Solved Local Administrator account profile folder created by entering UAC admin credentials?

After running Windows with my local Administrator account for a while, I decided to take the wise action of converting my local Administrator account to a standard account.

Here are the steps I took WITHOUT even signing in to the newly created local Administrator account:

1. While still being as the current Administrator, I created a new local Administrator account and only added the Administrator group under Membership tab and removed the Users group. Using Computer Management.

2. After this, went back to my current account and just removed the Administrator group and then only added Users group.

3. Once I signed out and signed back in to my current account, my account is now a standard account.

That's all good and from a security standpoint, gives me peace of mind.

However. I did a few admin elevations and after entering the newly created local Administrator account credentials from the UAC prompt, I noticed that the newly created Administrator account profile folder was added under the C:\Users directory.

Of course, when I attempted to open the folder I was prompted to provide the Administrator credentials from the UAC prompt.

My question is, is this normal behavior for a local Administrator account profile folder to be created just by entering the Administrator credentials just from the UAC prompt even without actually signing into the new Administrator account profile itself from the Windows login screen?

A user profile folder in Windows 11 (located at C:\Users\<username>) is automatically created the first time a user logs in to a new account. If using a Microsoft account, Windows typically creates the folder using the first five characters of the email address. A local account creation provides a custom folder name.

FreeBooter said:

A user profile folder in Windows 11 (located at C:\Users\<username>) is automatically created the first time a user logs in to a new account. If using a Microsoft account, Windows typically creates the folder using the first five characters of the email address. A local account creation provides a custom folder name.

Click to expand...

I never logged in with the new local Administrator account from the Windows login screen. I only entered the Administrator credentials only using the UAC prompt when performing the Run-As Administrator.

I even mentioned this from my original thread.

Just by entering the Administrator credentials from the UAC prompt is not considered logging in to an account. It's just considered an elevation of permissions.

Like i said the user profile folder only created when you create a new user and login to this user account the UAC won't create user profile folder also how can you use Admin login credentials if you only have one user account.

FreeBooter said:

Like i said the user profile folder only created when you create a new user and login to this user account the UAC won't create user profile folder also how can you use Admin login credentials if you only have one user account.

Click to expand...

I don't have one account. The only local user accounts I have is my Standard account and the just newly added administrator account.

The administrator account profile folder got added right after performing the Run As Administrator when I entered the administrator credentials from the UAC. Not by logging in to the admin account from the Windows login session itself in which I never did.

Yes, it's normal for Windows to create a profile any time a user's environment is needed for something, e.g. environment variables or the user's portion of the registry.

Some other times a profile might be created...

• running a service as a specific user account
• running a scheduled task as a specific user
• network logon, if the profile needs to be loaded. Doesn't normally happen when just connecting to a share though.
• RunAs-type logons
• remote management (WMI, PowerShell remoting, etc.)

pseymour said:

Yes, it's normal for Windows to create a profile any time a user's environment is needed for something, e.g. environment variables or the user's portion of the registry.

Some other times a profile might be created...

• running a service as a specific user account
• running a scheduled task as a specific user
• network logon, if the profile needs to be loaded. Doesn't normally happen when just connecting to a share though.
• RunAs-type logons
• remote management (WMI, PowerShell remoting, etc.)

Click to expand...

I meant when performing RunAs-type logons especially from within the UAC prompt, an account profile folder is automatically created in the C:\Users directory?

Just recreated the account by removing the entire account profile and then re-adding it again.

From my current account, just did a test with the RunAs with UAC and after entering the Administrator credentials the profile folder was added automatically to the Users directory.

Never had to actually login to the Admin account from the Windows login screen.

Will mark this as resolved.

Thanks to all.

win11freak said:

I meant when performing RunAs-type logons especially from within the UAC prompt, an account profile folder is automatically created in the C:\Users directory?

Click to expand...

Right, that's one of the things I specifically listed.

One last thing.

Is it dangerous to have the newly created Administrator account profile folder present even if it is asking for permissions?

I am not referring to the built-in Administrator account as that account is disabled by default.

I would say no, especially if you haven't messed with the permissions on that profile's folder. The most dangerous time is when the admin's credentials are in memory, when you'd be prone to mimikatz-type things. But that's uncommon, pretty much to the point of not worrying about for a home PC, or even really a business PC*.

You could, for example, set up a scheduled task to delete the admin account's profile whenever it's not loaded. But then the next time you do an elevation, it's just going to come back.

A lot of this stuff gets rather pedantic and super technical, arguing over minor details. At the end of the day, it's a balance between staying safe and being able to actually use the thing you're trying to use. The fact that you're even thinking about this topic puts you ahead of most home users, and sadly, even some businesses.

* : I mean a business where someone hasn't done something dumb, like give help desk and desktop techs domain admin. Yes, I've seen it; no I can't tell you the company's name.

Entering the credentials of an user into the UAC prompt, or the "run as another user" dialogs effectively logs in said user, thus creating its profile folder if not present. The newly spawned process runs as this user (as you can check in task manager) and that process (and not anything else) uses that profile folder for any activity it needs.

This is why, for example, settings for elevated programs differ from unelevated ones. Each uses a different user and each user uses his own private profile to store settings.

win11freak said:

Is it dangerous to have the newly created Administrator account profile folder present even if it is asking for permissions?

Click to expand...

I can't think any problem with that. Each user has his own profile folder and permissions are such that only the owner can read or write to them, so other users cannot tamper with them. Only admins can read and change what's there, but if you've a malicious admin capable of tampering profiles, that admin can already tamper with your entire system, so the presence of the profile doesn't creates an additional attack surface.