What is UAC (User Account Control) & Why You Should Never Turn it Off
By Ciprian Adrian Rusen on Sun, 07/05/2009 - 19:32
When Windows Vista was launched, User Account Control (UAC) has been the most criticized and misunderstood feature. Even though it is very important for security, many people have chosen to disable it and expose their systems to possible security problems. Also, lots of sites have published different 'tweaks' for this feature which render it useless and expose users to problems. Windows 7 brings further changes to this feature which has caused additional controversy. This is why I will try to bring more clarity about this feature. I will explain what UAC really is, how it works, what options you have and why you should never disable it. If you are thinking to turn it off, please read this article so that you better understand this feature and how it helps you.
What Is User Account Control (UAC) ?
UAC is a security feature of Windows Vista and Windows 7 which helps prevent unauthorized changes to your computer. These changes can be initiated by applications, viruses or other users. UAC makes sure these changes are made only with approval from the administrator of the computer. If these changes are not approved by the administrator, they will never be executed and the system will remain unchanged.
How Does User Account Control (UAC) Work ?
In Windows Vista and Windows 7, applications run by default without any administrative permissions. They have the same permission levels as a normal user would. They cannot make any changes to the system.
When an application wants to make system changes such as: modifications which affect other users, modifications of system files and folders, installation of new software, UAC prompts the user to ask for permission. An UAC prompt in Windows 7 looks similar to the one below.
If the user clicks on No, the change won't be performed. If the user clicks on Yes, the application receives administrative permissions and is able to make system changes. These permissions will be given until the application stops running or it is closed by the user.
For an easier understanding, the UAC algorithm is explained in the diagram below.
What Changes Require Administrative Privileges ?
There are many changes which require administrative privileges and, depending on how UAC is configured, they can cause an UAC prompt to pop-up and ask for permissions. These are the following:
- Running an application as an administrator
- Changes to system-wide settings or to files in the 'Windows & Program Files' folders
- Installing and uninstalling drivers & applications
- Installing ActiveX controls
- Changing settings to the Windows Firewall
- Changing UAC settings
- Configuring Windows Update
- Adding or removing user accounts
- Changing a user’s account type
- Configuring Parental Controls
- Running Task Scheduler
- Restoring backed-up system files
- Viewing or changing another user’s folders and files
- Changing the system date and time
What's The Difference Between UAC Levels ?
Unlike Windows Vista, where you had only two options: UAC turned On or Off, in Windows 7 there are four levels to choose from. The differences between them are the following:
- Always notify - at this level you will be notified before applications make changes to your computer or your Windows 7 settings that required administrative permissions. When an UAC prompt shows up, your desktop will be dimmed like in the screenshot below, and you must choose Yes or No before you can do anything else on your computer. Security Impact: this is the most secure setting but also the most annoying. If you do not like the UAC implementation from Windows Vista, you won't like this level.
- Notify me only when programs try to make changes to my computer - this is the default level and it notifies you only before programs make changes to your computer that require administrative permissions. If you manually make changes to Windows 7, then you will not be notified by UAC. This level is less annoying as it doesn't stop the user when making changes to the system; it only shows prompts if an application wants to make changes. When an UAC prompt is shown, the desktop is dimmed and you must choose Yes or No before you can do anything else on your computer. Security Impact: this is less secure due to the fact that there can be malicious programs created which simulate the keystrokes or mouse moves of a user and change Windows 7 settings. However, if you are using a good security solution, these scenarios should never occur.
- Notify me only when programs try to make changes to my computer (do not dim my desktop) - this level is identical to the one above except the fact that, when a UAC prompt shows up, the desktop is not dimmed and other programs might be able to interfere with the UAC dialog window. Security Impact: this level is even less secure as it is easier for malicious programs to simulate keystrokes or mouse moves which interfere with the UAC prompt.
- Never notify - at this level, UAC is turned off and it doesn't offer any protection against unauthorized system changes. Security Impact: if you don't have a good security solution you are very likely to have security problems with your PC. With UAC turned off it will be easier for malicious programs to infect your computer and take control of it and/or its settings.
Should I Disable UAC When I Install My Applications & Turn It On Afterward ?
The biggest annoyance level for users is when you install Windows 7 and all your daily applications. At this time you can receive lots of UAC prompts and you might be tempted to disable it temporarily, while you install all your applications and enable it back when done. In some scenarios this can be a bad idea. Certain applications, which make lots of system changes can fail to work once you turn on UAC after their installation and they will work if you install them with UAC turned on. The failures happen because, when UAC is turned off, the virtualization techniques used by UAC for all applications are inactive. This causes certain user settings and files to be installed to a different place and no longer work when UAC is turned back on. To avoid these problems, it is better to have UAC turned on at all times.
Where To Find UAC & How To Change Its Level ?
We have covered this topic in one of our previous articles, called How To Change User Account Control (UAC) Levels. There you will find a complete guide with all the information you need.
Conclusion
Microsoft has listened to the feedback they received from Windows Vista users and have seriously tweaked UAC. We now have many options to choose from. These new settings provide a pretty good balance between security and usability. For those of you who are still not satisfied with the usability level of UAC, we will continue to look for additional tips and tricks which can tweak it further without compromising your security. If you already have some tips, don't hesitate to share them with us using the comments form below.
Related articles:
How To Change User Account Control (UAC) Levels
Windows 7 vs Windows Vista: The UAC Benchmark
Use the Task Scheduler to Launch Programs Without UAC Prompts
How to Run Programs as Administrator in Windows 7
This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.
Microsoft, Windows and the Windows logo are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Microsoft Corporation in no way endorses or is affiliated with our site.
All other products mentioned are registered trademarks and/or trademarks of their respective companies.
This blog is running on the Drupal CMS - the best Content Management Platform.
Comments
I would turn UAC back on if
I would turn UAC back on if it would stop causing Windows Stop errors
I always found the UAC in
I always found the UAC in Vista sorta annoying, but not enough to actually complain about it, in fact, i turned up the setting in Windows 7, cause I'm paranoid like that
I would like to add some apps
I would like to add some apps to the UAC "control files", like we do with Firewall (when adding an .exe for example).
Everytime i boot win7, UAC asks for permission for the Rivaturner, i disabled UAC only for this incovenience, i'd like to put rivaturner as a 'safer' application inside UAC...
Try to follow this
Try to follow this guide:
http://www.vista4beginners.com/Disable-UAC-for-certain-applications
It is for Windows Vista but it should work on Windows 7 too.
Gonna try it when i'm in
Gonna try it when i'm in home.
Thank you !
Meh =( It didn't worked for
Meh =(
It didn't worked for me.
It messed a little with my Win7 (I could not load RT anymore), uninstalled and re-installed it to get it back 2 work. I uninstalled the MS Compatibility soft as well, since it 'll be here for nothing.
Gonna keep UAC ON this time and try live with it... :)
Hopefully we will publish a
Hopefully we will publish a solution in the coming weeks.
Actually, i think i've found
Actually, i think i've found a little trick to bypass UAC while it's state is ON.
All i had to do was:
1- Create a Task inside Task Scheduler
2- Create a shortcut linked to the one inside Task Scheduler -> schtasks /run /tn "Rivaturner"
3- Unchecked the checkbox "Start with Windows" in Rivaturner
4- Moved that shortcut i created (schtasks /run /tn "Rivaturner") into the folder StartUp in All Programs
And voilá!
Everytime windows boots, it does not ask for permission to run rivaturner anymore.
If you try to run rivaturner.exe, it will fail and windows will show that annoying UAC window. All your calls to rivaturner MUST be done though that shortcut.
Sorry for my English, i did my best to help some "troublemakers" as I here =) ^^
Cheers from Brazil!
For more detailed help in how to creat a task in Task Scheduler, visit this topic (It's in portuguese and you must be registred to see the image examples (The text in the images are in English, so it may be good to register there and do the procedure following the images))
http://www.babooforum.com.br/forum/Executando-programas-sem-o-prompt-da-...
PS. DONT FORGET, all your calls to Rivaturner (Or any other program you desire) must be done though the SHORTCUT !!!! If you run the program by it's .exe it will trigger UAC.
PS2. Uncheck the "Run as Adm" in file properties too...
UAC and MagiColor 2300 DL
UAC and MagiColor 2300 DL Printer. Currently I'm using VISTA, but will be upgrading my computer this month to Win 7. That said, I suspect the issue I have with my Magicolor 2300 DL printer will be encountered in Win 7. ISSUE: If you don't disable UAC it takes three minutes to print. You never get the UAC popup. Does anyone know a workaround without having to cut off UAC?
I have found that when the
I have found that when the UAC level is changed from Never to any other of the three settings, a restart is needed but no warning is given! If Action Center is viewed, it can be seen that it is needed.
When trying to install some
When trying to install some Windows 7 updates I received the error msg 646 and the updates would never install. I restarted my machine and tried again with the same results. I went to Google and searched the web for this issue and saw a recommendation to turn off UAC. I did and the updates installed correctly. I then turned UAC back on and did a restart. My question to MS is why does UAC have an impact on Windows updates? This is does not happen with every update but this is the second time I had issues with installing updates. Turning UAC on and off is a pain because of having to restart the machine each time a change is made to UAC. Is this a bug in Windows that needs fixed?
Because, even to Windows own
Because, even to Windows own computers, about half of the updates ARE viruses!
:-D
Certainly, they act like it when it comes to running programs that ran perfectly well before the update(s).
The "P" in PC is for
The "P" in PC is for Personal. The UAC is just too intrusive for this person. I use anti-virus software and scan my PC when I'm done for the day. Don't hamper my day with needless mouse clicks.
Ciprian, your analysis is
Ciprian, your analysis is good but you missed the biggest flaw of all in UAC. That flaw is the human sitting in front of the computer.
The vast majority of computer users have no idea what UAC is for even in simple terms, let alone the technical reasons for it and how it works.
People rapidly become conditioned to provide the response that gets them what they want and that includes answering "Yes" to the UAC prompt whenever they see it. It doesn't matter why or when it appears because regular people will never understand why that annoying Window is appearing. They just know that if they Click No, they are often prevented from doing something they want.
The very fact that Windows even displays a UAC means that Microsoft has failed. End users should never have to make the technical decision of whether a process should run or not. Try explaining to your grandmother how to properly answer the UAC question.
I disable UAC right out of the box for my clients. And, yes, I fully understand what UAC does. I also know that non-technical types will NEVER understand it and will ALWAYS click yes. So let's just remove the annoyance and take other measures instead.
I agree with the point you
I agree with the point you are making. However, our mission here at 7 Tutorials is to educate our readers and convince them to go for "best practices" instead of the traditional "click yes on everything". If our readers choose to follow our recommendations, that's great. If not... well that's their choice.
Personally, when I setup a computer for friends and family, I always stick around to installing all drivers and main applications. I also explain what UAC is, why it is important to leave it turned on and, if they don't need to install more than another 2-3 applications after I leave, they generally keep it turned on. It helps also that they view as the expert and, because we also have a very personal relationship, they tend to listen to my advice.
Add new comment