What is UAC (User Account Control) & Why You Should Not Turn it Off

When Windows Vista was launched, User Account Control (UAC) was the most criticized and misunderstood feature. Even though it is very important for security, many people have chosen to disable it and expose their systems to possible security problems. This feature has been improved in Windows 7 and Windows 8 and, even if it adds a lot to the security of the operating system, many users still choose to disable it. That’s why, in this article, I would like to clarify what this feature is, how it works and the benefits of keeping it active.

What Is User Account Control (UAC) in Windows?

UAC is a security feature of Windows Vista, Windows 7 and Windows 8 which helps prevent unauthorized changes to your computer. These changes can be initiated by applications, viruses or other users. User Account Control makes sure these changes are made only with approval from the administrator. If the changes are not approved by the administrator, they are not executed and Windows remains unchanged. It is as if nothing happened. :)

How Does User Account Control (UAC) Work?

In modern editions of Windows, applications run by default without any administrative permissions. They have the same permissions a normal user account has: they cannot make any changes to the operating system, its system files or the machine’s registry settings. Also, they cannot change anything that’s owned by other user accounts. Applications can change only their own files and registry settings.

When an application wants to make a system change like: modifications which affect other users, modifications of system files and folders, installation of new software, an UAC prompt is shown, asking for permission.

UAC prompts in Windows 7 looks similar to the one below.

User Account Control (UAC)

UAC prompts in Windows 8 looks similar to the one below.

User Account Control (UAC)

If the user clicks or taps No, the change won't be performed. If the user clicks or taps Yes, the application receives administrative permissions and it is able to make the system changes it requires. These permissions are given only until the application stops running or it is closed by the user.

For an easier understanding, the UAC algorithm is explained in the diagram below.

User Account Control (UAC)

Which Changes Require Administrative Privileges in Windows?

There are many changes which require administrative privileges and, depending on how UAC is configured, they can cause an UAC prompt to show up and ask for permission. These are the following:

  • Running an application as administrator
  • Changes to system-wide settings or to files in the Windows or Program Files folders
  • Installing and uninstalling drivers & applications
  • Installing ActiveX controls
  • Changing settings to the Windows Firewall
  • Changing UAC settings
  • Configuring Windows Update
  • Adding or removing user accounts
  • Changing a user’s account type
  • Configuring Parental Controls or Family Safety
  • Running Task Scheduler
  • Restoring backed-up system files
  • Viewing or changing another user’s folders and files
  • Changing the system date and time

What is Different Between UAC Levels in Windows?

Unlike Windows Vista, where you had only two options: UAC turned On or Off, in Windows 7 and Windows 8 there are four levels to choose from. The differences between them are the following:

  • Always notify - at this level you are notified before applications and users make changes that required administrative permissions. When an UAC prompt shows up, the desktop is dimmed as shown in the screenshot below. You must choose Yes or No before you can do anything else on the computer. Security Impact: this is the most secure setting and the most annoying. If you did not like the UAC implementation from Windows Vista, you won't like this level.

    User Account Control (UAC)

  • Notify me only when programs/apps try to make changes to my computer - this is the default level and UAC notifies you only before programs make changes that require administrative permissions. If you manually make changes to Windows, then a UAC prompt is not shown. This level is less annoying as it doesn't stop the user from making changes to the system, it only shows prompts if an application wants to make changes. When an UAC prompt is shown, the desktop is dimmed and you must choose Yes or No before you can do anything else on your computer. Security Impact: this is less secure than the first setting because malicious programs can be created to simulate the keystrokes or mouse movements made by a user and change Windows settings. However, if you are using a good security solution, such scenarios should not occur.
  • Notify me only when programs/apps try to make changes to my computer (do not dim my desktop) - this level is identical to the one above except the fact that, when a UAC prompt is shown, the desktop is not dimmed and other programs are able to interfere with it. Security Impact: this level is even less secure as it makes it easy for malicious programs to simulate keystrokes or mouse moves that interfere with the UAC prompt.
  • Never notify - at this level, UAC is turned off and it doesn't offer any protection against unauthorized system changes. Security Impact: if you don't have a good security solution you are very likely to encounter security issues with your PC. With UAC turned off it is much easier for malicious programs to infect your computer and take control.

Should I Disable UAC When I Install Applications & Turn It On Afterwards?

The biggest annoyance for users is when they install Windows and their most used applications. During this procedure, lots of UAC prompts are shown and you might be tempted to disable it temporarily, while you install all applications and enable it again when done.

In some scenarios this can be a bad idea. Applications that make lots of system changes can fail to work once UAC is turned on, after their installation. However, they will work correctly if you install them when UAC is turned on. When UAC is turned off, the virtualization techniques used by UAC for all applications are inactive. This causes certain user settings and files to be installed to a different place. They will not work when UAC is turned back on.

To avoid such problems, it is better to have User Account Control (UAC) turned on at all times.

Where To Find UAC & How To Change Its Level ?

We have covered this topic in one of our previous articles, named How To Change User Account Control (UAC) Levels.

Conclusion

The UAC implementation from Windows 7 & Windows 8 provides a good balance between security and usability. I hope that instead of disabling it, you will choose only to switch to a less annoying levels that provides the security Microsoft intended this feature to provide.