Holy cow, I wrote a book!
Take a shortcut to the command prompt or some other Windows component,
right-click it, and select "Run as Administrator."
The "Start in" directory from the shortcut is ignored
and you are always dropped into the system directory.
Why is the starting directory ignored?
To avoid a category of attacks (current directory attacks).
the dynamic link library search order documentation,
the current directory is searched in step five,
after the executable directory, and a variety of system-defined
If a program calls LoadLibrary and does not pass
a fully-qualified path, and the DLL cannot be found in one of the
first four locations, the current directory will be searched.
An attacker can drop a DLL into a directory and trick you into
running a program with that directory as its current directory.
When that program tries to load a library that normally doesn't exist,
the one the attacker created will be found and loaded.
This is bad.
Note that this behavior applies only to
Windows binaries and only if they are launched through
an elevation prompt.
(Programs that are not a part of Windows do not receive this
behavior because compatibility testing showed that third-party
application rely heavily on the current directory being preserved
across an elevation boundary.
installers will unpack their contents into a temporary directory,
change to that temporary directory, and then run the main setup