Understanding and optimizing the UAC in Windows 7
Table of Contents
The UAC (User Account Control) was introduced as a security tool for Windows to help standard users perform admin tasks (refer below list) and to encourage users not to run as admin. When any program requires admin privileges, the UAC prompt asks users for permission to proceed. Potential malware can also be prevented due to the features of the UAC. The following tutorial will help you understand UAC prompts, enable a password protection setting and how it will help secure your system.
Here are some scenarios which would trigger a UAC prompt:
a. While trying to install/uninstall a program
b. To gain access to a system utility like msconfig
c. Any kind of program which checks for updates for new programs (third party tools like secunia psi or File hippo's updatechecker), Windows updates and changing the time.
d. While trying to delete/add folders to the program files directory or the system directory (usually c:\windows)
e. Last but not least, the UAC prompt will only show up if you initiate a process like installing/updating/removing software, drivers, plugins, playing games (a few cases), windows updates and all. If a UAC window shows up when you have done nothing, malware could possibly be present in your system.
All the above mentioned tasks will trigger a UAC prompt (when using a standard user account). There are some system utilities like regedit (the registry editor) which do not ask for a UAC prompt and therefore you will not be able to make any changes. Click here for more details.
Perhaps no other feature in Windows has triggered so much of negative and positive feedback as the User Account Control (UAC) which debuted in Windows Vista. Most users got irritated with the seemingly endless popups which keeps nagging you continuously with questions like"allow this program or not", "A program is trying to make the following changes allow or not". Perhaps someone might have even told you to "Just turn it off. Problem solved". Clearly, the UAC ends up irritating and annoying most people. Almost everybody agrees that this feature makes life miserable for end users.
Before you think about turning it off, you could try to understand how the UAC works and its benefits for all users.
Most home users run as admin since it is easier to install/uninstall/update programs, drivers, games etc. The downside of running as admin is that malware, viruses and rootkits can do more damage to your system. There is also a huge possibility that you can unintentionally damage your system due to easier access to system tools like the Windows Registry (regedit) and the system configuration (msconifg). As a standard user, your access will be limited, but you will be able to do most things except for making system wide changes, adding/removing/ updating programs.
Thanks to the UAC, you will be able to get an "admin" like capability even if you are a standard user. If you do prefer to continue as admin, you can still enable the UAC password prompt. UAC settings for admins are here.
Note: If you are continuing as a standard user and want to enable the UAC password prompt, you should first enable the admin account and only then should you become a standard user. Then you can make the required changes to the local policy editor (secpol.msc) . More instructions on this and more below.
To become a standard user:
Enable the hidden admin account for Windows 7 by opening the command prompt as admin (right click on it and choose "run as admin") and typing the following text " net user administrator /active:yes " (exclude the quotes). You should then get the following message:
[click on thumbnails for bigger images]
Type secpol.msc (this should be run as admin) in the run box (or use the start menu search box to locate it) and under "local policies", "Security policies", double click on the policy "User Account Control: Behavior of the elevation prompt for standard users" and change the options to "prompt for credentials on the secure desktop".
Admins: double click on the policy "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" and change the options to "prompt for credentials on the secure desktop". You have now set a password prompt for the UAC.
Note: Some editions of Windows 7 do not have secpol.msc. To make the UAC prompt ask for your admin password, you will have to make changes to the registry. Ensure caution while editing values in the registry as editing the wrong values will lead to your system becoming unstable. Open the registry editor, by typing "regedit" in the run box and navigate to:
Then double click "ConsentPromptBehaviorUser" and change it to 1 (standard users). Admins, change "ConsentPromptBehaviorAdmin" to 1.
You have now successfully set a password for the UAC prompt. Also, ensure that your UAC settings are set to the maximum " Default - Always notify me when: "
Once this is done, you can change your admin account to that of a "Standard User" account by going to the Control panel "Control Panel\User Accounts and Family Safety\User Accounts\Change Your Account Type". Most of you might be wondering "but what's the use of entering my admin password in the UAC box? Wouldn't that make the UAC even more irritating?"
The password will help prevent accidental tampering of the system files, drivers, programs etc. UAC + a password will give you more control over your system. You can also have a few seconds to think before approving or disapproving the UAC prompts.
If you want to always run a program as admin without the UAC prompt, you could use the task scheduler to do this. Note: This would also defeat the the UAC's security, so ensure that the program is trustworthy and not malware/spyware etc. Instructions in the below thread:
Another alternative: Use Microsoft's Application Compatibility Toolkit to bypass the UAC prompts:
Remember: Tools like the "UAC" and "Runas" are partially based on the "sudo" concept for Unix/Linux-based systems including all Linux distros and the Macintosh OS (Mac). Therefore, this is not a completely new concept. A list of similar UAC like tools for various Operating Systems can be found here.
UAC is not a "cure it all" or an "all in one security" tool which will prevent malware, spyware and the lot. When used together with a standard user account, safe browsing, downloading only from trusted sites and common sense (this can be discussed further in Gizmo's friendly neighborhood forums) you will have an (almost) bullet proof system.
Most security tools regardless of the OS, will have a learning curve. If you want to utilize the in built tools of the OS without using third party tools, then the UAC can be very useful.
There are some system applications that do not prompt for a UAC elevation when logged in as a standard user. You can:
a. right click on the application and use the "run as administrator" option.
b. Create shortcuts for that particular program and make the UAC prompt appear by default by right clicking on the shortcut, choose "properties", "advanced" "Run as administrator" is another simpler way of doing it.
For Windows XP users: There is a small utility called "surun" which will give you UAC like capability. Tutorial here
So that's it. If you have any comments/feedback or suggestions on how this article could be improved, please let us know. The image of "the scream" is from the wikipedia (public domain image).