Fixing Windows Vista, Part 2: Taming UAC
The User Account Control feature in Windows Vista has been known to drive normally level-headed people over the edge with frustration. If you find it annoying, you might be tempted to turn it off. According to Microsoft research, somewhere between 12 and 16 percent of all Windows Vista users do exactly that. But before you take such a radical step, it helps to understand what UAC is actually doing on your behalf and how you can tone down its hard edges without sacrificing its protection. The three techniques I outline here (with illustrations in the accompanying screenshot gallery) can help cut the annoyance factor dramatically.
The biggest misconception I hear about UAC is that it's just another silly "Are you sure?" dialog box that users will quickly learn to ignore. That's only one small part of the overall UAC system. The point of UAC is to allow you to run as a standard user, something that is nearly impossible in Windows XP and earlier Windows versions. In fact, with UAC enabled (the default setting) every user account in Windows Vista runs as a standard user. When you try to do something that requires administrative privileges, you see a UAC consent dialog box. If you're an administrator, you simply have to click Continue when prompted. If you're running as a standard user, you have to provide the user name and password of a member of the Administrators group.
UAC has four major benefits:
- On a shared computer, you can set up standard user accounts for users who don't have the experience or training to make smart decisions about installing software or making system changes. As a result, they won't be able to do any damage if a malicious website fools them into trying to install a piece of spyware or a Trojan.
- As an administrator, you get a warning before a piece of software attempts to make a change that can adversely affect the system. In Windows XP, clicking OK to a single malicious installer program could install a dozen programs in the background, with no warning to you. In Vista with UAC, you'll have to give consent to each installation (and presumably will say No, early and often).
- Badly written programs sometimes try to write user data to system areas, such as the Windows or Program Files folder or a registry key that affects all users. In Windows XP, running this type of program as a standard user would probably cause the program to fail. With Vista, those operations are intercepted and written to a virtualized location in your user profile. The program thinks it wrote a file to the Windows folder, but the actual file appears in your profile.
- Internet Explorer 7 runs in Protected Mode when UAC is on. That causes processes in a browser window to run at a low integrity level, where they're blocked from interacting with processes that have a higher integrity level. The net effect is to stop entire classes of web-based attacks in their tracks.
Stop UAC from blacking out the background
On some systems, the most annoying part of User Account Control is the delay while the background goes dark before the consent dialog box appears. That feature is called Secure Desktop, and it's a way to prevent so-called shatter attacks that can pass messages (and dangerous code) from one running process to another. This option has two unfortunate usability side effects:
- If you have an underpowered graphics subsystem, the delay while you wait for the Secure Desktop to switch in can be noticeable. Even if it's only a half-second or so, it can be grating.
- With Secure Desktop enabled, any request for consent is presented in a user context that is separate from your normal desktop. You must click Continue or Cancel to get past the consent dialog box.

You can turn off Secure Desktop in either of two ways:
- Using Vista Business, Ultimate, or Enterprise, open the Local Group Policy Editor (gpedit.msc), and then drill down through Computer Configuration to Windows Settings, Security Settings, Local Policies, and finally to Security Options. In the list of Policies in the right-hand pane, double-click User Account Control: Switch to the secure desktop when prompting for elevation. Change the setting from its default, Enabled, to Disabled. Click OK to close the dialog box.
- Using Vista Home Basic or Home Premium, the Local Group Policy Editor is not available. Instead, you'll need to edit the registry. Open Regedit.exe (the usual disclaimers apply: if you screw something up, it's not my fault). Locate this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
In the right-hand pane, double-click PromptOnSecureDesktop and change its value to 0 (the default is 1). Click OK to save the change.
Create a UAC-free Administrator account
Linux users are familiar with the concept of a Root account, which has untrammeled access to the entire system but is not intended for day-to-day use. You can accomplish the same thing in Windows Vista by using standard accounts for day-to-day work, setting up a single Administrator account for those occasions when you want to tinker with the system, and then disabling UAC prompts for Administrators. The secret involves changing a setting that controls how elevation prompts work for Administrators. You can do this in either of two ways:
- Using Vista Business, Ultimate, or Enterprise, open the Local Group Policy Editor (gpedit.msc), and then drill down through Computer Configuration to Windows Settings, Security Settings, Local Policies, and finally to Security Options. In the list of Policies in the right-hand pane, double-click User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode. Change the setting from its default, Prompt for consent, to Elevate without prompting. Click OK to close the dialog box.
- Using Vista Home Basic or Home Premium, the Local Group Policy Editor is not available. Instead, you'll need to edit the registry. Open Regedit.exe (the usual disclaimers apply: if you screw something up, it's not my fault). Locate this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
In the right-hand pane, double-click ConsentPromptBehaviorAdmin and change its value from the default 2 to 0. Click OK to save the change.
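
The two registry values described above can be audited from PowerShell to see whether a machine still has the Vista defaults or has been changed. This is an added example, not part of the original article; the function names Test-UacPolicy and Get-UacPolicyValues are hypothetical, and the defaults are the ones the article states for Windows Vista.

```powershell
# Added example (not from the article): audit the two UAC policy values the
# article edits. Defaults are the Windows Vista defaults the article states.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$Checks = @(
    @{ Name = 'PromptOnSecureDesktop';      Default = 1
       Relaxed = 'Elevation prompts no longer switch to the Secure Desktop' },
    @{ Name = 'ConsentPromptBehaviorAdmin'; Default = 2
       Relaxed = 'Administrators are elevated without a consent prompt' }
)

# Hypothetical helper: classify values supplied as a name -> DWORD hashtable.
function Test-UacPolicy {
    param([hashtable]$Values)
    foreach ($check in $Checks) {
        $name = $check.Name
        if (-not $Values.ContainsKey($name)) {
            $status = 'NotSet'; $value = $null; $note = 'Value missing from the key'
        } else {
            $value = $Values[$name]
            if ($value -eq $check.Default) { $status = 'Default';    $note = '' }
            elseif ($value -eq 0)          { $status = 'Relaxed';    $note = $check.Relaxed }
            else                           { $status = 'NonDefault'; $note = 'Review manually' }
        }
        # New-Object keeps this compatible with PowerShell 2.0.
        New-Object PSObject -Property @{
            Name = $name; Value = $value; Status = $status; Note = $note
        } | Select-Object Name, Value, Status, Note
    }
}

# Hypothetical helper: read the live values (run on the machine being audited).
function Get-UacPolicyValues {
    $props  = Get-ItemProperty -Path $PolicyKey -ErrorAction Stop
    $values = @{}
    foreach ($check in $Checks) {
        $p = $props.PSObject.Properties[$check.Name]
        if ($p) { $values[$check.Name] = [int]$p.Value }
    }
    return $values
}

# Constructed sample: a machine after both registry edits from the article.
$sample = @{ PromptOnSecureDesktop = 0; ConsentPromptBehaviorAdmin = 0 }
Test-UacPolicy -Values $sample | Format-Table -AutoSize

# On a live system: Test-UacPolicy -Values (Get-UacPolicyValues)
```

With the constructed sample, both rows report the status Relaxed; a machine left at the article's stated defaults reports Default for both.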