This is described on MSDN:

这在 MSDN 上有描述：

Basically, "asInvoker" will use the user's default security settings. It's described as "The application runs with the same access token as the parent process.", which means the same security token is used as the calling process, which is typically the desktop shell (or the process that launches this, if you launch your app from another program).

基本上，“asInvoker”将使用用户的默认安全设置。它被描述为“应用程序使用与父进程相同的访问令牌运行。”，这意味着使用相同的安全令牌作为调用进程，通常是桌面 shell（或启动它的进程，如果你启动你的进程）来自另一个程序的应用程序）。

Using "highestAvailable" will cause the application to run using the highest priveledges the user can obtain. If they're an administrator, for example, they'll get a UAC prompt and the app will run with admin rights. However, if they're a normal user, they'll get normal security settings, etc.

使用“highestAvailable”将使应用程序使用用户可以获得的最高权限运行。例如，如果他们是管理员，他们将收到 UAC 提示，应用程序将以管理员权限运行。但是，如果他们是普通用户，他们将获得普通的安全设置等。

In general, you'll want to use "asInvoker" unless you have a specific reason to request more rights.

通常，除非您有特定的理由请求更多权限，否则您会希望使用“asInvoker”。

A good example of "highest available"is someone who is a member of the Backup Operatorsgroup.

“最高可用”的一个很好的例子是备份操作员组的成员。

Starting with Windows Vista, it is not just "Administrators"who are stripped of their privileges and given a split-token. The system looks to see if you are:

从 Windows Vista 开始，不仅仅是“管理员”被剥夺了他们的特权并获得了一个拆分令牌。系统会查看您是否：

• a member of certain groups
• have certain privileges

• 某些团体的成员
• 有一定的特权

A good example of "highest available"is someone who is a member of the Backup Operatorsgroup. If you are a member of the Backup Operatorsgroups, your security token is filtered exactly like it is for members of the Administratorsgroup.

“最高可用”的一个很好的例子是备份操作员组的成员。如果您是Backup Operators组的成员，则您的安全令牌将像为Administrators组的成员一样进行过滤。

From MSDN Magazine article:

来自 MSDN 杂志文章：

Least Privilege
Teach Your Apps To Play Nicely With Windows Vista User Account Control
by Chris Corio

UAC starts working when a user logs onto a machine. During an interactive logon, the Local Security Authority (LSA) takes the user's credentials and performs the initial logon, evaluating the user's token to see if it has what are defined as elevated privileges. If the LSA determines that the user has elevated privileges, it will filter this token and then perform a second logon with the filtered token.

Least Privilege
教你的应用程序使用 Windows Vista 用户帐户控制很好地发挥作用
作者：Chris Corio

当用户登录机器时，UAC 开始工作。在交互式登录期间，本地安全机构 (LSA) 获取用户的凭据并执行初始登录，评估用户的令牌以查看它是否具有定义为提升的权限。如果 LSA 确定用户具有提升的权限，它将过滤此令牌，然后使用过滤后的令牌执行第二次登录。

User Account Control defines the following groups as having elevated privileges:

• Built-In Administrators (S-1-5-32-544)
• Power Users (S-1-5-32-547)
• Account Operators (S-1-5-32-548)
• Server Operators (S-1-5-32-549)
• Printer Operators (S-1-5-32-550)
• Backup Operators (S-1-5-32-551)
• RAS Servers Group
• BUILTIN\Pre-Windows 2000 Compatible Access (S-1-5-32-554)
• BUILTIN\Network Configuration Operators (S-1-5-32-556)
• Domain Admins (S-1-5-21-domain-512)
• Domain Controllers (S-1-5-21-domain-516)
• Cert Publishers (S-1-5-21-domain-517)
• Schema Admins (S-1-5-21-root domain-518)
• Enterprise Admins (S-1-5-21-root domain-519)
• Group Policy Administrators (S-1-5-21-domain-520)

Therefore, if the LSA notices that any of those group memberships or privileges are listed in the user's initial token, a filtered token will be created during an interactive logon, using a version of the CreateRestrictedTokenAPI, and the fully privileged token is saved by LSA. These two tokens are linked and the fully privileged token can be obtained from the filtered token using the Get-Token-Infor-mationAPI with the new TokenLinkedTokeninformation type. Note, however, that UAC does not affect service, network, or batch logons.

用户帐户控制将以下组定义为具有提升的权限：

• 内置管理员 ( S-1-5-32-544)
• 高级用户 ( S-1-5-32-547)
• 帐户操作员 ( S-1-5-32-548)
• 服务器操作员 ( S-1-5-32-549)
• 打印机操作员 ( S-1-5-32-550)
• 备份操作员 ( S-1-5-32-551)
• RAS 服务器组
• 内置\Pre-Windows 2000 兼容访问 ( S-1-5-32-554)
• 内置\网络配置运算符 ( S-1-5-32-556)
• 域管理员 ( S-1-5-21-domain-512)
• 域控制器 ( S-1-5-21-domain-516)
• 证书出版商 ( S-1-5-21-domain-517)
• 架构管理员 ( S-1-5-21-root domain-518)
• 企业管理员 ( S-1-5-21-root domain-519)
• 组策略管理员 ( S-1-5-21-domain-520)

因此，如果 LSA 注意到在用户的初始令牌中列出了这些组成员身份或特权中的任何一个，则将在交互式登录期间使用CreateRestrictedTokenAPI版本创建过滤令牌，并且完全特权令牌由 LSA 保存. 这两个令牌是链接在一起的，可以使用具有新信息类型的Get-Token-TokenLinkedTokenInformation API从过滤后的令牌中获取完全特权的令牌。但是请注意，UAC 不会影响服务、网络或批量登录。

If the user does not belong to any of the groups listed above but has certain privileges, a filtered token will be created with these privileges removed. The privileges in question are:

• SeCreateTokenPriv-i-lege- User Right: Create a token object.
• SeTcbPrivilege- User Right: Act as part of the operating system.
• Se-Take-Owner-ship-Priv-ilege- User Right: Take ownership of files or other objects.
• Se-Back-up-Priv-i-lege- User Right: Back up files and directories.
• Se-Re-store-Privilege- User Right: Restore files and directories.
• Se-De-bug-Priv-ilege- User Right: Debug programs.
• Se-Im-personatePrivilege- User Right: Impersonate a client after authentication.
• Se-Re-labelPrivilege- User Right: Modify an object label.

如果用户不属于上面列出的任何组但具有某些权限，则会创建一个过滤令牌，并删除这些权限。有问题的特权是：

• SeCreateTokenPriv-i-lege- 用户权限：创建令牌对象。
• SeTcbPrivilege- 用户权限：作为操作系统的一部分。
• Se-Take-Owner-ship-Priv-ilege- 用户权限：取得文件或其他对象的所有权。
• Se-Back-up-Priv-i-lege- 用户权限：备份文件和目录。
• Se-Re-store-Privilege- 用户权限：恢复文件和目录。
• Se-De-bug-Priv-ilege- 用户权限：调试程序。
• Se-Im-personatePrivilege- 用户权限：身份验证后模拟客户端。
• Se-Re-labelPrivilege- 用户权限：修改对象标签。

If i create a backupuser, i need to run with my backuprelated privileges returned to me:

如果我创建了一个备份用户，我需要在返回给我的备份相关权限的情况下运行：

• Se-Back-up-Priv-i-lege
• SeRestorePrivilege

• Se-Back-up-Priv-i-lege
• 恢复权限

That means that i don't need (or want) to run as a full fledged Administrator. I want to run with my highest availableset of permissions back.

这意味着我不需要（或不想）以成熟的管理员身份运行。我想以我最高的可用权限集运行。

This is where your three options for requestedExecutionLevelstart to come out:

这是requestedExecutionLevel的三个选项开始出现的地方：

• asInvoker: The application will run with the same permissions as the process that started it. The application can be elevated to a higher permission level by selecting Run as Administrator.

• highestAvailable: The application will run with the highest permission level that it can. If the user who starts the application is a member of the Administrators group, this option is the same as requireAdministrator. If the highest available permission level is higher than the level of the opening process, the system will prompt for credentials.

• requireAdministrator: The application will run with administrator permissions. The user who starts the application must be a member of the Administrators group. If the opening process is not running with administrative permissions, the system will prompt for credentials.

• asInvoker：应用程序将以与启动它的进程相同的权限运行。通过选择以管理员身份运行，可以将应用程序提升到更高的权限级别。

• highestAvailable：应用程序将以它所能达到的最高权限级别运行。如果启动应用程序的用户是管理员组的成员，则此选项与 requireAdministrator 相同。如果最高可用权限级别高于打开过程级别，系统将提示输入凭据。

• requireAdministrator：应用程序将以管理员权限运行。启动应用程序的用户必须是管理员组的成员。如果打开过程没有以管理权限运行，系统将提示输入凭据。

Bonus Reading

奖励阅读

• https://superuser.com/a/610253/8169
• Teach Your Apps To Play Nicely With Windows Vista User Account Control(archive.is)
• Privilege Constants(archive.is)
• Well-known security identifiers in Windows operating systems

• https://superuser.com/a/610253/8169
• 使用 Windows Vista 用户帐户控制(archive.is)教您的应用程序运行良好
• 特权常量（archive.is）
• Windows 操作系统中众所周知的安全标识符