Detect removed admin privileges


PepiMK
2008-04-17, 09:37
Situation: as described for example here.

Experienced: removed admin privileges from ACLs might be another criterion.

Expected: exact details need to be worked out in testing, e.g. we need to make sure to detect the standard admin account as well as the local admin group and domain admins, to avoid false positives.

Becky
2008-04-18, 00:03
I think it must have a high priority, we need to know can overpass the security features, if those programs are authorized without our knowledge...

PepiMK
2008-04-21, 20:14
Not sure if we've found the perfect criteria yet; domain admin, built-in admin, local admin or all to everyone is not quite sufficient, with a few special exceptions where it's fine that only system, and no admin, is allowed to write.
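
Added example, not part of the thread or of the product's code: one way to apply the criteria from the last post to an SDDL security descriptor string, flagging an object when none of the built-in Administrators group, the local Administrator account, Domain Admins or Everyone keeps write access, with an allow-list for SYSTEM-only objects. The function names, the allow-list entry and the sample descriptor are assumptions constructed for this illustration, and deny ACEs are handled in a simplified way.

```python
import re

# Admin principals named in the thread (as SDDL aliases); SY is SYSTEM.
ADMIN = {"BA", "LA", "DA", "WD"}
# Well-known full SIDs mapped to the same aliases.
SID_ALIASES = [(r"S-1-5-32-544", "BA"), (r"S-1-5-21-[\d-]+-500", "LA"),
               (r"S-1-5-21-[\d-]+-512", "DA"), (r"S-1-1-0", "WD"),
               (r"S-1-5-18", "SY")]
# Rights tokens and mask bits that imply write (generic, file, registry key).
WRITE_TOKENS = {"GA", "GW", "FA", "FW", "KA", "KW", "DC", "LC"}
WRITE_MASK = 0x10000000 | 0x40000000 | 0x2 | 0x4
# Hypothetical allow-list of objects where SYSTEM-only write is expected.
SYSTEM_ONLY_OK = {r"HKLM\EXAMPLE\SystemOnlyKey"}

def pairs(s):
    return {s[i:i + 2] for i in range(0, len(s), 2)}

def norm(sid):
    for pattern, alias in SID_ALIASES:
        if re.fullmatch(pattern, sid):
            return alias
    return sid

def grants_write(rights):
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & WRITE_MASK)
    return bool(pairs(rights) & WRITE_TOKENS)

def writers(sddl):
    """SIDs that keep write access on the object itself. Simplified: a deny
    ACE with write bits cancels that SID regardless of ACE order."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    allow, deny = set(), set()
    for ace in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        f = ace.split(";")
        if len(f) != 6 or "IO" in pairs(f[1]) or not grants_write(f[2]):
            continue  # conditional/malformed, inherit-only, or no write bits
        if f[0] in ("A", "D"):
            (allow if f[0] == "A" else deny).add(norm(f[5]))
    return set() if "WD" in deny else allow - deny

def classify(path, sddl):
    w = writers(sddl)
    if w & ADMIN:
        return "ok"
    if w == {"SY"} and path in SYSTEM_ONLY_OK:
        return "ok-exception"
    return "admin-write-removed"

# Constructed sample: SYSTEM keeps full control, Administrators are read-only.
SAMPLE = "O:SYG:SYD:PAI(A;CI;KA;;;SY)(A;CI;KR;;;BA)"
print(classify(r"HKLM\EXAMPLE\Locked", SAMPLE))
```
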