd like to cater to at some point. I think I have a good idea on how to implement it, too, so it's just a matter of finding the time.