added 236 characters in body; edited title
barlop

Title before this edit: Why is my cmd.exe in Windows 7 opening as Administrator?

Title after this edit: Why is my cmd.exe in Windows 7 opening with Administrative privileges?

Body (first paragraph) after this edit: Why is my cmd.exe in Windows 7 opening with Administrative privileges? (I won't say running "as Administrator" because I'm aware that the Win7 "Run As Administrator" option runs it with Administrative privileges rather than as Administrator, and that is what is happening here, albeit automatically.)

added 2753 characters in body

Commenter "HelpingHand" states: "add the cols, "Elevated" and "UAC Virtualization". What is the Elevated state of Explorer, the parent process of the cmd? Is that "Elevated=No", "UAC Virtualization-disabled"? Maybe focus on the parent proc rather than the child. I would also launch the cmd.exe with Process Monitor running. Confirm, in the Tree view, it is the child of the checked Explorer.exe process above and check the CreateProcess operation by Explorer.exe to launch cmd. Specifically the stack that is calling CreateProcess. It would be good to check there are no third party modules. Maybe paste a screenshot."

Windows 7 doesn't have an "Elevated" column! The Elevated column is specific to Windows 10 (and maybe Win8, but who cares re Win8). In Win10 the columns are tab specific, and it's associated with the Details tab of Win10. In Win7 the columns aren't tab specific and there is no "Elevated" column.

Also, you mention Process Monitor, a great program, but I think when you mean a tree, you mean Process Explorer. Process Monitor won't show a tree of processes; Process Explorer will. Both are great programs by Sysinternals / Mark Russinovich, now available from MS. Where you mention an operation (like filtering by operation), then you mean Process Monitor. There isn't a CreateProcess that I can see, though there is a ThreadCreate.

Looking at a fairly fresh, regular Windows 7 system that doesn't have the issue, Process Explorer shows that the cmd.exe process is a child of the explorer.exe process (it shows under "Explorer"), and double-clicking it, it says the parent is the/an explorer.exe instance. Looking at various processes, some have UAC Virtualization set to Allowed, some to Disabled. Explorer has it set to Disabled; cmd has it set to Disabled.

Looking at the Windows 7 system in question in Process Explorer, I see two explorer processes. cmd isn't showing under either of them, but if I double-click cmd then it says explorer.exe is the parent process. Looking at Task Manager, no processes have UAC set to Disabled. Explorer has it set to "Not Allowed", and cmd has it set to "Not Allowed". Of the two explorer processes, one has a command line with "/factory....", the other is just a regular call to explorer.exe. Process Explorer shows the PPID (parent process ID) of cmd.exe, and it matches the instance of explorer.exe that is just called normally.

As for the Process Monitor info, looking at the operation ThreadCreate and the Stack tab, here is a paste.

[screenshot]

You mention to consider if there is a third-party module there. I do not see any third-party module/DLL or EXE there.


deleted 321 characters in body


Before this edit:

In answer to some comments: I do obviously have an account called "user"; that should be clear.

A commenter suggests I run this command, showing the output.

The "Impersonate a client after authentication" and "Create global objects" are interesting, as I don't see them enabled on a fresh install. This link https://www.stigviewer.com/stig/windows_10/2017-12-01/finding/V-63889 mentions that "Impersonate a client after authentication" should only be granted to Administrators. The user 'user' is in the Administrators group.

Looking at a fairly fresh install, I see user 'user' added to the Administrators group, but "Impersonate a client after authentication" isn't listed as enabled when running that command. But that's because on the fairly fresh install, cmd doesn't run as administrator.

Commenter scott asks "What happens when you run netplwiz?" Well, the same thing as if you press Windows key + R and type control userpasswords2<ENTER>. It shows that screen where you set whether or not the user has to enter a password to log in, and which user can log in automatically.

After this edit:

In answer to some enquiries from commenter "scott": I do obviously have an account called "user"; that should be clear.

Commenter "scott" suggests I run this command, showing the output.

Nothing unusual there. If you run a cmd prompt with administrative privileges on a fresh install, then it shows the same thing. Obviously in my case it's happening automatically. So, perhaps commenter scott can state what he might have been looking for there?

Commenter scott asks "What happens when you run netplwiz?" Well, the same thing as if you press Windows key + R (to get the old Run dialog box) and type control userpasswords2<ENTER>. It shows that screen where you set whether or not the user has to enter a password to log in, and which user can log in automatically.
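The revisions above circle around three questions that Windows 7's Task Manager cannot answer directly, since it has no "Elevated" column: is the token of this cmd.exe actually elevated, which process really launched it, and is UAC or the logon configuration set so that an Administrators member gets a full token without ever clicking "Run as administrator". The PowerShell script below is an added diagnostic written for this page; it is not code from the original post or its commenters. It assumes Windows 7 SP1 with Windows PowerShell 2.0 or later, an English UI (the "Mandatory Label" strings reported by whoami are localized), and that it is started from inside the cmd.exe window in question so that it inherits that window's token. The registry value names it reads (EnableLUA, ConsentPromptBehaviorAdmin, FilterAdministratorToken, AutoAdminLogon, DefaultUserName) are the standard Windows ones; the function names are the script's own.

```powershell
# Added diagnostic script (not code from the original post). Run it from inside the
# cmd.exe window in question:
#   powershell -ExecutionPolicy Bypass -File .\Check-Elevation.ps1
# Assumptions: Windows 7 SP1 with Windows PowerShell 2.0+, English UI, and that this
# PowerShell inherits cmd's token (it does when started from that cmd window).

function Test-TokenElevated {
    # True only if the *token* carries Administrators as an enabled group. Under UAC a
    # filtered (non-elevated) token still lists the group, but as deny-only, so IsInRole
    # returns False even though the account is a member of Administrators.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-TokenIntegrityLabel {
    # whoami /groups reports the integrity level as a row of Type "Label":
    # "Mandatory Label\Medium Mandatory Level" (normal) vs "...\High Mandatory Level" (elevated).
    $rows = whoami /groups /fo csv | ConvertFrom-Csv
    return ($rows | Where-Object { $_.Type -eq 'Label' } | Select-Object -First 1).'Group Name'
}

function Get-TokenPrivilegeState {
    # The privilege the comments asked about ("Impersonate a client after authentication").
    # whoami /priv lists it on a full admin token and omits it from a filtered one.
    param([string]$Name = 'SeImpersonatePrivilege')
    $row = whoami /priv /fo csv | ConvertFrom-Csv | Where-Object { $_.'Privilege Name' -eq $Name }
    if ($row) { return $row.State } else { return 'not present' }
}

function Get-ProcessChain {
    # Walk PID -> parent -> grandparent via WMI. Get-Process on PowerShell 2.0 does not
    # expose ParentProcessId; Win32_Process does. Guards against PID reuse: a "parent"
    # created after its child is a recycled PID, not the real launcher.
    param([int]$ProcessId = $PID)
    $chain = @()
    $childCreated = $null
    $seen = @{}
    while ($ProcessId -and -not $seen.ContainsKey($ProcessId)) {
        $seen[$ProcessId] = $true
        $p = Get-WmiObject Win32_Process -Filter "ProcessId = $ProcessId"
        if (-not $p) { break }
        $created = $p.ConvertToDateTime($p.CreationDate)
        if ($childCreated -and $created -gt $childCreated) {
            $chain += New-Object PSObject -Property @{
                Pid = $ProcessId; Name = '(PID reused; real parent has exited)'; Owner = ''; CommandLine = ''
            }
            break
        }
        $owner = $p.GetOwner()
        $ownerName = '?'
        if ($owner.ReturnValue -eq 0) { $ownerName = "$($owner.Domain)\$($owner.User)" }
        $chain += New-Object PSObject -Property @{
            Pid = $p.ProcessId; Name = $p.Name; Owner = $ownerName; CommandLine = $p.CommandLine
        }
        $childCreated = $created
        $ProcessId = $p.ParentProcessId
    }
    return $chain
}

function Get-UacAndLogonPolicy {
    # The registry values that decide whether an Administrators member gets a full token
    # without anyone clicking "Run as administrator", plus the autologon settings that
    # netplwiz / "control userpasswords2" edit.
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $wl  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    return New-Object PSObject -Property @{
        EnableLUA                  = $uac.EnableLUA                  # 0 = UAC off: admin logons get a full token
        ConsentPromptBehaviorAdmin = $uac.ConsentPromptBehaviorAdmin # 0 = elevate silently when a program requests it
        FilterAdministratorToken   = $uac.FilterAdministratorToken   # built-in Administrator is unfiltered unless this is 1
        AutoAdminLogon             = $wl.AutoAdminLogon              # 1 = the DefaultUserName account logs on automatically
        DefaultUserName            = $wl.DefaultUserName
    }
}

# Report
"Elevated token        : $(Test-TokenElevated)"
"Integrity label       : $(Get-TokenIntegrityLabel)"
"SeImpersonatePrivilege: $(Get-TokenPrivilegeState)"
"Process chain (this PowerShell -> cmd.exe -> its launcher):"
Get-ProcessChain | Select-Object Pid, Name, Owner, CommandLine | Format-Table -AutoSize
"UAC / logon policy:"
Get-UacAndLogonPolicy | Format-List
```

If the report shows a High integrity label and SeImpersonatePrivilege present while the chain ends at a normally launched explorer.exe, the elevation was inherited from the shell rather than requested by cmd, and the policy section is where to look: EnableLUA set to 0 gives every Administrators member a full token at logon, and the built-in Administrator account is not filtered at all unless FilterAdministratorToken is 1. A chain that stops with a "PID reused" marker means the launcher has already exited, which is exactly the case where Process Explorer's parent display can be misleading.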
