Windows Vista Secret #4: Disabling UAC

Windows Vista Secret #4: Disabling UAC

Rate This
  • Comments 27

If you're a reader of this blog, I'm going to take a low-risk gamble and assert that you probably consider yourself a power user. You pride yourself in the responsibility of having full and absolute control over your machine environment and anything that comes between that perfect human-machine symbiosis is to be spurned. If only there were a way to turn User Account Control off on a Windows Vista machine, you'd upgrade immediately. Well, dear reader, I'm here to help.

Firstly, it's worth a brief digression into the benefits of this feature. Running as admin is a bad thing, as most of us know. Aaron Margosis has blogged extensively on this issue, and I won't rehash it here. But for reasons of compatibility, running as a standard user can still be a somewhat painful proposition. Windows Vista attempts to give you the benefits of both worlds by allowing administrators to execute most processes in the context of a standard user and only elevating the privileges on their user token by consent, in addition to allowing standard user accounts to perform administrative tasks by selectively elevating a process to use administrator-level credentials.

In general, UAC has turned out pretty well. It was pretty intrusive in early builds, prompting often and sometimes capturing focus at the wrong time. For the vast majority of users, UAC will offer a valuable level of security protection that will protect against malware: it simply won't have the rights to perform invasive actions like installing device drivers or services. Once a system is configured, you'll rarely see UAC prompts unless you're an inveterate settings tweaker. Incidentally, you can find out a great deal more about how UAC works, what you need to do to your own applications so that they co-operate well with UAC, and the rationale for its design at the official UAC blog.

It is possible to switch UAC off. I really don't recommend it - if you like full control over your machine, surely you want to know when something is attempting to perform an administrative-level action? Nevertheless, I'd prefer to have you run Windows Vista without UAC than having you run a different operating system.

There are two ways to disable UAC. The easy solution is through Control Panel. Type "UAC" into the search bar at the top of the screen and you'll see this task presented:

This approach is pretty brute-force, though. It just switches the whole thing off. There's a more subtle configuration choice that gives you some of the benefits of UAC without any of the prompting. You'll need to edit the local security policy to control this, as follows:

  1. From the Start search bar, type "Local Security Policy"
  2. Accept the elevation prompt
  3. From the snap-in, select Security Settings -> Local Policy -> Security Options
  4. Scroll down to the bottom, where you'll find nine different group policy settings for granular configuration of UAC.

Perhaps the best choice to select is to change the setting:
   User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
from Prompt for consent to Elevate without prompting.

What does this do? Despite the warning from the Windows Security Center, UAC isn't actually switched off. It's still there, and all your processes will still run as a standard user. To prove this, open a command prompt and try to save a file to the c:\ directory. You'll get an access denied error message. However, when a process is marked for elevation, instead of getting the secure desktop elevation prompt, the request will be silently approved. To show this in action, right click on a command prompt shortcut and choose "Run as Administrator". You'll see the command prompt open without elevation, but the window title will show that you're running with full administrative privileges.

Using this approach is better than nothing, but it's a bit like relying on everyone else having a vaccination against measles to protect yourself from infection. Read the explanations on the second page of the property sheet for each policy setting before tinkering, and be careful!

  • I have a different route to do it, which I found in beta2 (don't think the control panel icon way was available then).
    click windows and type in "msconfig" it will launch the config tool and under tools is an option to enable and disable uac.
  • I had blogged about this earlier too.

    http://rachit.wordpress.com/2006/08/25/uac-problem-with-wcf-on-vista/

    Thanks
  • Hopefully this will not have the side affect of the "brute force" option - that is, every time you boot you get a _really_ annoying toast telling you you've turned it off.

    aaaaaaaaaaaaaaaaaaarrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrggggggggggggggggggggggggg!

  • I was lost to OS X in 2003. It only prompts me for the admin password when I am administering something, not when I want to do something. I can install all the programs I want in my home folder and I have full access over them. Windows Vista is a kludge but don't let that stop you having fun administering it rather than doing anything constructive like personal computing.
  • There's always a Mac fanboy in every forum or blog.
  • Tim Sneath is on a roll with his series of Windows Vista Secrets posts, and rumour has it he has something...
  • What Microsoft REALLY needs to do is give each UAC prompt a box the user can check to say "Take my answer and apply it in the future without asking me again".  I don't know why they won't do that...
  • PingBack from http://cyber-knowledge.net/blog/2006/09/21/5-windosws-vista-secrets-you-must-know/
  • Let me use an analogy here:  UAC to me is a lock on a door.

    Yes, it's an irritation sometimes.  Though once I understand the rationale for having a lock and understand that not everyone in the world was as honest as I would like, it is reasonable.  

    Do I go to work with the door unlocked?  No.  Would I drill out my locks to ensure I never had to use that pesky key again?  No.  Would I add a sensor that automatically unlocked the door whenever anyone approached???  um, no.

    Ok, that's my right and likely the analogy of a lock will be picked apart (pun intended ;)) but still I understand why some believe that they need to be admins on the box.  I'll try my hardest to leave out the sentiment that these will likely be only one of the people who 0wN that box.

    However, the recommendation to anyone that silent elevation is a good thing to do is near irresponsible.
    The ONLY thing it could potentially protect you from is good apps that did something bad.  It is ZERO protection from bad apps trying to do bad things.
    Indeed, you even said that UAC is still running.  It is, but so effectively useless it's not really protecting anyone.

    UAC has come on in leaps and bounds - yes, it's a pain in the posterior when you're first configuring the machine.  I too get a little irked when viewing processes from all users.  But in day to day use it is not bothersome at all.  

    Don't do silent elevation.  Just say "No"!
  • @Mike Peter Reed: The only reason UAC prompts come up so often when installing applications are that none of these applications or setup programs have been written to take into account UAC and write to shared or system areas, which launches the UAC prompt.
    It would be the same on a Mac if apps were written incorrectly and wanted to write to non-user areas.
  • If there's one thing that puts me off an application, it's when it unnecessarily inserts itself into...
  • PingBack from http://www.shahine.com/omar/FlickeringAndDimmingInVista.aspx

  • PingBack from http://larchoye.com/2006/10/04/10-windows-vista-secrets-and-more-tim-sneath-vista-blogs/

  • PingBack from http://www.belshe.com/2006/10/04/security-by-lawyers-vistas-elevation-prompts/

Page 1 of 2 (27 items) 12