Vista: UAC internals

Sun, October 8, 2006, 03:15 AM under Windows | Vista | UAC
I have explained before what you (a managed developer) have to do about User Account Control in Vista (and also expanded a bit on UAC policies).

The other day I got asked exactly how this works under the covers. Luckily, my mate Kenny covers this in his article (butchered quote):
When an administrator logs on to a computer ... the system ... creates ... two different tokens representing the same logon session. The first token grants all the permissions and privileges afforded to the administrator while the second token is a restricted token ... offering far fewer permissions and privileges. ... The system then creates the shell application using the restricted token.

Follow this link for the full unedited story.
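
To see which of the two tokens a process is running with, a managed application can query the elevation type of its own token. This is an added example, not code from the original post or from Kenny's article; it assumes Windows Vista or later, and the class name SplitTokenCheck is hypothetical.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class SplitTokenCheck   // hypothetical name, added for illustration
{
    // Values of the Win32 TOKEN_ELEVATION_TYPE enumeration.
    enum ElevationType { Default = 1, Full = 2, Limited = 3 }

    // TOKEN_INFORMATION_CLASS value for TokenElevationType.
    const int TokenElevationTypeClass = 18;

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr tokenHandle, int infoClass,
        out int info, int infoLength, out int returnLength);

    static void Main()
    {
        using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
        {
            int raw, length;
            if (!GetTokenInformation(identity.Token, TokenElevationTypeClass,
                    out raw, sizeof(int), out length))
                throw new Win32Exception(Marshal.GetLastWin32Error());

            // With the restricted token the Administrators group is present
            // but not enabled, so IsInRole reports false for an administrator.
            bool adminEnabled = new WindowsPrincipal(identity)
                .IsInRole(WindowsBuiltInRole.Administrator);
            Console.WriteLine("Administrators group enabled: {0}", adminEnabled);

            switch ((ElevationType)raw)
            {
                case ElevationType.Limited:
                    Console.WriteLine("Restricted token; a full token is linked to it.");
                    break;
                case ElevationType.Full:
                    Console.WriteLine("Full token; a restricted token is linked to it.");
                    break;
                default:
                    Console.WriteLine("No split token (standard user, or UAC is off).");
                    break;
            }
        }
    }
}
```

Run it once from a normal shell and once from an elevated prompt under the same administrator account to see both halves of the logon session.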