The Windows operating system divides users into categories. Some categories are given more access and privileges than other categories. One category is called the Administrator account. The Administrator account -- sometimes known as the admin account -- has full read, write and delete privileges to sensitive areas of the operating system. The admin account has the ability to change the status of other users as well as alter system functions. One of these functions is to act as a Debugger user.
Administrator Debugger User
According to Microsoft support, “By default, the only member of the Debugger Users group is the Administrator who installed the application.” While this is true, the Admin has the ability to grant the right by adding an account to the Debugger Users group. That account can then access MDM.EXE on systems carrying it to clean up and/or secure problem applications.
Machine Debug Manager (MDM.EXE) is an application debugger and an important executable. It is used to correct application errors that can bring the system to a standstill. The executable can only be run by an Administrator account or a LocalSystem account accessed by an Administrator. LocalSystem accounts have extensive privileges to major system objects, including debuggers such as MDM.EXE. An Administrator account has the ability to grant the right by adding an existing account to the Debugger Users group; that account can then access MDM.EXE on systems running MDM.EXE to clean up and/or secure problem applications.
Automatic Assigning of Debugger Privileges
An Administrator granting debugger privilege is not the only way to obtain the privilege. A limited number of applications automatically bestow the Debugger User privilege to the account used to install the application. For example, debugging rights are needed to improve Microsoft Visual Studio applications while they are being coded. Programming without debugging authorization would generate very poor programs.
Controlling Auto Changing Behavior
Occasionally, a policy that controls the Administrator account settings will automatically switch an Administrator account to a Debugger User account. This can happen in any version of Windows that has account settings administered through the Registry. To set the policy that controls account settings, navigate to local security policy and access the rename Administrator account setting. Set account privilege policies and adjust the setting. This will keep the local security policy from overriding Administrator account privileges
Advantage of Dual Roles
Administrator Debugger User grants more privileges than running as an Administrator alone, and grants a few extra abilities. Access to MDM.EXE and other Debuggers is one such ability. Another is the right to attach a debugger to an application. The added security gained by acting as a Debugger User, coupled with the privileges granted to the Administrator User enables the Admin Debugger account to secure the Registry and other vital system objects from outside attacks and prevent annoying auto account changing behavior.