UAC, integrity levels, and secure desktop
Why elevation prompts exist, what filtered tokens are, and how MIC constrains writes.
Security deep dive
From identity (tokens) to object policy (DACL/SACL), through kernel access checks (SRM), ending with UAC and integrity boundaries.
Step 5 of 5 in this path
Why it matters
UAC and MIC explain a large share of everyday Windows behavior: why elevation prompts appear for some operations and not others, why an account in Administrators still runs most programs without admin rights, and why a process can't write to an object even when the DACL looks permissive. (Why services can't show UI on the user's desktop is a related but separate mechanism, Session 0 isolation, which the secure desktop builds on rather than the other way round.)
Mental model
Windows separates 'who you are' (the user and group SIDs in the token) from 'what level you're running at' (the token's integrity level, and whether it is the filtered or the full admin token). UAC produces the filtered and the elevated context for the same user; MIC enforces trust boundaries between processes and objects using integrity labels, checked independently of, and before, the DACL.
Windows building blocks
Names and paths you can look for in Task Manager, Explorer, or documentation.
- Process: consent.exe, the UAC elevation prompt, started by the Application Information (AppInfo) service and drawn on the secure desktop.
Go one level deeper
Extra detail for readers who want more precision before opening a child topic.
- Split token: when a member of Administrators signs in, LSA builds two linked tokens. Everything starts on the filtered token (Administrators present but marked deny-only, most admin privileges removed, Medium integrity); elevation switches one process to the full token (High integrity), not the whole session. A plain standard user has no linked admin token, so the prompt asks for someone else's credentials instead.
- UIPI (User Interface Privilege Isolation) blocks a lower-integrity process from sending most window messages to a higher-integrity window (HWND) unless the receiver opts in with ChangeWindowMessageFilterEx. It is the UI-side counterpart of MIC's no-write-up rule.
How it works
1. Standard-user operations run on the standard (or filtered) token; an operation that needs administrative rights must run in a separate elevated process on the full token, obtained through the consent prompt (or silently, depending on the ConsentPromptBehaviorAdmin policy).
2. The consent prompt is shown on the secure desktop by default (PromptOnSecureDesktop policy), so processes on the user's interactive desktop can't read, cover, or click through it.
3. MIC stores an integrity label in every token and, optionally, a mandatory label ACE in an object's SACL. The default policy is no-write-up; an object with no explicit label is treated as Medium. The integrity check runs before the DACL check, so a permissive DACL can't override it.
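The three steps above can be observed from the token side. The script below is an added example, not code from the original page; the function names (Get-UacTokenContext, Get-UacPromptPolicy, Invoke-Elevated) are this example's own and not a Windows or PowerShell API. Run it once from a normal console and once from a console started with "Run as administrator" and compare the output: the same user appears on a Medium-integrity filtered token with Administrators marked deny-only, and on a High-integrity full token after elevation.

```powershell
# Added example (not from the original page): report what the current token
# looks like to UAC and MIC. Function names are this example's own.

function Get-UacTokenContext {
    $id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]$id

    # The integrity level is stored in the token as a label SID, S-1-16-<RID>;
    # .NET surfaces it through WindowsIdentity.Groups like any other SID.
    $levelSid = $id.Groups | Where-Object { $_.Value -like 'S-1-16-*' } | Select-Object -First 1
    $rid = [int]($levelSid.Value.Split('-')[-1])
    $levelName = switch ($rid) {
        0       { 'Untrusted' }
        4096    { 'Low' }
        8192    { 'Medium' }
        12288   { 'High' }
        16384   { 'System' }
        default { 'Unknown (0x{0:X})' -f $rid }
    }

    # IsInRole honours deny-only SIDs: on a filtered admin token Administrators
    # is present but deny-only, so this stays $false until the process is elevated.
    $isElevated = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami exposes per-group attributes, which the .NET object does not;
    # a filtered token shows "Group used for deny only" on BUILTIN\Administrators.
    $adminsDenyOnly = $false
    foreach ($row in (whoami /groups /fo csv | ConvertFrom-Csv)) {
        if ($row.SID -eq 'S-1-5-32-544' -and $row.Attributes -match 'deny only') {
            $adminsDenyOnly = $true
        }
    }

    $kind = 'standard user token (no linked admin token to elevate to)'
    if ($adminsDenyOnly) { $kind = 'filtered admin token (UAC split token, not yet elevated)' }
    if ($isElevated)     { $kind = 'full admin token (elevated)' }

    [pscustomobject]@{
        User           = $id.Name
        IntegrityLevel = $levelName
        IntegritySid   = $levelSid.Value
        IsElevated     = $isElevated
        AdminsDenyOnly = $adminsDenyOnly
        TokenKind      = $kind
    }
}

# The prompt policy lives under a key standard users can read. PromptOnSecureDesktop=1
# means consent.exe draws on the secure desktop; ConsentPromptBehaviorAdmin=0 is
# "elevate without prompting", which reduces the split token to a formality.
function Get-UacPromptPolicy {
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        ConsentPromptBehaviorUser  = $p.ConsentPromptBehaviorUser
    }
}

# -Verb RunAs asks the AppInfo service to elevate. The consent prompt appears
# and, if approved, the child process runs on the full (High) token.
function Invoke-Elevated {
    param([Parameter(Mandatory)][string]$Command)
    Start-Process -FilePath 'powershell.exe' -Verb RunAs -ArgumentList @('-NoExit', '-Command', $Command)
}

Get-UacTokenContext
Get-UacPromptPolicy
# Invoke-Elevated 'whoami /groups'   # compare the label and Administrators attributes in the elevated window
```

Note that elevation is per process: the elevated window started by Invoke-Elevated runs on the full token, while the console that launched it stays on the filtered one.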
Key terms
- UAC
- User Account Control, the elevation/consent system for admin operations.
- MIC
- Mandatory Integrity Control, integrity-based restrictions beyond DACLs.
- Secure desktop
- A protected desktop (the Winlogon desktop, which only processes running as SYSTEM can open) used for elevation prompts, the secure attention sequence, and other sensitive UI; ordinary user processes can't read, overlay, or inject input into it.
Why a browser can't write to system locations
A sandboxed browser process runs at Low integrity (or in an AppContainer), below the implicit Medium label of almost everything on disk. Even if a path's DACL grants Everyone Full Control, the no-write-up check against the object's mandatory label runs first and denies the write, so the permissive DACL never gets a vote.
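The object side of that rule can be inspected with icacls, which prints an explicit mandatory label as "Mandatory Label\<Level> Mandatory Level:(NW)". The script below is an added example, not code from the original page; Get-MandatoryLabel and Show-NoWriteUp are this example's own names. It creates a temporary directory, reads its label (none, hence implicitly Medium), lowers it to Low, and shows the explicit label ACE that results. Run it from a non-elevated (Medium) console: labelling your own object at or below your own level needs no special privilege, while raising it above your level requires SeRelabelPrivilege and fails.

```powershell
# Added example (not from the original page): read and set mandatory labels
# with icacls and show that no-write-up only blocks writes from below.

function Get-MandatoryLabel {
    param([Parameter(Mandatory)][string]$Path)
    # An object with no explicit label line is treated by MIC as Medium.
    foreach ($line in (& icacls $Path)) {
        if ($line -match 'Mandatory Label\\(\w+) Mandatory Level:((?:\([^)]*\))+)') {
            return [pscustomobject]@{ Path = $Path; Level = $Matches[1]; Policy = $Matches[2]; Explicit = $true }
        }
    }
    [pscustomobject]@{ Path = $Path; Level = 'Medium'; Policy = '(NW)'; Explicit = $false }
}

function Show-NoWriteUp {
    $dir = Join-Path $env:TEMP ('mic-demo-' + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $dir | Out-Null
    try {
        $before = Get-MandatoryLabel -Path $dir

        # "/setintegritylevel H" would fail here from a Medium process
        # (SeRelabelPrivilege); L is allowed because it is at or below our level.
        & icacls $dir /setintegritylevel L | Out-Null
        $after = Get-MandatoryLabel -Path $dir

        # A Medium process still writes into a Low directory: no-write-up only
        # stops a *lower* level writing *up*. A Low-integrity process (a sandboxed
        # browser renderer) could write here but not into $env:TEMP itself.
        $file = Join-Path $dir 'written-by-medium.txt'
        Set-Content -Path $file -Value 'written by a Medium-integrity process'

        [pscustomobject]@{
            Before               = $before
            After                = $after
            MediumWriteSucceeded = Test-Path $file
        }
    } finally {
        Remove-Item -Path $dir -Recurse -Force
    }
}

$result = Show-NoWriteUp
$result.Before | Format-List
$result.After  | Format-List
"Medium write into the Low directory succeeded: $($result.MediumWriteSucceeded)"
```

The (NW) in the output is SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, the default policy; (NR) and (NX) would add no-read-up and no-execute-up. If you run the same script from an elevated (High) console the steps still succeed, but the comments about "our level" then refer to High, and /setintegritylevel H becomes legal as well.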
Common misconception
UAC is not 'a popup'. It is a security design that changes token/elevation behavior and uses MIC and secure desktops for isolation.
You should read next
- Security descriptors & ACLs (intermediate, related topic): Owners, DACL/SACL, ACE ordering, and the object-side policy Windows enforces.
- Access checks & Security Reference Monitor (expert, natural next depth in this branch): How Windows actually decides allow/deny using tokens, descriptors, and SRM routines.
- Window stations & desktops (intermediate, related topic): The session-side objects that organize visible desktops, input, and GUI isolation.
Related topics
- Winlogon, LogonUI, and session sign-in: The visible and semi-visible path from secure attention to a fully signed-in session.