Fixing Windows Vista, Part 2: Taming UAC


Summary: The User Account Control feature in Windows Vista has been known to drive normally level-headed people over the edge with frustration. If you find it annoying, you might be tempted to turn it off. According to Microsoft research, somewhere between 12 and 16 percent of all Windows Vista users do exactly that. But before you take such a radical step, it helps to understand what UAC is actually doing on your behalf and how you can tone down its hard edges without sacrificing its protection. The three techniques I outline here (with illustrations in the accompanying screenshot gallery) can help cut the annoyance factor dramatically.

The User Account Control feature in Windows Vista has been known to drive normally level-headed people over the edge with frustration. If you find it annoying, you might be tempted to turn it off. According to Microsoft research, somewhere between 12 and 16 percent of all Windows Vista users do exactly that. But before you take such a radical step, it helps to understand what UAC is actually doing on your behalf and how you can tone down its hard edges without sacrificing its protection.

The biggest misconception I hear about UAC is that it's just another silly "Are you sure?" dialog box that users will quickly learn to ignore. That's only one small part of the overall UAC system. The point of UAC is to allow you to run as a standard user, something that is nearly impossible in Windows XP and earlier Windows versions. In fact, with UAC enabled (the default setting) every user account in Windows Vista runs as a standard user.

When you try to do something that requires administrative privileges, you see a UAC consent dialog box. If you're an administrator, you simply have to click Continue when prompted. If you're running as a standard user, you have to provide the user name and password of a member of the Administrators group.


UAC has four major benefits:
  1. On a shared computer, you can set up standard user accounts for users who don't have the experience or training to make smart decisions about installing software or making system changes. As a result, they won't be able to do any damage if a malicious website fools them into trying to install a piece of spyware or a Trojan.
  2. As an administrator, you get a warning before a piece of software attempts to make a change that can adversely affect the system. In Windows XP, clicking OK to a single malicious installer program could install a dozen programs in the background, with no warning to you. In Vista with UAC, you'll have to give consent to each installation (and presumably will say No, early and often.)
  3. Badly written programs sometimes try to write user data to system areas, such as the Windows or Program Files folder or a registry key that affects all users. In Windows XP, running this type of program as a standard user would probably cause the program to fail. With Vista, those operations are intercepted and written to a virtualized location in your user profile. The program thinks it wrote a file to the Windows folder, but the actual file appears in your profile.
  4. Internet Explorer 7 runs in Protected Mode when UAC is on. That causes processes in a browser window to run at a low integrity level, where they're blocked from interacting with processes that have a higher integrity level. The net effect is to stop entire classes of web-based attacks in their tracks.
Microsoft product unit manager David Cross made some remarks several weeks ago that have been widely misinterpreted. He was quoted as saying that the reason Microsoft added UAC to Windows Vista was "to annoy users." The reality is that UAC shouldn't be annoying, and consent dialog boxes shouldn't be common. If you're being pestered with UAC prompts all day long, you should be annoyed at the software developer that wrote the crappy program that's responsible for those prompts, and you should in turn annoy them until they fix it.

But if you do find UAC annoying in day-to-day use, I recommend that you try one or more of the alternatives described in this post before resorting to the "nuclear alternative" of completely disabling it. The three techniques I outline here (with illustrations in the accompanying screenshot gallery) can help cut the annoyance factor dramatically.
  • Page 2: Stop annoying UAC "fade to black" slowdowns
  • Page 3: Create an Administrator account that's free of UAC prompts
  • Page 4: Use shortcuts to start programs in admin mode without UAC prompts

Stop UAC from blacking out the background

On some systems, the most annoying part of User Account Control is the delay while the background goes dark before the consent dialog box appears. That feature is called Secure Desktop, and it's a way to prevent so-called shatter attacks that can pass messages (and dangerous code) from one running process to another. This option has two unfortunate usability side effects:
  • If you have an underpowered graphics subsystem, the delay while you wait for the Secure Desktop to switch in can be noticeable. Even if it's only a half-second or so, it can be grating.
  • With Secure Desktop enabled, any request for consent is presented in a user context that is separate from your normal desktop. You must click Continue or Cancel to get past the consent dialog box.
The solution, if you're willing to forgo a little security for convenience, is to disable the Secure Desktop option. You can do this in either of two ways:
  • Using Vista Business, Ultimate, or Enterprise, open the Local Group Policy Editor (gpedit.msc), and then drill down through Computer Configuration to Windows Settings, Security Settings, Local Policies, and finally to Security Options. In the list of Policies in the right-hand pane, double-click User Account Control: Switch to the secure desktop when prompting for elevation. Change the setting from its default, Enabled, to Disabled. Click OK to close the dialog box.
  • Using Vista Home Basic or Home Premium, the Local Group Policy Editor is not available. Instead, you'll need to edit the registry. Open Regedit.exe (the usual disclaimers apply: if you screw something up, it's not my fault). Locate this key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    In the right-hand pane, double-click PromptOnSecureDesktop and change its value to 0 (the default is 1). Click OK to save the change.
With this setting in place, the consent dialog box appears on a normal desktop background, and you can continue to interact with running programs and processes and with Windows itself, even when the consent dialog box is visible.


Create a UAC-free Administrator account

Linux users are familiar with the concept of a Root account, which has untrammeled access to the entire system but is not intended for day-to-day use. You can accomplish the same thing in Windows Vista by using standard accounts for day-to-day work, setting up a single Administrator account for those occasions when you want to tinker with the system, and then disabling UAC prompts for Administrators. The secret involves changing a setting that controls how elevation prompts work for Administrators. You can do this in either of two ways:
  • Using Vista Business, Ultimate, or Enterprise, open the Local Group Policy Editor (gpedit.msc), and then drill down through Computer Configuration to Windows Settings, Security Settings, Local Policies, and finally to Security Options. In the list of Policies in the right-hand pane, double-click User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode. Change the setting from its default, Prompt for consent, to Elevate without prompting. Click OK to close the dialog box.
  • Using Vista Home Basic or Home Premium, the Local Group Policy Editor is not available. Instead, you'll need to edit the registry. Open Regedit.exe (the usual disclaimers apply: if you screw something up, it's not my fault). Locate this key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    In the right-hand pane, double-click ConsentPromptBehaviorAdmin and change its value from the default 2 to 0. Click OK to save the change.
After making this change, you'll discover that User Account Control is still on, but clicking a shortcut that previously required elevation now takes you straight to the option you chose, with no intervening UAC dialog boxes. This is a significant improvement over disabling UAC completely, because file and registry virtualization still work, and so does Protected Mode IE7.

But if you can put up with occasional UAC prompts, you'll be even better off using a standard account and saving your one (and only one) Administrator account for administrative tasks. In this example, I started with an account called edbott, which I use for everyday computing.
  1. First step is to open Control Panel, type new account in the search box, and open the Create New Account dialog box shown here. In this case, I'm creating an account called eb-admin, which I assign as an Administrator.
  2. After creating that account, I select my everyday user account (edbott) and click Change the account type.
  3. To demote the account, click Standard user and then click Change Account Type.
After all the configuration is complete, I have the list of accounts shown here: one (and only one) administrator account, plus several standard accounts. To perform administrative tasks without being bothered by UAC, I can press Windows logo key + L and log on to the eb-admin account. Because I enabled the Elevate without prompting option earlier, any task that would normally require UAC consent goes through on the very first click.
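To confirm which of the two registry tweaks described so far (PromptOnSecureDesktop and ConsentPromptBehaviorAdmin) are in effect on a machine, the saved output of `reg query` for the Policies\System key can be compared against the defaults given above. This is an added example, not part of the original article; the sample output is constructed, and treating a value that is missing from the output as the default is an assumption.

```python
import re

# Values and defaults exactly as the article gives them; the "relaxed" entries
# are the settings its two tweaks apply.
POLICY = {
    "promptonsecuredesktop": {
        "name": "PromptOnSecureDesktop", "default": 1,
        "relaxed": {0: "consent prompt appears on the normal desktop (Secure Desktop off)"},
    },
    "consentpromptbehavioradmin": {
        "name": "ConsentPromptBehaviorAdmin", "default": 2,
        "relaxed": {0: "administrators elevate without prompting"},
    },
}

# Constructed sample of `reg query` output for the Policies\System key.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x0
    PromptOnSecureDesktop    REG_DWORD    0x1
    legalnoticecaption    REG_SZ
"""

DWORD_LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$")


def parse_dwords(text):
    """Return {lowercased value name: int} for every REG_DWORD line."""
    values = {}
    for line in text.splitlines():
        m = DWORD_LINE.match(line)
        if m:
            # Registry value names are case-insensitive, so normalise them.
            values[m.group(1).lower()] = int(m.group(2), 16)
    return values


def audit_uac(text):
    """List (name, current, default, note) for each value that is off its default."""
    values = parse_dwords(text)
    findings = []
    for key, spec in POLICY.items():
        # Assumption: a value missing from the output is treated as the default.
        current = values.get(key, spec["default"])
        if current != spec["default"]:
            note = spec["relaxed"].get(current, "non-default value not covered by the article")
            findings.append((spec["name"], current, spec["default"], note))
    return findings


if __name__ == "__main__":
    for finding in audit_uac(SAMPLE_REG_QUERY):
        print(finding)
```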


Create one-click elevated shortcuts

If a tool you use regularly requires that you click through a UAC prompt every time you start it up, the extra clicks can quickly become annoying. Some programs (Regedit, for example) are hard-coded to require UAC consent. Others, such as Task Manager, work differently if they're launched with administrative credentials. There's no way to configure an ordinary program shortcut to bypass a UAC prompt, but you can use the Windows Vista Task Scheduler to create a special shortcut that bypasses the consent dialog box and works with a single click.

First, the caveats: This technique works only if your account is already a member of the Administrators group. If you've set yourself up with a Standard account, you can't use this trick. Also, you'll notice a window flash open and very quickly close as the Scheduled Task command executes and calls the program you really want to run.
  1. To get started, open Task Scheduler (type task in the Start menu search box and it should pop to the top of the list). Ironically, you'll have to approve a UAC consent dialog box to continue. In the main Task Scheduler window, click Create Task.
  2. On the General tab, enter a name for the task (you'll use this name to run the command later), and click the Run with highest privileges checkbox. This setting tells Windows to use the administrator token (the one you normally unlock via UAC) when you run this task.
  3. On the Actions tab, enter the full path of the command you want to run. In this example, I'm using Taskmgr.exe, which will open Task Manager and display all running processes.
  4. On the Settings tab, be sure that Allow task to be run on demand is selected. You're not actually going to schedule this task but instead are going to run it from a shortcut. Click OK to save the task.
  5. Finally, right-click an empty space in a folder or on the desktop and choose New, Shortcut. In the Create Shortcut wizard, enter this command:
    schtasks /run /tn "task_name"
    Substitute the name of the task you created in Step 2 and click Next.
  6. Finally, give the shortcut a name and click Finish. Drag this shortcut to the Start menu, the Quick Launch bar, or any convenient location.
You can now double-click this shortcut to run the task with full Administrator privileges and no UAC prompt.
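A task built this way starts its program elevated for anything that runs the `schtasks /run` command in your session, so it is worth reviewing what each such task points at. The following added example (not part of the original article) reads a task definition exported as XML and reports whether it matches the run-on-demand, highest-privileges pattern from steps 2 to 4, and whether its command is a full path inside an administrator-only folder. The sample XML, the user name in it and the C: folder list are constructed assumptions.

```python
import ntpath
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler 2.0 task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumption: the system drive is C: and these are the admin-only locations.
PROTECTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample shaped like an exported definition of the task from
# steps 1-4 (user name and path are illustrative). Real exports are UTF-16
# files with an XML declaration; read those as bytes before parsing.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers />
  <Principals>
    <Principal id="Author">
      <UserId>EXAMPLE-PC\admin-user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\Taskmgr.exe</Command>
    </Exec>
  </Actions>
</Task>"""


def audit_task(xml_text):
    """Summarise one task definition and warn about risky elevated targets."""
    root = ET.fromstring(xml_text)
    # Absent elements fall back to the schema defaults.
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel",
                              default="LeastPrivilege", namespaces=NS)
    on_demand = root.findtext("t:Settings/t:AllowStartOnDemand",
                              default="true", namespaces=NS).strip().lower() == "true"
    triggers = root.find("t:Triggers", NS)
    has_triggers = triggers is not None and len(triggers) > 0
    commands = [c.text.strip() for c in root.findall("t:Actions/t:Exec/t:Command", NS) if c.text]

    elevated = run_level.strip() == "HighestAvailable"
    warnings = []
    if elevated:
        for cmd in commands:
            path = ntpath.normcase(cmd.strip('"'))
            if not ntpath.isabs(path):
                warnings.append(f"{cmd}: not a full path, target depends on search order")
            elif not path.startswith(PROTECTED_DIRS):
                warnings.append(f"{cmd}: outside admin-only folders, file may be replaceable")
    return {
        "elevated": elevated,
        # "Run with highest privileges" + run on demand + nothing scheduled.
        "shortcut_pattern": elevated and on_demand and not has_triggers,
        "commands": commands,
        "warnings": warnings,
    }


if __name__ == "__main__":
    print(audit_task(SAMPLE_TASK_XML))
```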

Topics: Software, Microsoft, Operating Systems, Windows


Talkback

213 comments
  • Ed, You Rock

    Excellent article; thanks a bunch.
    Mr. Big
    • RE: Ed, You Rock

      When I initially saw this headline, I was on the verge of irritation, but this is a great article.

      I would say that most users in my office never see a UAC prompt for weeks on end, so I'm not sure who these normal users are that have so many issues. I would suggest they look to their software vendor with concern.
      cromwellryan@...
      • I have this problem

        I have several programs that I run regularly that require UAC approval (Visual Studio 2005 is one of them...for some reason). While I do at times find it annoying, it does give me warm fuzzies knowing that my kids or the 5/8 have a lower chance of mussing up my system.

        It is great to know I can create shortcuts for known safe programs that pretty much bypass the UAC.
        bigsibling
        • I hope...

          That's sarcasm....

          You can't create shortcuts that will bypass it, the uac dialogue will still pop. Also, upgrade to 2008.
          Spiritusindomit@...
          • Did you read this story?

            The last page explains how to create a Scheduled Task that automatically elevates itself without a UAC dialog box. You can then assign that task to a shortcut and run it. I presume that's what he was referring to.
            Ed Bott
          • UAC... is a waste of time

            Ed I am sorry, but UAC is a massive waste of time for most users. They will simply always click continue. Why? because they want to install the software they are installing.

            We don't want to tweak it so it doesn't pop up...why waste time doing that when 6 clicks eliminates it forever?

            UAC is an answer to a problem few have. The problem isn't that people are accidentally installing malicious programs on their PCs... it is that they purposely install crapware in order to gain access to something free. This crapware then delivers its malicious payload. These users are the same users who will simply click continue. A user such as myself, would always install software from a reputable vendor and therefore wouldn't need to worry about these issues. It is no coincidence that most of us who aren't trying to get free crapware do not encounter these problems with or without UAC.

            UAC is disabled on my Vista machine as it has been since about the 50th prompt during initial setup of my machine. The Windows software firewall....also has been disabled from moment one as it has the same issue... prompt... prompt....prompt. Third Party Firewall software works much better and with WAY less prompting...When MS decides to find a way to not prompt me to death, I might use these features...until then disabled they will be.
            notlehs
          • Only half right

            Not sure it is really fair to call it a waste of time, but it is imo a rather poor implementation of a long overdue 'step in the right direction', that is, a ramping up of platform security. Personally I grin (all right, grimace) and bear the pain, as opposed to ditching UAC altogether.

            If you're willing to dance a little, Ed does offer a lot of sensible ideas in this article to make dealing with the admittedly needling redundancies a bit more bearable. Hopefully Microsoft will listen to its user base and critics and get it right the next time around -- they're not far from making this happen (assuming they listen).

            That said, I do empathize with much of what you've written, and feel it reflects the sentiments of the public at large (whom I deal with regularly on such issues).

            Justin James and George Ou now have a few interesting takes on this very subject on Ou's new Technology For Mortals Blog that you might want to visit: Microsoft's Achille's Heel
            http://www.formortals.com/Home/tabid/36/EntryID/16/Default.aspx
            klumper
          • Waste? IMO - Not!

            UAC has been a nice tool I use at home.
            Four teens each with their own pc.
            I can do what I need in their logon w/o having to login as the admin and it has been great stopping them from 'installing' items they should not.

            Far fewer issues than when they were on 2000/xp.
            rhonin
          • did you read the article?

            it explains how to bypass...
            evilkillerwhale@...
      • Wow, what kind of magic are those users dabbling in?

        because after using Vista for a couple of months I see dialog after dialog of UAC prompts for same dang thing over and over and over...mostly for MS's apps. Soooooo should we be looking at that vendor as the cause of the problems? ;)
        Kid Icarus-21097050858087920245213802267493
        • More likely.

          you've "tweaked" your system into a total disaster.

          Very few MS apps would request elevation, unless you screwed up the permissions on your folder structures.

          It doesn't take any magic.
          rtk
          • Hmm, that's funny

            I didn't have to "tweak" anything for every control panel to ask if I need permission or for many apps to repeatedly ask for the same permission over and over. Nope, no tweaking done on my part.

            Sluffing off a complaint as someone who knows nothing, huh? Nice. Do you always defend MS this way?

            It could never be MS's implementation of this silly "feature" now could it?

            Besides, do you really think a yes or no box makes your computer safe? At least require some password credentials or something, but oh wait, if MS did that the UAC would be even more annoying because it goes off for the most trivial reasons.

            How does a UAC prompt help the security of your computer if you have launched that same app 20 times previously? See? It doesn't make sense.

            It's a tacked on fake feature.
            Kid Icarus-21097050858087920245213802267493
          • It really is.

            Any control panel app that affects machine rather than user settings should require elevation.

            Any program that accesses or changes machine rather than user settings needs to elevate.

            I'm not "sluffing off a complaint" about a legitimate complaint, I'm questioning how you'd manage to misconfigure a machine to the point you can't open any app without it asking to elevate.

            It's surely not the default, nor the experience of the mass majority.

            If you need help understanding least privilege and rights elevation, maybe you could search out one of the hundreds of explanations available online.
            rtk
          • Really?

            I need to be asked if I really want to open a control panel
            every time over and over with the same app in my session?
            Even if I close and open it again. A control panel that I
            specifically clicked on to open and do nothing else? Really?

            Wow, now that's security.

            There's a reason it's just a simple yes or no question being
            tacked on to your actions. Otherwise it would be a
            nightmare. There's a difference between thoughtfully
            knowing when to raise privileges and just willy nilly asking
            if you would like to cancel or allow just about everything
            you do.

            And as far as that not being the default, you're wrong. I
            did nothing special in my install to "tweak" anything. That's
            just Vista through and through.
            Kid Icarus-21097050858087920245213802267493
          • yup, really.

            according to MS, and witnessed on our now 50+ installs of Vista, 90% of user sessions have 0 UAC prompts, less than 2% see more than 4.

            Do you spend your day tweaking your control panel applets? Most users "use" their pc, at least for some portion of their session.

            On a corporate network, over the shoulder elevation has made standard user accounts an easily achievable goal. On XP and below it was an absolute nightmare.
            rtk
          • Betraying gross ignorance

            I tried to dispense with the misconception that UAC consent dialogs are simple yes-or-no confirmation boxes on page one of this post, but I guess you were too busy composing your Talkback posts to actually read.

            You really need to get some basic facts about what UAC is and how it works before you try to pontificate on it. Did you know there are actually books written about this stuff?
            Ed Bott
          • Ignorance?

            So the average Vista user now needs to read books on UAC to
            realize that annoying isn't annoying?

            I guess all those that are PO'd with UAC's implementation just
            need to sit down and read books to realize that it isn't
            REALLY annoying.

            Great, I'll take that into consideration when someone asks me
            about Vista's UAC. Brilliant.
            Kid Icarus-21097050858087920245213802267493
          • re: Ignorance?

            you need to decide if you want to claim it's annoying or useless.

            If you can't understand the necessity of using your pc daily as a reduced privileged user, you're not the right person to be advising people on computer security.

            The average computer user needs to understand that running as root is bad, that's all you need to tell anybody.
            rtk
          • Seat belts are annoying

            Driving would be much more convenient if we didn't have to stop and put on seat belts every time we started the car.

            That's basically what you're arguing.

            I repeat: You're not going to make a coherent argument until you understand what you're arguing about.
            Ed Bott
    • Disable UAC Tutorials

      I've recorded the steps I took to disable UAC on video here:
      http://pcwizkid.blogspot.com/2008/02/disable-user-account-control-popups.html

      Cheers all.
      PCWizKid
      pcwizkid.tech.talk@...