Why NOT to run Opus as Administrator under UAC

UAC Support

Directory Opus supports Windows UAC and will prompt for elevation when required to perform administrator actions. The program itself does not need to be run elevated, and doing so can actually cause problems (detail below).

Opus also has a unique Admin Mode -- unrelated to the general "Run as Administrator" setting provided by Windows -- which lets you click a toolbar button and then perform multiple administrator actions without repetitive UAC prompts.

Admin Mode is local to the Opus window it's used on, and does not affect the rest of the program/process. (External programs launched while in Admin Mode will usually be elevated, however. More on this below.)

For more information about Opus's general UAC support, please see UAC and Administrator Mode in the manual.

This FAQ is about something slightly different:

Why you should not normally launch dopus.exe as an elevated process

If you have UAC enabled then it is not a good idea to launch the whole Directory Opus (dopus.exe) process elevated via the "run as administrator" option.

You should instead run Opus at the standard level, as you would most other software, and use the built-in UAC support and Admin Mode functionality to elevate individual commands or windows when required.

Of course, if you have UAC turned off completely in Windows then the issues discussed below do not exist. (But that is hard to do on Windows 10. In the Windows UAC Settings UI, moving the slider to the lowest option no longer turns off UAC; it leaves UAC on and configures the OS to silently accept all UAC prompts before they are shown.)

Similarly, if UAC is on but you are using an account which is not subject to it (typically the hidden built-in administrator account) then the issues below become moot as well.

There's no issue with running Opus as administrator if the rest of your desktop is also running as administrator. Opus works just as well with admin rights as without them.

Problems occur when the whole Opus process is running at a higher elevation level than the rest of your desktop, since other parts of the desktop are then blocked from communicating with it.

Detail

The UAC security model prevents or limits interaction between elevated and non-elevated processes. As a consequence of this, if you run Opus elevated under UAC then:

  • Double-click on the Desktop to open Opus will not work at all.
  • Explorer Replacement will not work correctly (if at all).
  • Drag-and-drop between Opus and other programs may be blocked.
  • Network shares (mapped drives) created as a non-elevated user may not be available.
  • Other programs launched from Opus will inherit administrator privileges.

The ramifications of the last item may not be immediately apparent but are significant. Other programs which you launch from an elevated process will be elevated themselves and they will inherit the "non-interaction with non-elevated processes" limitation. This can mean things like keyboard-macro tools do not work with the elevated programs because they are blocked from sending messages to them.

There are also several programs which (due to registry/filesystem virtualization) will load and store their settings in a different place when launched elevated. For example, you may launch a program elevated and change its configuration, then run it again without elevation and discover your configuration changes are not reflected.

If you have set the whole Opus process to "Run as Administrator" then we recommend turning that off.

(Opus's per-window Admin Mode will also cause software it launches to be elevated. This means the last item, only, is also something to keep in mind when using Admin Mode. Programs launched from an Admin Mode window are elevated under the assumption that you may need them to modify files in a folder where admin rights are required. So you should turn off Admin Mode, or close the elevated window, once you are finished doing admin tasks.)

Quick ways to see if Opus is elevated

Starting with Directory Opus 11.17, Opus will detect the elevation mode and indicate it in the title bar.

Nothing extra appears when everything is normal:

When using Opus's Admin Mode, the word "Administrator" in the title bar indicates that the individual window, but not the whole process, has been elevated. This is fine:

But if you see "ADMINISTRATOR" in all-caps, as below, then the whole process has been elevated and you may run into problems:


On older versions of Opus, or if you wish to double-check:

To quickly test whether Opus is running normally or elevated, go to C:\Windows and try to create a new folder. If you are able to create a folder there without a UAC prompt then one of the following must be true:

  • UAC is off completely. (That's OK.)
  • UAC is on, but you have Windows set to automatically click 'yes' to all UAC prompts. (That's OK, but means the test was inconclusive.)
  • UAC is on, but you're using an account which is not subject to UAC. (That's OK, but a rare configuration.)
  • UAC is on, and the entire Opus process is elevated. (This is what can cause problems and should be avoided.)

For completeness, it's also possible that:

  • The Opus window you used was switched into Admin Mode. (Obviously, do the test without putting the lister into Admin Mode!)
  • Your C:\Windows folder permissions are messed up. (That would make the test inconclusive and may cause issues with Windows generally, but is unrelated to Opus.)

In newer versions of Windows, you can also check using Task Manager. This gives a more definitive answer, even if UAC is enabled but set to silently click 'yes' in all prompts. Open Task Manager, go to the Details tab, then right-click the header at the top of the list and click Select Columns. Add the Elevated column and see what it says for dopus.exe and explorer.exe:

Both should say No in the Elevated column.

How to turn off "Run as Administrator"

To turn off the "Run as Administrator" option, right-click on the Opus program shortcut and choose Properties.

On the Compatibility tab, make sure the "Run this program as an administrator" option is off.

While looking at the Compatibility tab, also verify that Opus is not set to run with compatibility mode for an older version of Windows.

On the Shortcut tab, click the Advanced button, and make sure the "Run as administrator" option is off there as well.

Finally, and if appropriate, make sure the thing you launch Opus from is not itself running as administrator. Anything launched by an admin process will inherit the admin elevation, unless the launching process goes out of its way to prevent it (and very few do).

1 Like