On CBSNews.com: Obama Set To Be 1st "Wired" President
BNET Business Network:
BNET
TechRepublic
ZDNet

April 29th, 2008

Fixing Windows Vista, Part 2: Taming UAC

Posted by Ed Bott @ 10:41 pm

Categories: Windows Vista, Security, Tips

Tags: Program, Account, Microsoft Windows Vista, OK, UAC, Dialog Box, Microsoft Windows, Microsoft Windows Vista (Longhorn), Operating Systems, Software

The User Account Control feature in Windows Vista has been known to drive normally level-headed people over the edge with frustration. If you find it annoying, you might be tempted to turn it off. According to Microsoft research, somewhere between 12 and 16 percent of all Windows Vista users do exactly that. But before you take such a radical step, it helps to understand what UAC is actually doing on your behalf and how you can tone down its hard edges without sacrificing its protection.

The biggest misconception I hear about UAC is that it’s just another silly “Are you sure?” dialog box that users will quickly learn to ignore. That’s only one small part of the overall UAC system. The point of UAC is to allow you to run as a standard user, something that is nearly impossible in Windows XP and earlier Windows versions. In fact, with UAC enabled (the default setting) every user account in Windows Vista runs as a standard user. When you try to do something that requires administrative privileges, you see a UAC consent dialog box. If you’re an administrator, you simply have to click Continue when prompted. If you’re running as a standard user, you have to provide the user name and password of a member of the Administrators group.
  Image Gallery: I’ve created a walkthrough gallery that shows how to tone down the hard edges of UAC without sacrificing its protection.   UAC's Secure Desktop is a hard block   It's best to have only one Administrator account  

UAC has four major benefits:

  1. On a shared computer, you can set up standard user accounts for users who don’t have the experience or training to make smart decisions about installing software or making system changes. As a result, they won’t be able to do any damage if a malicious website fools them into trying to install a piece of spyware or a Trojan.
  2. As an administrator, you get a warning before a piece of software attempts to make a change that can adversely affect the system. In Windows XP, clicking OK to a single malicious installer program could install a dozen programs in the background, with no warning to you. In Vista with UAC, you’ll have to give consent to each installation (and presumably will say No, early and often.)
  3. Badly written programs sometimes try to write user data to system areas, such as the Windows or Program Files folder or a registry key that affects all users. In Windows XP, running this type of program as a standard user would probably cause the program to fail. With Vista, those operations are intercepted and written to a virtualized location in your user profile. The program thinks it wrote a file to the Windows folder, but the actual file appears in your profile.
  4. Internet Explorer 7 runs in Protected Mode when UAC is on. That causes processes in a browser window to run at a low integrity level, where they’re blocked from interacting with processes that have a higher integrity level. The net effect is to stop entire classes of web-based attacks in their tracks.

Microsoft product unit manager David Cross made some remarks several weeks ago that have been widely misinterpreted. He was quoted as saying that the reason Microsoft added UAC to Windows Vista was “to annoy users.” The reality is that UAC shouldn’t be annoying, and consent dialog boxes shouldn’t be common. If you’re being pestered with UAC prompts all day long, you should be annoyed at the software developer that wrote the crappy program that’s responsible for those prompts, and you should in turn annoy them until they fix it.

But if you do find UAC annoying in day-to-day use, I recommend that you try one or more of the alternatives described in this post before resorting to the “nuclear alternative” of completely disabling it. The three techniques I outline here (with illustrations in the accompanying screenshot gallery) can help cut the annoyance factor dramatically

Page 2: Stop annoying UAC “fade to black” slowdowns

Page 3: Create an Administrator account that’s free of UAC prompts

Page 4: Use shortcuts to start programs in admin mode without UAC prompts

Next –>

Pages: 1 2 3 4

Ed Bott is an award-winning technology writer with more than two decades' experience writing for mainstream media outlets and online publications. See his full profile and disclosure of his industry affiliations.

  • Talkback
  • Most Recent of 211 Talkback(s)
RE: Fixing Windows Vista, Part 2: Taming UAC
This is great! I was so sick and tired of having to authorize programs to run that I'd installed myself and obviously knew where they came from...very frustrating. Thank you, thank you, thank you!... (Read the rest)
Posted by: femmdraven Posted on: 05/20/08 You are currently: Logged In | Log out
Ed, You Rock Mr. Big   | 04/29/08
RE: Ed, You Rock cromwellryan@...   | 04/30/08
I have this problem bigsibling   | 04/30/08
I hope... Spiritusindomit@...   | 04/30/08
Did you read this story? Ed Bott  ZDNet | 04/30/08
UAC... is a waste of time notlehs   | 05/01/08
Only half right klumper   | 05/01/08
Waste? IMO - Not! Dkunzma   | 05/01/08
did you read the article? evilkillerwhale@...   | 04/30/08
Wow, what kind of magic are those users dabbling in? Kid Icarus   | 05/01/08
More likely. rtk   | 05/01/08
Hmm, that's funny Kid Icarus   | 05/01/08
It really is. rtk   | 05/01/08
Really? Kid Icarus   | 05/01/08
yup, really. rtk   | 05/01/08
Betraying gross ignorance Ed Bott  ZDNet | 05/01/08
Ignorance? Kid Icarus   | 05/01/08
re: Ignorance? rtk   | 05/01/08
Seat belts are annoying Ed Bott  ZDNet | 05/02/08
Disable UAC Tutorials pcwizkid.tech.talk@...   | 05/02/08
RE: Fixing Windows Vista, Part 2: Taming UAC ddanboyle@...   | 04/29/08
Good Article, But Vista Still A Loser chessmen   | 04/30/08
great article, Vista is a winner. rtk   | 04/30/08
i can tell chessmen you don't know much about vista have you ever used SO.CAL Guy   | 04/30/08
Vista Jon@...   | 05/01/08
Have used... feel the same way. Raymond Danner   | 05/01/08
Message has been deleted. evilkillerwhale@...   | 04/30/08
Limited User Accounts Jim1977   | 05/03/08
RE: Fixing Windows Vista, Part 2: Taming UAC thad@...   | 04/30/08
Want good support? mwagner@...  ZDNet | 04/30/08
Excellent recommendation...! Wolfie2K3   | 04/30/08
Dell is awful snixon@...   | 04/30/08
HP's business line is ok t_mohajir   | 05/01/08
Full of Crapware jbaviera@...   | 05/05/08
Dell? No thank you. angrykeyboarder   | 05/19/08
have you tried... evilkillerwhale@...   | 04/30/08
HP and Vista davidpeace   | 05/01/08
I love UAC, I love Ed too qmlscycrajg   | 04/30/08
Coding around the UAC rtfa   | 04/30/08
Hmm TheTruthisOutThere   | 04/30/08
Here's a bit more info rtfa   | 04/30/08
Not Bypassing Jhaks   | 04/30/08
Working exactly as intended Ed Bott  ZDNet | 04/30/08
read my original post rtfa   | 04/30/08
Not an exploit Ed Bott  ZDNet | 04/30/08
Is there a way... Jhaks   | 04/30/08
As far as I can tell, no can do Ed Bott  ZDNet | 04/30/08
Jhaks you might try tweakUAC it keeps UAC on but with out the prompts SO.CAL Guy   | 04/30/08
Does the same as page 3 here Ed Bott  ZDNet | 04/30/08
Maybe not dprozzo   | 05/02/08
Thanks for clarification on TweakUAC Jim1977   | 05/03/08
Ok, I admit it - I'm crazy crypt2121   | 04/30/08
No, not if ... mwagner@...  ZDNet | 04/30/08
well said mwagner SO.CAL Guy   | 04/30/08
before bashing and all... batres   | 04/30/08
re: Ok, I admit it Badgered   | 04/30/08
LOL...nt socialism=nowhere   | 04/30/08
I agree - it bothers me very little if at all... socialism=nowhere   | 04/30/08
For those of use to Unix/Linux alaniane@...   | 04/30/08
errata alaniane@...   | 04/30/08
UAC is much more annoying in my book stevey_d   | 05/02/08
You actually proved my point alaniane@...   | 05/03/08
RE: Fixing Windows Vista, Part 2: Taming UAC a_chameleon   | 04/30/08
Yes, I document the registry edits Ed Bott  ZDNet | 04/30/08
Registry keys lines too long MauiMike   | 04/30/08
Thanks for pointing that out - fixed now Ed Bott  ZDNet | 04/30/08
If you do find UAC annoying in day-to-day use... Jeremy W   | 04/30/08
Actually, Redmond should have alaniane@...   | 04/30/08
Agreed ... but softwareFlunky   | 04/30/08
The reason Microsoft didn't do this earlier are likely... ye   | 04/30/08
Ye: I know why they didn't alaniane@...   | 05/01/08
To add to that alaniane@...   | 05/01/08
Were you being sarcastic? ye   | 05/01/08
Doesn't have to be sarcastic necessarily alaniane@...   | 05/01/08
You're not making sense. ye   | 05/01/08
Ye lookup hyperbole alaniane@...   | 05/01/08
moot point stevey_d   | 05/02/08
I know exactly what DOS alaniane@...   | 05/02/08
Before anyone else decides to go off alaniane@...   | 05/02/08
Go figure - - - - (rhetorical) b8375629@...   | 04/30/08
How is elevating via UAC any different than... ye   | 04/30/08
Excellent post, ye b8375629@...   | 04/30/08
What is the hole? And what is the better way? ye   | 05/01/08
Are you sure about that? b8375629@...   | 05/01/08
@b8375629: Yep. I sure am. And the links... ye   | 05/01/08
@b8375629: One other thing: You didn't answer... ye   | 05/01/08
Well explain it to me, then... b8375629@...   | 05/01/08
@b8375629: ye   | 05/01/08
Sill have questons b8375629@...   | 05/02/08
I suggested to Microsoft the following solution stevey_d   | 05/02/08
Go figure - - - - (rhetorical) richdave   | 04/30/08
There's a difference between Kid Icarus   | 05/01/08
if you think the dialog is rtk   | 05/01/08
Uh no Kid Icarus   | 05/01/08
How would you change it and still keep the system secure? ye   | 05/01/08
There is. The one that permits a single elevation... ye   | 05/01/08
I see, soooo.... Kid Icarus   | 05/01/08
I wouldn't know. When there's an OS that does that... ye   | 05/01/08
There already is b8375629@...   | 05/02/08
RE: Fixing Windows Vista, Part 2: Taming UAC Nik Simpson   | 04/30/08
Fixing Windows Vista, Part 2: Taming UAC? Jeremy W   | 04/30/08
So why do you continue to come here? Ed Bott  ZDNet | 04/30/08
bozo filter rtk   | 04/30/08
Fortunately... John L. Ries   | 04/30/08
unfortunately rtk   | 04/30/08
Priceless klumper   | 04/30/08
roflcopter rtk   | 04/30/08
It was one for the ZDN ages klumper   | 04/30/08
ROFL ed i would say don't feed the troll but that needed to be said SO.CAL Guy   | 04/30/08
Vista Jon@...   | 05/01/08
A perfect example of distortion Ed Bott  ZDNet | 05/01/08
Do you believe everything Microsoft tells you? b8375629@...   | 05/01/08
Do you really believe made up statistics? CobraA1   | 05/02/08
Who said that? b8375629@...   | 05/02/08
Microsoft research shows that 88% leave it turned on Jeremy W   | 05/02/08
If you don't believe a companies own research or reporting rtk   | 05/02/08
Well said, Jeremy W b8375629@...   | 05/02/08
Let's see... Jeremy W   | 05/02/08
Wow rtk   | 05/02/08
this isn't fixing; tomandnancyjones@...   | 04/30/08
Re: this isn't fixing; none none   | 04/30/08
"it just works" rtk   | 04/30/08
you made me giggle evilkillerwhale@...   | 04/30/08
:) batres   | 04/30/08
and because of that, davidpeace   | 05/01/08
RE: Fixing Windows Vista, Part 2: Taming UAC davidhayes   | 04/30/08
RE: Fixing Windows Vista, Part 2: Taming UAC rmelugin@...   | 04/30/08
What Malicious Software Installation? vincentclement1@...   | 04/30/08
You could do that Ed Bott  ZDNet | 04/30/08
I could do that vincentclement1@...   | 04/30/08
Try TweakUAC Ed Bott  ZDNet | 04/30/08
Microsoft short sighted Jim Johnson   | 04/30/08
Re: Microsoft Short Sighted vincentclement1@...   | 04/30/08
RE: Fixing Windows Vista, Part 2: Taming UAC jimdorval@...   | 04/30/08
Good Intent Needs Other Considerations isanna   | 04/30/08
If UAC is bugging you all day long... John L. Ries   | 04/30/08
Additional thought John L. Ries   | 04/30/08
Good article, but I'm still puzzled pikeman666   | 04/30/08
UAC is a great idea Michael Kelly   | 04/30/08
Taming UAC danzig6   | 04/30/08
The symptoms you're pointing out alaniane@...   | 04/30/08
One more thing about Secure Desktop sjh_vt   | 04/30/08
Yes, agreed Ed Bott  ZDNet | 04/30/08
Two questions goyta   | 04/30/08
Workaround Ed Bott  ZDNet | 04/30/08
Just more silliness Jeremy W   | 05/03/08
Microsoft Hubris: The Beginning of the End sgk77@...   | 04/30/08
Re: Microsoft Hubris: The Beginning of the End graham.lv   | 04/30/08
RE: Fixing Windows Vista, Part 2: Taming UAC cool_frood@...   | 04/30/08
No Ed Bott  ZDNet | 04/30/08
Choice cool_frood@...   | 04/30/08
You do have that option Ed Bott  ZDNet | 04/30/08
Effect cool_frood@...   | 04/30/08
Because they tried to write to systemlocation Ed Bott  ZDNet | 04/30/08
Ok cool_frood@...   | 04/30/08
I would expect rtk   | 04/30/08
'Please' don't b8375629@...   | 04/30/08
This is no problem in my world ThePrairiePrankster   | 04/30/08
Hmm.... Spiritusindomit@...   | 04/30/08
Master Joe Says... MasterJoe   | 04/30/08
This is why... John L. Ries   | 04/30/08
What about USB appliances ? Frank from Holland   | 04/30/08
Easy way to tell Ed Bott  ZDNet | 04/30/08
RE: Fixing Windows Vista, Part 2: Taming UAC Island Gecko   | 04/30/08
That;'s what I recommend Ed Bott  ZDNet | 04/30/08
RE: Fixing Windows Vista, Part 2: Taming UAC moses123   | 04/30/08
Run everything as root John L. Ries   | 04/30/08
This is exactly why rtk   | 04/30/08
Problem with Task Manager jorjitop   | 04/30/08
Is Task Manager already running? Ed Bott  ZDNet | 04/30/08
No jorjitop   | 04/30/08
Repeated all instructions jorjitop   | 04/30/08