windows - What makes c:Program Files UAC-protected?

Question

I know that c:Program Files is UAC-protected, and if I allow a user to install to d:Program Files, this is not, by default, UAC protected. What makes c:Program Files UAC protected other then the directory security settings? Is it simply directory security, or is there something else that Windows does to make it special?

I am trying to advise someone if it is possible to make d:Program Files sort of as equivalently secure as c:Program Files. If I were to create d:Program Files with the same directory security as c:Program Files, would these folders be equivalent?

Answer 1

Directory security alone dictates what a user can or can't do in regards to adding, deleting or changing files in that folder. UAC only comes into play in that even for users in the Administrators group in Windows, you now (by default) DON'T have the admin token attached to your login session. When you try to do a privileged action, Windows doesn't let you and begins the process to try and get a user that does have admin access. Since your account is a member of Adminstrators, UAC will show the Allow /Deny dialog, and FOR THAT ACTION ONLY the admin token will attach to your logon session. Since you're a member of admin, you can click just OK or cancel. If you were not, you'd be prompted for logon credentials for an account which does have admin privileges.

You can read more about UAC and what's going on behind the scenes here: http://technet.microsoft.com/en-us/library/dd835561(v=ws.10).aspx