Understanding The Windows 7 UAC

Understanding and optimizing the UAC in Windows 7

Table of Contents

1. Introduction

2. How and why a UAC prompt might occur

3. What users think about the UAC

4. Admin vs Standard user: pros and cons

5. UAC settings in Windows 7

6. Conclusion

1. Introduction

The UAC (User Account Control) was introduced as a security tool for Windows to help standard users perform admin tasks (refer below list) and to encourage users not to run as admin. When any program requires admin privileges, the UAC prompt asks users for permission to proceed. Potential malware can also be prevented due to the features of the UAC. The following tutorial will help you understand UAC prompts, enable a password protection setting and how it will help secure your system.

 

2. How and why a UAC prompt might occur

Here are some scenarios which would trigger a UAC prompt:

a. While trying to install/uninstall a program

b. To gain access to a system utility like msconfig

c. Any kind of program which checks for updates for new programs (third party tools like secunia psi or File hippo's updatechecker), Windows updates and changing the time.

d. While trying to delete/add folders to the program files directory or the system directory (usually c:\windows)

e. Last but not least, the UAC prompt will only show up if you initiate a process like installing/updating/removing software, drivers, plugins, playing games (a few cases), windows updates and all. If a UAC window shows up when you have done nothing, malware could possibly be present in your system.

All the above mentioned tasks will trigger a UAC prompt (when using a standard user account). There are some system utilities like regedit (the registry editor) which do not ask for a UAC prompt and therefore you will not be able to make any changes. Click here for more details.

 

3. What users think about the UAC

Perhaps no other feature in Windows has triggered so much of negative and positive feedback as the User Account Control (UAC) which debuted in Windows Vista. Most users  got irritated with the seemingly endless popups which keeps nagging you continuously with questions like"allow this program or not", "A program is trying to make the following changes allow or not". Perhaps someone might have even told you to "Just turn it off. Problem solved". Clearly, the UAC ends up irritating and annoying most people. Almost everybody agrees that this feature makes life miserable for end users.cryingangry

Before you think about turning it off, you could try to understand how the UAC works and its benefits for all users.

 

4. Admin vs Standard user: pros and cons

Most home users run as admin since it is easier to install/uninstall/update programs, drivers, games etc. The downside of running as admin is that malware, viruses and rootkits can do more damage to your system. There is also a huge possibility that you can unintentionally damage your system due to easier access to system tools like the Windows Registry (regedit) and the system configuration (msconifg). As a standard user, your access will be limited, but you will be able to do most things except for making system wide changes, adding/removing/ updating programs.

Thanks to the UAC, you will be able to get an "admin" like capability even if you are a standard user. If you do prefer to continue as admin, you can still enable the UAC password prompt. UAC settings for admins are here.

Note: If you are continuing as a standard user and want to enable the UAC password prompt, you should first enable the admin account and only then should you become a standard user. Then you can make the required changes to the local policy editor (secpol.msc) . More instructions on this and more below.

To become a standard user:

Enable the hidden admin account for Windows 7 by opening the command prompt as admin (right click on it and choose "run as admin") and typing the following text " net user administrator /active:yes " (exclude the quotes). You should then get the following message:

[click on  thumbnails for bigger images]

5. UAC settings in Windows 7

Type secpol.msc (this should be run as admin) in the run box (or use the start menu search box to locate it) and under "local policies", "Security policies", double click on the policy "User Account Control: Behavior of the elevation prompt for standard users" and change the options to "prompt for credentials on the secure desktop".

Admins: double click on the policy "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" and change the options to "prompt for credentials on the secure desktop". You have now set a password prompt for the UAC.

Note: Some editions of Windows 7 do not have secpol.msc. To make the UAC prompt ask for your admin password, you will have to make changes to the registry. Ensure caution while editing values in the registry as editing the wrong values will lead to your system becoming unstable. Open the registry editor, by typing "regedit" in the run box and navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Then double click "ConsentPromptBehaviorUser" and change it to 1 (standard users). Admins, change "ConsentPromptBehaviorAdmin" to 1.

You have now successfully set a password for the UAC prompt. Also, ensure that your UAC settings are set to the maximum " Default - Always notify me when: "

Once this is done, you can change your admin account to that of a "Standard User" account by going to the Control panel "Control Panel\User Accounts and Family Safety\User Accounts\Change Your Account Type". Most of you might be wondering "but what's the use of entering my admin password in the UAC box? Wouldn't that make the UAC even more irritating?"

The password will help prevent accidental tampering of the system files, drivers, programs etc. UAC + a password will give you more control over your system. You can also have a few seconds to think before approving or disapproving the UAC prompts.

If you want to always run a program as admin without the UAC prompt, you could use the task scheduler to do this. Note: This would also defeat the the UAC's security, so ensure that the program is trustworthy and not malware/spyware etc. Instructions in the below thread:

http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/...

Another alternative: Use Microsoft's Application Compatibility Toolkit to bypass the UAC prompts:

http://www.ghacks.net/2010/07/08/get-rid-of-uac-prompts-with-microsofts-...

Remember: Tools like the "UAC" and "Runas" are partially based on the "sudo" concept for Unix/Linux-based systems including all Linux distros and the Macintosh OS (Mac). Therefore, this is not a completely new concept. A list of similar UAC like tools for various Operating Systems can be found here.

6. Conclusion

UAC is not a "cure it all" or an "all in one security" tool which will prevent malware, spyware and the lot. When used together with a standard user account, safe browsing, downloading only from trusted sites and common sense (this can be discussed further in Gizmo's friendly neighborhood forums) you will have an (almost) bullet proof system.

Most security tools regardless of the OS, will have a learning curve. If you want to utilize the in built tools of the OS without using third party tools, then the UAC can be very useful.

There are some system applications that do not prompt for a UAC elevation when logged in as a standard user. You can:

a. right click on the application and use the "run as administrator" option.

b. Create shortcuts for that particular program and make the UAC prompt appear by default by right clicking on the shortcut, choose "properties", "advanced" "Run as administrator" is another simpler way of doing it.

For Windows XP users: There is a small utility called "surun" which will give you UAC like capability. Tutorial here

So that's itsmiley. If you have any comments/feedback or suggestions on how this article could be improved, please let us know. The image of "the scream" is from the wikipedia (public domain image).

Share this
4.166665
Average: 4.2 (24 votes)
Your rating: None

Comments

by GJM (not verified) on 22. August 2012 - 16:19  (98157)

For the life of me I can not figure out why on one of my machines when running as a standard user I get prompted for the elevated admin password so I can install a program, and on another (with all the same settings mentioned above) it won't OFFER me the option to insert an admin password to allow the program to run.

I have checked the registry settings and they match what is set above.
I have tried changing the settings to deny that option, and then back again.
I have tried creating a new user to see if there was something wrong with the Current standard user I have.

No Luck.

Does anyone have any idea why it works on all my machines except for one?

Comment would be appreciated.

by J_L on 21. October 2012 - 16:09  (101140)

That is the correct and somewhat secure behaviour, if the "another" is an admin account.

That should be noted on the article for those lazy administrator wannabes (admittedly, I was one who did it way back in 2009-2011, because it only got rid of prompts that affect programs that "needed the shield" in admin accounts). Why do I say lazy? Cause they don't know how easy it is bypassing it these days (except advanced malware unless installed), and how many popular programs do it without effort.

You really shouldn't depend on third-party software for any fully compatible replacement (as in the same function, not more security in another form, which can mess up the system like any software bugs now that every part of it has admin rights).

by Concerned User on 23. August 2012 - 18:17  (98206)

To begin with, are you able to get the password prompt in the admin account with the steps mentioned above? Or are you facing problems with that too?

To change the registry settings, you should login as admin and make the changes.

Or you should create a shortcut for the program (regedit for example) and choose "run as administrator" for the changes to get reflected. Refer "6. Conclusion" for more details on that.

By the way, as a standard user do you get the regular UAC prompt while trying to install/uninstall programs etc..?

by Guest (not verified) on 19. July 2012 - 19:42  (96412)

If I'm already logged in as Administrator... and I specifically open a command-prompt in Administrator Mode... will I *STILL* get asked by UAC?

by Concerned User on 30. July 2012 - 16:54  (96895)

Well, if you've set the UAC prompt for an admin user, yes you will be prompted.

See 5. UAC settings in Windows 7 for further details.

by Stretch (not verified) on 25. January 2012 - 8:30  (87744)

I like the UAC. It does give one time to think about whether the program you are going to install or the change you are going to make is beneficial to your OS. Yes, it can be irritating, but sometimes I download things and up pops the UAC and it DOES make me think, "Did I get this from a reliable source?" In most cases yes, but sometimes I have had 2nd thoughts about making a change which keeps my mind at ease. Overall I think it was good that this was introduced.

by Kipster on 24. January 2012 - 21:26  (87729)

A while back, I evidently changed some setting in the UAC so that I now need to hit the ENTER key to continue booting at startup, i.e. Login as User.
How do I get rid of this? (running Ultimate)

by Concerned User on 25. January 2012 - 4:16  (87737)

This does not seem to be a UAC problem, perhaps something to do with the BIOS settings.

Register yourself in Gizmo's forums and describe your problem in more detail, please.

http://www.techsupportalert.com/freeware-forum/

by Mark Ess (not verified) on 24. January 2012 - 17:09  (87711)

For UAC functionality in Windows XP, WinPatrol might well be worth a look...

Initially, I experimented with WinPatrol for a couple of months. Six years later, I'm still using it, along with common sense and other due diligence, and WITHOUT an anti-virus compliment! To paraphrase from your linked SuRun article, with assists from Comodo and Housecall (and others over the years), there's been no malware, no nasties, no nothing...

To clarify, I have no first-hand experience with SuRun and I'm not stating that WinPatrol is better. In fact, WinPatrol does not alter Administrative status, which may actually be a significant disadvantage if your browsing or networking habits are less distrusting than mine...

by chrisabc on 24. January 2012 - 14:01  (87695)

The heading TO BECOME A STANDARD USER is in section 4. But the actual instructions for doing this are at the end of Section 5. This part could be made more clear. (well, I had to read it a few times before I understood :-)

Should start by defining what UAC stands for.

Spelling mistake near end of Section 2.
"malware could possible be" >> possibly

Maybe a section on how software developers can make their programs not trigger the UAC prompt by Signing their Code.

by Concerned User on 24. January 2012 - 16:16  (87706)

The spelling mistake has been corrected.

Re Section 4: A small note has been added that an admin account needs to be present(for standard users) all the time if the UAC password prompt needs to show up.

Regarding what the UAC is, a small intro has been given in the first section itself. More info could be added, but this would make the article even more longer.

Yes, a section on how software developers could make their programs "UAC compliant" would be more interesting. Will consider that a little later. Thanks for your feedback.

by Main Nerd (not verified) on 24. January 2012 - 13:51  (87694)

I have a program that I use every day that ALWAYS pops up with the UAC warning. How can I tell Win7 to NOT do it for that program?

Thank you.

by Concerned User on 24. January 2012 - 15:53  (87702)

Which application is this? For some programs, you can simply right click on the shortcut icon and choose "properties", "advanced" and uncheck "run as administrator" (this will not work for system applications like regedit).

Another option is to use the task scheduler and always run the program with the highest (admin) privileges. This kind of defeats the purpose of the UAC.

However, if you are sure that the program is trustworthy and not malware/spyware etc, you can do so. Instructions in the below thread:

http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/...

Tutorial has been updated to reflect this.

Gizmo's Freeware is Recruiting!

Gizmos Needs YouShare your knowledge of free software with millions of Gizmo's readers by joining our editing team.  Details here.