Microsoft fact: Most users log on to Windows with an administrator (Administrator) account. With this account, the user can access important system resources with little or no restriction, because the account is granted very high permissions. Once a user logs on with such a privileged account to a Windows operating system prior to Vista, a security token is created. Whenever code tries to access a protected (securable) resource, the operating system uses (presents) this security token. This token is associated with all newly created processes. The first process is Windows Explorer, which then hands the token to all its child processes, and so on. In such a configuration, if a program downloaded from the Internet or a malicious script in an e-mail message begins to run, it inherits the high privileges of the Administrator account (because its hosting application is running under this account). It can therefore change any content on the machine, and can even start another process that inherits the same high privileges.
Conversely, in Windows Vista, if a user logs on with a highly privileged account such as Administrator, a filtered token is created in addition to the security token corresponding to the account. The filtered token is granted only the permissions of a standard user. From then on, all new processes that the system starts on behalf of the end user are associated with this filtered token. The first process is still Windows Explorer. You may immediately ask: since all applications have only a standard user's permission set, how can they access restricted resources? The short answer is that a process with restricted permissions cannot access securable resources that require higher rights.
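To see which of the two tokens a process is actually running with, the following added example (not code from the original text) queries the current process token with the documented Win32 calls `GetTokenInformation(TokenElevationType)` and `CheckTokenMembership`. The names `classify`, `query_token` and `VERDICT_TEXT` are hypothetical; when built on a non-Windows system `query_token` simply returns -1.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>   /* Win32 build: link with advapi32 */
#endif
/* Numeric values of the Win32 TOKEN_ELEVATION_TYPE enumeration. */
enum { ELEV_DEFAULT = 1, ELEV_FULL = 2, ELEV_LIMITED = 3 };
enum verdict { STANDARD_USER, FILTERED_ADMIN, UNFILTERED_ADMIN };
static const char *const VERDICT_TEXT[] = {
    "standard user token",
    "filtered token: child processes get standard-user rights",
    "unfiltered administrator token: child processes inherit high privileges" };

/* admin_enabled: the Administrators group is enabled (not deny-only) in the token. */
enum verdict classify(int elev_type, int admin_enabled) {
    if (elev_type == ELEV_LIMITED) return FILTERED_ADMIN;   /* Vista logon default */
    if (admin_enabled)             return UNFILTERED_ADMIN; /* elevated, or pre-Vista behaviour */
    return STANDARD_USER;
}

/* Query the current process token. Returns 0 on success, -1 on failure
 * (always -1 when not built for Windows). */
int query_token(int *elev_type, int *admin_enabled) {
#ifdef _WIN32
    HANDLE tok = NULL;
    TOKEN_ELEVATION_TYPE type;
    BYTE sid[SECURITY_MAX_SID_SIZE];
    DWORD len = 0, sid_len = sizeof sid;
    BOOL member = FALSE, ok;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok)) return -1;
    ok = GetTokenInformation(tok, TokenElevationType, &type, sizeof type, &len);
    CloseHandle(tok);
    /* A deny-only Administrators SID makes CheckTokenMembership report FALSE. */
    ok = ok && CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, sid, &sid_len)
            && CheckTokenMembership(NULL, sid, &member);
    if (!ok) return -1;
    *elev_type = (int)type;
    *admin_enabled = member ? 1 : 0;
    return 0;
#else
    (void)elev_type; (void)admin_enabled;
    return -1;
#endif
}
int main(void) {
    int type = 0, admin = 0;
    if (query_token(&type, &admin) != 0) { puts("token query unavailable"); return 1; }
    puts(VERDICT_TEXT[classify(type, admin)]);
    return 0;
}
```

Run from a normal shell under an administrator account on Vista, this reports the filtered token; run from an elevated prompt, it reports the unfiltered one.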
Talking about Windows User Account Control (UAC)