Administrator Protection

<< Click to Display Table of Contents >>

Navigation:  Using SyncBackPro > Technical Reference >

Administrator Protection

 

Windows 11 (build 27718) introduced Administrator Protection which has an impact on any software that runs elevated. This is not to be confused with UAC (User Account Control).

 

acctprot

 

If Administrator Protection is enabled (via the Account protection security settings in Windows), then any software that is run elevated will require the user verify their identity (via Windows Hello or via the account password). With UAC, you only needed to verify you wanted to start the software elevated. Now you must re-authenticate. However, Administrator Protection adds another layer of security: the software will be run elevated but using a shadow/virtual administrator account and not your account.

 

For example, if you are a Windows administrator and your account name is BOB, then when you run any software elevated, and administrator protection is enabled, the software will be run by Windows as ADMIN_BOB, i.e. a different account. This can have a serious impact on software which is run elevated, such as SyncBackPro:

 

SyncBackPro will not have access to your profiles and settings as those are probably stored in your actual administrator account. To avoid this, SyncBackPro will start an un-elevated instance of SyncBackPro and get details on where the settings are. It will then have access to the profiles and settings (assuming Windows does not block access, e.g. due to NTFS security).

SyncBackPro is run as a different user account, so the environment variables are completely different (as you are running as a different user account).

SyncBackPro is run as a different user account, so your Documents folder, for example, is completely different (as you are running as a different user account).

SyncBackPro is run as a different user account, so you may not have access to files and folders you would be with your actual account.

 

If SyncBackPro is not run elevated, then these issues will not occur as it will be run using your account, as per normal.

 

Also, any existing scheduled tasks will run as the correct user account and not as the shadow/virtual administrator account. Unlike when software is run manually, any tasks started from the Windows Task Scheduler are run as the user account specified and not as the shadow/virtual administrator account.

 

 

SyncBack Settings

 

By default, if SyncBackPro is run as the shadow/virtual administrator account then a warning will appear. You can disable this in Global Settings -> Security.

 

Also by default, no profiles will run using the shadow/virtual administrator account. If you want to allow this then you need to allow it in the profiles settings (Misc. -> Elevation).

 

 

Task Scheduler

 

If you are using the shadow/virtual administrator account, then when you schedule a profile, SyncBackPro will schedule it to use your actual account.

 

Administrator Protection has an impact on how the Windows Task Scheduler works with elevated processes. Basically, an elevated scheduled task (i.e. run with highest privileges) cannot be run interactively, which means:

 

The trick to use a shortcut to run SyncBack elevated without a UAC prompt, via the Windows Task Scheduler, will not work if Administrator Protection is enabled.

 

SyncBack cannot be run elevated on login if Administrator Protection is enabled.

 

You cannot run a profile on login elevated if Administrator Protection is enabled.

 

Drag & drop may not work if Administrator Protection is enabled. For example, if SyncBack is elevated, and you try and drag a profile to the desktop (to create a shortcut), it may silently fail.

 

 

 

All Content: 2BrightSparks Pte Ltd © 2003-2025