Windows Server Backup Software

Windows Server Backup Software. Welcome to GRSoftware site

Windows Backup software: Run elevated (As Administrator) or Not?

How to decide what is the best approach to run a backup in Windows

Windows by default, runs any application as a normal user, i.e., without administrative permissions and thus with some limitations. This approach has been created to limit the problems that a malware can do to your system.

When we used Windows XP all applications were run with ALL the permissions of the current user. If the current user was an Administrator then all software would be run with administrative permissions. This approach is no longer allowed with more recent version of Windows.

Often a user of a backup software for Windows must decide what is the best backup strategy approach to take. The problem is that some operations cannot be executed as a normal application.

For example, if you want to use the Windows Shadow Copy Service to also back up locked files then you need to run As Administrator.

Another example is if you also want to take a copy of your registry hives.

In these cases, the backup software must be elevated... i.e. run as Administrator.

The user can change the backup software properties and set the check box that force the execution of the program to be Elevated (As Administrator) and thus every time the user clicks on the icon the program will start elevated.

This operation, however, adds an extra step to the sequence and Windows will issue the famous UAC prompt in this case.

What is UAC?

UAC is short for “User Account Control” and is a prompt that Windows issues every time the user tries to start a program elevated. The intent is to make the user aware that he/she is giving FULL Administrative permission to that application to freely act on the system!

Obviously, this can be dangerous.

In case of software that you not yet trust you are giving it permission to change your system files. This can lead to problems if that software is malware.

Going back to our original problem: we want to execute a backup of some Windows resources and this operation needs Elevation.

If we create a desktop icon or change the backup software exe file properties, we can force elevation at program start. This will mean that we get the annoying UAC prompt which can be acceptable or no—but for sure we get an extra step every time we want to run our Windows backup software!

Do we have some other choices so we can avoid this annoying UAC prompt every time we run our backup software? After all we trust our Windows backup software, so we can also accept a one time check but after this we don’t want any extra prompts!

An option that Windows give us is to totally disable UAC. This is not a perfect choice because then we won’t get the UAC prompt for ANY program!

We trust our backup software, but not all other programs, particularly if we have downloaded them from the network and not yet tested them.

By the way a suggestion for the smart user is to never try unknown programs on your computer! Instead, create a Virtual Machine and test new unknown software inside the VM. If anything goes wrong you can easily start over and recreate the Virtual Machine, but your computer is safe!

So we cannot totally disable UAC. Yes, we have the anti-virus software active, but we are at a high risk to get a new virus on our computer all the time.

What are the ways we can avoid UAC prompt?

Depending on the Windows Backup Software you have chosen you have some choices. Some programs, like GRBackPro (TODO: put link to it here), have the possibility to run as a Service.

A Windows service is software that is added to the system and starts automatically when you login. You are typing your PIN or password and all services are already running in the background.

The service normally doesn't have a user interface because it often runs on the SYSTEM account and doesn't have access to your desktop.

Backup programs like GRBackPro allow you to have a user interface while other programs may not. In the case of GRBackPro running as a service, the service starts a copy of your Windows backup software on your current user account and gains access to your desktop.

What are the advantages of running your Windows backup software as a Service? On the backup software you must specify an account the service should use when it starts. This is needed because as the service runs on the SYSTEM account it doesn't have access to some of the computer resources. For example, it cannot access your network shares. You can thus specify an Administrator account here to be sure to reach all your computer resources. But again, we have UAC in the middle. In this case we will not have any prompt but every user in the Administrator group will normally start program as normal user (i.e., not elevated) even if they all are Administrators! There is only one SPECIAL account that acts differently. This is the "Built-in" Administrator account. This is the only account that when used or impersonated will start any program elevated by default. If we specify that account in the Windows backup software service options/credentials, then we will be sure to get full permission to act on any computer resource.

Running a Windows backup software as a service is a common action when you install it on a Windows Server. This is because you want to run your backups nightly when no user is logged on and there are no active working users. For a workstation computer this is not a good choice because it adds complexity.

What other options we have?

We must first distinguish our needs. If our Windows backup software is GRBackPro then we can create many backup sessions and each one can have different needs. For example, we can have a daily backup and a weekly backup session. These will back up the same files. The daily backup will not backup the registry, for example, so it will not need elevation. The weekly backup, instead, will also back up the registry and might use a different destination folder or drive.

Here we have two options:

a. We want the Windows backup software always running and ready to start.

b. We run the Windows backup software only when we need to execute the backup.

In case (a) we have the option to create a task in the Windows Tasks Scheduler. This task has an option to execute our Windows backup software elevated. If we do this then we will have the Windows backup software always ready and elevated. We just need to open the user interface and hit the Backup button.

In case (b) we don't want to have a backup program always running doing nothing and we want to start it when needed. in this case we have two options:

1. Create a shortcut icon on the desktop that executes the Windows backup software and then edit the properties to force elevation when we double click on it. In this case we will get the usual UAC prompt every time we want to execute it. GRBackPro allow you to specify the settings file on the command line and we can take advantage to this feature creating an icon that supply daily setting and another one that supply the weekly settings. We can then force elevation only on the weekly one. This way when you double click the daily icon then the Windows backup software will start normally without UAC prompt while if we click the weekly one we will get the UAC prompt.

2. We can start the Windows backup software from the Windows Start menu. in this case the program will always start not elevate and thus no UAC prompt. This will be ok for the daily backup (again assuming that you have defined two backup sessions: daily and weekly). When you select the daily backup and run it you will not get any UAC prompt. When you select the weekly session backup then the Windows backup software will prompt you to restart itself (this is equivalent to the UAC prompt).

In conclusion: Being protected from possible malware is essential today. As suggested, it is best to try unknow program on virtual machines that you can easily reset or reinstall (or simply restore from a saved good copy). When you want to back up system files then you need to run your Windows backup software as Administrator (Elevated) so that you have access to system files and more. In this case you want to do that in a permanent way (no more UAC messages) because you are trusting your Windows backup software and you want it ready every time you need it. In all other cases the best is to have a Windows backup software that allows you to limit UAC prompts to a minimum.

We suggest GRBackPro professional Windows backup software as your best and trusted choice.