
Published on 11.29.10 by Brent Trahan

User Account Control (UAC) Explained

Learn what User Account Control is, how it works, why you need it, and how to tweak it.

What is User Account Control (UAC)?

User Account Control (UAC) is technology and security infrastructure introduced with Windows Vista and perfected in Windows 7 that’s used to protect your computer from viruses and spyware (malware).

How does User Account Control (UAC) work?

UAC protects your computer by making it harder for malware to compromise it and by limiting what the malware can do.

When you’re logged on and UAC is in its default configuration, your user account always runs with non-admin privileges (even if your account has administrator privileges). When you run a program or change a setting that requires admin privileges, UAC steps in with a UAC prompt and asks you if it’s OK to pass your admin privileges along.

UAC stops malware that tries to secretly install itself in the background in its tracks. When the malware tries to install, a UAC prompt will appear (shown above) asking you for permission.

Why should I use User Account Control (UAC)?

Back in the old days of Windows XP and earlier, when you were logged in as a user with administrative privileges, malware could easily use your administrative privileges to install itself in the background without you knowing it.

UAC gives you a fighting chance by forcing the malware to ask for permission before it can install itself on your computer.

Do I still need Antivirus software since I’m using User Account Control (UAC)?

Yes. User Account Control is not going to prevent all malware. Antivirus software is HIGHLY recommended. I suggest Microsoft Security Essentials. It’s free, made by Microsoft, light on computer resources, and very good.

Tweaking User Account Control (UAC)

Although UAC works perfectly out of the box for most people, it can be tweaked for special circumstances.

Warning: Only tweak UAC if you truly understand what you’re doing.

  • Admin Approval Mode for built-in administrator account: This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account.
      – Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation.
      – Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege.
  • Allow UIAccess applications to prompt for elevation without the secure desktop: This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.
      – Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the “User Account Control: Switch to the secure desktop when prompting for elevation” policy setting, the prompts appear on the interactive user’s desktop instead of the secure desktop.
      – Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the “User Account Control: Switch to the secure desktop when prompting for elevation” policy setting.
  • Elevation prompt behavior for administrators in Admin Approval Mode: This policy setting controls the behavior of the elevation prompt for administrators.
      – Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments.
      – Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user’s highest available privilege.
      – Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user’s highest available privilege.
      – Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
      – Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user’s highest available privilege.
      – Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user’s highest available privilege.
  • Elevation prompt for standard users: This policy setting controls the behavior of the elevation prompt for standard users.
      – Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
      – Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls.
      – Prompt for credentials on the secure desktop: (Default) When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
  • Detect application installations and prompt for elevation: This policy setting controls the behavior of application installation detection for the computer.
      – Enabled: (Default for home) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
      – Disabled: (Default for enterprise) Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary.
  • Only elevate signed and validated executables: This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers.
      – Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run.
      – Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run.
  • Only elevate UIAccess applications that are installed in secure locations: This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following:
      – …\Program Files\, including subfolders
      – …\Windows\system32\
      – …\Program Files (x86)\, including subfolders for 64-bit versions of Windows
    Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting.
      – Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity.
      – Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system.
  • Run all administrators in Admin Approval Mode: This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer.
      – Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.
      – Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.
  • Switch to the Secure Desktop when prompting for elevation: This policy setting controls whether the elevation request prompt is displayed on the interactive user’s desktop or the secure desktop.
      – Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
      – Disabled: All elevation requests go to the interactive user’s desktop. Prompt behavior policy settings for administrators and standard users are used.
  • Virtualize file and registry write failures: This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software.
      – Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry.
      – Disabled: Applications that write data to protected locations fail.
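
To see how a machine is actually configured, the following added example (not part of the original guide) reads the ten policies above from the registry and compares each with the default this guide lists. The registry value names under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System do not appear in the guide; they are where Windows stores these policies. The script is read-only and assumes PowerShell 3.0 or later.

```powershell
# Added example: compare this machine's UAC policy values with the defaults
# the guide lists. Read-only; nothing is changed.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Registry value name -> policy name (shortened from the list above), default per the guide.
$policies = [ordered]@{
    FilterAdministratorToken    = @('Admin Approval Mode for built-in administrator account', 0)
    EnableUIADesktopToggle      = @('Allow UIAccess applications to prompt without the secure desktop', 0)
    ConsentPromptBehaviorAdmin  = @('Elevation prompt behavior for administrators', 5)
    ConsentPromptBehaviorUser   = @('Elevation prompt for standard users', 1)
    EnableInstallerDetection    = @('Detect application installations', 1)   # 0 is the enterprise default
    ValidateAdminCodeSignatures = @('Only elevate signed and validated executables', 0)
    EnableSecureUIAPaths        = @('Only elevate UIAccess applications in secure locations', 1)
    EnableLUA                   = @('Run all administrators in Admin Approval Mode', 1)
    PromptOnSecureDesktop       = @('Switch to the Secure Desktop when prompting', 1)
    EnableVirtualization        = @('Virtualize file and registry write failures', 1)
}

# Values that switch off the prompt or the secure desktop entirely.
$weak = @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 }

$current = Get-ItemProperty -Path $key -ErrorAction Stop

$report = foreach ($name in $policies.Keys) {
    $policy, $default = $policies[$name]
    $value = $current.$name              # $null when the value is absent
    $status = if ($null -eq $value) {
        'not set'
    } elseif ($weak.ContainsKey($name) -and $value -eq $weak[$name]) {
        'reduces protection'
    } elseif ($value -eq $default) {
        'default'
    } else {
        'changed'
    }
    [pscustomobject]@{
        Policy = $policy; RegistryValue = $name
        Value = $value; GuideDefault = $default; Status = $status
    }
}

$report | Format-Table -AutoSize -Wrap
```

A row marked "reduces protection" means UAC is off, administrators elevate without any prompt, or prompts appear on the interactive desktop instead of the secure desktop.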

Disabling User Account Control (UAC)

Just so you know, disabling UAC is a really bad idea and I don’t suggest it. Here’s how to Disable User Account Control (UAC) in Windows 7.


Copyright 2006-2016 Brent Trahan. All rights reserved.