I was checking for write permissions in a relative's system in C:\Windows\* directory, using AccessChk. I used the syntax accesschk -w -s username "C:\Windows\" The Users group only had read and execution permissions for PxSecure.dll. As it should be. The standard user account has FULL control over PxSecure.dll. It's able to delete the file. No UAC alert, due to permissions allowing deletion, etc. Just to clarify, the is in C:\Windows\System32\PxSecure.dll. This begs the question: Why does the user (limited user) have FULL access to PxSecure.dll? It shouldn't. Such permissions should be handled by the prevx.exe running with System permissions and not by the process running with user permissions. (I'm assuming that's the reason why the user has such permissions, in the first place.) If the user has FULL access, so does malware.