Fixing Windows Vista, Part 2: Taming UAC

The User Account Control feature in Windows Vista has been known to drive normally level-headed people over the edge with frustration. If you find it annoying, you might be tempted to turn it off. According to Microsoft research, somewhere between 12 and 16 percent of all Windows Vista users do exactly that. But before you take such a radical step, it helps to understand what UAC is actually doing on your behalf and how you can tone down its hard edges without sacrificing its protection. The biggest misconception I hear about UAC is that it's just another silly "Are you sure?" dialog box that users will quickly learn to ignore. That's only one small part of the overall UAC system. The point of UAC is to allow you to run as a standard user, something that is nearly impossible in Windows XP and earlier Windows versions. In fact, with UAC enabled (the default setting) every user account in Windows Vista runs as a standard user. When you try to do something that requires administrative privileges, you see a UAC consent dialog box. If you're an administrator, you simply have to click Continue when prompted. If you're running as a standard user, you have to provide the user name and password of a member of the Administrators group.


Image gallery: I've created a walkthrough gallery that shows how to tone down the hard edges of UAC without sacrificing its protection. Gallery captions: "UAC's Secure Desktop is a hard block"; "It's best to have only one Administrator account".

UAC has four major benefits:
  1. On a shared computer, you can set up standard user accounts for users who don't have the experience or training to make smart decisions about installing software or making system changes. As a result, they won't be able to do any damage if a malicious website fools them into trying to install a piece of spyware or a Trojan.
  2. As an administrator, you get a warning before a piece of software attempts to make a change that can adversely affect the system. In Windows XP, clicking OK to a single malicious installer program could install a dozen programs in the background, with no warning to you. In Vista with UAC, you'll have to give consent to each installation (and presumably will say No, early and often).
  3. Badly written programs sometimes try to write user data to system areas, such as the Windows or Program Files folder or a registry key that affects all users. In Windows XP, running this type of program as a standard user would probably cause the program to fail. With Vista, those operations are intercepted and written to a virtualized location in your user profile. The program thinks it wrote a file to the Windows folder, but the actual file appears in your profile.
  4. Internet Explorer 7 runs in Protected Mode when UAC is on. That causes processes in a browser window to run at a low integrity level, where they're blocked from interacting with processes that have a higher integrity level. The net effect is to stop entire classes of web-based attacks in their tracks.
Microsoft product unit manager David Cross made some remarks several weeks ago that have been widely misinterpreted. He was quoted as saying that the reason Microsoft added UAC to Windows Vista was "to annoy users." The reality is that UAC shouldn't be annoying, and consent dialog boxes shouldn't be common. If you're being pestered with UAC prompts all day long, you should be annoyed at the software developer that wrote the crappy program that's responsible for those prompts, and you should in turn annoy them until they fix it. But if you do find UAC annoying in day-to-day use, I recommend that you try one or more of the alternatives described in this post before resorting to the "nuclear alternative" of completely disabling it. The three techniques I outline here (with illustrations in the accompanying screenshot gallery) can help cut the annoyance factor dramatically:
  • Stop annoying UAC "fade to black" slowdowns
  • Create an Administrator account that's free of UAC prompts
  • Use shortcuts to start programs in admin mode without UAC prompts


Stop UAC from blacking out the background

On some systems, the most annoying part of User Account Control is the delay while the background goes dark before the consent dialog box appears. That feature is called Secure Desktop, and it's a way to prevent so-called shatter attacks that can pass messages (and dangerous code) from one running process to another.
UAC with Secure Desktop option
This option has two unfortunate usability side effects:
  • If you have an underpowered graphics subsystem, the delay while you wait for the Secure Desktop to switch in can be noticeable. Even if it's only a half-second or so, it can be grating.
  • With Secure Desktop enabled, any request for consent is presented in a user context that is separate from your normal desktop. You must click Continue or Cancel to get past the consent dialog box.
The solution, if you're willing to forgo a little security for convenience, is to disable the Secure Desktop option. You can do this in either of two ways:
  • Using Vista Business, Ultimate, or Enterprise, open the Local Group Policy Editor (gpedit.msc), and then drill down through Computer Configuration to Windows Settings, Security Settings, Local Policies, and finally to Security Options. In the list of Policies in the right-hand pane, double-click User Account Control: Switch to the secure desktop when prompting for elevation. Change the setting from its default, Enabled, to Disabled. Click OK to close the dialog box.
    Disable Secure Desktop via Policy
  • Using Vista Home Basic or Home Premium, the Local Group Policy Editor is not available. Instead, you'll need to edit the registry. Open Regedit.exe (the usual disclaimers apply: if you screw something up, it's not my fault). Locate this key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    In the right-hand pane, double-click PromptOnSecureDesktop and change its value to 0 (the default is 1). Click OK to save the change.
    Disable Secure Desktop via the registry
With this setting in place, the consent dialog box appears on a normal desktop background, and you can continue to interact with running programs and processes, and with Windows itself, even while the consent dialog box is visible.
UAC without Secure Desktop


Create a UAC-free Administrator account

Linux users are familiar with the concept of a Root account, which has untrammeled access to the entire system but is not intended for day-to-day use. You can accomplish the same thing in Windows Vista by using standard accounts for day-to-day work, setting up a single Administrator account for those occasions when you want to tinker with the system, and then disabling UAC prompts for Administrators. The secret involves changing a setting that controls how elevation prompts work for Administrators. You can do this in either of two ways:
  • Using Vista Business, Ultimate, or Enterprise, open the Local Group Policy Editor (gpedit.msc), and then drill down through Computer Configuration to Windows Settings, Security Settings, Local Policies, and finally to Security Options. In the list of Policies in the right-hand pane, double-click User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode. Change the setting from its default, Prompt for consent, to Elevate without prompting. Click OK to close the dialog box.
    Elevate without prompting
  • Using Vista Home Basic or Home Premium, the Local Group Policy Editor is not available. Instead, you'll need to edit the registry. Open Regedit.exe (the usual disclaimers apply: if you screw something up, it's not my fault). Locate this key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    In the right-hand pane, double-click ConsentPromptBehaviorAdmin and change its value from the default 2 to 0. Click OK to save the change.
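The two registry values changed in this section and in the Secure Desktop section above can be checked, and put back to their defaults, from the command line. This is an added PowerShell example, not code from the original article; it assumes only the key and value names quoted above and the Vista defaults the article states (1 for PromptOnSecureDesktop, 2 for ConsentPromptBehaviorAdmin).

```powershell
# Added example (not from the original article): report the two UAC policy
# values the article edits, and put them back to the Vista defaults it cites.
# Run from an elevated prompt; the key and value names are those quoted above.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPromptPosture {
    $p = Get-ItemProperty -Path $UacKey
    # Vista meanings: PromptOnSecureDesktop 1 = consent dialog on the Secure Desktop (default),
    # 0 = on the normal desktop. ConsentPromptBehaviorAdmin 2 = prompt for consent (default),
    # 0 = elevate without prompting. A value that is absent is treated here as the default (assumption).
    $secure = if ($null -eq $p.PromptOnSecureDesktop) { 1 } else { $p.PromptOnSecureDesktop }
    $admin  = if ($null -eq $p.ConsentPromptBehaviorAdmin) { 2 } else { $p.ConsentPromptBehaviorAdmin }
    $secureText = if ($secure -eq 0) { 'disabled: prompts appear on the normal desktop' } else { 'enabled (default)' }
    $adminText  = switch ($admin) {
        0       { 'elevate without prompting' }
        2       { 'prompt for consent (default)' }
        default { "other ($admin)" }
    }
    New-Object PSObject -Property @{
        SecureDesktop  = $secureText
        AdminElevation = $adminText
        # Either change removes one of the protections the article describes.
        Weakened       = ($secure -eq 0) -or ($admin -eq 0)
    }
}

function Restore-UacPromptDefaults {
    # Defaults the article states: Secure Desktop on (1), administrators prompted for consent (2).
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
}

# Show the current posture; call Restore-UacPromptDefaults to undo both tweaks.
Get-UacPromptPosture | Format-List
```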
After making this change, you'll discover that User Account Control is still on, but clicking a shortcut that previously required elevation now takes you straight to the option you chose, with no intervening UAC dialog boxes. This is a significant improvement over disabling UAC completely, because file and registry virtualization still work, and so does Protected Mode IE7. But if you can put up with occasional UAC prompts, you'll be even better off using a standard account and saving your one (and only one) Administrator account for administrative tasks.
In this example, I started with an account called edbott, which I use for everyday computing.
1. The first step is to open Control Panel, type new account in the search box, and open the Create New Account dialog box shown here. In this case, I'm creating an account called eb-admin, which I assign as an Administrator.
2. After creating that account, I select my everyday user account (edbott) and click Change the account type.
3. To demote the account, click Standard user and then click Change Account Type.
After all the configuration is complete, I have the list of accounts shown here: one (and only one) administrator account, plus several standard accounts.
To perform administrative tasks without being bothered by UAC, I can press Windows logo key + L and log on to the eb-admin account. Because I enabled the Elevate without prompting option earlier, any task that would normally require UAC consent goes through on the very first click.


Create one-click elevated shortcuts

If a tool you use regularly requires that you click through a UAC prompt every time you start it up, the extra clicks can quickly become annoying. Some programs (Regedit, for example) are hard-coded to require UAC consent. Others, such as Task Manager, work differently if they're launched with administrative credentials. There's no way to configure an ordinary program shortcut to bypass a UAC prompt, but you can use the Windows Vista Task Scheduler to create a special shortcut that bypasses the consent dialog box and works with a single click. First, the caveats: This technique works only if your account is already a member of the Administrators group. If you've set yourself up with a Standard account, you can't use this trick. Also, you'll notice a window flash open and very quickly close as the Scheduled Task command executes and calls the program you really want to run.
1. To get started, open Task Scheduler (type task in the Start menu search box and it should pop to the top of the list). Ironically, you'll have to approve a UAC consent dialog box to continue. In the main Task Scheduler window, click Create Task.
2. On the General tab, enter a name for the task (you'll use this name to run the command later), and click the Run with highest privileges checkbox. This setting tells Windows to use the administrator token (the one you normally unlock via UAC) when you run this task.
3. On the Actions tab, enter the full path of the command you want to run. In this example, I'm using Taskmgr.exe, which will open Task Manager and display all running processes.
4. On the Settings tab, be sure that Allow task to be run on demand is selected. You're not actually going to schedule this task but instead are going to run it from a shortcut. Click OK to save the task.
5. Right-click an empty space in a folder or on the desktop and choose New, Shortcut. In the Create Shortcut wizard, enter this command: schtasks /run /tn "task_name" (substitute the name of the task you created in Step 2), and click Next.
6. Finally, give the shortcut a name and click Finish. Drag this shortcut to the Start menu, the Quick Launch bar, or any convenient location. You can now double-click this shortcut to run the task with full Administrator privileges and no UAC prompt.
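Because a task set up this way starts with the full administrator token and no consent dialog, it is worth knowing which tasks on a machine have that shape. The following is an added PowerShell audit, not code from the original article: it assumes that schtasks /query /fo csv lists one task per row with a TaskName column and that schtasks /query /xml returns the Task Scheduler 2.0 XML definition (RunLevel under Principal, AllowStartOnDemand under Settings, Exec under Actions).

```powershell
# Added example (not from the original article): list scheduled tasks whose
# definition combines "Run with highest privileges" with on-demand start, the
# shape of the one-click shortcut described above. Read-only audit; run it from
# an elevated prompt so that tasks created by other accounts are visible.
function Get-OnDemandElevatedTasks {
    # Assumption: schtasks prints "TaskName","Next Run Time","Status" rows; /nh drops the
    # header, and any header rows repeated per folder are filtered out below.
    $names = schtasks /query /fo csv /nh 2>$null |
        ConvertFrom-Csv -Header TaskName, NextRunTime, Status |
        ForEach-Object { $_.TaskName } |
        Where-Object { $_ -and $_ -ne 'TaskName' } |
        Sort-Object -Unique

    foreach ($name in $names) {
        # /xml returns the task definition; tasks this account cannot read are skipped.
        $raw = schtasks /query /tn $name /xml 2>$null
        if (-not $raw) { continue }
        try { [xml]$task = ($raw -join "`n") } catch { continue }

        # PowerShell dot navigation ignores the task schema namespace, so no
        # namespace manager is needed to reach these elements.
        $runLevel = $task.Task.Principals.Principal.RunLevel
        $onDemand = $task.Task.Settings.AllowStartOnDemand
        if ($runLevel -eq 'HighestAvailable' -and $onDemand -eq 'true') {
            $exec = $task.Task.Actions.Exec
            New-Object PSObject -Property @{
                TaskName  = $name
                Command   = $exec.Command
                Arguments = $exec.Arguments
                Author    = $task.Task.RegistrationInfo.Author
            }
        }
    }
}

# Each task listed can be started with schtasks /run from any Administrators-group
# account without a UAC prompt, so every entry should be one you recognise.
Get-OnDemandElevatedTasks | Format-Table TaskName, Command, Author -AutoSize
```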